Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords

2015-03-25 18:43:12 -04:00 · 2015-03-25 18:43:12 -04:00 · e4b659f107
commit e4b659f107
parent a7a8571396
10 changed files with 222 additions and 8 deletions
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -1,9 +1,11 @@
 import logging
 import json

+from random import SystemRandom
 from flask import request
 from flask.ext.login import logout_user
 from flask.ext.principal import identity_changed, AnonymousIdentity
+from flask.sessions import SecureCookieSessionInterface
 from peewee import IntegrityError

 from app import app, billing as stripe, authentication, avatar
@ -335,13 +337,58 @@ class PrivateRepositories(ApiResource):
    }


+@resource('/v1/user/clientkey')
+@internal_only
+class ClientKey(ApiResource):
+  """ Operations for returning an encrypted key which can be used in place of a password
+      for the Docker client. """
+  schemas = {
+    'GenerateClientKey': {
+      'id': 'GenerateClientKey',
+      'type': 'object',
+      'required': [
+        'password',
+      ],
+      'properties': {
+        'password': {
+          'type': 'string',
+          'description': 'The user\'s password',
+        },
+      }
+    }
+  }
+
+  @require_user_admin
+  @nickname('generateUserClientKey')
+  @validate_json_request('GenerateClientKey')
+  def post(self):
+    """  Return's the user's private client key. """
+    username = get_authenticated_user().username
+    password = request.get_json()['password']
+
+    (result, error_message) = authentication.verify_user(username, password)
+    if not result:
+      raise request_error(message=error_message)
+
+    ser = SecureCookieSessionInterface().get_signing_serializer(app)
+    data_to_sign = {
+      'password': password,
+      'nonce': SystemRandom().randint(0, 10000000000)
+    }
+
+    encrypted = ser.dumps(data_to_sign)
+    return {
+      'key': encrypted
+    }
+
+
 def conduct_signin(username_or_email, password):
  needs_email_verification = False
  invalid_credentials = False

  verified = None
  try:
-    verified = authentication.verify_user(username_or_email, password)
+    (verified, error_message) = authentication.verify_user(username_or_email, password)
  except model.TooManyUsersException as ex:
    raise license_error(exception=ex)

@ -407,7 +454,7 @@ class ConvertToOrganization(ApiResource):

    # Ensure that the sign in credentials work.
    admin_password = convert_data['adminPassword']
-    admin_user =  authentication.verify_user(admin_username, admin_password)
+    (admin_user, error_message) =  authentication.verify_user(admin_username, admin_password)
    if not admin_user:
      raise request_error(reason='invaliduser',
                           message='The admin user credentials are not valid')