vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #2899 from coreos-inc/joseph.schorr/QS-36/appr-auth-improvement

Browse source 
Allow app registry to use robots and tokens to login
This commit is contained in:
josephschorr 2017-12-06 15:04:22 -05:00 committed by GitHub
commit d405f6f158
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 136 additions and 74 deletions
Download patch file Download diff file Expand all files Collapse all files

9
endpoints/appr/registry.py
View file

@ -11,6 +11,7 @@ from cnr.exception import (
from flask import jsonify, request
from auth.auth_context import get_authenticated_user
from auth.credentials import validate_credentials
from auth.decorators import process_auth
from auth.permissions import CreateRepositoryPermission, ModifyRepositoryPermission
from endpoints.appr import appr_bp, require_app_repo_read, require_app_repo_write
@ -56,11 +57,11 @@ def login():
if not username or not password:
raise InvalidUsage('Missing username or password')
user, err = User.get_user(username, password)
if err is not None:
raise UnauthorizedAccess(err)
result, _ = validate_credentials(username, password)
if not result.auth_valid:
raise UnauthorizedAccess(result.error_message)
return jsonify({'token': "basic " + b64encode("%s:%s" % (user.username, password))})
return jsonify({'token': "basic " + b64encode("%s:%s" % (username, password))})
# @TODO: Redirect to S3 url

41
endpoints/v1/index.py
View file

@ -8,6 +8,7 @@ from flask import request, make_response, jsonify, session
from app import authentication, userevents, metric_queue
from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
from auth.credentials import validate_credentials, CredentialKind
from auth.decorators import process_auth
from auth.permissions import (
ModifyRepositoryPermission, UserAdminPermission, ReadRepositoryPermission,
@ -84,34 +85,32 @@ def create_user():
# UGH! we have to use this response when the login actually worked, in order
# to get the CLI to try again with a get, and then tell us login succeeded.
success = make_response('"Username or email already exists"', 400)
result, kind = validate_credentials(username, password)
if not result.auth_valid:
if kind == CredentialKind.token:
abort(400, 'Invalid access token.', issue='invalid-access-token')
if username == '$token':
if model.load_token(password):
return success
abort(400, 'Invalid access token.', issue='invalid-access-token')
if kind == CredentialKind.robot:
abort(400, 'Invalid robot account or password.', issue='robot-login-failure')
elif username == '$oauthtoken':
if model.validate_oauth_token(password):
return success
abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')
if kind == CredentialKind.oauth_token:
abort(400, 'Invalid oauth access token.', issue='invalid-oauth-access-token')
elif '+' in username:
if model.verify_robot(username, password):
return success
abort(400, 'Invalid robot account or password.', issue='robot-login-failure')
if kind == CredentialKind.user:
# Mark that the login failed.
event = userevents.get_event(username)
event.publish_event_data('docker-cli', {'action': 'loginfailure'})
abort(400, result.error_message, issue='login-failure')
(verified, error_message) = authentication.verify_and_link_user(username, password,
basic_auth=True)
if verified:
# Default case: Just fail.
abort(400, result.error_message, issue='login-failure')
if result.has_user:
# Mark that the user was logged in.
event = userevents.get_event(username)
event.publish_event_data('docker-cli', {'action': 'login'})
return success
else:
# Mark that the login failed.
event = userevents.get_event(username)
event.publish_event_data('docker-cli', {'action': 'loginfailure'})
abort(400, error_message, issue='login-failure')
return success
@v1_bp.route('/users', methods=['GET'])