Allow use of basic auth for security scan endpoints
This will allow the security labeler to send a pull secret to retrieve security information for a manifest Fixes https://jira.coreos.com/browse/QUAY-1087
This commit is contained in:
parent
f9da0caaa4
commit
a38edea11b
4 changed files with 37 additions and 2 deletions
|
@ -60,6 +60,7 @@ process_oauth = _auth_decorator(handlers=[validate_bearer_auth, validate_session
|
|||
process_auth = _auth_decorator(handlers=[validate_signed_grant, validate_basic_auth])
|
||||
process_auth_or_cookie = _auth_decorator(handlers=[validate_basic_auth, validate_session_cookie])
|
||||
process_basic_auth = _auth_decorator(handlers=[validate_basic_auth], pass_result=True)
|
||||
process_basic_auth_no_pass = _auth_decorator(handlers=[validate_basic_auth])
|
||||
|
||||
|
||||
def require_session_login(func):
|
||||
|
|
|
@ -4,6 +4,7 @@ import logging
|
|||
import features
|
||||
|
||||
from app import secscan_api
|
||||
from auth.decorators import process_basic_auth_no_pass
|
||||
from data.registry_model import registry_model
|
||||
from data.registry_model.datatypes import SecurityScanStatus
|
||||
from endpoints.api import (require_repo_read, path_param,
|
||||
|
@ -53,6 +54,7 @@ def _security_info(manifest_or_legacy_image, include_vulnerabilities=True):
|
|||
class RepositoryImageSecurity(RepositoryParamResource):
|
||||
""" Operations for managing the vulnerabilities in a repository image. """
|
||||
|
||||
@process_basic_auth_no_pass
|
||||
@require_repo_read
|
||||
@nickname('getRepoImageSecurity')
|
||||
@disallow_for_app_repositories
|
||||
|
@ -79,6 +81,7 @@ class RepositoryImageSecurity(RepositoryParamResource):
|
|||
class RepositoryManifestSecurity(RepositoryParamResource):
|
||||
""" Operations for managing the vulnerabilities in a repository manifest. """
|
||||
|
||||
@process_basic_auth_no_pass
|
||||
@require_repo_read
|
||||
@nickname('getRepoManifestSecurity')
|
||||
@disallow_for_app_repositories
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
from endpoints.test.shared import conduct_call
|
||||
from endpoints.api import api
|
||||
|
||||
def conduct_api_call(client, resource, method, params, body=None, expected_code=200):
|
||||
def conduct_api_call(client, resource, method, params, body=None, expected_code=200, headers=None):
|
||||
""" Conducts an API call to the given resource via the given client, and ensures its returned
|
||||
status matches the code given.
|
||||
|
||||
Returns the response.
|
||||
"""
|
||||
return conduct_call(client, resource, api.url_for, method, params, body, expected_code)
|
||||
return conduct_call(client, resource, api.url_for, method, params, body, expected_code,
|
||||
headers=headers)
|
||||
|
|
30
endpoints/api/test/test_secscan.py
Normal file
30
endpoints/api/test/test_secscan.py
Normal file
|
@ -0,0 +1,30 @@
|
|||
import base64
|
||||
|
||||
import pytest
|
||||
|
||||
from data.registry_model import registry_model
|
||||
from endpoints.api.test.shared import conduct_api_call
|
||||
from endpoints.api.secscan import RepositoryImageSecurity, RepositoryManifestSecurity
|
||||
|
||||
from test.fixtures import *
|
||||
|
||||
@pytest.mark.parametrize('endpoint', [
|
||||
RepositoryImageSecurity,
|
||||
RepositoryManifestSecurity,
|
||||
])
|
||||
def test_get_security_info_with_pull_secret(endpoint, client):
|
||||
repository_ref = registry_model.lookup_repository('devtable', 'simple')
|
||||
tag = registry_model.get_repo_tag(repository_ref, 'latest', include_legacy_image=True)
|
||||
manifest = registry_model.get_manifest_for_tag(tag, backfill_if_necessary=True)
|
||||
|
||||
params = {
|
||||
'repository': 'devtable/simple',
|
||||
'imageid': tag.legacy_image.docker_image_id,
|
||||
'manifestref': manifest.digest,
|
||||
}
|
||||
|
||||
headers = {
|
||||
'Authorization': 'Basic %s' % base64.b64encode('devtable:password'),
|
||||
}
|
||||
|
||||
conduct_api_call(client, endpoint, 'GET', params, None, headers=headers, expected_code=200)
|
Reference in a new issue