vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
5130 commits 2 branches 62 tags 205 MiB
Commit graph

102 commits

Author SHA1 Message Date
Evan Cordell
eba75494d9 Use new error format for auth errors (factor exceptions into module) 2016-04-11 16:22:26 -04:00
Joseph Schorr
b5b2df2063 Make test more resilient to changes in IDs 2016-03-30 16:19:15 -04:00
Joseph Schorr
a3aa4592cf Change permissions to only load required by default 
Permissions now load just the namespace and/or repository permissions requested, with a fallback to a full permissions load if necessary.
 2016-03-28 16:33:32 -04:00
Jimmy Zelinskie
ea2e17cc11 v2: send proper scopes for authorization failures 
Fixes #1278.
 2016-03-11 13:41:38 -05:00
Jimmy Zelinskie
bb46cc933d use kwargs for parse_repository_name 2016-03-09 16:20:28 -05:00
josephschorr
e8faa9f843 Merge pull request #939 from coreos-inc/user-admin 
Add user admin scope
 2016-02-16 16:42:29 -05:00
Jake Moshenko
01a92a66ba Refresh base image and python dependencies 2016-01-27 11:36:40 -05:00
Joseph Schorr
e4ffaff869 Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories. 
This support is placed behind a feature flag.
 2016-01-22 15:54:06 -05:00
Joseph Schorr
4e942203cb Fix handling of tokens in the new context block of the JWT 2015-12-15 16:52:22 -05:00
Joseph Schorr
ca7d36bf14 Handle empty scopes and always send the WWW-Authenticate header, as per spec 
Fixes #1045
 2015-12-15 14:59:47 -05:00
Joseph Schorr
4a4eee5e05 Make our JWT subjects better and log using the info 
Fixes #1039
 2015-12-14 14:00:33 -05:00
Matt Jibson
f02bb3caee Add user admin scope 
Also remove unused scope decorator.

fixes #890
 2015-11-18 12:01:40 -05:00
Jake Moshenko
9c3ddf846f Some fixes and tests for v2 auth 
Fixes #395
 2015-09-10 15:38:57 -04:00
Jake Moshenko
82efc746b3 Make our JWT checking more strict. 2015-09-04 15:18:57 -04:00
Jake Moshenko
b2844fb8c7 Switch the base case for when a scope string contains an invalid scope. 2015-08-05 17:35:02 -04:00
Joseph Schorr
354f4109d0 Switch to returning an empty set when there are invalid auth scopes 2015-07-31 12:49:42 -04:00
Joseph Schorr
804be4d4be OAuth scopes are space separated, not comma 2015-07-31 12:37:02 -04:00
Jake Moshenko
5d86fa80e7 Merge pull request #197 from coreos-inc/keystone 
Add Keystone Auth
 2015-07-22 13:38:47 -04:00
Jake Moshenko
679044574a Merge pull request #231 from coreos-inc/smallfix 
Small API fixes
 2015-07-20 13:45:24 -04:00
Joseph Schorr
33b54218cc Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass 2015-07-20 11:39:59 -04:00
Jake Moshenko
bc29561f8f Fix and templatize the logic for external JWT AuthN and registry v2 Auth. 
Make it explicit that the registry-v2 stuff is not ready for prime time.
 2015-07-17 11:56:15 -04:00
Jake Moshenko
3efaa255e8 Accidental refactor, split out legacy.py into separate sumodules and update all call sites. 2015-07-17 11:56:15 -04:00
Jake Moshenko
bea8b9ac53 More changes for registry-v2 in python. 
Implement the minimal changes to the local filesystem storage driver and feed them through the distributed storage driver.
Create a digest package which contains digest_tools and checksums.
Fix the tests to use the new v1 endpoint locations.
Fix repository.delete_instance to properly filter the generated queries to avoid most subquery deletes, but still generate them when not explicitly filtered.
 2015-07-17 11:50:41 -04:00
Jake Moshenko
acbcc2e206 Start of a v2 API. 2015-07-17 11:50:41 -04:00
Jake Moshenko
f5ee7a6697 Make the scopes dynamic based on app config. 2015-07-15 18:13:15 -04:00
Joseph Schorr
1c5300e439 We still need to process the function if the auth header is invalid 
Otherwise, the user gets a 500
 2015-07-14 11:35:04 +03:00
Jake Moshenko
7b470237a1 The superuser capability does not require the idea of ordinality since it is a binary permission. 2015-06-30 11:02:13 -04:00
Joseph Schorr
87efcb9e3d Delegated superuser API access 
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
 2015-06-30 11:08:26 +03:00
Joseph Schorr
dc5af7496c Allow superusers to disable user accounts 2015-06-29 18:40:52 +03:00
Jake Moshenko
03e1636ff2 Clean up log format to use lazy string substitution. 2015-06-23 17:10:03 -04:00
Joseph Schorr
76bef38d71 Remove extra call to the DB for a user we already have 2015-05-07 17:17:05 -04:00
Joseph Schorr
8eb9c376cd Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object 2015-05-07 15:04:12 -04:00
Joseph Schorr
e4b659f107 Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords 2015-03-25 18:43:12 -04:00
Jake Moshenko
68e1495e54 Remove support for the old style push temporary tokens. 2015-02-24 14:31:19 -05:00
Joseph Schorr
c58c19db8a Add support for the deprecated token method. We need this as a live migration strategy and we can remove it about an hour after we deploy the new version to prod. 2015-02-23 22:02:38 -05:00
Jake Moshenko
450b112f2c Propagate the grant user context to the signed grant to fix image sharing. 2015-02-23 15:07:38 -05:00
Jake Moshenko
3bc8b8161c Make the AlwaysFailPermission live up to its name. 2015-02-19 16:58:13 -05:00
Jake Moshenko
78c8354174 Switch our temporary token lookups for signed grants which will not require DB access. 2015-02-19 16:54:23 -05:00
Joseph Schorr
30b895b795 Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar 2015-01-23 17:26:14 -05:00
Joseph Schorr
28d319ad26 Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not). 2015-01-20 12:43:11 -05:00
Joseph Schorr
42ea3b835c Fix NPE 2015-01-12 11:42:09 -05:00
Joseph Schorr
1bf25f25c1 WIP 2015-01-04 14:38:41 -05:00
Jimmy Zelinskie
f3259c862b Merge branch 'koh' 
Conflicts:
	auth/scopes.py
	requirements-nover.txt
	requirements.txt
	static/css/quay.css
	static/directives/namespace-selector.html
	static/js/app.js
	static/partials/manage-application.html
	templates/oauthorize.html
 2014-12-01 12:30:09 -08:00
Joseph Schorr
0e13ef3ff8 Fix various bugs and styling issues 2014-11-24 19:40:03 -05:00
Jimmy Zelinskie
716d7a737b Strip whitespace from ALL the things. 2014-11-24 16:07:38 -05:00
Joseph Schorr
f6dd8b0a4d Fix NPE 2014-11-24 12:20:54 -05:00
Jake Moshenko
f9b8319835 Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type. 2014-11-21 10:28:50 -05:00
Jimmy Zelinskie
dee4c389a8 Base sessions on UUIDs. 
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
 2014-11-20 18:44:36 -05:00
Jimmy Zelinskie
12ff4b107c Undo sessions being driven by UUID. 
Basing sessions on UUIDs must be done in phases. First all users
must obtain an UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
 2014-11-20 12:57:17 -05:00
Jimmy Zelinskie
606ad21bec Apply reviewed changes. 
Adds a length to the UUID field, renames QuayDeferredPermissionUser
parameter id->uuid, adds transactions to backfill script.
 2014-11-19 13:28:16 -05:00