Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
This commit is contained in:
Joseph Schorr
parent
53b762a875
commit
524d77f527
50 changed files with 943 additions and 289 deletions
29
util/config/validators/test/test_validate_apptokenauth.py
Normal file
29
util/config/validators/test/test_validate_apptokenauth.py
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
import pytest
|
||||
|
||||
from util.config.validators import ConfigValidationException
|
||||
from util.config.validators.validate_apptokenauth import AppTokenAuthValidator
|
||||
|
||||
from test.fixtures import *
|
||||
|
||||
@pytest.mark.parametrize('unvalidated_config', [
|
||||
({'AUTHENTICATION_TYPE': 'AppToken'}),
|
||||
({'AUTHENTICATION_TYPE': 'AppToken', 'FEATURE_APP_SPECIFIC_TOKENS': False}),
|
||||
({'AUTHENTICATION_TYPE': 'AppToken', 'FEATURE_APP_SPECIFIC_TOKENS': True,
|
||||
'FEATURE_DIRECT_LOGIN': True}),
|
||||
])
|
||||
def test_validate_invalid_auth_config(unvalidated_config, app):
|
||||
validator = AppTokenAuthValidator()
|
||||
|
||||
with pytest.raises(ConfigValidationException):
|
||||
validator.validate(unvalidated_config, None, None)
|
||||
|
||||
|
||||
def test_validate_auth(app):
|
||||
config = {
|
||||
'AUTHENTICATION_TYPE': 'AppToken',
|
||||
'FEATURE_APP_SPECIFIC_TOKENS': True,
|
||||
'FEATURE_DIRECT_LOGIN': False,
|
||||
}
|
||||
|
||||
validator = AppTokenAuthValidator()
|
||||
validator.validate(config, None, None)
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
import pytest
|
||||
|
||||
from util.config.validators import ConfigValidationException
|
||||
from util.config.validators.validate_oidcauth import OIDCAuthValidator
|
||||
|
||||
from test.fixtures import *
|
||||
|
||||
@pytest.mark.parametrize('unvalidated_config', [
|
||||
({'AUTHENTICATION_TYPE': 'OIDC'}),
|
||||
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice'}),
|
||||
({'AUTHENTICATION_TYPE': 'OIDC', 'INTERNAL_OIDC_SERVICE_ID': 'someservice',
|
||||
'SOMESERVICE_LOGIN_CONFIG': {}, 'FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH': True}),
|
||||
])
|
||||
def test_validate_invalid_oidc_auth_config(unvalidated_config, app):
|
||||
validator = OIDCAuthValidator()
|
||||
|
||||
with pytest.raises(ConfigValidationException):
|
||||
validator.validate(unvalidated_config, None, None)
|
||||
|
||||
|
||||
def test_validate_oidc_auth(app):
|
||||
config = {
|
||||
'AUTHENTICATION_TYPE': 'OIDC',
|
||||
'INTERNAL_OIDC_SERVICE_ID': 'someservice',
|
||||
'SOMESERVICE_LOGIN_CONFIG': {
|
||||
'CLIENT_ID': 'foo',
|
||||
'CLIENT_SECRET': 'bar',
|
||||
'OIDC_SERVER': 'http://someserver',
|
||||
},
|
||||
'HTTPCLIENT': None,
|
||||
}
|
||||
|
||||
validator = OIDCAuthValidator()
|
||||
validator.validate(config, None, None)
|
||||
19
util/config/validators/validate_apptokenauth.py
Normal file
19
util/config/validators/validate_apptokenauth.py
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
from util.config.validators import BaseValidator, ConfigValidationException
|
||||
|
||||
class AppTokenAuthValidator(BaseValidator):
|
||||
name = "apptoken-auth"
|
||||
|
||||
@classmethod
|
||||
def validate(cls, config, user, user_password):
|
||||
if config.get('AUTHENTICATION_TYPE', 'Database') != 'AppToken':
|
||||
return
|
||||
|
||||
# Ensure that app tokens are enabled, as they are required.
|
||||
if not config.get('FEATURE_APP_SPECIFIC_TOKENS', False):
|
||||
msg = 'Application token support must be enabled to use External Application Token auth'
|
||||
raise ConfigValidationException(msg)
|
||||
|
||||
# Ensure that direct login is disabled.
|
||||
if config.get('FEATURE_DIRECT_LOGIN', True):
|
||||
msg = 'Direct login must be disabled to use External Application Token auth'
|
||||
raise ConfigValidationException(msg)
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
from app import app
|
||||
from data.users.oidc import OIDCInternalAuth, UnknownServiceException
|
||||
from util.config.validators import BaseValidator, ConfigValidationException
|
||||
|
||||
class OIDCAuthValidator(BaseValidator):
|
||||
name = "oidc-auth"
|
||||
|
||||
@classmethod
|
||||
def validate(cls, config, user, user_password):
|
||||
if config.get('AUTHENTICATION_TYPE', 'Database') != 'OIDC':
|
||||
return
|
||||
|
||||
# Ensure that encrypted passwords are not required, as they do not work with OIDC auth.
|
||||
if config.get('FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH', False):
|
||||
raise ConfigValidationException('Encrypted passwords must be disabled to use OIDC auth')
|
||||
|
||||
login_service_id = config.get('INTERNAL_OIDC_SERVICE_ID')
|
||||
if not login_service_id:
|
||||
raise ConfigValidationException('Missing OIDC provider')
|
||||
|
||||
# By instantiating the auth engine, it will check if the provider exists and works.
|
||||
try:
|
||||
OIDCInternalAuth(config, login_service_id, False)
|
||||
except UnknownServiceException as use:
|
||||
raise ConfigValidationException(use.message)
|
||||
Reference in a new issue