Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords

2015-03-25 18:43:12 -04:00 · 2015-03-25 18:43:12 -04:00 · e4b659f107
commit e4b659f107
parent a7a8571396
10 changed files with 222 additions and 8 deletions
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@ -34,7 +34,7 @@
            </td>
          </tr>
          <tr>
-            <td>User Creation:</td>
+            <td class="non-input">User Creation:</td>
            <td colspan="2">
              <div class="co-checkbox">
                <input id="ftuc" type="checkbox" ng-model="config.FEATURE_USER_CREATION">
@ -46,6 +46,23 @@
              </div>
            </td>
          </tr>
+          <tr>
+            <td class="non-input">Encrypted Client Tokens:</td>
+            <td colspan="2">
+              <div class="co-checkbox">
+                <input id="ftet" type="checkbox" ng-model="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+                <label for="ftet">Require Encrypted Client Tokens</label>
+              </div>
+              <div class="help-text">
+                 If enabled, users will not be able to login from the Docker command
+                 line with a non-encrypted password and must generate an encrypted
+                 token to use.
+              </div>
+              <div class="help-text" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
+                This feature is <strong>highly recommended</strong> for setups with LDAP authentication, as Docker currently stores passwords in <strong>plaintext</strong> on user's machines.
+              </div>
+            </td>
+          </tr>
        </table>
      </div>
    </div>
@ -293,6 +310,16 @@
          </p>
        </div>

+        <div class="alert alert-warning" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+          It is <strong>highly recommended</strong> to require encrypted client tokens. LDAP passwords used in the Docker client will be stored in <strong>plain-text</strong>!
+          <a href="javascript:void(0)" ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
+        </div>
+
+        <div class="alert alert-success" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+          Note: The "Require Encrypted Client Tokens" feature is currently enabled which will
+          prevent LDAP passwords from being saved as plain-text by the Docker client.
+        </div>
+
        <table class="config-table">
          <tr>
            <td class="non-input">Authentication:</td>
@ -305,7 +332,6 @@
          </tr>
        </table>

-
        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
          <tr>
            <td>LDAP URI:</td>
--- a/static/js/pages/user-admin.js
+++ b/static/js/pages/user-admin.js
@ -196,6 +196,21 @@
      });
    };

+    $scope.generateClientToken = function() {
+      var generateToken = function(password) {
+        var data = {
+          'password': password
+        };
+
+        ApiService.generateUserClientKey(data).then(function(resp) {
+          $scope.generatedClientToken = resp['key'];
+          $('#clientTokenModal').modal({});
+        }, ApiService.errorDisplay('Could not generate token'));
+      };
+
+      UIService.showPasswordDialog('Enter your password to generate a client token:', generateToken);
+    };
+
    $scope.detachExternalLogin = function(kind) {
      var params = {
        'servicename': kind
--- a/static/js/services/ui-service.js
+++ b/static/js/services/ui-service.js
@ -92,5 +92,47 @@ angular.module('quay').factory('UIService', [function() {
    return new CheckStateController(items, opt_checked);
  };

+  uiService.showPasswordDialog = function(message, callback, opt_canceledCallback) {
+    var success = function() {
+      var password = $('#passDialogBox').val();
+      $('#passDialogBox').val('');
+      callback(password);
+    };
+
+    var canceled = function() {
+      $('#passDialogBox').val('');
+      opt_canceledCallback && opt_canceledCallback();
+    };
+
+    var box = bootbox.dialog({
+      "message": message +
+        '<form style="margin-top: 10px" action="javascript:void(0)">' +
+        '<input id="passDialogBox" class="form-control" type="password" placeholder="Current Password">' +
+        '</form>',
+      "title": 'Please Verify',
+      "buttons": {
+        "verify": {
+          "label": "Verify",
+          "className": "btn-success",
+          "callback": success
+        },
+        "close": {
+          "label": "Cancel",
+          "className": "btn-default",
+          "callback": canceled
+        }
+      }
+    });
+
+    box.bind('shown.bs.modal', function(){
+      box.find("input").focus();
+      box.find("form").submit(function() {
+        if (!$('#passDialogBox').val()) { return; }
+        box.modal('hide');
+        success();
+      });
+    });
+  };
+
  return uiService;
 }]);
--- a/static/partials/user-admin.html
+++ b/static/partials/user-admin.html
@ -33,6 +33,7 @@
        <li quay-classes="{'!Features.BILLING': 'active'}"><a href="javascript:void(0)" data-toggle="tab" data-target="#email">Account E-mail</a></li>
        <li><a href="javascript:void(0)" data-toggle="tab" data-target="#robots">Robot Accounts</a></li>
        <li><a href="javascript:void(0)" data-toggle="tab" data-target="#password">Change Password</a></li>
+        <li><a href="javascript:void(0)" data-toggle="tab" data-target="#clienttoken">Client Token</a></li>
        <li><a href="javascript:void(0)" data-toggle="tab" data-target="#external" quay-show="Features.GITHUB_LOGIN || Features.GOOGLE_LOGIN">External Logins</a></li>
        <li><a href="javascript:void(0)" data-toggle="tab" data-target="#authorized" ng-click="loadAuthedApps()">Authorized Applications</a></li>
        <li quay-show="Features.USER_LOG_ACCESS || hasPaidBusinessPlan">
@ -99,6 +100,16 @@

        </div>

+        <!-- Client token tab -->
+        <div id="clienttoken" class="tab-pane">
+          <div class="alert alert-success">Click the "Generate" button below to generate a client token that can be used <strong>in place of your password</strong> for the Docker
+          command line.</div>
+
+          <button class="btn btn-primary" ng-click="generateClientToken()">
+            <i class="fa fa-key" style="margin-right: 6px;"></i>Generate Client Token
+          </button>
+        </div>
+
        <!-- Logs tab -->
        <div id="logs" class="tab-pane">
          <div class="logs-view" user="user" makevisible="logsShown"></div>
@ -370,6 +381,27 @@
 </div><!-- /.modal -->


+<!-- Modal message dialog -->
+<div class="modal fade" id="clientTokenModal">
+  <div class="modal-dialog">
+    <div class="modal-content">
+      <div class="modal-header">
+        <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+        <h4 class="modal-title">Generate Client Token</h4>
+      </div>
+      <div class="modal-body">
+        <div style="margin-bottom: 10px;">Your generated client token:</div>
+        <div class="copy-box" value="generatedClientToken"></div>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
+      </div>
+    </div><!-- /.modal-content -->
+  </div><!-- /.modal-dialog -->
+</div><!-- /.modal -->
+
+
+
 <!-- Modal message dialog -->
 <div class="modal fade" id="reallyconvertModal">
  <div class="modal-dialog">