Merge pull request #3139 from quay/spike/install-certs
Install certs in the config app, small refactor to LDAP validation
This commit is contained in:
commit
496d94138c
12 changed files with 141 additions and 78 deletions
|
@ -102,7 +102,8 @@ class ValidatorContext(object):
|
|||
def __init__(self, config, user_password=None, http_client=None, context=None,
|
||||
url_scheme_and_hostname=None, jwt_auth_max=None, registry_title=None,
|
||||
ip_resolver=None, feature_sec_scanner=False, is_testing=False,
|
||||
uri_creator=None, config_provider=None, instance_keys=None):
|
||||
uri_creator=None, config_provider=None, instance_keys=None,
|
||||
init_scripts_location=None):
|
||||
self.config = config
|
||||
self.user = get_authenticated_user()
|
||||
self.user_password = user_password
|
||||
|
@ -117,10 +118,11 @@ class ValidatorContext(object):
|
|||
self.uri_creator = uri_creator
|
||||
self.config_provider = config_provider
|
||||
self.instance_keys = instance_keys
|
||||
self.init_scripts_location = init_scripts_location
|
||||
|
||||
@classmethod
|
||||
def from_app(cls, app, config, user_password, ip_resolver, instance_keys, client=None,
|
||||
config_provider=None):
|
||||
config_provider=None, init_scripts_location=None):
|
||||
"""
|
||||
Creates a ValidatorContext from an app config, with a given config to validate
|
||||
:param app: the Flask app to pull configuration information from
|
||||
|
@ -128,9 +130,10 @@ class ValidatorContext(object):
|
|||
:param user_password: request password
|
||||
:param instance_keys: The instance keys handler
|
||||
:param ip_resolver: an App
|
||||
:param client:
|
||||
:param config_provider:
|
||||
:return:
|
||||
:param client: http client used to connect to services
|
||||
:param config_provider: config provider used to access config volume(s)
|
||||
:param init_scripts_location: location where initial load scripts are stored
|
||||
:return: ValidatorContext
|
||||
"""
|
||||
url_scheme_and_hostname = URLSchemeAndHostname.from_app_config(app.config)
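Review bot: The reworded docstring still leaves `:param ip_resolver: an App` on the context line just above the new entries, which names the wrong thing and says nothing about the parameter; since the neighbouring lines are being rewritten anyway, give it a real description, e.g. `:param ip_resolver: resolver used to look up IP address information` (what it resolves is not visible here, so confirm against the resolver type). `:param user_password: request password` would likewise read better as `:param user_password: password supplied with the current request`. The body of from_app continues past this hunk.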
|
||||
|
||||
|
@ -146,4 +149,5 @@ class ValidatorContext(object):
|
|||
is_testing=app.config.get('TESTING', False),
|
||||
uri_creator=get_blob_download_uri_getter(app.test_request_context('/'), url_scheme_and_hostname),
|
||||
config_provider=config_provider,
|
||||
instance_keys=instance_keys)
|
||||
instance_keys=instance_keys,
|
||||
init_scripts_location=init_scripts_location)
|
||||
|
|
|
@ -47,22 +47,21 @@ def test_invalid_uri(uri, app):
|
|||
LDAPValidator.validate(config)
|
||||
|
||||
|
||||
@pytest.mark.parametrize('username, password, expected_exception', [
|
||||
('invaliduser', 'invalidpass', ConfigValidationException),
|
||||
('someuser', 'invalidpass', ConfigValidationException),
|
||||
('invaliduser', 'somepass', ConfigValidationException),
|
||||
('someuser', 'somepass', None),
|
||||
@pytest.mark.parametrize('admin_dn, admin_passwd, user_rdn, expected_exception', [
|
||||
('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=employees'], None),
|
||||
('uid=invalidadmindn', 'password', ['ou=employees'], ConfigValidationException),
|
||||
('uid=testy,ou=employees,dc=quay,dc=io', 'invalid_password', ['ou=employees'], ConfigValidationException),
|
||||
('uid=testy,ou=employees,dc=quay,dc=io', 'password', ['ou=invalidgroup'], ConfigValidationException),
|
||||
])
|
||||
def test_validated_ldap(username, password, expected_exception, app):
|
||||
def test_validated_ldap(admin_dn, admin_passwd, user_rdn, expected_exception, app):
|
||||
config = {}
|
||||
config['AUTHENTICATION_TYPE'] = 'LDAP'
|
||||
config['LDAP_BASE_DN'] = ['dc=quay', 'dc=io']
|
||||
config['LDAP_ADMIN_DN'] = 'uid=testy,ou=employees,dc=quay,dc=io'
|
||||
config['LDAP_ADMIN_PASSWD'] = 'password'
|
||||
config['LDAP_USER_RDN'] = ['ou=employees']
|
||||
config['LDAP_ADMIN_DN'] = admin_dn
|
||||
config['LDAP_ADMIN_PASSWD'] = admin_passwd
|
||||
config['LDAP_USER_RDN'] = user_rdn
|
||||
|
||||
unvalidated_config = ValidatorContext(config, user_password=password, config_provider=config_provider)
|
||||
unvalidated_config.user = AttrDict(dict(username=username))
|
||||
unvalidated_config = ValidatorContext(config, config_provider=config_provider)
|
||||
|
||||
if expected_exception is not None:
|
||||
with pytest.raises(ConfigValidationException):
|
||||
|
|
|
@ -13,16 +13,16 @@ class LDAPValidator(BaseValidator):
|
|||
def validate(cls, validator_context):
|
||||
""" Validates the LDAP connection. """
|
||||
config = validator_context.config
|
||||
user = validator_context.user
|
||||
user_password = validator_context.user_password
|
||||
config_provider = validator_context.config_provider
|
||||
init_scripts_location = validator_context.init_scripts_location
|
||||
|
||||
if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
|
||||
return
|
||||
|
||||
# If there is a custom LDAP certificate, then reinstall the certificates for the container.
|
||||
if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
|
||||
subprocess.check_call([os.path.join(config_provider.get_config_root(), '../init/certs_install.sh')])
|
||||
subprocess.check_call([os.path.join(init_scripts_location, 'certs_install.sh')],
|
||||
env={ 'QUAYCONF': config_provider.get_config_dir_path() })
|
||||
|
||||
# Note: raises ldap.INVALID_CREDENTIALS on failure
|
||||
admin_dn = config.get('LDAP_ADMIN_DN')
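Review bot: `env={ 'QUAYCONF': config_provider.get_config_dir_path() }` on the new `subprocess.check_call` replaces the child's entire environment rather than extending it, so certs_install.sh runs without PATH, HOME or any other inherited variable and any tool it invokes by bare name will not be found unless the script is fully self-contained; `env=dict(os.environ, QUAYCONF=config_provider.get_config_dir_path())` adds the variable on top of the inherited environment. Separately, `init_scripts_location` defaults to None on ValidatorContext (both the new constructor default and the rewritten test_validated_ldap, which builds the context without it), so when `volume_file_exists(LDAP_CERT_FILENAME)` is true `os.path.join(None, 'certs_install.sh')` raises TypeError instead of the ConfigValidationException callers expect; a guard such as `if init_scripts_location is None: raise ConfigValidationException('init_scripts_location is required to install a custom LDAP certificate')` before the call makes that failure explicit. The body of validate continues past this hunk.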
|
||||
|
@ -60,10 +60,10 @@ class LDAPValidator(BaseValidator):
|
|||
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
allow_tls_fallback, requires_email=requires_email)
|
||||
|
||||
username = user.username
|
||||
(result, err_msg) = users.verify_credentials(username, user_password)
|
||||
# Ensure at least one user exists to verify the connection is setup properly
|
||||
(result, err_msg) = users.at_least_one_user_exists()
|
||||
if not result:
|
||||
msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not exist ' +
|
||||
msg = ('Verification that users exist failed: %s. \n\nNo users exist ' +
|
||||
'in the remote authentication system ' +
|
||||
'OR LDAP auth is misconfigured.') % (username, err_msg)
|
||||
'OR LDAP auth is misconfigured.') % err_msg
|
||||
raise ConfigValidationException(msg)
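Review bot: With `verify_credentials(username, user_password)` replaced by `at_least_one_user_exists()`, the locals `user` and `user_password` that validate still reads from validator_context at the top of the method (in the earlier hunk of this same method, outside this one) are no longer referenced anywhere visible, so those two assignments should go along with the lines removed here. The `# Ensure at least one user exists` comment should also spell out that this is a weaker check than the one it replaces, e.g. `# Ensure at least one user exists; unlike a credential check this does not prove any specific user can bind`, so a later reader does not assume the superuser's credentials were verified. Relatedly, the `%s` in the new message formats `err_msg` directly; if `at_least_one_user_exists` can return None as the message the text will read `failed: None.`, so consider `err_msg or 'unknown error'` — hedged, since that helper's contract is not visible here.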
|
||||
|
|