Refactor auth code to be cleaner and more extensible
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc.).
This commit is contained in:
parent
8ba2e71fb1
commit
e220b50543
31 changed files with 822 additions and 436 deletions
@ -106,50 +106,21 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
def build_context_and_subject(user=None, token=None, oauthtoken=None, appspecifictoken=None,
tuf_root=None):
def build_context_and_subject(auth_context=None, tuf_root=None):
""" Builds the custom context field for the JWT signed token and returns it,
along with the subject for the JWT signed token. """
# Serialize to a dictionary.
context = auth_context.to_signed_dict() if auth_context else {}
# Default to quay root if not explicitly granted permission to see signer root
if not tuf_root:
tuf_root = QUAY_TUF_ROOT
context = {
CLAIM_TUF_ROOT: tuf_root
}
if oauthtoken:
context.update({
'kind': 'oauth',
'user': user.username,
'oauth': oauthtoken.uuid,
})
return (context, user.username)
if appspecifictoken:
context.update({
'kind': 'app_specific_token',
'user': user.username,
'ast': appspecifictoken.uuid,
})
return (context, user.username)
if user:
context.update({
'kind': 'user',
'user': user.username,
})
return (context, user.username)
if token:
context.update({
'kind': 'token',
'token': token.code,
})
return (context, None)
context.update({
'kind': 'anonymous',
CLAIM_TUF_ROOT: tuf_root
})
return (context, ANONYMOUS_SUB)
if not auth_context or auth_context.is_anonymous:
return (context, ANONYMOUS_SUB)
return (context, auth_context.authed_user.username if auth_context.authed_user else None)
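Review bot: As rendered, the new body assigns `context = auth_context.to_signed_dict() if auth_context else {}` and a few lines later still shows `context = { CLAIM_TUF_ROOT: tuf_root }`; if that second assignment survives on the new side it discards the serialized auth context and every token is issued with an anonymous-looking claim set, so it should become `context[CLAIM_TUF_ROOT] = tuf_root` (or a `context.update({...})`). The old/new markers are lost on this page, so that may be a rendering artifact and should be confirmed against the raw diff. Separately, the removed code placed the raw `token.code` into the claim set, and a JWT payload is only base64-encoded, not encrypted, so now that serialization lives in AuthContext a comment above the `to_signed_dict()` call such as `# NOTE: every key returned by to_signed_dict() becomes a readable claim in the issued JWT; never include credential material such as raw token codes` would make that contract explicit for implementers of new context types. The docstring should also state the subject contract the two return statements establish: `ANONYMOUS_SUB` when auth_context is missing or anonymous, the authed user's username otherwise, and `None` when the context carries no authed user.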