Modify ldap validator to just check user existence

Remove auth user check from updating config app config remove duplicate certs install script
2018-07-11 16:03:36 -04:00 · 2018-07-11 16:03:36 -04:00 · 9024419896
commit 9024419896
parent bd54eacbad
7 changed files with 52 additions and 92 deletions
--- a/config_app/c_app.py
+++ b/config_app/c_app.py
@ -16,7 +16,7 @@ app = Flask(__name__)
 logger = logging.getLogger(__name__)

 OVERRIDE_CONFIG_DIRECTORY = os.path.join(ROOT_DIR, 'config_app/conf/stack')
-INIT_SCRIPTS_LOCATION = '/quay-registry/config_app/init/'
+INIT_SCRIPTS_LOCATION = '/conf/init/'

 is_testing = 'TEST' in os.environ

--- a/config_app/config_endpoints/api/suconfig.py
+++ b/config_app/config_endpoints/api/suconfig.py
@ -4,11 +4,9 @@ from flask import abort, request

 from config_app.config_endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
 from config_app.config_endpoints.api import resource, ApiResource, nickname, validate_json_request
-from config_app.c_app import (app, config_provider, superusers, OVERRIDE_CONFIG_DIRECTORY,
-                              ip_resolver, instance_keys, INIT_SCRIPTS_LOCATION)
+from config_app.c_app import (app, config_provider, superusers, ip_resolver,
+                              instance_keys, INIT_SCRIPTS_LOCATION)

-from auth.auth_context import get_authenticated_user
-from data.users import get_federated_service_name, get_users_handler
 from data.database import configure
 from data.runmigration import run_alembic_migration
 from util.config.configutil import add_enterprise_config_defaults
@ -75,27 +73,6 @@ class SuperUserConfig(ApiResource):
        # Write the configuration changes to the config override file.
        config_provider.save_config(config_object)

-        # If the authentication system is federated, link the superuser account to the
-        # the authentication system chosen.
-        service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
-        if service_name is not None:
-            current_user = get_authenticated_user()
-            if current_user is None:
-                abort(401)
-
-            service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
-            if not model.has_federated_login(current_user.username, service_name):
-                # Verify the user's credentials and retrieve the user's external username+email.
-                handler = get_users_handler(config_object, config_provider, OVERRIDE_CONFIG_DIRECTORY)
-                (result, err_msg) = handler.verify_credentials(current_user.username,
-                                                               request.get_json().get('password', ''))
-                if not result:
-                    logger.error('Could not save configuration due to external auth failure: %s', err_msg)
-                    abort(400)
-
-                # Link the existing user to the external user.
-                model.attach_federated_login(current_user.username, service_name, result.username)
-
        return {
            'exists': True,
            'config': config_object
--- a/config_app/config_endpoints/api/superuser.py
+++ b/config_app/config_endpoints/api/superuser.py
@ -49,10 +49,9 @@ class SuperUserCustomCertificate(ApiResource):
            logger.exception('Got IO error for cert %s', certpath)
            return '', 204

-        # TODO(QUAY-991): properly install the custom certs provided by user
        # Call the update script with config dir location to install the certificate immediately.
        if subprocess.call([os.path.join(INIT_SCRIPTS_LOCATION, 'certs_install.sh')],
-                            env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
+                           env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
            raise Exception('Could not install certificates')

        return '', 204
--- a/config_app/init/certs_install.sh
+++ b/config_app/init/certs_install.sh
@ -1,43 +0,0 @@
-#! /bin/bash
-set -e
-QUAYPATH=${QUAYPATH:-"."}
-QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf/stack"}
-
-cd ${QUAYDIR:-"/quay-registry"}
-pwd
-
-# Add the custom LDAP certificate
-if [ -e $QUAYCONF/ldap.crt ]
-then
-  cp $QUAYCONF/ldap.crt /usr/local/share/ca-certificates/ldap.crt
-fi
-
-# Add extra trusted certificates (as a directory)
-if [ -d $QUAYCONF/extra_ca_certs ]; then
-  if test "$(ls -A "$QUAYCONF/extra_ca_certs")"; then
-      echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs directory"
-      cp $QUAYCONF/extra_ca_certs/* /usr/local/share/ca-certificates/
-      cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/requests/cacert.pem
-      cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/certifi/cacert.pem
-  fi
-fi
-
-# Add extra trusted certificates (as a file)
-if [ -f $QUAYCONF/extra_ca_certs ]; then
-  echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs file"
-  csplit -z -f /usr/local/share/ca-certificates/extra-ca- $QUAYCONF/extra_ca_certs  '/-----BEGIN CERTIFICATE-----/' '{*}'
-  cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/requests/cacert.pem
-  cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/certifi/cacert.pem
-fi
-
-# Add extra trusted certificates (prefixed)
-for f in $(find $QUAYCONF/ -maxdepth 1 -type f -name "extra_ca*")
-do
- echo "Installing extra cert $f"
- cp "$f" /usr/local/share/ca-certificates/
- cat "$f" >> venv/lib/python2.7/site-packages/requests/cacert.pem
- cat "$f" >> venv/lib/python2.7/site-packages/certifi/cacert.pem
-done
-
-# Update all CA certificates.
-update-ca-certificates