Modify ldap validator to just check user existence
Remove auth user check from updating config app config remove duplicate certs install script
This commit is contained in:
parent
bd54eacbad
commit
9024419896
7 changed files with 52 additions and 92 deletions
|
@ -16,7 +16,7 @@ app = Flask(__name__)
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
OVERRIDE_CONFIG_DIRECTORY = os.path.join(ROOT_DIR, 'config_app/conf/stack')
|
||||
INIT_SCRIPTS_LOCATION = '/quay-registry/config_app/init/'
|
||||
INIT_SCRIPTS_LOCATION = '/conf/init/'
|
||||
|
||||
is_testing = 'TEST' in os.environ
|
||||
|
||||
|
|
|
@ -4,11 +4,9 @@ from flask import abort, request
|
|||
|
||||
from config_app.config_endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
|
||||
from config_app.config_endpoints.api import resource, ApiResource, nickname, validate_json_request
|
||||
from config_app.c_app import (app, config_provider, superusers, OVERRIDE_CONFIG_DIRECTORY,
|
||||
ip_resolver, instance_keys, INIT_SCRIPTS_LOCATION)
|
||||
from config_app.c_app import (app, config_provider, superusers, ip_resolver,
|
||||
instance_keys, INIT_SCRIPTS_LOCATION)
|
||||
|
||||
from auth.auth_context import get_authenticated_user
|
||||
from data.users import get_federated_service_name, get_users_handler
|
||||
from data.database import configure
|
||||
from data.runmigration import run_alembic_migration
|
||||
from util.config.configutil import add_enterprise_config_defaults
|
||||
|
@ -75,27 +73,6 @@ class SuperUserConfig(ApiResource):
|
|||
# Write the configuration changes to the config override file.
|
||||
config_provider.save_config(config_object)
|
||||
|
||||
# If the authentication system is federated, link the superuser account to the
|
||||
# the authentication system chosen.
|
||||
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
|
||||
if service_name is not None:
|
||||
current_user = get_authenticated_user()
|
||||
if current_user is None:
|
||||
abort(401)
|
||||
|
||||
service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
|
||||
if not model.has_federated_login(current_user.username, service_name):
|
||||
# Verify the user's credentials and retrieve the user's external username+email.
|
||||
handler = get_users_handler(config_object, config_provider, OVERRIDE_CONFIG_DIRECTORY)
|
||||
(result, err_msg) = handler.verify_credentials(current_user.username,
|
||||
request.get_json().get('password', ''))
|
||||
if not result:
|
||||
logger.error('Could not save configuration due to external auth failure: %s', err_msg)
|
||||
abort(400)
|
||||
|
||||
# Link the existing user to the external user.
|
||||
model.attach_federated_login(current_user.username, service_name, result.username)
|
||||
|
||||
return {
|
||||
'exists': True,
|
||||
'config': config_object
|
||||
|
|
|
@ -49,10 +49,9 @@ class SuperUserCustomCertificate(ApiResource):
|
|||
logger.exception('Got IO error for cert %s', certpath)
|
||||
return '', 204
|
||||
|
||||
# TODO(QUAY-991): properly install the custom certs provided by user
|
||||
# Call the update script with config dir location to install the certificate immediately.
|
||||
if subprocess.call([os.path.join(INIT_SCRIPTS_LOCATION, 'certs_install.sh')],
|
||||
env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
|
||||
env={ 'QUAYCONF': config_provider.get_config_dir_path() }) != 0:
|
||||
raise Exception('Could not install certificates')
|
||||
|
||||
return '', 204
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
#! /bin/bash
|
||||
set -e
|
||||
QUAYPATH=${QUAYPATH:-"."}
|
||||
QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf/stack"}
|
||||
|
||||
cd ${QUAYDIR:-"/quay-registry"}
|
||||
pwd
|
||||
|
||||
# Add the custom LDAP certificate
|
||||
if [ -e $QUAYCONF/ldap.crt ]
|
||||
then
|
||||
cp $QUAYCONF/ldap.crt /usr/local/share/ca-certificates/ldap.crt
|
||||
fi
|
||||
|
||||
# Add extra trusted certificates (as a directory)
|
||||
if [ -d $QUAYCONF/extra_ca_certs ]; then
|
||||
if test "$(ls -A "$QUAYCONF/extra_ca_certs")"; then
|
||||
echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs directory"
|
||||
cp $QUAYCONF/extra_ca_certs/* /usr/local/share/ca-certificates/
|
||||
cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/requests/cacert.pem
|
||||
cat $QUAYCONF/extra_ca_certs/* >> venv/lib/python2.7/site-packages/certifi/cacert.pem
|
||||
fi
|
||||
fi
|
||||
|
||||
# Add extra trusted certificates (as a file)
|
||||
if [ -f $QUAYCONF/extra_ca_certs ]; then
|
||||
echo "Installing extra certificates found in $QUAYCONF/extra_ca_certs file"
|
||||
csplit -z -f /usr/local/share/ca-certificates/extra-ca- $QUAYCONF/extra_ca_certs '/-----BEGIN CERTIFICATE-----/' '{*}'
|
||||
cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/requests/cacert.pem
|
||||
cat $QUAYCONF/extra_ca_certs >> venv/lib/python2.7/site-packages/certifi/cacert.pem
|
||||
fi
|
||||
|
||||
# Add extra trusted certificates (prefixed)
|
||||
for f in $(find $QUAYCONF/ -maxdepth 1 -type f -name "extra_ca*")
|
||||
do
|
||||
echo "Installing extra cert $f"
|
||||
cp "$f" /usr/local/share/ca-certificates/
|
||||
cat "$f" >> venv/lib/python2.7/site-packages/requests/cacert.pem
|
||||
cat "$f" >> venv/lib/python2.7/site-packages/certifi/cacert.pem
|
||||
done
|
||||
|
||||
# Update all CA certificates.
|
||||
update-ca-certificates
|
Reference in a new issue