Add support for multiple scope parameters on V2 auth requests

Fixes https://jira.coreos.com/browse/QUAY-892
2018-03-23 17:47:55 -04:00 · 2018-03-23 17:47:55 -04:00 · a59c951aa3
commit a59c951aa3
parent 86aa93aab5
5 changed files with 164 additions and 119 deletions
--- a/endpoints/v2/test/test_v2_tuf.py
+++ b/endpoints/v2/test/test_v2_tuf.py
@ -5,7 +5,7 @@ from flask_principal import Identity, Principal
 from mock import Mock

 from auth import permissions
-from endpoints.v2.v2auth import get_tuf_root
+from endpoints.v2.v2auth import _get_tuf_root
 from test import testconfig
 from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT

@ -52,7 +52,7 @@ def test_get_tuf_root(identity, expected):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(identity)
-    actual = get_tuf_root(Mock(), "namespace", "repo")
+    actual = _get_tuf_root(Mock(), "namespace", "repo")
    assert actual == expected, "should be %s, but was %s" % (expected, actual)


@ -64,5 +64,5 @@ def test_trust_disabled(trust_enabled,tuf_root):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(read_identity("namespace", "repo"))
-    actual = get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
+    actual = _get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
    assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
--- a/endpoints/v2/test/test_v2auth.py
+++ b/endpoints/v2/test/test_v2auth.py
@ -4,7 +4,7 @@ from flask import url_for

 from app import instance_keys, app as original_app
 from endpoints.test.shared import conduct_call
-from util.security.registry_jwt import decode_bearer_token
+from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS

 from test.fixtures import *

@ -34,6 +34,8 @@ from test.fixtures import *
  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
   ['buynlarge/orgrepo:push,pull,*']),

+  ('', 'devtable', 'password', 200, []),
+
  # No credentials, non-public repo.
  ('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),

@ -51,6 +53,20 @@ from test.fixtures import *
  # Unknown repository in another namespace.
  ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
   ['somenamespace/unknownrepo:']),
+
+  # Multiple scopes.
+  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'devtable/complex:pull']),
+
+  # Multiple scopes with restricted behavior.
+  (['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'public/publicrepo:pull']),
+
+  (['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull,*', 'public/publicrepo:pull']),
 ])
 def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
                               app, client):
@ -86,3 +102,4 @@ def test_generate_registry_jwt(scope, username, password, expected_code, expecte
    })

  assert decoded['access'] == expected_access
+  assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)