Use constants for TUF roots
This commit is contained in:
parent
6ad107709c
commit
abd78bce56
3 changed files with 14 additions and 11 deletions
|
@ -5,6 +5,7 @@ from flask_principal import Identity, Principal
|
|||
|
||||
from endpoints.v2.v2auth import get_tuf_root
|
||||
from auth import permissions
|
||||
from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT
|
||||
|
||||
def admin_identity(namespace, reponame):
|
||||
identity = Identity('admin')
|
||||
|
@ -31,13 +32,13 @@ def app_with_principal():
|
|||
return app, principal
|
||||
|
||||
@pytest.mark.parametrize('identity,expected', [
|
||||
(Identity('anon'), 'quay'),
|
||||
(read_identity("namespace", "repo"), 'quay'),
|
||||
(read_identity("different", "repo"), 'quay'),
|
||||
(admin_identity("different", "repo"), 'quay'),
|
||||
(write_identity("different", "repo"), 'quay'),
|
||||
(admin_identity("namespace", "repo"), 'signer'),
|
||||
(write_identity("namespace", "repo"), 'signer'),
|
||||
(Identity('anon'), QUAY_TUF_ROOT),
|
||||
(read_identity("namespace", "repo"), QUAY_TUF_ROOT),
|
||||
(read_identity("different", "repo"), QUAY_TUF_ROOT),
|
||||
(admin_identity("different", "repo"), QUAY_TUF_ROOT),
|
||||
(write_identity("different", "repo"), QUAY_TUF_ROOT),
|
||||
(admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),
|
||||
(write_identity("namespace", "repo"), SIGNER_TUF_ROOT),
|
||||
])
|
||||
def test_get_tuf_root(identity, expected):
|
||||
app, principal = app_with_principal()
|
||||
|
|
|
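Review bot: After this change every expected value in the parametrize list is the same constant that get_tuf_root now returns, so the test no longer pins the literal values 'quay' and 'signer' that the removed rows asserted; if QUAY_TUF_ROOT or SIGNER_TUF_ROOT were edited, this test would still pass while the value that presumably ends up under the `com.apostille.root` claim changed. Worth keeping one literal check somewhere, e.g. `assert QUAY_TUF_ROOT == 'quay'` and `assert SIGNER_TUF_ROOT == 'signer'`, so the externally visible value stays covered. The body of test_get_tuf_root continues past the hunk.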
@ -15,7 +15,7 @@ from endpoints.v2.errors import InvalidLogin
|
|||
from data.interfaces.v2 import pre_oci_model as model
|
||||
from util.cache import no_cache
|
||||
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
|
||||
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
|
||||
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject, QUAY_TUF_ROOT, SIGNER_TUF_ROOT
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
@ -184,5 +184,5 @@ def generate_registry_jwt(auth_result):
|
|||
def get_tuf_root(namespace, reponame):
|
||||
# Users with write access to a repo will see signer-rooted TUF metadata
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
return 'signer'
|
||||
return 'quay'
|
||||
return SIGNER_TUF_ROOT
|
||||
return QUAY_TUF_ROOT
|
||||
|
|
|
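Review bot: get_tuf_root in the second hunk is the one place that decides which TUF root a caller is told about, but it still carries no docstring and the inline comment describes only the write branch; suggest adding `"""Return SIGNER_TUF_ROOT when the caller holds modify permission on the repository, otherwise QUAY_TUF_ROOT."""` above the comment. The widened import in the first hunk, `from util.security.registry_jwt import generate_bearer_token, build_context_and_subject, QUAY_TUF_ROOT, SIGNER_TUF_ROOT`, is now well past 100 columns; a parenthesized multi-line import or a second `from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT` line would keep it readable.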
@ -9,6 +9,8 @@ logger = logging.getLogger(__name__)
|
|||
ANONYMOUS_SUB = '(anonymous)'
|
||||
ALGORITHM = 'RS256'
|
||||
CLAIM_TUF_ROOT = 'com.apostille.root'
|
||||
QUAY_TUF_ROOT = 'quay'
|
||||
SIGNER_TUF_ROOT = 'signer'
|
||||
|
||||
# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
|
||||
# count.
|
||||
|
@ -106,7 +108,7 @@ def build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=N
|
|||
|
||||
# Default to quay root if not explicitly granted permission to see signer root
|
||||
if not tuf_root:
|
||||
tuf_root = 'quay'
|
||||
tuf_root = QUAY_TUF_ROOT
|
||||
|
||||
if oauthtoken:
|
||||
context = {
|
||||
|
|
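Review bot: In the second hunk `if not tuf_root:` still only replaces a falsy value, so any other string a caller passes as tuf_root is carried through unchanged; now that the accepted roots are named constants, the default could be a closed-set check, `if tuf_root not in (QUAY_TUF_ROOT, SIGNER_TUF_ROOT):` followed by `tuf_root = QUAY_TUF_ROOT`, which fails closed to the less privileged root for unexpected input — assuming no caller legitimately passes a third root, which this hunk does not show. The two constants added in the first hunk would also benefit from a one-line comment stating that they are the values consumers of the token compare against, so a future rename does not silently change the claim. build_context_and_subject starts and ends outside the hunk.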