diff --git a/data/database.py b/data/database.py
index d99f56c77..d6a67bd80 100644
--- a/data/database.py
+++ b/data/database.py
@@ -176,6 +176,7 @@ class RepositoryBuildTrigger(BaseModel):
auth_token = CharField()
config = TextField(default='{}')
write_token = ForeignKeyField(AccessToken, null=True)
+ pull_robot = ForeignKeyField(User, null=True, related_name='triggerpullrobot')
class EmailConfirmation(BaseModel):
@@ -244,6 +245,7 @@ class RepositoryBuild(BaseModel):
started = DateTimeField(default=datetime.now)
display_name = CharField()
trigger = ForeignKeyField(RepositoryBuildTrigger, null=True, index=True)
+ pull_robot = ForeignKeyField(User, null=True, related_name='buildpullrobot')
class QueueItem(BaseModel):
diff --git a/data/model/legacy.py b/data/model/legacy.py
index 5a735014b..3cfa6c27f 100644
--- a/data/model/legacy.py
+++ b/data/model/legacy.py
@@ -154,6 +154,16 @@ def create_robot(robot_shortname, parent):
raise DataModelException(ex.message)
+def lookup_robot(robot_username):
+ joined = User.select().join(FederatedLogin).join(LoginService)
+ found = list(joined.where(LoginService.name == 'quayrobot',
+ User.username == robot_username))
+ if not found or len(found) < 1 or not found[0].robot:
+ return None
+
+ return found[0]
+
+
def verify_robot(robot_username, password):
joined = User.select().join(FederatedLogin).join(LoginService)
found = list(joined.where(FederatedLogin.service_ident == password,
@@ -1443,11 +1453,40 @@ def get_recent_repository_build(namespace_name, repository_name):
def create_repository_build(repo, access_token, job_config_obj, dockerfile_id,
- display_name, trigger=None):
+ display_name, trigger=None, pull_robot_name=None):
+ pull_robot = None
+ if pull_robot_name:
+ pull_robot = lookup_robot(pull_robot_name)
+
return RepositoryBuild.create(repository=repo, access_token=access_token,
job_config=json.dumps(job_config_obj),
display_name=display_name, trigger=trigger,
- resource_key=dockerfile_id)
+ resource_key=dockerfile_id,
+ pull_robot=pull_robot)
+
+
+def get_pull_robot_name(trigger):
+ if not trigger.pull_robot:
+ return None
+
+ return trigger.pull_robot.username
+
+
+def get_pull_credentials(robotname):
+ robot = lookup_robot(robotname)
+ if not robot:
+ return None
+
+ try:
+ login_info = FederatedLogin.get(user=robot)
+ except FederatedLogin.DoesNotExist:
+ return None
+
+ return {
+ 'username': robot.username,
+ 'password': login_info.service_ident,
+ 'registry': '%s://%s/v1/' % (app.config['URL_SCHEME'], app.config['URL_HOST']),
+ }
def create_webhook(repo, params_obj):
@@ -1506,11 +1545,12 @@ def log_action(kind_name, user_or_organization_name, performer=None,
metadata_json=json.dumps(metadata), datetime=timestamp)
-def create_build_trigger(repo, service_name, auth_token, user):
+def create_build_trigger(repo, service_name, auth_token, user, pull_robot=None):
service = BuildTriggerService.get(name=service_name)
trigger = RepositoryBuildTrigger.create(repository=repo, service=service,
auth_token=auth_token,
- connected_user=user)
+ connected_user=user,
+ pull_robot=pull_robot)
return trigger
diff --git a/endpoints/api/build.py b/endpoints/api/build.py
index 63c85ad8e..9fa130054 100644
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@@ -10,8 +10,10 @@ from endpoints.api import (RepositoryParamResource, parse_args, query_param, nic
from endpoints.common import start_build
from endpoints.trigger import BuildTrigger
from data import model
-from auth.permissions import ModifyRepositoryPermission
+from auth.auth_context import get_authenticated_user
+from auth.permissions import ModifyRepositoryPermission, AdministerOrganizationPermission
from data.buildlogs import BuildStatusRetrievalError
+from util.names import parse_robot_username
logger = logging.getLogger(__name__)
@@ -33,7 +35,15 @@ def get_job_config(build_obj):
return None
+def user_view(user):
+ return {
+ 'name': user.username,
+ 'kind': 'user',
+ 'is_robot': user.robot,
+ }
+
def trigger_view(trigger):
+
if trigger and trigger.uuid:
config_dict = get_trigger_config(trigger)
build_trigger = BuildTrigger.get_trigger_for_service(trigger.service.name)
@@ -42,7 +52,8 @@ def trigger_view(trigger):
'config': config_dict,
'id': trigger.uuid,
'connected_user': trigger.connected_user.username,
- 'is_active': build_trigger.is_active(config_dict)
+ 'is_active': build_trigger.is_active(config_dict),
+ 'pull_robot': user_view(trigger.pull_robot) if trigger.pull_robot else None
}
return None
@@ -67,6 +78,7 @@ def build_status_view(build_obj, can_write=False):
'is_writer': can_write,
'trigger': trigger_view(build_obj.trigger),
'resource_key': build_obj.resource_key,
+ 'pull_robot': user_view(build_obj.pull_robot) if build_obj.pull_robot else None,
}
if can_write:
@@ -95,6 +107,10 @@ class RepositoryBuildList(RepositoryParamResource):
'type': 'string',
'description': 'Subdirectory in which the Dockerfile can be found',
},
+ 'pull_robot': {
+ 'type': 'string',
+ 'description': 'Username of a Quay robot account to use as pull credentials',
+ }
},
},
}
@@ -123,6 +139,22 @@ class RepositoryBuildList(RepositoryParamResource):
dockerfile_id = request_json['file_id']
subdir = request_json['subdirectory'] if 'subdirectory' in request_json else ''
+ pull_robot_name = request_json.get('pull_robot', None)
+
+ # Verify the security behind the pull robot.
+ if pull_robot_name:
+ result = parse_robot_username(pull_robot_name)
+ if result:
+ pull_robot = model.lookup_robot(pull_robot_name)
+ if not pull_robot:
+ raise NotFound()
+
+ # Make sure the user has administer permissions for the robot's namespace.
+ (robot_namespace, shortname) = result
+ if not AdministerOrganizationPermission(robot_namespace).can():
+ raise Unauthorized()
+ else:
+ raise Unauthorized()
# Check if the dockerfile resource has already been used. If so, then it
# can only be reused if the user has access to the repository for which it
@@ -137,7 +169,8 @@ class RepositoryBuildList(RepositoryParamResource):
repo = model.get_repository(namespace, repository)
display_name = user_files.get_file_checksum(dockerfile_id)
- build_request = start_build(repo, dockerfile_id, ['latest'], display_name, subdir, True)
+ build_request = start_build(repo, dockerfile_id, ['latest'], display_name, subdir, True,
+ pull_robot_name=pull_robot_name)
resp = build_status_view(build_request, True)
repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py
index c28188057..c62367f52 100644
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@@ -16,7 +16,8 @@ from endpoints.trigger import (BuildTrigger as BuildTriggerBase, TriggerDeactiva
TriggerActivationException, EmptyRepositoryException,
RepositoryReadException)
from data import model
-from auth.permissions import UserAdminPermission
+from auth.permissions import UserAdminPermission, AdministerOrganizationPermission
+from util.names import parse_robot_username
logger = logging.getLogger(__name__)
@@ -139,7 +140,19 @@ class BuildTriggerActivate(RepositoryParamResource):
'BuildTriggerActivateRequest': {
'id': 'BuildTriggerActivateRequest',
'type': 'object',
- 'description': 'Arbitrary json.',
+ 'required': [
+ 'config'
+ ],
+ 'properties': {
+ 'config': {
+ 'type': 'object',
+ 'description': 'Arbitrary json.',
+ },
+ 'pull_robot': {
+ 'type': 'string',
+ 'description': 'The name of the robot that will be used to pull images.'
+ }
+ }
},
}
@@ -160,7 +173,27 @@ class BuildTriggerActivate(RepositoryParamResource):
user_permission = UserAdminPermission(trigger.connected_user.username)
if user_permission.can():
- new_config_dict = request.get_json()
+ # Update the pull robot (if any).
+ pull_robot_name = request.get_json().get('pull_robot', None)
+ if pull_robot_name:
+ pull_robot = model.lookup_robot(pull_robot_name)
+ if not pull_robot:
+ raise NotFound()
+
+ # Make sure the user has administer permissions for the robot's namespace.
+ (robot_namespace, shortname) = parse_robot_username(pull_robot_name)
+ if not AdministerOrganizationPermission(robot_namespace).can():
+ raise Unauthorized()
+
+ # Make sure the namespace matches that of the trigger.
+ if robot_namespace != namespace:
+ raise Unauthorized()
+
+ # Set the pull robot.
+ trigger.pull_robot = pull_robot
+
+ # Update the config.
+ new_config_dict = request.get_json()['config']
token_name = 'Build Trigger: %s' % trigger.service.name
token = model.create_delegate_token(namespace, repository, token_name,
@@ -191,6 +224,7 @@ class BuildTriggerActivate(RepositoryParamResource):
log_action('setup_repo_trigger', namespace,
{'repo': repository, 'namespace': namespace,
'trigger_id': trigger.uuid, 'service': trigger.service.name,
+ 'pull_robot': trigger.pull_robot.username if trigger.pull_robot else None,
'config': final_config}, repo=repo)
return trigger_view(trigger)
@@ -220,8 +254,10 @@ class ActivateBuildTrigger(RepositoryParamResource):
dockerfile_id, tags, name, subdir = specs
repo = model.get_repository(namespace, repository)
+ pull_robot_name = model.get_pull_robot_name(trigger)
- build_request = start_build(repo, dockerfile_id, tags, name, subdir, True)
+ build_request = start_build(repo, dockerfile_id, tags, name, subdir, True,
+ pull_robot_name=pull_robot_name)
resp = build_status_view(build_request, True)
repo_string = '%s/%s' % (namespace, repository)
diff --git a/endpoints/common.py b/endpoints/common.py
index df233dfba..e25d7c797 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
@@ -107,7 +107,7 @@ def check_repository_usage(user_or_org, plan_found):
def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
- trigger=None):
+ trigger=None, pull_robot_name=None):
host = urlparse.urlparse(request.url).netloc
repo_path = '%s/%s/%s' % (host, repository.namespace, repository.name)
@@ -118,16 +118,18 @@ def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
job_config = {
'docker_tags': tags,
'repository': repo_path,
- 'build_subdir': subdir,
+ 'build_subdir': subdir
}
+
build_request = model.create_repository_build(repository, token, job_config,
dockerfile_id, build_name,
- trigger)
+ trigger, pull_robot_name = pull_robot_name)
dockerfile_build_queue.put(json.dumps({
'build_uuid': build_request.uuid,
'namespace': repository.namespace,
'repository': repository.name,
+ 'pull_credentials': model.get_pull_credentials(pull_robot_name) if pull_robot_name else None
}), retries_remaining=1)
metadata = {
diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py
index d92e7095e..93d5e413c 100644
--- a/endpoints/webhooks.py
+++ b/endpoints/webhooks.py
@@ -73,8 +73,10 @@ def build_trigger_webhook(namespace, repository, trigger_uuid):
# This was just a validation request, we don't need to build anything
return make_response('Okay')
+ pull_robot_name = model.get_pull_robot_name(trigger)
repo = model.get_repository(namespace, repository)
- start_build(repo, dockerfile_id, tags, name, subdir, False, trigger)
+ start_build(repo, dockerfile_id, tags, name, subdir, False, trigger,
+ pull_robot_name=pull_robot_name)
return make_response('Okay')
diff --git a/initdb.py b/initdb.py
index fdb3f8e01..854f83f8a 100644
--- a/initdb.py
+++ b/initdb.py
@@ -257,7 +257,7 @@ def populate_database():
new_user_1.stripe_id = TEST_STRIPE_ID
new_user_1.save()
- model.create_robot('dtrobot', new_user_1)
+ dtrobot = model.create_robot('dtrobot', new_user_1)
new_user_2 = model.create_user('public', 'password',
'jacob.moshenko@gmail.com')
@@ -268,6 +268,8 @@ def populate_database():
new_user_3.verified = True
new_user_3.save()
+ model.create_robot('anotherrobot', new_user_3)
+
new_user_4 = model.create_user('randomuser', 'password', 'no4@thanks.com')
new_user_4.verified = True
new_user_4.save()
@@ -330,7 +332,7 @@ def populate_database():
token = model.create_access_token(building, 'write')
trigger = model.create_build_trigger(building, 'github', '123authtoken',
- new_user_1)
+ new_user_1, pull_robot=dtrobot[0])
trigger.config = json.dumps({
'build_source': 'jakedt/testconnect',
'subdir': '',
@@ -366,6 +368,8 @@ def populate_database():
org.stripe_id = TEST_STRIPE_ID
org.save()
+ model.create_robot('coolrobot', org)
+
oauth.create_application(org, 'Some Test App', 'http://localhost:8000', 'http://localhost:8000/o2c.html',
client_id='deadbeef')
diff --git a/requirements-nover.txt b/requirements-nover.txt
index bac4ba690..8bd0d7946 100644
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@@ -21,7 +21,7 @@ xhtml2pdf
logstash_formatter
redis
hiredis
-docker-py
+git+https://github.com/DevTable/docker-py.git
loremipsum
pygithub
flask-restful
diff --git a/static/css/quay.css b/static/css/quay.css
index ac7c01e66..919c0ddc9 100644
--- a/static/css/quay.css
+++ b/static/css/quay.css
@@ -3589,4 +3589,38 @@ pre.command:before {
.auth-info .scope {
cursor: pointer;
margin-right: 4px;
+}
+
+.trigger-pull-credentials {
+ margin-top: 4px;
+ padding-left: 26px;
+ font-size: 12px;
+}
+
+.trigger-pull-credentials .context-tooltip {
+ color: gray;
+ margin-right: 4px;
+}
+
+.trigger-description .trigger-description-subtitle {
+ display: inline-block;
+ margin-right: 34px;
+}
+
+.trigger-option-section:not(:last-child) {
+ border-bottom: 1px solid #eee;
+ padding-bottom: 16px;
+ margin-bottom: 16px;
+}
+
+.trigger-option-section .entity-search-element .twitter-typeahead {
+ width: 370px;
+}
+
+.trigger-option-section .entity-search-element input {
+ width: 100%;
+}
+
+.trigger-option-section table td {
+ padding: 6px;
}
\ No newline at end of file
diff --git a/static/directives/trigger-description.html b/static/directives/trigger-description.html
index 2a081aa69..1ce32ec32 100644
--- a/static/directives/trigger-description.html
+++ b/static/directives/trigger-description.html
@@ -10,7 +10,7 @@
-
Dockerfile:
+ Dockerfile:
//Dockerfile
diff --git a/static/js/app.js b/static/js/app.js
index 57a012a44..311b531fb 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -2644,7 +2644,8 @@ quayApp.directive('entitySearch', function () {
'isOrganization': '=isOrganization',
'isPersistent': '=isPersistent',
'currentEntity': '=currentEntity',
- 'clearNow': '=clearNow'
+ 'clearNow': '=clearNow',
+ 'filter': '=filter',
},
controller: function($scope, $element, Restangular, UserService, ApiService) {
$scope.lazyLoading = true;
@@ -2727,7 +2728,7 @@ quayApp.directive('entitySearch', function () {
entity['is_org_member'] = true;
}
- $scope.setEntityInternal(entity);
+ $scope.setEntityInternal(entity, false);
};
$scope.clearEntityInternal = function() {
@@ -2737,8 +2738,12 @@ quayApp.directive('entitySearch', function () {
}
};
- $scope.setEntityInternal = function(entity) {
- $(input).typeahead('val', $scope.isPersistent ? entity.name : '');
+ $scope.setEntityInternal = function(entity, updateTypeahead) {
+ if (updateTypeahead) {
+ $(input).typeahead('val', $scope.isPersistent ? entity.name : '');
+ } else {
+ $(input).val($scope.isPersistent ? entity.name : '');
+ }
if ($scope.isPersistent) {
$scope.currentEntity = entity;
@@ -2768,6 +2773,19 @@ quayApp.directive('entitySearch', function () {
var datums = [];
for (var i = 0; i < data.results.length; ++i) {
var entity = data.results[i];
+ if ($scope.filter) {
+ var allowed = $scope.filter;
+ var found = 'user';
+ if (entity.kind == 'user') {
+ found = entity.is_robot ? 'robot' : 'user';
+ } else if (entity.kind == 'team') {
+ found = 'team';
+ }
+ if (allowed.indexOf(found)) {
+ continue;
+ }
+ }
+
datums.push({
'value': entity.name,
'tokens': [entity.name],
@@ -2840,7 +2858,7 @@ quayApp.directive('entitySearch', function () {
$(input).on('typeahead:selected', function(e, datum) {
$scope.$apply(function() {
- $scope.setEntityInternal(datum.entity);
+ $scope.setEntityInternal(datum.entity, true);
});
});
diff --git a/static/js/controllers.js b/static/js/controllers.js
index c2249773c..08bcca561 100644
--- a/static/js/controllers.js
+++ b/static/js/controllers.js
@@ -962,9 +962,13 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope
var data = {
'file_id': build['resource_key'],
- 'subdirectory': subdirectory
+ 'subdirectory': subdirectory,
};
+ if (build['pull_robot']) {
+ data['pull_robot'] = build['pull_robot']['name'];
+ }
+
var params = {
'repository': namespace + '/' + name
};
@@ -1148,7 +1152,7 @@ function RepoBuildCtrl($scope, Restangular, ApiService, $routeParams, $rootScope
fetchRepository();
}
-function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope, $location) {
+function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams, $rootScope, $location, UserService) {
var namespace = $routeParams.namespace;
var name = $routeParams.name;
@@ -1452,6 +1456,10 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
$scope.setupTrigger = function(trigger) {
$scope.triggerSetupReady = false;
$scope.currentSetupTrigger = trigger;
+
+ trigger['_pullEntity'] = null;
+ trigger['_publicPull'] = true;
+
$('#setupTriggerModal').modal({});
$('#setupTriggerModal').on('hidden.bs.modal', function () {
$scope.$apply(function() {
@@ -1460,6 +1468,10 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
});
};
+ $scope.isNamespaceAdmin = function(namespace) {
+ return UserService.isNamespaceAdmin(namespace);
+ };
+
$scope.finishSetupTrigger = function(trigger) {
$('#setupTriggerModal').modal('hide');
$scope.currentSetupTrigger = null;
@@ -1469,8 +1481,17 @@ function RepoAdminCtrl($scope, Restangular, ApiService, KeyService, $routeParams
'trigger_uuid': trigger.id
};
- ApiService.activateBuildTrigger(trigger['config'], params).then(function(resp) {
- trigger['is_active'] = true;
+ var data = {
+ 'config': trigger['config']
+ };
+
+ if (trigger['_pullEntity']) {
+ data['pull_robot'] = trigger['_pullEntity']['name'];
+ }
+
+ ApiService.activateBuildTrigger(data, params).then(function(resp) {
+ trigger['is_active'] = true;
+ trigger['pull_robot'] = resp['pull_robot'];
}, function(resp) {
$scope.triggers.splice($scope.triggers.indexOf(trigger), 1);
bootbox.dialog({
diff --git a/static/partials/repo-admin.html b/static/partials/repo-admin.html
index 6d2fe9665..f1ee224f5 100644
--- a/static/partials/repo-admin.html
+++ b/static/partials/repo-admin.html
@@ -270,6 +270,12 @@
Setting up trigger
+
+ Pull Credentials:
+
+
+
@@ -387,14 +393,54 @@
Setup new build trigger
-
+
+
+
+ |
+
+ Pull Credentials:
+
+ |
+
+
+ In order to set pull credentials for a build trigger, you must be an Administrator of the namespace {{ repo.namespace }}
+
+
+
+
+
+ |
+
+
+ |
+ |
+
+
+ |
+
+
+
+
+
|