From abd78bce5683dfc2c754b7c3e0862da57e7af3a1 Mon Sep 17 00:00:00 2001 From: Evan Cordell Date: Wed, 22 Mar 2017 16:14:56 -0400 Subject: [PATCH] Use constants for TUF roots --- endpoints/v2/test/test_v2auth.py | 15 ++++++++------- endpoints/v2/v2auth.py | 6 +++--- util/security/registry_jwt.py | 4 +++- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/endpoints/v2/test/test_v2auth.py b/endpoints/v2/test/test_v2auth.py index b3c83fde6..38b4167fd 100644 --- a/endpoints/v2/test/test_v2auth.py +++ b/endpoints/v2/test/test_v2auth.py @@ -5,6 +5,7 @@ from flask_principal import Identity, Principal from endpoints.v2.v2auth import get_tuf_root from auth import permissions +from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT def admin_identity(namespace, reponame): identity = Identity('admin') @@ -31,13 +32,13 @@ def app_with_principal(): return app, principal @pytest.mark.parametrize('identity,expected', [ - (Identity('anon'), 'quay'), - (read_identity("namespace", "repo"), 'quay'), - (read_identity("different", "repo"), 'quay'), - (admin_identity("different", "repo"), 'quay'), - (write_identity("different", "repo"), 'quay'), - (admin_identity("namespace", "repo"), 'signer'), - (write_identity("namespace", "repo"), 'signer'), + (Identity('anon'), QUAY_TUF_ROOT), + (read_identity("namespace", "repo"), QUAY_TUF_ROOT), + (read_identity("different", "repo"), QUAY_TUF_ROOT), + (admin_identity("different", "repo"), QUAY_TUF_ROOT), + (write_identity("different", "repo"), QUAY_TUF_ROOT), + (admin_identity("namespace", "repo"), SIGNER_TUF_ROOT), + (write_identity("namespace", "repo"), SIGNER_TUF_ROOT), ]) def test_get_tuf_root(identity, expected): app, principal = app_with_principal() diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py index 66983c332..b09b62652 100644 --- a/endpoints/v2/v2auth.py +++ b/endpoints/v2/v2auth.py 
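Review bot: None of the parametrized cases in `test_get_tuf_root` varies the repository inside the permitted namespace, so a permission that were scoped to the namespace rather than the repository would still pass every row; add `(write_identity("namespace", "other"), QUAY_TUF_ROOT)` and `(admin_identity("namespace", "other"), QUAY_TUF_ROOT)` so the test pins that the signer root is granted per repository. This presumes the test body calls `get_tuf_root("namespace", "repo")` and that `write_identity`/`admin_identity` grant repo-scoped permissions; both are defined outside the hunk, so confirm against those helpers. The body of `test_get_tuf_root` continues past the end of the hunk.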
@@ -15,7 +15,7 @@ from endpoints.v2.errors import InvalidLogin from data.interfaces.v2 import pre_oci_model as model from util.cache import no_cache from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX -from util.security.registry_jwt import generate_bearer_token, build_context_and_subject +from util.security.registry_jwt import generate_bearer_token, build_context_and_subject, QUAY_TUF_ROOT, SIGNER_TUF_ROOT logger = logging.getLogger(__name__) @@ -184,5 +184,5 @@ def generate_registry_jwt(auth_result): def get_tuf_root(namespace, reponame): # Users with write access to a repo will see signer-rooted TUF metadata if ModifyRepositoryPermission(namespace, reponame).can(): - return 'signer' - return 'quay' + return SIGNER_TUF_ROOT + return QUAY_TUF_ROOT diff --git a/util/security/registry_jwt.py b/util/security/registry_jwt.py index 9f7457241..b8efc364c 100644 --- a/util/security/registry_jwt.py +++ b/util/security/registry_jwt.py @@ -9,6 +9,8 @@ logger = logging.getLogger(__name__) ANONYMOUS_SUB = '(anonymous)' ALGORITHM = 'RS256' CLAIM_TUF_ROOT = 'com.apostille.root' +QUAY_TUF_ROOT = 'quay' +SIGNER_TUF_ROOT = 'signer' # The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this # count. @@ -106,7 +108,7 @@ def build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=N # Default to quay root if not explicitly granted permission to see signer root if not tuf_root: - tuf_root = 'quay' + tuf_root = QUAY_TUF_ROOT if oauthtoken: context = {
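Review bot: `get_tuf_root` is the single place that decides which TUF root a bearer token will assert, but it carries only a one-line inline comment; it deserves a docstring that states the contract so the next reader sees the authorization consequence without tracing callers. Something like `"""Return the TUF root the current identity may see for namespace/reponame: SIGNER_TUF_ROOT when it holds ModifyRepositoryPermission, otherwise QUAY_TUF_ROOT (fail-closed default)."""` placed above the existing comment. The "fail-closed" wording is grounded in the visible fall-through to `QUAY_TUF_ROOT`; keep it that way if the permission check ever grows more branches.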
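Review bot: The new `QUAY_TUF_ROOT`/`SIGNER_TUF_ROOT` constants sit next to `CLAIM_TUF_ROOT` with no comment, and nothing at the definition site says which one is the privileged value; a reader of `registry_jwt.py` alone cannot tell that handing out `SIGNER_TUF_ROOT` is an authorization decision. Add above them: `# Allowed values of the CLAIM_TUF_ROOT claim. 'quay' is the default root; 'signer' must only be issued to identities with write access (see get_tuf_root in endpoints/v2/v2auth.py).` Both facts are stated in comments elsewhere in this patch, so the note only surfaces them where the values are defined.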
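Review bot: `build_context_and_subject` only substitutes the default when `tuf_root` is falsy; any other string passes through unchecked and presumably ends up in the `CLAIM_TUF_ROOT` claim (that assignment is outside the hunk). Now that the roots are a closed set of two constants, reject anything else so a mistaken caller fails closed instead of minting a token with an unexpected root: after the default, `if tuf_root not in (QUAY_TUF_ROOT, SIGNER_TUF_ROOT): raise ValueError('unknown TUF root: %r' % tuf_root)`. Callers that could previously pass an arbitrary string would now get an exception, so check the call sites before merging. The enclosing function starts before the hunk and continues after it.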