Modify ldap validator to just check user existence

Remove auth user check from updating config app config

remove duplicate certs install script
Sam Chow 2018-07-11 16:03:36 -04:00
parent bd54eacbad
commit 9024419896
7 changed files with 52 additions and 92 deletions


@ -16,7 +16,7 @@ app = Flask(__name__)
logger = logging.getLogger(__name__)
OVERRIDE_CONFIG_DIRECTORY = os.path.join(ROOT_DIR, 'config_app/conf/stack')
INIT_SCRIPTS_LOCATION = '/quay-registry/config_app/init/'
INIT_SCRIPTS_LOCATION = '/conf/init/'
is_testing = 'TEST' in os.environ


@ -4,11 +4,9 @@ from flask import abort, request
from config_app.config_endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
from config_app.config_endpoints.api import resource, ApiResource, nickname, validate_json_request
from config_app.c_app import (app, config_provider, superusers, OVERRIDE_CONFIG_DIRECTORY,
ip_resolver, instance_keys, INIT_SCRIPTS_LOCATION)
from config_app.c_app import (app, config_provider, superusers, ip_resolver,
instance_keys, INIT_SCRIPTS_LOCATION)
from auth.auth_context import get_authenticated_user
from data.users import get_federated_service_name, get_users_handler
from data.database import configure
from data.runmigration import run_alembic_migration
from util.config.configutil import add_enterprise_config_defaults
@ -75,27 +73,6 @@ class SuperUserConfig(ApiResource):
# Write the configuration changes to the config override file.
config_provider.save_config(config_object)
# If the authentication system is federated, link the superuser account to the
# the authentication system chosen.
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
if service_name is not None:
current_user = get_authenticated_user()
if current_user is None:
abort(401)
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
if not model.has_federated_login(current_user.username, service_name):
# Verify the user's credentials and retrieve the user's external username+email.
handler = get_users_handler(config_object, config_provider, OVERRIDE_CONFIG_DIRECTORY)
(result, err_msg) = handler.verify_credentials(current_user.username,
request.get_json().get('password', ''))
if not result:
logger.error('Could not save configuration due to external auth failure: %s', err_msg)
abort(400)
# Link the existing user to the external user.
model.attach_federated_login(current_user.username, service_name, result.username)
return {
'exists': True,
'config': config_object
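Review bot: With the federated-login block removed, nothing visible between `config_provider.save_config(config_object)` and the `return` ties the configuration write to an authenticated caller; the deleted `abort(401)` was the only such check in this hunk. The method and its decorators start outside the hunk, so access may already be restricted elsewhere. If it is not, the handler should reject unauthenticated requests before `save_config` runs, or at least state the assumption in a comment such as `# Config app is operator-only during setup; no per-user auth is enforced here.` The import hunk still carries `get_authenticated_user`, `get_federated_service_name` and `get_users_handler` as unchanged lines, which look unused after this removal and could be dropped together with `OVERRIDE_CONFIG_DIRECTORY`.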


@ -49,10 +49,9 @@ class SuperUserCustomCertificate(ApiResource):
logger.exception('Got IO error for cert %s', certpath)
return '', 204
# TODO(QUAY-991): properly install the custom certs provided by user
# Call the update script with config dir location to install the certificate immediately.
if subprocess.call([os.path.join(INIT_SCRIPTS_LOCATION, 'certs_install.sh')],
env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
raise Exception('Could not install certificates')
return '', 204
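Review bot: The `!= 0` comparison only covers a script that started and then failed. If `certs_install.sh` is missing or not executable under `INIT_SCRIPTS_LOCATION` (which appears to now be `'/conf/init/'`, with the duplicate script deleted in this commit), `subprocess.call` raises `OSError` and the request ends in an unhandled exception instead of the intended 'Could not install certificates' error. Catching `OSError` around the call and logging it keeps the failure mode uniform, as sketched below. Since this step presumably adds an uploaded certificate to the system trust store, a log line recording `certpath` on success would also help later audit. The enclosing method starts outside the hunk.

```python
# Call the update script with config dir location to install the certificate immediately.
try:
  exit_code = subprocess.call([os.path.join(INIT_SCRIPTS_LOCATION, 'certs_install.sh')],
                              env={ 'QUAYCONF': config_provider.get_config_dir_path() })
except OSError:
  # Script missing or not executable: there is no exit code to inspect.
  logger.exception('Could not run certs_install.sh from %s', INIT_SCRIPTS_LOCATION)
  exit_code = 1
if exit_code != 0:
  raise Exception('Could not install certificates')
```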


@ -1,43 +0,0 @@
#! /bin/bash
set -e
QUAYPATH=${QUAYPATH:-"."}
QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf/stack"}
cd ${QUAYDIR:-"/quay-registry"}
pwd
# Add the custom LDAP certificate
if [ -e $QUAYCONF/ldap.crt ]
then
cp $QUAYCONF/ldap.crt /usr/local/share/ca-certificates/ldap.crt
fi
# Add extra trusted certificates (as a directory)
if [ -d $QUAYCONF/extra_ca_certs ]; then
if test "$(ls -A "$QUAYCONF/extra_ca_certs")"; then
echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs directory"
cp $QUAYCONF/extra_ca_certs/* /usr/local/share/ca-certificates/
cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/requests/cacert.pem
cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/certifi/cacert.pem
fi
fi
# Add extra trusted certificates (as a file)
if [ -f $QUAYCONF/extra_ca_certs ]; then
echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs file"
csplit -z -f /usr/local/share/ca-certificates/extra-ca- $QUAYCONF/extra_ca_certs '/-----BEGIN CERTIFICATE-----/' '{*}'
cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/requests/cacert.pem
cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/certifi/cacert.pem
fi
# Add extra trusted certificates (prefixed)
for f in $(find $QUAYCONF/ -maxdepth 1 -type f -name "extra_ca*")
do
echo "Installing extra cert $f"
cp "$f" /usr/local/share/ca-certificates/
cat "$f" >> venv/lib/python2.7/site-packages/requests/cacert.pem
cat "$f" >> venv/lib/python2.7/site-packages/certifi/cacert.pem
done
# Update all CA certificates.
update-ca-certificates