Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords

2015-03-25 18:43:12 -04:00 · 2015-03-25 18:43:12 -04:00 · e4b659f107
commit e4b659f107
parent a7a8571396
10 changed files with 222 additions and 8 deletions
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@ -34,7 +34,7 @@
            </td>
          </tr>
          <tr>
-            <td>User Creation:</td>
+            <td class="non-input">User Creation:</td>
            <td colspan="2">
              <div class="co-checkbox">
                <input id="ftuc" type="checkbox" ng-model="config.FEATURE_USER_CREATION">
@ -46,6 +46,23 @@
              </div>
            </td>
          </tr>
+          <tr>
+            <td class="non-input">Encrypted Client Tokens:</td>
+            <td colspan="2">
+              <div class="co-checkbox">
+                <input id="ftet" type="checkbox" ng-model="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+                <label for="ftet">Require Encrypted Client Tokens</label>
+              </div>
+              <div class="help-text">
+                 If enabled, users will not be able to login from the Docker command
+                 line with a non-encrypted password and must generate an encrypted
+                 token to use.
+              </div>
+              <div class="help-text" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
+                This feature is <strong>highly recommended</strong> for setups with LDAP authentication, as Docker currently stores passwords in <strong>plaintext</strong> on user's machines.
+              </div>
+            </td>
+          </tr>
        </table>
      </div>
    </div>
@ -293,6 +310,16 @@
          </p>
        </div>

+        <div class="alert alert-warning" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && !config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+          It is <strong>highly recommended</strong> to require encrypted client tokens. LDAP passwords used in the Docker client will be stored in <strong>plain-text</strong>!
+          <a href="javascript:void(0)" ng-click="config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH = true">Enable this requirement now</a>.
+        </div>
+
+        <div class="alert alert-success" ng-if="config.AUTHENTICATION_TYPE == 'LDAP' && config.FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH">
+          Note: The "Require Encrypted Client Tokens" feature is currently enabled which will
+          prevent LDAP passwords from being saved as plain-text by the Docker client.
+        </div>
+
        <table class="config-table">
          <tr>
            <td class="non-input">Authentication:</td>
@ -305,7 +332,6 @@
          </tr>
        </table>

-
        <table class="config-table" ng-if="config.AUTHENTICATION_TYPE == 'LDAP'">
          <tr>
            <td>LDAP URI:</td>