Add support for an external JWT-based authentication system

This authentication system hits two HTTP endpoints to check and verify the existence of users: Existance endpoint: GET http://endpoint/ with Authorization: Basic (username:) => Returns 200 if the username/email exists, 4** otherwise Verification endpoint: GET http://endpoint/ with Authorization: Basic (username:password) => Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-02 18:19:22 -04:00 · 2015-06-02 18:19:22 -04:00 · 8aac3fd86e
commit 8aac3fd86e
parent 42da017d69
10 changed files with 417 additions and 38 deletions
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@ -58,8 +58,8 @@
                 line with a non-encrypted password and must generate an encrypted
                 password to use.
              </div>
-              <div class="help-text" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
-                This feature is <strong>highly recommended</strong> for setups with LDAP authentication, as Docker currently stores passwords in <strong>plaintext</strong> on user's machines.
+              <div class="help-text" ng-if="config.AUTHENTICATION_TYPE != 'Database'">
+                This feature is <strong>highly recommended</strong> for setups with external authentication, as Docker currently stores passwords in <strong>plaintext</strong> on user's machines.
              </div>
            </td>
          </tr>
@ -316,19 +316,20 @@
      <div class="co-panel-body">
        <div class="description">
          <p>
-            Authentication for the registry can be handled by either the registry itself or LDAP.
-            External authentication providers (such as GitHub) can be used on top of this choice.
+            Authentication for the registry can be handled by either the registry itself, LDAP or external JWT endpoint.
+            <br>
+            Additional external authentication providers (such as GitHub) can be used on top of this choice.
          </p>
        </div>

-        <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
-          It is <strong>highly recommended</strong> to require encrypted client passwords. LDAP passwords used in the Docker client will be stored in <strong>plaintext</strong>!
+        <div class="co-alert co-alert-warning" ng-if="config.AUTHENTICATION_TYPE != 'Database' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+          It is <strong>highly recommended</strong> to require encrypted client passwords. External passwords used in the Docker client will be stored in <strong>plaintext</strong>!
          <a href="javascript:void(0)" ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
        </div>

-        <div class="co-alert co-alert-success" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+        <div class="co-alert co-alert-success" ng-if="config.AUTHENTICATION_TYPE != 'Database' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
          Note: The "Require Encrypted Client Passwords" feature is currently enabled which will
-          prevent LDAP passwords from being saved as plaintext by the Docker client.
+          prevent passwords from being saved as plaintext by the Docker client.
        </div>

        <table class="config-table">
@ -338,11 +339,72 @@
              <select ng-model="config.AUTHENTICATION_TYPE">
                <option value="Database">Local Database</option>
                <option value="LDAP">LDAP</option>
+                <option value="JWT">JWT Custom Authentication</option>
              </select>
            </td>
          </tr>
        </table>

+        <!-- JWT Custom Authentication -->
+        <div class="co-alert co-alert-info" ng-if="config.AUTHENTICATION_TYPE == 'JWT'">
+          JSON Web Token authentication allows your organization to provide an HTTP endpoint that
+          verifies user credentials on behalf of <span class="registry-name"></span>.
+          <br>
+          Documentation
+          on the API required can be found here: <a href="https://coreos.com/docs/enterprise-registry/jwt-auth" target="_blank">https://coreos.com/docs/enterprise-registry/jwt-auth</a>.
+        </div>
+
+        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'JWT'">
+          <tr>
+            <td>User Verification Endpoint:</td>
+            <td>
+              <span class="config-string-field" binding="config.JWT_VERIFY_ENDPOINT"
+                    pattern="http(s)?://.+"></span>
+              <div class="help-text">
+              The URL (starting with http or https) on the JWT authentication server for verifying username and password credentials.
+              </div>
+
+              <div class="help-text" style="margin-top: 6px;">
+              Credentials will be sent in the <code>Authorization</code> header as Basic Auth, and this endpoint should return <code>200 OK</code> on success (or a <code>4**</code> otherwise).
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td>User Exists Endpoint:</td>
+            <td>
+              <span class="config-string-field" binding="config.JWT_EXISTS_ENDPOINT"
+                    pattern="http(s)?://.+"></span>
+              <div class="help-text">
+              The URL (starting with http or https) on the JWT authentication server for checking whether a username exists.
+              </div>
+
+              <div class="help-text" style="margin-top: 6px;">
+              The username will be sent in the <code>Authorization</code> header as Basic Auth, and this endpoint should return <code>200 OK</code> on success (or a <code>4**</code> otherwise).
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td>Authentication Issuer:</td>
+            <td>
+              <span class="config-string-field" binding="config.JWT_AUTH_ISSUER"></span>
+              <div class="help-text">
+                The id of the issuer signing the JWT token. Must be unique to your organization.
+              </div>
+            </td>
+          </tr>
+          <tr>
+            <td>Public Key:</td>
+            <td>
+              <span class="config-file-field" filename="jwt-authn.cert"></span>
+              <div class="help-text">
+                A certificate containing the public key portion of the key pair used to sign
+                the JSON Web Tokens. This file must be in PEM format.
+              </div
+            </td>
+          </tr>
+        </table>
+
+        <!-- LDAP Authentication -->
        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
          <tr>
            <td>LDAP URI:</td>