Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
This commit is contained in:
Joseph Schorr
parent
53b762a875
commit
524d77f527
50 changed files with 943 additions and 289 deletions
|
|
@ -6,7 +6,8 @@ from flask import request, jsonify, abort
|
|||
|
||||
import features
|
||||
from app import app, userevents, instance_keys
|
||||
from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
|
||||
from auth.auth_context import (get_authenticated_user, get_validated_token,
|
||||
get_validated_oauth_token, get_validated_app_specific_token)
|
||||
from auth.decorators import process_basic_auth
|
||||
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
|
||||
CreateRepositoryPermission, AdministerRepositoryPermission)
|
||||
|
|
@ -56,6 +57,9 @@ def generate_registry_jwt(auth_result):
|
|||
oauthtoken = get_validated_oauth_token()
|
||||
logger.debug('Authenticated OAuth token: %s', oauthtoken)
|
||||
|
||||
appspecifictoken = get_validated_app_specific_token()
|
||||
logger.debug('Authenticated app specific token: %s', appspecifictoken)
|
||||
|
||||
auth_header = request.headers.get('authorization', '')
|
||||
auth_credentials_sent = bool(auth_header)
|
||||
if auth_credentials_sent and not user and not token:
|
||||
|
|
@ -64,7 +68,8 @@ def generate_registry_jwt(auth_result):
|
|||
|
||||
access = []
|
||||
user_event_data = {
|
||||
'action': 'login',}
|
||||
'action': 'login',
|
||||
}
|
||||
tuf_root = DISABLED_TUF_ROOT
|
||||
|
||||
if len(scope_param) > 0:
|
||||
|
|
@ -149,7 +154,8 @@ def generate_registry_jwt(auth_result):
|
|||
access.append({
|
||||
'type': 'repository',
|
||||
'name': registry_and_repo,
|
||||
'actions': final_actions,})
|
||||
'actions': final_actions,
|
||||
})
|
||||
|
||||
# Set the user event data for the auth.
|
||||
if 'push' in final_actions:
|
||||
|
|
@ -162,7 +168,8 @@ def generate_registry_jwt(auth_result):
|
|||
user_event_data = {
|
||||
'action': user_action,
|
||||
'repository': reponame,
|
||||
'namespace': namespace,}
|
||||
'namespace': namespace,
|
||||
}
|
||||
tuf_root = get_tuf_root(repo, namespace, reponame)
|
||||
|
||||
elif user is None and token is None:
|
||||
|
|
@ -175,9 +182,9 @@ def generate_registry_jwt(auth_result):
|
|||
event = userevents.get_event(user.username)
|
||||
event.publish_event_data('docker-cli', user_event_data)
|
||||
|
||||
# Build the signed JWT.
|
||||
# Build the signed JWT.
|
||||
context, subject = build_context_and_subject(user=user, token=token, oauthtoken=oauthtoken,
|
||||
tuf_root=tuf_root)
|
||||
appspecifictoken=appspecifictoken, tuf_root=tuf_root)
|
||||
token = generate_bearer_token(audience_param, subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
|
||||
return jsonify({'token': token})
|
||||
|
|
|
|||
Reference in a new issue