Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password

2017-12-08 17:05:59 -05:00 · 2017-12-08 17:05:59 -05:00 · 524d77f527
commit 524d77f527
parent 53b762a875
50 changed files with 943 additions and 289 deletions
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@ -1121,6 +1121,27 @@ class RegistryTestsMixin(object):
    self.assertEquals(1, logs[0]['metadata']['oauth_token_id'])


+  def test_push_pull_logging_byclitoken(self):
+    # Push the repository.
+    self.do_push('devtable', 'newrepo', 'devtable', 'password')
+
+    # Pull the repository.
+    self.do_pull('devtable', 'newrepo', '$app', 'test')
+
+    # Retrieve the logs and ensure the pull was added.
+    self.conduct_api_login('devtable', 'password')
+    result = self.conduct('GET', '/api/v1/repository/devtable/newrepo/logs')
+    logs = result.json()['logs']
+
+    self.assertEquals(2, len(logs))
+    self.assertEquals('pull_repo', logs[0]['kind'])
+    self.assertEquals('devtable', logs[0]['metadata']['namespace'])
+    self.assertEquals('newrepo', logs[0]['metadata']['repo'])
+
+    self.assertEquals('devtable', logs[0]['performer']['name'])
+    self.assertTrue('app_specific_token' in logs[0]['metadata'])
+
+
  def test_pull_publicrepo_anonymous(self):
    # Add a new repository under the public user, so we have a real repository to pull.
    self.do_push('public', 'newrepo', 'public', 'password')
@ -2447,6 +2468,10 @@ class LoginTests(object):
    self.do_login('$oauthtoken', 'test', expect_success=True,
                  scope='repository:devtable/complex:pull')

+  def test_cli_token(self):
+    self.do_login('$app', 'test', expect_success=True,
+                  scope='repository:devtable/complex:pull')
+

 class V1LoginTests(V1RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, BaseRegistryMixin, LiveServerTestCase):
  """ Tests for V1 login. """
@ -2518,6 +2543,16 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base
  def test_invalidpassword_noscope(self):
    self.do_logincheck('public', 'invalidpass', expect_success=False, scope=None)

+  def test_cli_noaccess(self):
+    self.do_logincheck('$app', 'test', expect_success=True,
+                       scope='repository:freshuser/unknownrepo:pull,push',
+                       expected_actions=[])
+
+  def test_cli_public(self):
+    self.do_logincheck('$app', 'test', expect_success=True,
+                       scope='repository:public/publicrepo:pull,push',
+                       expected_actions=['pull'])
+
  def test_oauth_noaccess(self):
    self.do_logincheck('$oauthtoken', 'test', expect_success=True,
                       scope='repository:freshuser/unknownrepo:pull,push',