Merge pull request #1905 from coreos-inc/external-auth-search
Add support for entity search against external auth users not yet linked
This commit is contained in:
josephschorr
GitHub
commit
934cdecbd6
16 changed files with 817 additions and 100 deletions
|
|
@ -21,7 +21,7 @@ from data.database import validate_database_url
|
|||
from data.users import LDAP_CERT_FILENAME
|
||||
from data.users.externaljwt import ExternalJWTAuthN
|
||||
from data.users.externalldap import LDAPConnection, LDAPUsers
|
||||
from data.users.keystone import KeystoneUsers
|
||||
from data.users.keystone import get_keystone_users
|
||||
from storage import get_storage_driver
|
||||
from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
|
||||
from util.secscan.api import SecurityScannerAPI
|
||||
|
|
@ -372,6 +372,9 @@ def _validate_jwt(config, password):
|
|||
return
|
||||
|
||||
verify_endpoint = config.get('JWT_VERIFY_ENDPOINT')
|
||||
query_endpoint = config.get('JWT_QUERY_ENDPOINT', None)
|
||||
getuser_endpoint = config.get('JWT_GETUSER_ENDPOINT', None)
|
||||
|
||||
issuer = config.get('JWT_AUTH_ISSUER')
|
||||
|
||||
if not verify_endpoint:
|
||||
|
|
@ -382,7 +385,8 @@ def _validate_jwt(config, password):
|
|||
|
||||
# Try to instatiate the JWT authentication mechanism. This will raise an exception if
|
||||
# the key cannot be found.
|
||||
users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY,
|
||||
users = ExternalJWTAuthN(verify_endpoint, query_endpoint, getuser_endpoint, issuer,
|
||||
OVERRIDE_CONFIG_DIRECTORY,
|
||||
app.config['HTTPCLIENT'],
|
||||
app.config.get('JWT_AUTH_MAX_FRESH_S', 300))
|
||||
|
||||
|
|
@ -392,7 +396,24 @@ def _validate_jwt(config, password):
|
|||
if not result:
|
||||
raise Exception(('Verification of superuser %s failed: %s. \n\nThe user either does not ' +
|
||||
'exist in the remote authentication system ' +
|
||||
'OR JWT auth is misconfigured.') % (username, err_msg))
|
||||
'OR JWT auth is misconfigured') % (username, err_msg))
|
||||
|
||||
# If the query endpoint exists, ensure we can query to find the current user and that we can
|
||||
# look up users directly.
|
||||
if query_endpoint:
|
||||
(results, err_msg) = users.query_users(username)
|
||||
if not results:
|
||||
err_msg = err_msg or ('Could not find users matching query: %s' % username)
|
||||
raise Exception('Query endpoint is misconfigured or not returning proper users: %s' % err_msg)
|
||||
|
||||
# Make sure the get user endpoint is also configured.
|
||||
if not getuser_endpoint:
|
||||
raise Exception('The lookup user endpoint must be configured if the query endpoint is set')
|
||||
|
||||
(result, err_msg) = users.get_user(username)
|
||||
if not result:
|
||||
err_msg = err_msg or ('Could not find user %s' % username)
|
||||
raise Exception('Lookup endpoint is misconfigured or not returning properly: %s' % err_msg)
|
||||
|
||||
|
||||
def _validate_keystone(config, password):
|
||||
|
|
@ -401,6 +422,7 @@ def _validate_keystone(config, password):
|
|||
return
|
||||
|
||||
auth_url = config.get('KEYSTONE_AUTH_URL')
|
||||
auth_version = int(config.get('KEYSTONE_AUTH_VERSION', 2))
|
||||
admin_username = config.get('KEYSTONE_ADMIN_USERNAME')
|
||||
admin_password = config.get('KEYSTONE_ADMIN_PASSWORD')
|
||||
admin_tenant = config.get('KEYSTONE_ADMIN_TENANT')
|
||||
|
|
@ -417,7 +439,7 @@ def _validate_keystone(config, password):
|
|||
if not admin_tenant:
|
||||
raise Exception('Missing admin tenant')
|
||||
|
||||
users = KeystoneUsers(auth_url, admin_username, admin_password, admin_tenant)
|
||||
users = get_keystone_users(auth_version, auth_url, admin_username, admin_password, admin_tenant)
|
||||
|
||||
# Verify that the superuser exists. If not, raise an exception.
|
||||
username = get_authenticated_user().username
|
||||
|
|
|
|||
Reference in a new issue