Determine which TUF root to show based on actual access, not requested
access
This commit is contained in:
Evan Cordell
parent
7b411b2c25
commit
43dd974dca
5 changed files with 61 additions and 38 deletions
|
|
@ -105,7 +105,7 @@ class SecurityScannerAPI(object):
|
|||
|
||||
# Generate the JWT which will authorize this
|
||||
audience = self._app.config['SERVER_HOSTNAME']
|
||||
context, subject = build_context_and_subject(None, None, None)
|
||||
context, subject = build_context_and_subject(None, None, None, None)
|
||||
access = [{
|
||||
'type': 'repository',
|
||||
'name': repository_and_namespace,
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
ANONYMOUS_SUB = '(anonymous)'
|
||||
ALGORITHM = 'RS256'
|
||||
CLAIM_TUF_ROOT = 'com.apostille.root'
|
||||
|
||||
# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
|
||||
# count.
|
||||
|
|
@ -99,14 +100,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
|
|||
return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
|
||||
|
||||
|
||||
def build_context_and_subject(user, token, oauthtoken):
|
||||
def build_context_and_subject(user, token, oauthtoken, tuf_root):
|
||||
""" Builds the custom context field for the JWT signed token and returns it,
|
||||
along with the subject for the JWT signed token. """
|
||||
|
||||
# Serve quay root if not explicitly granted permission to see signer root
|
||||
if not tuf_root:
|
||||
tuf_root = 'quay'
|
||||
|
||||
if oauthtoken:
|
||||
context = {
|
||||
'kind': 'oauth',
|
||||
'user': user.username,
|
||||
'oauth': oauthtoken.uuid,
|
||||
CLAIM_TUF_ROOT: tuf_root,
|
||||
}
|
||||
|
||||
return (context, user.username)
|
||||
|
|
@ -115,6 +122,7 @@ def build_context_and_subject(user, token, oauthtoken):
|
|||
context = {
|
||||
'kind': 'user',
|
||||
'user': user.username,
|
||||
CLAIM_TUF_ROOT: tuf_root,
|
||||
}
|
||||
return (context, user.username)
|
||||
|
||||
|
|
@ -122,11 +130,13 @@ def build_context_and_subject(user, token, oauthtoken):
|
|||
context = {
|
||||
'kind': 'token',
|
||||
'token': token.code,
|
||||
CLAIM_TUF_ROOT: tuf_root,
|
||||
}
|
||||
return (context, None)
|
||||
|
||||
context = {
|
||||
'kind': 'anonymous',
|
||||
CLAIM_TUF_ROOT: tuf_root,
|
||||
}
|
||||
return (context, ANONYMOUS_SUB)
|
||||
|
||||
|
|
|
|||
Reference in a new issue