Merge branch 'looksirdroids'

Joseph Schorr 2013-11-24 22:43:19 -05:00
commit 72acc8769b
22 changed files with 728 additions and 208 deletions


@ -48,6 +48,20 @@ def process_basic_auth(auth):
except model.DataModelException:
logger.debug('Invalid token: %s' % credentials[1])
elif '+' in credentials[0]:
logger.debug('Trying robot auth with credentials %s' % str(credentials))
# Use as robot auth
try:
robot = model.verify_robot(credentials[0], credentials[1])
logger.debug('Successfully validated robot: %s' % credentials[0])
ctx = _request_ctx_stack.top
ctx.authenticated_user = robot
identity_changed.send(app, identity=Identity(robot.username, 'username'))
return
except model.InvalidRobotException:
logger.debug('Invalid robot or password for robot: %s' % credentials[0])
else:
authenticated = model.verify_user(credentials[0], credentials[1])
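Review bot: The debug line at the top of the robot branch, `logger.debug('Trying robot auth with credentials %s' % str(credentials))`, writes the robot's password into the log, because `credentials[1]` is the secret handed to `model.verify_robot` a few lines later. Log only the account name, e.g. `logger.debug('Trying robot auth for: %s', credentials[0])`. The line above the branch, `logger.debug('Invalid token: %s' % credentials[1])`, has the same problem for access tokens, though it appears to predate this change. process_basic_auth starts and ends outside the hunk.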


@ -22,6 +22,14 @@ def close_db(exc):
app.teardown_request(close_db)
def random_string_generator(length=16):
def random_string():
random = SystemRandom()
return ''.join([random.choice(string.ascii_uppercase + string.digits)
for _ in range(length)])
return random_string
class BaseModel(Model):
class Meta:
database = db
@ -30,10 +38,12 @@ class BaseModel(Model):
class User(BaseModel):
username = CharField(unique=True, index=True)
password_hash = CharField(null=True)
email = CharField(unique=True, index=True)
email = CharField(unique=True, index=True,
default=random_string_generator(length=64))
verified = BooleanField(default=False)
stripe_id = CharField(index=True, null=True)
organization = BooleanField(default=False, index=True)
robot = BooleanField(default=False, index=True)
invoice_email = BooleanField(default=False)
@ -123,14 +133,6 @@ class RepositoryPermission(BaseModel):
)
def random_string_generator(length=16):
def random_string():
random = SystemRandom()
return ''.join([random.choice(string.ascii_uppercase + string.digits)
for x in range(length)])
return random_string
class Webhook(BaseModel):
public_id = CharField(default=random_string_generator(length=64),
unique=True, index=True)
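Review bot: The new `default=random_string_generator(length=64)` on `User.email` applies to every `User.create` call that omits an email, not only to robots, so a human account created without an address would get a random placeholder instead of failing. The model changes elsewhere in this commit also read that generated value back as the robot's password (`password = created.email`), which makes a column named `email` hold a credential. A dedicated nullable field for the robot secret would keep the two concerns apart; at minimum add a comment on the field such as `# Robots have no email; the random default doubles as the robot token (see create_robot)`. The `SystemRandom` source itself is appropriate for generating a secret.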


@ -6,6 +6,7 @@ import json
from database import *
from util.validation import *
from util.names import format_robot_username
logger = logging.getLogger(__name__)
@ -27,6 +28,10 @@ class InvalidOrganizationException(DataModelException):
pass
class InvalidRobotException(DataModelException):
pass
class InvalidTeamException(DataModelException):
pass
@ -60,7 +65,7 @@ def create_user(username, password, email):
try:
existing = User.get((User.username == username) | (User.email == email))
logger.debug('Existing user with same username or email.')
logger.info('Existing user with same username or email.')
# A user already exists with either the same username or email
if existing.username == username:
@ -104,6 +109,65 @@ def create_organization(name, email, creating_user):
raise InvalidOrganizationException('Invalid organization name: %s' % name)
def create_robot(robot_shortname, parent):
if not validate_username(robot_shortname):
raise InvalidRobotException('The name for the robot \'%s\' is invalid.' %
robot_shortname)
username = format_robot_username(parent.username, robot_shortname)
try:
User.get(User.username == username)
msg = 'Existing robot with name: %s' % username
logger.info(msg)
raise InvalidRobotException(msg)
except User.DoesNotExist:
pass
try:
created = User.create(username=username, robot=True)
service = LoginService.get(name='quayrobot')
password = created.email
FederatedLogin.create(user=created, service=service,
service_ident=password)
return created, password
except Exception as ex:
raise DataModelException(ex.message)
def verify_robot(robot_username, password):
joined = User.select().join(FederatedLogin).join(LoginService)
found = list(joined.where(FederatedLogin.service_ident == password,
LoginService.name == 'quayrobot',
User.username == robot_username))
if not found:
msg = ('Could not find robot with username: %s and supplied password.' %
robot_username)
raise InvalidRobotException(msg)
return found[0]
def delete_robot(robot_username):
try:
robot = User.get(username=robot_username, robot=True)
robot.delete_instance(recursive=True, delete_nullable=True)
except User.DoesNotExist:
raise InvalidRobotException('Could not find robot with username: %s' %
robot_username)
def list_entity_robots(entity_name):
selected = User.select(User.username, FederatedLogin.service_ident)
joined = selected.join(FederatedLogin)
return joined.where(User.robot == True,
User.username ** (entity_name + '+%')).tuples()
def convert_user_to_organization(user, admin_user):
# Change the user to an organization.
user.organization = True
@ -123,6 +187,7 @@ def convert_user_to_organization(user, admin_user):
return user
def create_team(name, org, team_role_name, description=''):
if not validate_username(name):
raise InvalidTeamException('Invalid team name: %s' % name)
@ -136,16 +201,16 @@ def create_team(name, org, team_role_name, description=''):
description=description)
def __get_user_admin_teams(org_name, team_name, username):
Org = User.alias()
user_teams = Team.select().join(TeamMember).join(User)
with_org = user_teams.switch(Team).join(Org,
on=(Org.id == Team.organization))
with_role = with_org.switch(Team).join(TeamRole)
admin_teams = with_role.where(User.username == username,
Org.username == org_name,
TeamRole.name == 'admin')
return admin_teams
def __get_user_admin_teams(org_name, username):
Org = User.alias()
user_teams = Team.select().join(TeamMember).join(User)
with_org = user_teams.switch(Team).join(Org,
on=(Org.id == Team.organization))
with_role = with_org.switch(Team).join(TeamRole)
admin_teams = with_role.where(User.username == username,
Org.username == org_name,
TeamRole.name == 'admin')
return admin_teams
def remove_team(org_name, team_name, removed_by_username):
@ -228,15 +293,16 @@ def set_team_org_permission(team, team_role_name, set_by_username):
def create_federated_user(username, email, service_name, service_id):
new_user = create_user(username, None, email)
new_user.verified = True
new_user.save()
new_user = create_user(username, None, email)
new_user.verified = True
new_user.save()
service = LoginService.get(LoginService.name == service_name)
federated_user = FederatedLogin.create(user=new_user, service=service,
service_ident=service_id)
service = LoginService.get(LoginService.name == service_name)
FederatedLogin.create(user=new_user, service=service,
service_ident=service_id)
return new_user
return new_user
def verify_federated_login(service_name, service_id):
selected = FederatedLogin.select(FederatedLogin, User)
@ -313,11 +379,19 @@ def get_matching_teams(team_prefix, organization):
return query.limit(10)
def get_matching_users(username_prefix, organization=None):
def get_matching_users(username_prefix, robot_namespace=None,
organization=None):
Org = User.alias()
users_no_orgs = (User.username ** (username_prefix + '%') &
(User.organization == False))
query = User.select(User.username, Org.username).where(users_no_orgs)
direct_user_query = (User.username ** (username_prefix + '%') &
(User.organization == False) & (User.robot == False))
if robot_namespace:
robot_prefix = format_robot_username(robot_namespace, username_prefix)
direct_user_query = (direct_user_query |
(User.username ** (robot_prefix + '%') &
(User.robot == True)))
query = User.select(User.username, Org.username, User.robot).where(direct_user_query)
if organization:
with_team = query.join(TeamMember, JOIN_LEFT_OUTER).join(Team,
@ -330,6 +404,7 @@ def get_matching_users(username_prefix, organization=None):
class MatchingUserResult(object):
def __init__(self, *args):
self.username = args[0]
self.is_robot = args[2]
if organization:
self.is_org_member = (args[1] == organization.username)
else:
@ -552,7 +627,7 @@ def get_all_repo_teams(namespace_name, repository_name):
def get_all_repo_users(namespace_name, repository_name):
select = RepositoryPermission.select(User.username, Role.name,
select = RepositoryPermission.select(User.username, User.robot, Role.name,
RepositoryPermission)
with_user = select.join(User)
with_role = with_user.switch(RepositoryPermission).join(Role)
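Review bot: `verify_robot` authenticates by matching the submitted password against `FederatedLogin.service_ident` in a SQL `where`, so the robot secret is stored and compared in plaintext, and `list_entity_robots` selects the same column to hand it back to callers. Anyone with read access to the database or a backup obtains working robot credentials; if the token has to stay retrievable for display it cannot be a one-way hash, but the trade-off deserves a comment on both functions, e.g. `# service_ident holds the robot token in cleartext so it can be shown again in the UI`. In `create_robot`, `except Exception as ex: raise DataModelException(ex.message)` also hides the real failure (a uniqueness race between the `User.get` check and `User.create`, or a missing 'quayrobot' LoginService row); catching the specific database errors would keep those distinguishable. The row made by `User.create` is left behind if `FederatedLogin.create` then fails, since the two writes are not visibly wrapped in a transaction.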


@ -15,7 +15,7 @@ from data.queue import dockerfile_build_queue
from data.plans import USER_PLANS, BUSINESS_PLANS, get_plan
from app import app
from util.email import send_confirmation_email, send_recovery_email
from util.names import parse_repository_name
from util.names import parse_repository_name, format_robot_username
from util.gravatar import compute_hash
from auth.permissions import (ReadRepositoryPermission,
ModifyRepositoryPermission,
@ -44,6 +44,10 @@ def api_login_required(f):
current_user.db_user().organization):
abort(401)
if (current_user and current_user.db_user() and
current_user.db_user().robot):
abort(401)
return f(*args, **kwargs)
return decorated_view
@ -260,20 +264,26 @@ def get_matching_users(prefix):
def get_matching_entities(prefix):
teams = []
organization_name = request.args.get('organization', None)
namespace_name = request.args.get('namespace', None)
robot_namespace = None
organization = None
if organization_name:
permission = OrganizationMemberPermission(organization_name)
try:
organization = model.get_organization(namespace_name)
# namespace name was an org
permission = OrganizationMemberPermission(namespace_name)
if permission.can():
try:
organization = model.get_organization(organization_name)
except model.InvalidOrganizationException:
pass
robot_namespace = namespace_name
if organization:
teams = model.get_matching_teams(prefix, organization)
if request.args.get('includeTeams', False):
teams = model.get_matching_teams(prefix, organization)
users = model.get_matching_users(prefix, organization)
except model.InvalidOrganizationException:
# namespace name was a user
if current_user.db_user().username == namespace_name:
robot_namespace = namespace_name
users = model.get_matching_users(prefix, robot_namespace, organization)
def entity_team_view(team):
result = {
@ -287,10 +297,11 @@ def get_matching_entities(prefix):
user_json = {
'name': user.username,
'kind': 'user',
'is_robot': user.is_robot,
}
if user.is_org_member is not None:
user_json['is_org_member'] = user.is_org_member
user_json['is_org_member'] = user.is_robot or user.is_org_member
return user_json
@ -449,7 +460,8 @@ def get_organization_private_allowed(orgname):
def member_view(member):
return {
'username': member.username
'username': member.username,
'is_robot': member.robot,
}
@ -911,8 +923,13 @@ def role_view(repo_perm_obj):
}
def wrap_role_view_org(role_json, org_member):
role_json['is_org_member'] = org_member
def wrap_role_view_user(role_json, user):
role_json['is_robot'] = user.robot
return role_json
def wrap_role_view_org(role_json, user, org_members):
role_json['is_org_member'] = user.robot or user.username in org_members
return role_json
@ -1021,22 +1038,30 @@ def list_repo_team_permissions(namespace, repository):
def list_repo_user_permissions(namespace, repository):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
# Determine how to wrap the permissions
role_view_func = role_view
# Lookup the organization (if any).
org = None
try:
model.get_organization(namespace) # Will raise an error if not org
org_members = model.get_organization_member_set(namespace)
def wrapped_role_view(repo_perm):
unwrapped = role_view(repo_perm)
return wrap_role_view_org(unwrapped,
repo_perm.user.username in org_members)
role_view_func = wrapped_role_view
org = model.get_organization(namespace) # Will raise an error if not org
except model.InvalidOrganizationException:
# This repository isn't under an org
pass
# Determine how to wrap the role(s).
def wrapped_role_view(repo_perm):
return wrap_role_view_user(role_view(repo_perm), repo_perm.user)
role_view_func = wrapped_role_view
if org:
org_members = model.get_organization_member_set(namespace)
current_func = role_view_func
def wrapped_role_org_view(repo_perm):
return wrap_role_view_org(current_func(repo_perm), repo_perm.user, org_members)
role_view_func = wrapped_role_org_view
# Load and return the permissions.
repo_perms = model.get_all_repo_users(namespace, repository)
return jsonify({
'permissions': {perm.user.username: role_view_func(perm)
@ -1056,13 +1081,12 @@ def get_user_permissions(namespace, repository, username):
permission = AdministerRepositoryPermission(namespace, repository)
if permission.can():
perm = model.get_user_reponame_permission(username, namespace, repository)
perm_view = role_view(perm)
perm_view = wrap_role_view_user(role_view(perm), perm.user)
try:
model.get_organization(namespace)
org_members = model.get_organization_member_set(namespace)
perm_view = wrap_role_view_org(perm_view,
perm.user.username in org_members)
perm_view = wrap_role_view_org(perm_view, perm.user, org_members)
except model.InvalidOrganizationException:
# This repository is not part of an organization
pass
@ -1101,13 +1125,12 @@ def change_user_permissions(namespace, repository, username):
perm = model.set_user_repo_permission(username, namespace, repository,
new_permission['role'])
perm_view = role_view(perm)
perm_view = wrap_role_view_user(role_view(perm), perm.user)
try:
model.get_organization(namespace)
org_members = model.get_organization_member_set(namespace)
perm_view = wrap_role_view_org(perm_view,
perm.user.username in org_members)
perm_view = wrap_role_view_org(perm_view, perm.user, org_members)
except model.InvalidOrganizationException:
# This repository is not part of an organization
pass
@ -1519,3 +1542,78 @@ def get_org_subscription(orgname):
})
abort(403)
def robot_view(name, token):
return {
'name': name,
'token': token,
}
@app.route('/api/user/robots', methods=['GET'])
@api_login_required
def get_user_robots():
user = current_user.db_user()
robots = model.list_entity_robots(user.username)
return jsonify({
'robots': [robot_view(name, password) for name, password in robots]
})
@app.route('/api/organization/<orgname>/robots', methods=['GET'])
@api_login_required
def get_org_robots(orgname):
permission = AdministerOrganizationPermission(orgname)
if permission.can():
robots = model.list_entity_robots(orgname)
return jsonify({
'robots': [robot_view(name, password) for name, password in robots]
})
abort(403)
@app.route('/api/user/robots/<robot_shortname>', methods=['PUT'])
@api_login_required
def create_robot(robot_shortname):
parent = current_user.db_user()
robot, password = model.create_robot(robot_shortname, parent)
resp = jsonify(robot_view(robot.username, password))
resp.status_code = 201
return resp
@app.route('/api/organization/<orgname>/robots/<robot_shortname>',
methods=['PUT'])
@api_login_required
def create_org_robot(orgname, robot_shortname):
permission = AdministerOrganizationPermission(orgname)
if permission.can():
parent = model.get_organization(orgname)
robot, password = model.create_robot(robot_shortname, parent)
resp = jsonify(robot_view(robot.username, password))
resp.status_code = 201
return resp
abort(403)
@app.route('/api/user/robots/<robot_shortname>', methods=['DELETE'])
@api_login_required
def delete_robot(robot_shortname):
parent = current_user.db_user()
model.delete_robot(format_robot_username(parent.username, robot_shortname))
return make_response('No Content', 204)
@app.route('/api/organization/<orgname>/robots/<robot_shortname>',
methods=['DELETE'])
@api_login_required
def delete_org_robot(orgname, robot_shortname):
permission = AdministerOrganizationPermission(orgname)
if permission.can():
model.delete_robot(format_robot_username(orgname, robot_shortname))
return make_response('No Content', 204)
abort(403)
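Review bot: In `get_matching_entities`, `organization = model.get_organization(namespace_name)` now appears to run before the `OrganizationMemberPermission(namespace_name).can()` check, so `organization` stays set for callers who are not members and is still passed to `model.get_matching_users(prefix, robot_namespace, organization)`. If that reading of the new side is right (the page has lost its +/- markers), a non-member can learn which matching users belong to the organization through `is_org_member`; resetting it with `organization = None` when `permission.can()` is false would restore the earlier behaviour. `request.args.get('includeTeams', False)` is also truthy for any non-empty string, including `includeTeams=false`. Separately, `get_user_robots` and `get_org_robots` return every robot's token in a list response; consider returning the token only from the create call or a per-robot endpoint.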


@ -62,6 +62,13 @@ def create_user():
except model.InvalidTokenException:
abort(401)
elif '+' in username:
try:
model.verify_robot(username, password)
return make_response('Verified', 201)
except model.InvalidRobotException:
abort(401)
existing_user = model.get_user(username)
if existing_user:
verified = model.verify_user(username, password)


@ -109,6 +109,7 @@ def initialize_database():
Visibility.create(name='public')
Visibility.create(name='private')
LoginService.create(name='github')
LoginService.create(name='quayrobot')
def wipe_database():
@ -131,6 +132,8 @@ def populate_database():
new_user_1.verified = True
new_user_1.save()
model.create_robot('dtrobot', new_user_1)
new_user_2 = model.create_user('public', 'password',
'jacob.moshenko@gmail.com')
new_user_2.verified = True
@ -187,6 +190,8 @@ def populate_database():
org.stripe_id = TEST_STRIPE_ID
org.save()
model.create_robot('neworgrobot', org)
owners = model.get_organization_team('buynlarge', 'owners')
owners.description = 'Owners have unfetterd access across the entire org.'
owners.save()


@ -3,6 +3,11 @@
margin: 0;
}
#input-box {
padding: 4px;
font-size: 14px;
}
html, body {
height: 100%;
}
@ -16,6 +21,45 @@ html, body {
border-bottom: 1px dashed #aaa;
}
.docker-auth-dialog .token-dialog-body .well {
margin-bottom: 0px;
}
.docker-auth-dialog .token-view {
background: transparent;
display: block;
border: 0px transparent;
font-size: 12px;
width: 100%;
}
.docker-auth-dialog .download-cfg {
float: left;
padding-top: 6px;
font-size: 16px;
}
.docker-auth-dialog .download-cfg .fa-download {
margin-right: 10px;
font-size: 25px;
vertical-align: middle;
}
#copyClipboard {
cursor: pointer;
}
#copyClipboard.zeroclipboard-is-hover {
background: #428bca;
color: white;
}
#clipboardCopied.hovering {
position: absolute;
right: 0px;
top: 40px;
}
.content-container {
padding-bottom: 70px;
}
@ -43,6 +87,27 @@ html, body {
visibility: hidden;
}
.robots-manager-element {
max-width: 800px;
}
.robots-manager-element .alert {
margin-bottom: 20px;
}
.robots-manager-element .robot a {
font-size: 16px;
cursor: pointer;
}
.robots-manager-element .robot .prefix {
color: #aaa;
}
.robots-manager-element .robot i {
margin-right: 10px;
}
.billing-options-element .current-card {
font-size: 16px;
margin-bottom: 20px;
@ -957,21 +1022,6 @@ p.editable:hover i {
width: 300px;
}
.repo #copyClipboard {
cursor: pointer;
}
.repo #copyClipboard.zeroclipboard-is-hover {
background: #428bca;
color: white;
}
.repo #clipboardCopied.hovering {
position: absolute;
right: 0px;
top: 40px;
}
.repo-image-view .id-container {
display: inline-block;
margin-top: 10px;
@ -1014,7 +1064,7 @@ p.editable:hover i {
margin-top: 28px;
}
.repo #clipboardCopied {
#clipboardCopied {
font-size: 0.8em;
display: inline-block;
margin-right: 10px;
@ -1025,7 +1075,7 @@ p.editable:hover i {
border-radius: 4px;
}
.repo #clipboardCopied.animated {
#clipboardCopied.animated {
-webkit-animation: fadeOut 4s ease-in-out 0s 1 forwards;
-moz-animation: fadeOut 4s ease-in-out 0s 1 forwards;
-ms-animation: fadeOut 4s ease-in-out 0s 1 forwards;
@ -1112,21 +1162,17 @@ p.editable:hover i {
width: 300px;
}
.repo-admin .token-dialog-body .well {
margin-bottom: 0px;
}
.repo-admin .token-view {
background: transparent;
display: block;
border: 0px transparent;
font-size: 12px;
width: 100%;
}
.repo-admin .panel {
display: inline-block;
width: 620px;
width: 720px;
}
.repo-admin .prefix {
color: #aaa;
}
.repo-admin .admin-search {
padding-top: 20px;
}
.repo-admin .user i.fa-user {
@ -1134,6 +1180,11 @@ p.editable:hover i {
margin-right: 7px;
}
.repo-admin .user i.fa-wrench {
margin-left: 1px;
margin-right: 5px;
}
.repo-admin .team i.fa-group {
margin-right: 4px;
}
@ -1265,18 +1316,6 @@ p.editable:hover i {
white-space: nowrap;
}
.repo .download-cfg {
float: left;
padding-top: 6px;
font-size: 16px;
}
.repo .download-cfg .icon-download {
margin-right: 10px;
font-size: 25px;
vertical-align: middle;
}
.navbar-nav > li > .user-dropdown {
padding-top: 9px;
padding-bottom: 9px;
@ -1732,16 +1771,16 @@ p.editable:hover i {
margin-right: 4px;
}
.org-admin #members .side-controls {
.side-controls {
float: right;
}
.org-admin #members .result-count {
.side-controls .result-count {
display: inline-block;
margin-right: 10px;
}
.org-admin #members .filter-input {
.side-controls .filter-input {
display: inline-block;
}


@ -0,0 +1,30 @@
<!-- Modal message dialog -->
<div class="modal fade" id="dockerauthmodal">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title">
<span ng-transclude></span>
</h4>
</div>
<div class="modal-body token-dialog-body">
<div class="alert alert-info">The docker <u>username</u> is <b>{{ username }}</b> and the <u>password</u> is the token below. You may use any value for email.</div>
<div class="well well-sm">
<input id="token-view" class="token-view" type="text" value="{{ token }}" onClick="this.select();" readonly>
</div>
</div>
<div class="modal-footer">
<span class="download-cfg" ng-show="isDownloadSupported()">
<i class="fa fa-download"></i>
<a href="javascript:void(0)" ng-click="downloadCfg(shownRobot)">Download .dockercfg file</a>
</span>
<div id="clipboardCopied" style="display: none">
Copied to clipboard
</div>
<button id="copyClipboard" type="button" class="btn btn-primary" data-clipboard-target="token-view">Copy to clipboard</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div><!-- /.modal-content -->
</div><!-- /.modal-dialog -->
</div><!-- /.modal -->


@ -0,0 +1,5 @@
<button class="btn btn-success" data-trigger="click" bs-popover="'static/directives/popup-input-dialog.html'"
data-placement="bottom" ng-click="popupShown()">
<span ng-transclude></span>
</button>


@ -0,0 +1,4 @@
<form name="popupinput" ng-submit="inputSubmit(); hide()" novalidate>
<input id="input-box" type="text form-control" placeholder="{{ placeholder }}" ng-blur="hide()"
ng-pattern="getRegexp(pattern)" ng-model="inputValue" ng-trim="false" ng-minlength="2" required>
</form>
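Review bot: The `type` attribute on the input is `type="text form-control"`, which is not a valid input type; browsers fall back to a text field, but the Bootstrap `form-control` class is never applied. It should read `type="text" class="form-control"`. The `ng-pattern` check here is client-side only, so the server-side name validation remains the real gate on robot and team names.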


@ -0,0 +1,40 @@
<div class="robots-manager-element">
<i class="fa fa-spinner fa-spin fa-3x" ng-show="loading"></i>
<div class="alert alert-info">Robot accounts allow for delegating access in multiple repositories to role-based accounts that you manage</div>
<div class="container" ng-show="!loading">
<div class="side-controls">
<span class="popup-input-button" pattern="'^[a-zA-Z][a-zA-Z0-9]+$'" placeholder="'Robot Account Name'"
submitted="createRobot(value)">
<i class="fa fa-wrench"></i> Create Robot Account
</span>
</div>
<table class="table">
<thead>
<th>Robot Account Name</th>
<th style="width: 150px"></th>
</thead>
<tr ng-repeat="robotInfo in robots">
<td class="robot">
<i class="fa fa-wrench"></i>
<a ng-click="showRobot(robotInfo)">
<span class="prefix">{{ getPrefix(robotInfo.name) }}+</span>{{ getShortenedName(robotInfo.name) }}
</a>
</td>
<td>
<span class="delete-ui" tabindex="0">
<span class="delete-ui-button" ng-click="deleteRobot(robotInfo)"><button class="btn btn-danger">Delete</button></span>
<i class="fa fa-times" bs-tooltip="tooltip.title" data-placement="right" title="Delete Robot Account"></i>
</span>
</td>
</tr>
</table>
</div>
<div class="docker-auth-dialog" username="shownRobot.name" token="shownRobot.token"
shown="!!shownRobot" counter="showRobotCounter">
<i class="fa fa-wrench"></i> {{ shownRobot.name }}
</div>
</div>


@ -550,7 +550,7 @@ quayApp.directive('plansTable', function () {
priority: 0,
templateUrl: '/static/directives/plans-table.html',
replace: false,
transclude: true,
transclude: false,
restrict: 'C',
scope: {
'plans': '=plans',
@ -566,6 +566,208 @@ quayApp.directive('plansTable', function () {
});
quayApp.directive('dockerAuthDialog', function () {
var directiveDefinitionObject = {
priority: 0,
templateUrl: '/static/directives/docker-auth-dialog.html',
replace: false,
transclude: true,
restrict: 'C',
scope: {
'username': '=username',
'token': '=token',
'shown': '=shown',
'counter': '=counter'
},
controller: function($scope, $element, Restangular) {
$scope.isDownloadSupported = function() {
try { return !!new Blob(); } catch(e){}
return false;
};
$scope.downloadCfg = function() {
var auth = $.base64.encode($scope.username + ":" + $scope.token);
config = {
"https://quay.io/v1/": {
"auth": auth,
"email": ""
}
};
var file = JSON.stringify(config, null, ' ');
var blob = new Blob([file]);
saveAs(blob, '.dockercfg');
};
var show = function(r) {
if (!$scope.shown || !$scope.username || !$scope.token) {
$('#dockerauthmodal').modal('hide');
return;
}
$('#copyClipboard').clipboardCopy();
$('#dockerauthmodal').modal({});
};
$scope.$watch('counter', show);
$scope.$watch('shown', show);
$scope.$watch('username', show);
$scope.$watch('token', show);
}
};
return directiveDefinitionObject;
});
quayApp.directive('robotsManager', function () {
var directiveDefinitionObject = {
priority: 0,
templateUrl: '/static/directives/robots-manager.html',
replace: false,
transclude: false,
restrict: 'C',
scope: {
'organization': '=organization',
'user': '=user'
},
controller: function($scope, $element, Restangular) {
$scope.robots = null;
$scope.loading = false;
$scope.shownRobot = null;
$scope.showRobotCounter = 0;
$scope.showRobot = function(info) {
$scope.shownRobot = info;
$scope.showRobotCounter++;
};
$scope.getShortenedName = function(name) {
var plus = name.indexOf('+');
return name.substr(plus + 1);
};
$scope.getPrefix = function(name) {
var plus = name.indexOf('+');
return name.substr(0, plus);
};
$scope.createRobot = function(name) {
if (!name) { return; }
var url = $scope.organization ? getRestUrl('organization', $scope.organization.name, 'robots', name) :
getRestUrl('user/robots', name);
var createRobot = Restangular.one(url);
createRobot.customPUT().then(function(resp) {
$scope.robots.push(resp);
}, function(resp) {
bootbox.dialog({
"message": resp.data ? resp.data : 'The robot account could not be created',
"title": "Cannot create robot account",
"buttons": {
"close": {
"label": "Close",
"className": "btn-primary"
}
}
});
});
};
$scope.deleteRobot = function(info) {
var shortName = $scope.getShortenedName(info.name);
var url = $scope.organization ? getRestUrl('organization', $scope.organization.name, 'robots', shortName) :
getRestUrl('user/robots', shortName);
var deleteRobot = Restangular.one(url);
deleteRobot.customDELETE().then(function(resp) {
for (var i = 0; i < $scope.robots.length; ++i) {
if ($scope.robots[i].name == info.name) {
$scope.robots.splice(i, 1);
return;
}
}
}, function() {
bootbox.dialog({
"message": 'The selected robot account could not be deleted',
"title": "Cannot delete robot account",
"buttons": {
"close": {
"label": "Close",
"className": "btn-primary"
}
}
});
});
};
var update = function() {
if (!$scope.user && !$scope.organization) { return; }
if ($scope.loading) { return; }
$scope.loading = true;
var url = $scope.organization ? getRestUrl('organization', $scope.organization.name, 'robots') : 'user/robots';
var getRobots = Restangular.one(url);
getRobots.customGET($scope.obj).then(function(resp) {
$scope.robots = resp.robots;
$scope.loading = false;
});
};
$scope.$watch('organization', update);
$scope.$watch('user', update);
}
};
return directiveDefinitionObject;
});
quayApp.directive('popupInputButton', function () {
var directiveDefinitionObject = {
priority: 0,
templateUrl: '/static/directives/popup-input-button.html',
replace: false,
transclude: true,
restrict: 'C',
scope: {
'placeholder': '=placeholder',
'pattern': '=pattern',
'submitted': '&submitted'
},
controller: function($scope, $element) {
$scope.popupShown = function() {
setTimeout(function() {
var box = $('#input-box');
box[0].value = '';
box.focus();
}, 10);
};
$scope.getRegexp = function(pattern) {
if (!pattern) {
pattern = '.*';
}
return new RegExp(pattern);
};
$scope.inputSubmit = function() {
var box = $('#input-box');
if (box.hasClass('ng-invalid')) { return; }
var entered = box[0].value;
if (!entered) {
return;
}
if ($scope.submitted) {
$scope.submitted({'value': entered});
}
};
}
};
return directiveDefinitionObject;
});
quayApp.directive('organizationHeader', function () {
var directiveDefinitionObject = {
priority: 0,
@ -738,9 +940,10 @@ quayApp.directive('entitySearch', function () {
transclude: false,
restrict: 'C',
scope: {
'organization': '=organization',
'namespace': '=namespace',
'inputTitle': '=inputTitle',
'entitySelected': '=entitySelected'
'entitySelected': '=entitySelected',
'includeTeams': '=includeTeams'
},
controller: function($scope, $element) {
if (!$scope.entitySelected) { return; }
@ -748,15 +951,16 @@ quayApp.directive('entitySearch', function () {
number++;
var input = $element[0].firstChild;
$scope.organization = $scope.organization || '';
$scope.namespace = $scope.namespace || '';
$(input).typeahead({
name: 'entities' + number,
remote: {
url: '/api/entities/%QUERY',
replace: function (url, uriEncodedQuery) {
url = url.replace('%QUERY', uriEncodedQuery);
if ($scope.organization) {
url += '?organization=' + encodeURIComponent($scope.organization);
url += '?namespace=' + encodeURIComponent($scope.namespace);
if ($scope.includeTeams) {
url += '&includeTeams=true'
}
return url;
},
@ -775,14 +979,16 @@ quayApp.directive('entitySearch', function () {
},
template: function (datum) {
template = '<div class="entity-mini-listing">';
if (datum.entity.kind == 'user') {
if (datum.entity.kind == 'user' && !datum.entity.is_robot) {
template += '<i class="fa fa-user fa-lg"></i>';
} else if (datum.entity.kind == 'user' && datum.entity.is_robot) {
template += '<i class="fa fa-wrench fa-lg"></i>';
} else if (datum.entity.kind == 'team') {
template += '<i class="fa fa-group fa-lg"></i>';
}
template += '<span class="name">' + datum.value + '</span>';
if (datum.entity.is_org_member !== undefined && !datum.entity.is_org_member) {
if (datum.entity.is_org_member !== undefined && !datum.entity.is_org_member && datum.kind == 'user') {
template += '<div class="alert-warning warning">This user is outside your organization</div>';
}
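Review bot: The new condition in the entitySearch `template` function tests `datum.kind == 'user'`, while every other check in that function reads `datum.entity.kind`; if `datum` has no top-level `kind`, the "outside your organization" warning will never render. It should probably be `datum.entity.kind == 'user'`. In the dockerAuthDialog controller, `config = {` inside `downloadCfg` lacks `var` and creates an implicit global. The `template` function also concatenates `datum.value` into HTML without escaping; that line may predate this change, but entity names are server-supplied and should be escaped before insertion. The template function continues outside the hunk.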


@ -422,30 +422,19 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
'html': true
});
$('#copyClipboard').clipboardCopy();
var namespace = $routeParams.namespace;
var name = $routeParams.name;
$scope.permissions = {'team': [], 'user': []};
$scope.isDownloadSupported = function() {
try { return !!new Blob(); } catch(e){}
return false;
$scope.getPrefix = function(name) {
var plus = name.indexOf('+');
return name.substr(0, plus + 1);
};
$scope.downloadCfg = function(token) {
var auth = $.base64.encode("$token:" + token.code);
config = {
"https://quay.io/v1/": {
"auth": auth,
"email": ""
}
};
var file = JSON.stringify(config, null, ' ');
var blob = new Blob([file]);
saveAs(blob, '.dockercfg');
$scope.getShortenedName = function(name) {
var plus = name.indexOf('+');
return name.substr(plus + 1);
};
$scope.grantRole = function() {
@ -468,7 +457,7 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
// Need the $scope.apply for both the permission stuff to change and for
// the XHR call to be made.
$scope.$apply(function() {
$scope.addRole(entity.name, 'read', entity.kind, entity.is_org_member)
$scope.addRole(entity.name, 'read', entity.kind);
});
};
@ -486,15 +475,14 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
});
};
$scope.addRole = function(entityName, role, kind, is_org_member) {
$scope.addRole = function(entityName, role, kind) {
var permission = {
'role': role,
'is_org_member': is_org_member
};
var permissionPost = Restangular.one(getRestUrl('repository', namespace, name, 'permissions', kind, entityName));
permissionPost.customPOST(permission).then(function() {
$scope.permissions[kind][entityName] = permission;
permissionPost.customPOST(permission).then(function(result) {
$scope.permissions[kind][entityName] = result;
}, function(result) {
$('#cannotchangeModal').modal({});
});
@ -555,9 +543,11 @@ function RepoAdminCtrl($scope, Restangular, $routeParams, $rootScope) {
});
};
$scope.shownTokenCounter = 0;
$scope.showToken = function(tokenCode) {
$scope.shownToken = $scope.tokens[tokenCode];
$('#tokenmodal').modal({});
$scope.shownTokenCounter++;
};
$scope.askChangeAccess = function(newAccess) {
@ -1104,17 +1094,7 @@ function OrgViewCtrl($rootScope, $scope, Restangular, $routeParams) {
});
};
$scope.createTeamShown = function() {
setTimeout(function() {
$('#create-team-box').focus();
}, 10);
};
$scope.createTeam = function() {
var box = $('#create-team-box');
if (box.hasClass('ng-invalid')) { return; }
var teamname = box[0].value.toLowerCase();
$scope.createTeam = function(teamname) {
if (!teamname) {
return;
}
@ -1247,7 +1227,7 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
'html': true
});
var orgname = $routeParams.orgname;
$scope.orgname = $routeParams.orgname;
var teamname = $routeParams.teamname;
$rootScope.title = 'Loading...';
@ -1258,7 +1238,7 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
if ($scope.members[member.name]) { return; }
$scope.$apply(function() {
var addMember = Restangular.one(getRestUrl('organization', orgname, 'team', teamname, 'members', member.name));
var addMember = Restangular.one(getRestUrl('organization', $scope.orgname, 'team', teamname, 'members', member.name));
addMember.customPOST().then(function(resp) {
$scope.members[member.name] = resp;
}, function() {
@ -1268,7 +1248,7 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
};
$scope.removeMember = function(username) {
var removeMember = Restangular.one(getRestUrl('organization', orgname, 'team', teamname, 'members', username));
var removeMember = Restangular.one(getRestUrl('organization', $scope.orgname, 'team', teamname, 'members', username));
removeMember.customDELETE().then(function(resp) {
delete $scope.members[username];
}, function() {
@ -1279,7 +1259,7 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
$scope.updateForDescription = function(content) {
$scope.organization.teams[teamname].description = content;
var updateTeam = Restangular.one(getRestUrl('organization', orgname, 'team', teamname));
var updateTeam = Restangular.one(getRestUrl('organization', $scope.orgname, 'team', teamname));
var data = $scope.organization.teams[teamname];
updateTeam.customPUT(data).then(function(resp) {
}, function() {
@ -1288,7 +1268,7 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
};
var loadOrganization = function() {
var getOrganization = Restangular.one(getRestUrl('organization', orgname))
var getOrganization = Restangular.one(getRestUrl('organization', $scope.orgname))
getOrganization.get().then(function(resp) {
$scope.organization = resp;
$scope.team = $scope.organization.teams[teamname];
@ -1301,12 +1281,12 @@ function TeamViewCtrl($rootScope, $scope, Restangular, $routeParams) {
};
var loadMembers = function() {
var getMembers = Restangular.one(getRestUrl('organization', orgname, 'team', teamname, 'members'));
var getMembers = Restangular.one(getRestUrl('organization', $scope.orgname, 'team', teamname, 'members'));
getMembers.get().then(function(resp) {
$scope.members = resp.members;
$scope.canEditMembers = resp.can_edit;
$scope.loading = !$scope.organization || !$scope.members;
$rootScope.title = teamname + ' (' + orgname + ')';
$rootScope.title = teamname + ' (' + $scope.orgname + ')';
$rootScope.description = 'Team management page for team ' + teamname + ' under organization ' + orgname;
}, function() {
$scope.organization = null;


@ -1,3 +0,0 @@
<form name="newteamform" ng-submit="createTeam(); hide()" novalidate>
<input id="create-team-box" type="text form-control" placeholder="Team Name" ng-blur="hide()" ng-pattern="/^[a-zA-Z][a-zA-Z0-9]+$/" ng-model="newTeamName" ng-trim="false" ng-minlength="2" required>
</form>


@ -50,11 +50,32 @@ Email: my@email.com</pre>
</div>
<br>
<h3>Using robot accounts <span class="label label-info">Requires Admin Access</span></h3>
<div class="container">
<div class="description-overview">
There are many circumstances where permissions for repositories need to be shared across those repositories (continuous integration, etc).
To support this case, Quay allows the use of <b>robot accounts</b> which can be created in the user/organization's admin view and can be
shared by multiple repositories that are owned by that user or organization.
</div>
<ul class="description-list">
<li>Robot accounts can be managed in the user or organization admin's interface
<li><b>Adding a robot account:</b> Click "Create Robot Account" and enter a name for the account. The username will become <b>namespace+accountname</b> where "namespace" is the name of the user or organiaztion.
<li><b>Setting permissions:</b> Permissions can be granted to a robot account in a repository by adding that account like any other user or team.
<li><b>Deleting a robot account:</b> A robot account can be deleted by clicking the <b>X</b> and then clicking <b>Delete</b>
<li><b>Using a robot account:</b> To use the robot account, the following credentials can be used:
<dl class="dl-horizontal">
<dt>Username</dt><dd>namespace+accountname (Example: mycompany+deploy)</dd>
<dt>Password</dt><dd>(token value can be found by clicking on the robot account in the admin panel)</dd>
<dt>Email</dt><dd>This value is ignored, any value may be used.</dd>
</dl>
</ul>
</div>
<h3>Using access tokens in place of users <span class="label label-info">Requires Admin Access</span></h3>
<div class="container">
<div class="description-overview">
There are many circumstances where it makes sense to <b>not</b> use a user's username and password (deployment scripts, etc).
To support this case, Quay allows the use of <b>access tokens</b> which can be created on a repository and have read and/or write
For per-repository token authentication, Quay allows the use of <b>access tokens</b> which can be created on a repository and have read and/or write
permissions, without any passwords.
</div>


@ -15,6 +15,7 @@
<ul class="nav nav-pills nav-stacked">
<li class="active"><a href="javascript:void(0)" data-toggle="tab" data-target="#plan">Plan and Usage</a></li>
<li><a href="javascript:void(0)" data-toggle="tab" data-target="#members" ng-click="loadMembers()">Members</a></li>
<li><a href="javascript:void(0)" data-toggle="tab" data-target="#robots">Robot Accounts</a></li>
<li ng-show="hasPaidPlan"><a href="javascript:void(0)" data-toggle="tab" data-target="#billingoptions">Billing</a></li>
<li ng-show="hasPaidPlan"><a href="javascript:void(0)" data-toggle="tab" data-target="#billing" ng-click="loadInvoices()">Billing History</a></li>
</ul>
@ -28,6 +29,11 @@
<div class="plan-manager" organization="orgname" plan-changed="planChanged(plan)"></div>
</div>
<!-- Robot accounts tab -->
<div id="robots" class="tab-pane">
<div class="robots-manager" organization="organization"></div>
</div>
<!-- Billing Options tab -->
<div id="billingoptions" class="tab-pane">
<div class="billing-options" organization="organization"></div>


@ -9,7 +9,12 @@
<div class="org-view container" ng-show="!loading && organization">
<div class="organization-header" organization="organization">
<div class="header-buttons" ng-show="organization.is_admin">
<button class="btn btn-success" data-trigger="click" bs-popover="'static/partials/create-team-dialog.html'" data-placement="bottom" ng-click="createTeamShown()"><i class="fa fa-group"></i> Create Team</button>
<span class="popup-input-button" pattern="'^[a-zA-Z][a-zA-Z0-9]+$'" placeholder="'Team Name'"
submitted="createTeam(value)">
<i class="fa fa-group"></i> Create Team
</span>
<a class="btn btn-default" href="/organization/{{ organization.name }}/admin"><i class="fa fa-gear"></i> Settings</a>
</div>
</div>
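Review bot: The new `popup-input-button` accepts mixed-case names (`pattern="'^[a-zA-Z][a-zA-Z0-9]+$'"`) and passes the raw value to `createTeam(value)`, whereas the removed controller code lowercased the input with `box[0].value.toLowerCase()` before using it. The rest of `createTeam` lies outside the visible hunk, so it may still normalise the name; if it does not, `Dev` and `dev` reach the API as different strings. Either keep `teamname = teamname.toLowerCase();` at the top of `createTeam` or narrow the pattern to lowercase. The pattern is only a client-side hint, so the same naming rule should also be enforced by the server's team-creation handler.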


@ -34,16 +34,16 @@
<div id="permissions" class="tab-pane active">
<!-- User Access Permissions -->
<div class="panel panel-default">
<div class="panel-heading">User <span ng-show="repo.is_organization">and Team</span> Access Permissions
<div class="panel-heading">Access Permissions
<i class="info-icon fa fa-info-circle" data-placement="left" data-content="Allow any number of users or teams to read, write or administer this repository"></i>
<i class="info-icon fa fa-info-circle" data-placement="left" data-content="Allow any number of users, robot accounts or teams to read, write or administer this repository"></i>
</div>
<div class="panel-body">
<table class="permissions">
<thead>
<tr>
<td>User<span ng-show="repo.is_organization">/Team</span></td>
<td style="min-width: 400px;">User<span ng-show="repo.is_organization">/Team</span>/Robot Account</td>
<td>Permissions</td>
<td style="width: 95px;"></td>
</tr>
@ -52,7 +52,7 @@
<!-- Team Permissions -->
<tr ng-repeat="(name, permission) in permissions['team']">
<td class="team entity">
<i class="fa fa-group"></i>
<i class="fa fa-group" title="Team" bs-tooltip="tooltip.title"></i>
<span><a href="/organization/{{ repo.namespace }}/teams/{{ name }}">{{name}}</a></span>
</td>
<td class="user-permissions">
@ -68,9 +68,10 @@
<!-- User Permissions -->
<tr ng-repeat="(name, permission) in permissions['user']">
<td class="{{ 'user entity ' + (permission.is_org_member? '' : 'outside') }}">
<i class="fa fa-user"></i>
<span>{{name}}</span>
<td class="{{ 'user entity ' + (permission.is_org_member ? '' : 'outside') }}">
<i class="fa fa-user" ng-show="!permission.is_robot" title="User" bs-tooltip="tooltip.title"></i>
<i class="fa fa-wrench" ng-show="permission.is_robot" title="Robot Account" bs-tooltip="tooltip.title"></i>
<span class="prefix">{{getPrefix(name)}}</span><span>{{getShortenedName(name)}}</span>
<i class="fa fa-exclamation-triangle" ng-show="permission.is_org_member === false" data-trigger="hover" bs-popover="{'content': 'This user is not a member of the organization'}"></i>
</td>
<td class="user-permissions">
@ -87,8 +88,8 @@
</tr>
<tr>
<td colspan="2">
<span class="entity-search" organization="repo.namespace" input-title="'Add a ' + (repo.is_organization ? 'team or ' : '') + 'user...'" entity-selected="addNewPermission"></span>
<td colspan="2" class="admin-search">
<span class="entity-search" namespace="repo.namespace" include-teams="true" input-title="'Add a ' + (repo.is_organization ? 'team or ' : '') + 'user...'" entity-selected="addNewPermission"></span>
</td>
</tr>
</table>
@ -106,7 +107,7 @@
<table class="permissions">
<thead>
<tr>
<td>Token Description</td>
<td style="min-width: 400px;">Token Description</td>
<td>Permissions</td>
<td></td>
</tr>
@ -132,10 +133,10 @@
</tr>
<tr>
<td>
<td class="admin-search">
<input type="text" class="form-control" placeholder="New token description" ng-model="newToken.friendlyName"required>
</td>
<td>
<td class="admin-search">
<button type="submit" ng-disabled="createTokenForm.$invalid" class="btn btn-sm btn-default">Create</button>
</td>
</tr>
@ -237,6 +238,10 @@
</div>
</div>
<div class="docker-auth-dialog" username="shownToken.friendlyName" token="shownToken.code"
shown="!!shownToken" counter="shownTokenCounter">
<i class="fa fa-key"></i> {{ shownToken.friendlyName }}
</div>
<!-- Modal message dialog -->
<div class="modal fade" id="cannotchangeModal">
@ -256,36 +261,6 @@
</div><!-- /.modal-dialog -->
</div><!-- /.modal -->
<!-- Modal message dialog -->
<div class="modal fade" id="tokenmodal">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
<h4 class="modal-title"><i class="fa fa-key"></i> {{ shownToken.friendlyName }}</h4>
</div>
<div class="modal-body token-dialog-body">
<div class="alert alert-info">The docker <u>username</u> is <b>$token</b> and the <u>password</u> is the token. You may use any value for email.</div>
<div class="well well-sm">
<input id="token-view" class="token-view" type="text" value="{{ shownToken.code }}" onClick="this.select();" readonly>
</div>
</div>
<div class="modal-footer">
<span class="download-cfg" ng-show="isDownloadSupported()">
<i class="icon-download"></i>
<a href="javascript:void(0)" ng-click="downloadCfg(shownToken)">Download .dockercfg file</a>
</span>
<div id="clipboardCopied" style="display: none">
Copied to clipboard
</div>
<button id="copyClipboard" type="button" class="btn btn-primary" data-clipboard-target="token-view">Copy to clipboard</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
</div>
</div><!-- /.modal-content -->
</div><!-- /.modal-dialog -->
</div><!-- /.modal -->
<!-- Modal message dialog -->
<div class="modal fade" id="makepublicModal">
<div class="modal-dialog">
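Review bot: In the user-permissions row the `outside` class and the warning icon use different tests: the cell gets `outside` whenever `permission.is_org_member` is falsy, but the triangle is shown only for `permission.is_org_member === false`. With this commit the entry comes from the server response (`$scope.permissions[kind][entityName] = result`), so an entry that omits `is_org_member` would be styled as an outsider with no explanation; whether robot accounts or non-organization repositories omit it is not visible here. Using the strict test in both places, `(permission.is_org_member === false ? 'outside' : '')`, keeps the non-member marker unambiguous. The `input-title` on the entity search also still reads 'team or user' although robot accounts can now be added.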


@ -20,7 +20,8 @@
<table class="permissions">
<tr ng-repeat="(name, member) in members">
<td class="user entity">
<i class="fa fa-user"></i>
<i class="fa fa-user" ng-show="!member.is_robot"></i>
<i class="fa fa-wrench" ng-show="member.is_robot"></i>
<span>{{ member.username }}</span>
</td>
<td>
@ -33,7 +34,7 @@
<tr ng-show="canEditMembers">
<td colspan="2">
<span class="entity-search" organization="''" input-title="'Add a user...'" entity-selected="addNewMember"></span>
<span class="entity-search" namespace="orgname" include-teams="false" input-title="'Add a user...'" entity-selected="addNewMember"></span>
</td>
</tr>
</table>
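Review bot: `namespace="orgname"` on the entity-search line relies on the controller exposing `$scope.orgname`, and that rename looks incomplete on the controller side. In TeamViewCtrl's `loadMembers` success handler, `$rootScope.description = ... + orgname` still reads the local `orgname` whose `var` declaration this commit removes. Unless `orgname` is declared somewhere outside the visible hunks, that line throws a ReferenceError once the members load; it should read `$scope.orgname` like the title line above it. Separately, the two member icons here have no `title`/`bs-tooltip`, unlike the matching icons added to the repository admin table.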


@ -28,6 +28,7 @@
<ul class="nav nav-pills nav-stacked">
<li class="active"><a href="javascript:void(0)" data-toggle="tab" data-target="#plan">Plan and Usage</a></li>
<li ng-show="hasPaidPlan"><a href="javascript:void(0)" data-toggle="tab" data-target="#billing">Billing Options</a></li>
<li><a href="javascript:void(0)" data-toggle="tab" data-target="#robots">Robot Accounts</a></li>
<li><a href="javascript:void(0)" data-toggle="tab" data-target="#password">Set Password</a></li>
<li><a href="javascript:void(0)" data-toggle="tab" data-target="#migrate" id="migrateTab">Convert to Organization</a></li>
</ul>
@ -59,6 +60,11 @@
</div>
</div>
<!-- Robot accounts tab -->
<div id="robots" class="tab-pane">
<div class="robots-manager" user="user"></div>
</div>
<!-- Billing options tab -->
<div id="billing" class="tab-pane">
<div class="billing-options" user="user"></div>

Binary file not shown.


@ -20,3 +20,7 @@ def parse_repository_name(f):
(namespace, repository) = parse_namespace_repository(repository)
return f(namespace, repository, *args, **kwargs)
return wrapper
def format_robot_username(parent_username, robot_shortname):
return '%s+%s' % (parent_username, robot_shortname)
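Review bot: `format_robot_username` joins its two arguments with `+` without checking that neither already contains one, and it has no docstring. The admin-page helpers `getPrefix` and `getShortenedName` split on the first `+`, so a parent or short name containing `+` would produce a username that splits differently from how it was built. Whether callers validate the parts first is not visible in this hunk; if they do not, a guard such as `if '+' in parent_username or '+' in robot_shortname: raise ValueError('robot name parts may not contain +')` belongs here. A one-line docstring, `"""Return the full robot username, '<parent>+<shortname>'."""`, would document the format.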