Add ability to regenerate robot account credentials

2014-08-25 17:19:23 -04:00 · 2014-08-25 17:19:23 -04:00 · a129aac94b
commit a129aac94b
parent 837630359c
11 changed files with 307 additions and 8 deletions
--- a/data/migrations/versions/43e943c0639f_add_log_kind_for_regenerating_robot_.py
+++ b/data/migrations/versions/43e943c0639f_add_log_kind_for_regenerating_robot_.py
@ -0,0 +1,36 @@
 """add log kind for regenerating robot tokens
 Revision ID: 43e943c0639f
 Revises: 82297d834ad
 Create Date: 2014-08-25 17:14:42.784518
 """
 # revision identifiers, used by Alembic.
 revision = '43e943c0639f'
 down_revision = '82297d834ad'
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.dialects import mysql
 from data.model.sqlalchemybridge import gen_sqlalchemy_metadata
 from data.database import all_models
 def upgrade():
    schema = gen_sqlalchemy_metadata(all_models)
    op.bulk_insert(schema.tables['logentrykind'],
    [
        {'id': 41, 'name':'regenerate_robot_token'},
    ])
 def downgrade():
    schema = gen_sqlalchemy_metadata(all_models)
    op.execute(
        (logentrykind.delete()
            .where(logentrykind.c.name == op.inline_literal('regenerate_robot_token')))
    )
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@ -180,6 +180,19 @@ def create_robot(robot_shortname, parent):
  except Exception as ex:
    raise DataModelException(ex.message)
 def get_robot(robot_shortname, parent):
  robot_username = format_robot_username(parent.username, robot_shortname)
  robot = lookup_robot(robot_username)
  if not robot:
    msg = ('Could not find robot with username: %s' %
           robot_username)
    raise InvalidRobotException(msg)
  service = LoginService.get(name='quayrobot')
  login = FederatedLogin.get(FederatedLogin.user == robot, FederatedLogin.service == service)
  return robot, login.service_ident
 def lookup_robot(robot_username):
  joined = User.select().join(FederatedLogin).join(LoginService)
@ -190,7 +203,6 @@ def lookup_robot(robot_username):
  return found[0]
 def verify_robot(robot_username, password):
  joined = User.select().join(FederatedLogin).join(LoginService)
  found = list(joined.where(FederatedLogin.service_ident == password,
@ -203,6 +215,25 @@ def verify_robot(robot_username, password):
  return found[0]
 def regenerate_robot_token(robot_shortname, parent):
  robot_username = format_robot_username(parent.username, robot_shortname)
  robot = lookup_robot(robot_username)
  if not robot:
    raise InvalidRobotException('Could not find robot with username: %s' %
                                robot_username)
  password = random_string_generator(length=64)()
  robot.email = password
  service = LoginService.get(name='quayrobot')
  login = FederatedLogin.get(FederatedLogin.user == robot, FederatedLogin.service == service)
  login.service_ident = password
  login.save()
  robot.save()
  return robot, password
 def delete_robot(robot_username):
  try:
--- a/endpoints/api/robot.py
+++ b/endpoints/api/robot.py
@ -35,6 +35,14 @@ class UserRobotList(ApiResource):
@internal_only
 class UserRobot(ApiResource):
  """ Resource for managing a user's robots. """
  @require_user_admin
  @nickname('getUserRobot')
  def get(self, robot_shortname):
    """ Returns the user's robot with the specified name. """
    parent = get_authenticated_user()
    robot, password = model.get_robot(robot_shortname, parent)
    return robot_view(robot.username, password)
  @require_user_admin
  @nickname('createUserRobot')
  def put(self, robot_shortname):
@ -79,6 +87,18 @@ class OrgRobotList(ApiResource):
@related_user_resource(UserRobot)
 class OrgRobot(ApiResource):
  """ Resource for managing an organization's robots. """
  @require_scope(scopes.ORG_ADMIN)
  @nickname('getOrgRobot')
  def get(self, orgname, robot_shortname):
    """ Returns the organization's robot with the specified name. """
    permission = AdministerOrganizationPermission(orgname)
    if permission.can():
      parent = model.get_organization(orgname)
      robot, password = model.get_robot(robot_shortname, parent)
      return robot_view(robot.username, password)
    raise Unauthorized()
  @require_scope(scopes.ORG_ADMIN)
  @nickname('createOrgRobot')
  def put(self, orgname, robot_shortname):
@ -103,3 +123,38 @@ class OrgRobot(ApiResource):
      return 'Deleted', 204
    raise Unauthorized()
@resource('/v1/user/robots/<robot_shortname>/regenerate')
@path_param('robot_shortname', 'The short name for the robot, without any user or organization prefix')
@internal_only
 class RegenerateUserRobot(ApiResource):
  """ Resource for regenerate an organization's robot's token. """
  @require_user_admin
  @nickname('regenerateUserRobotToken')
  def post(self, robot_shortname):
    """ Regenerates the token for a user's robot. """
    parent = get_authenticated_user()
    robot, password = model.regenerate_robot_token(robot_shortname, parent)
    log_action('regenerate_robot_token', parent.username,  {'robot': robot_shortname})
    return robot_view(robot.username, password)
@resource('/v1/organization/<orgname>/robots/<robot_shortname>/regenerate')
@path_param('orgname', 'The name of the organization')
@path_param('robot_shortname', 'The short name for the robot, without any user or organization prefix')
@related_user_resource(RegenerateUserRobot)
 class RegenerateOrgRobot(ApiResource):
  """ Resource for regenerate an organization's robot's token. """
  @require_scope(scopes.ORG_ADMIN)
  @nickname('regenerateOrgRobotToken')
  def post(self, orgname, robot_shortname):
    """ Regenerates the token for an organization robot. """
    permission = AdministerOrganizationPermission(orgname)
    if permission.can():
      parent = model.get_organization(orgname)
      robot, password = model.regenerate_robot_token(robot_shortname, parent)
      log_action('regenerate_robot_token', orgname,  {'robot': robot_shortname})
      return robot_view(robot.username, password)
    raise Unauthorized()
--- a/initdb.py
+++ b/initdb.py
@ -229,13 +229,15 @@ def initialize_database():
  LogEntryKind.create(name='delete_application')
  LogEntryKind.create(name='reset_application_client_secret')
-  # Note: These are deprecated.
+  # Note: These next two are deprecated.
  LogEntryKind.create(name='add_repo_webhook')
  LogEntryKind.create(name='delete_repo_webhook')
  LogEntryKind.create(name='add_repo_notification')
  LogEntryKind.create(name='delete_repo_notification')
  LogEntryKind.create(name='regenerate_robot_token')
  ImageStorageLocation.create(name='local_eu')
  ImageStorageLocation.create(name='local_us')
--- a/static/css/quay.css
+++ b/static/css/quay.css
@ -464,6 +464,22 @@ i.toggle-icon:hover {
 .docker-auth-dialog .token-dialog-body .well {
  margin-bottom: 0px;
  position: relative;
  padding-right: 24px;
 }
 .docker-auth-dialog .token-dialog-body .well i.fa-refresh {
  position: absolute;
  top: 9px;
  right: 9px;
  font-size: 20px;
  color: gray;
  transition: all 0.5s ease-in-out;
  cursor: pointer;
 }
 .docker-auth-dialog .token-dialog-body .well i.fa-refresh:hover {
  color: black;
 }
 .docker-auth-dialog .token-view {
--- a/static/directives/docker-auth-dialog.html
+++ b/static/directives/docker-auth-dialog.html
@ -10,11 +10,24 @@
       </div>
       <div class="modal-body token-dialog-body">
         <div class="alert alert-info">The docker <u>username</u> is <b>{{ username }}</b> and the <u>password</u> is the token below. You may use any value for email.</div>
-         <div class="well well-sm">
+
         <div class="well well-sm" ng-show="regenerating">
           Regenerating Token...
           <i class="fa fa-refresh fa-spin"></i>
         </div>
         <div class="well well-sm" ng-show="!regenerating">
           <input id="token-view" class="token-view" type="text" value="{{ token }}" onClick="this.select();" readonly>
           <i class="fa fa-refresh" ng-show="supportsRegenerate" ng-click="askRegenerate()"
              data-title="Regenerate Token"
              data-placement="left"
              bs-tooltip></i>
         </div>
       </div>
-       <div class="modal-footer">
+       <div class="modal-footer" ng-show="regenerating">
         <button type="button" class="btn btn-default" data-dismiss="modal">Close</button>
       </div>
       <div class="modal-footer" ng-show="!regenerating">
         <span class="download-cfg" ng-show="isDownloadSupported()">
           <i class="fa fa-download"></i>
           <a href="javascript:void(0)" ng-click="downloadCfg(shownRobot)">Download .dockercfg file</a>
--- a/static/directives/robots-manager.html
+++ b/static/directives/robots-manager.html
@ -31,7 +31,7 @@
  </div>
  <div class="docker-auth-dialog" username="shownRobot.name" token="shownRobot.token"
-       shown="!!shownRobot" counter="showRobotCounter">
+       shown="!!shownRobot" counter="showRobotCounter" supports-regenerate="true" regenerate="regenerateToken(username)">
    <i class="fa fa-wrench"></i> {{ shownRobot.name }}
  </div>
 </div>
--- a/static/js/app.js
+++ b/static/js/app.js
@ -2385,7 +2385,9 @@ quayApp.directive('dockerAuthDialog', function (Config) {
      'username': '=username',
      'token': '=token',
      'shown': '=shown',
-      'counter': '=counter'
+      'counter': '=counter',
      'supportsRegenerate': '@supportsRegenerate',
      'regenerate': '&regenerate'
    },
    controller: function($scope, $element) {
      var updateCommand = function() {
@ -2396,6 +2398,15 @@ quayApp.directive('dockerAuthDialog', function (Config) {
      $scope.$watch('username', updateCommand);
      $scope.$watch('token', updateCommand);
      $scope.regenerating = true;
      $scope.askRegenerate = function() {
        bootbox.confirm('Are you sure you want to regenerate the token? All existing login credentials will become invalid', function(resp) {
          $scope.regenerating = true;
          $scope.regenerate({'username': $scope.username, 'token': $scope.token});
        });
      };
      $scope.isDownloadSupported = function() {
        var isSafari = /^((?!chrome).)*safari/i.test(navigator.userAgent);
        if (isSafari) {
@ -2421,6 +2432,8 @@ quayApp.directive('dockerAuthDialog', function (Config) {
      };
      var show = function(r) {
        $scope.regenerating = false;
        if (!$scope.shown || !$scope.username || !$scope.token) {
          $('#dockerauthmodal').modal('hide');
          return;
@ -2661,6 +2674,8 @@ quayApp.directive('logsView', function () {
            return 'Delete notification of event "' + eventData['title'] + '" for repository {repo}';
          },
          'regenerate_robot_token': 'Regenerated token for robot {robot}',
          // Note: These are deprecated.
          'add_repo_webhook': 'Add webhook in repository {repo}',
          'delete_repo_webhook': 'Delete webhook in repository {repo}'
@ -2704,6 +2719,7 @@ quayApp.directive('logsView', function () {
        'reset_application_client_secret': 'Reset Client Secret',
        'add_repo_notification': 'Add repository notification',
        'delete_repo_notification': 'Delete repository notification',
        'regenerate_robot_token': 'Regenerate Robot Token',
        // Note: these are deprecated.
        'add_repo_webhook': 'Add webhook',
@ -2875,6 +2891,20 @@ quayApp.directive('robotsManager', function () {
      $scope.shownRobot = null;
      $scope.showRobotCounter = 0;
      $scope.regenerateToken = function(username) {
        if (!username) { return; }
        var shortName = $scope.getShortenedName(username);
        ApiService.regenerateRobotToken($scope.organization, null, {'robot_shortname': shortName}).then(function(updated) {
          var index = $scope.findRobotIndexByName(username);
          if (index >= 0) {
            $scope.robots.splice(index, 1);
            $scope.robots.push(updated);
          }
          $scope.shownRobot = updated;
        }, ApiService.errorDisplay('Cannot regenerate robot account token'));
      };
      $scope.showRobot = function(info) {
        $scope.shownRobot = info;
        $scope.showRobotCounter++;
--- a/test/data/test.db
+++ b/test/data/test.db
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@ -14,7 +14,9 @@ from endpoints.api.search import FindRepositories, EntitySearch
 from endpoints.api.image import RepositoryImageChanges, RepositoryImage, RepositoryImageList
 from endpoints.api.build import (FileDropResource, RepositoryBuildStatus, RepositoryBuildLogs,
                                 RepositoryBuildList)
-from endpoints.api.robot import UserRobotList, OrgRobot, OrgRobotList, UserRobot
+from endpoints.api.robot import (UserRobotList, OrgRobot, OrgRobotList, UserRobot,
                                 RegenerateOrgRobot, RegenerateUserRobot)
 from endpoints.api.trigger import (BuildTriggerActivate, BuildTriggerSources, BuildTriggerSubdirs,
                                   TriggerBuildList, ActivateBuildTrigger, BuildTrigger,
                                   BuildTriggerList, BuildTriggerAnalyze)
@ -1632,6 +1634,19 @@ class TestOrgRobotBuynlargeZ7pd(ApiTestCase):
    ApiTestCase.setUp(self)
    self._set_url(OrgRobot, orgname="buynlarge", robot_shortname="Z7PD")
  def test_get_anonymous(self):
    self._run_test('GET', 401, None, None)
  def test_get_freshuser(self):
    self._run_test('GET', 403, 'freshuser', None)
  def test_get_reader(self):
    self._run_test('GET', 403, 'reader', None)
  def test_get_devtable(self):
    self._run_test('GET', 400, 'devtable', None)
  def test_put_anonymous(self):
    self._run_test('PUT', 401, None, None)
@ -1644,6 +1659,7 @@ class TestOrgRobotBuynlargeZ7pd(ApiTestCase):
  def test_put_devtable(self):
    self._run_test('PUT', 400, 'devtable', None)
  def test_delete_anonymous(self):
    self._run_test('DELETE', 401, None, None)
@ -3040,6 +3056,19 @@ class TestUserRobot5vdy(ApiTestCase):
    ApiTestCase.setUp(self)
    self._set_url(UserRobot, robot_shortname="robotname")
  def test_get_anonymous(self):
    self._run_test('GET', 401, None, None)
  def test_get_freshuser(self):
    self._run_test('GET', 400, 'freshuser', None)
  def test_get_reader(self):
    self._run_test('GET', 400, 'reader', None)
  def test_get_devtable(self):
    self._run_test('GET', 400, 'devtable', None)
  def test_put_anonymous(self):
    self._run_test('PUT', 401, None, None)
@ -3052,6 +3081,7 @@ class TestUserRobot5vdy(ApiTestCase):
  def test_put_devtable(self):
    self._run_test('PUT', 201, 'devtable', None)
  def test_delete_anonymous(self):
    self._run_test('DELETE', 401, None, None)
@ -3065,6 +3095,42 @@ class TestUserRobot5vdy(ApiTestCase):
    self._run_test('DELETE', 400, 'devtable', None)
 class TestRegenerateUserRobot(ApiTestCase):
  def setUp(self):
    ApiTestCase.setUp(self)
    self._set_url(RegenerateUserRobot, robot_shortname="robotname")
  def test_post_anonymous(self):
    self._run_test('POST', 401, None, None)
  def test_post_freshuser(self):
    self._run_test('POST', 400, 'freshuser', None)
  def test_post_reader(self):
    self._run_test('POST', 400, 'reader', None)
  def test_post_devtable(self):
    self._run_test('POST', 400, 'devtable', None)
 class TestRegenerateOrgRobot(ApiTestCase):
  def setUp(self):
    ApiTestCase.setUp(self)
    self._set_url(RegenerateOrgRobot, orgname="buynlarge", robot_shortname="robotname")
  def test_post_anonymous(self):
    self._run_test('POST', 401, None, None)
  def test_post_freshuser(self):
    self._run_test('POST', 403, 'freshuser', None)
  def test_post_reader(self):
    self._run_test('POST', 403, 'reader', None)
  def test_post_devtable(self):
    self._run_test('POST', 400, 'devtable', None)
 class TestOrganizationBuynlarge(ApiTestCase):
  def setUp(self):
    ApiTestCase.setUp(self)
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -16,7 +16,8 @@ from endpoints.api.tag import RepositoryTagImages, RepositoryTag
 from endpoints.api.search import FindRepositories, EntitySearch
 from endpoints.api.image import RepositoryImage, RepositoryImageList
 from endpoints.api.build import RepositoryBuildStatus, RepositoryBuildLogs, RepositoryBuildList
-from endpoints.api.robot import UserRobotList, OrgRobot, OrgRobotList, UserRobot
+from endpoints.api.robot import (UserRobotList, OrgRobot, OrgRobotList, UserRobot,
                                 RegenerateUserRobot, RegenerateOrgRobot)
 from endpoints.api.trigger import (BuildTriggerActivate, BuildTriggerSources, BuildTriggerSubdirs,
                                   TriggerBuildList, ActivateBuildTrigger, BuildTrigger,
                                   BuildTriggerList, BuildTriggerAnalyze)
@ -1572,6 +1573,30 @@ class TestUserRobots(ApiTestCase):
    robots = self.getRobotNames()
    assert not NO_ACCESS_USER + '+bender' in robots
  def test_regenerate(self):
    self.login(NO_ACCESS_USER)
    # Create a robot.
    json = self.putJsonResponse(UserRobot,
                                params=dict(robot_shortname='bender'),
                                expected_code=201)
    token = json['token']
    # Regenerate the robot.
    json = self.postJsonResponse(RegenerateUserRobot,
                                params=dict(robot_shortname='bender'),
                                expected_code=200)
    # Verify the token changed.
    self.assertNotEquals(token, json['token'])
    json2 = self.getJsonResponse(UserRobot,
                                 params=dict(robot_shortname='bender'),
                                 expected_code=200)
    self.assertEquals(json['token'], json2['token'])
 class TestOrgRobots(ApiTestCase):
  def getRobotNames(self):
@ -1601,6 +1626,31 @@ class TestOrgRobots(ApiTestCase):
    assert not ORGANIZATION + '+bender' in robots
  def test_regenerate(self):
    self.login(ADMIN_ACCESS_USER)
    # Create a robot.
    json = self.putJsonResponse(OrgRobot,
                                params=dict(orgname=ORGANIZATION, robot_shortname='bender'),
                                expected_code=201)
    token = json['token']
    # Regenerate the robot.
    json = self.postJsonResponse(RegenerateOrgRobot,
                                params=dict(orgname=ORGANIZATION, robot_shortname='bender'),
                                expected_code=200)
    # Verify the token changed.
    self.assertNotEquals(token, json['token'])
    json2 = self.getJsonResponse(OrgRobot,
                                 params=dict(orgname=ORGANIZATION, robot_shortname='bender'),
                                 expected_code=200)
    self.assertEquals(json['token'], json2['token'])
 class TestLogs(ApiTestCase):
  def test_user_logs(self):
    self.login(ADMIN_ACCESS_USER)