vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Use constants for TUF roots

Browse source
This commit is contained in:
Evan Cordell 2017-03-22 16:14:56 -04:00
parent 6ad107709c
commit abd78bce56
3 changed files with 14 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
endpoints/v2/test/test_v2auth.py
View file

@ -5,6 +5,7 @@ from flask_principal import Identity, Principal
from endpoints.v2.v2auth import get_tuf_root from endpoints.v2.v2auth import get_tuf_root
from auth import permissions from auth import permissions
from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT
def admin_identity(namespace, reponame): def admin_identity(namespace, reponame):
identity = Identity('admin') identity = Identity('admin')
@ -31,13 +32,13 @@ def app_with_principal():
return app, principal return app, principal
@pytest.mark.parametrize('identity,expected', [ @pytest.mark.parametrize('identity,expected', [
(Identity('anon'), 'quay'), (Identity('anon'), QUAY_TUF_ROOT),
(read_identity("namespace", "repo"), 'quay'), (read_identity("namespace", "repo"), QUAY_TUF_ROOT),
(read_identity("different", "repo"), 'quay'), (read_identity("different", "repo"), QUAY_TUF_ROOT),
(admin_identity("different", "repo"), 'quay'), (admin_identity("different", "repo"), QUAY_TUF_ROOT),
(write_identity("different", "repo"), 'quay'), (write_identity("different", "repo"), QUAY_TUF_ROOT),
(admin_identity("namespace", "repo"), 'signer'), (admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),
(write_identity("namespace", "repo"), 'signer'), (write_identity("namespace", "repo"), SIGNER_TUF_ROOT),
]) ])
def test_get_tuf_root(identity, expected): def test_get_tuf_root(identity, expected):
app, principal = app_with_principal() app, principal = app_with_principal()

6
endpoints/v2/v2auth.py
View file

@ -15,7 +15,7 @@ from endpoints.v2.errors import InvalidLogin
from data.interfaces.v2 import pre_oci_model as model from data.interfaces.v2 import pre_oci_model as model
from util.cache import no_cache from util.cache import no_cache
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject from util.security.registry_jwt import generate_bearer_token, build_context_and_subject, QUAY_TUF_ROOT, SIGNER_TUF_ROOT
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -184,5 +184,5 @@ def generate_registry_jwt(auth_result):
def get_tuf_root(namespace, reponame): def get_tuf_root(namespace, reponame):
# Users with write access to a repo will see signer-rooted TUF metadata # Users with write access to a repo will see signer-rooted TUF metadata
if ModifyRepositoryPermission(namespace, reponame).can(): if ModifyRepositoryPermission(namespace, reponame).can():
return 'signer' return SIGNER_TUF_ROOT
return 'quay' return QUAY_TUF_ROOT

4
util/security/registry_jwt.py
View file

@ -9,6 +9,8 @@ logger = logging.getLogger(__name__)
ANONYMOUS_SUB = '(anonymous)' ANONYMOUS_SUB = '(anonymous)'
ALGORITHM = 'RS256' ALGORITHM = 'RS256'
CLAIM_TUF_ROOT = 'com.apostille.root' CLAIM_TUF_ROOT = 'com.apostille.root'
QUAY_TUF_ROOT = 'quay'
SIGNER_TUF_ROOT = 'signer'
# The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this # The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
# count. # count.
@ -106,7 +108,7 @@ def build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=N
# Default to quay root if not explicitly granted permission to see signer root # Default to quay root if not explicitly granted permission to see signer root
if not tuf_root: if not tuf_root:
tuf_root = 'quay' tuf_root = QUAY_TUF_ROOT
if oauthtoken: if oauthtoken:
context = { context = {