Commit graph

26 commits

Author SHA1 Message Date
Joseph Schorr
dc5af7496c Allow superusers to disable user accounts 2015-06-29 18:40:52 +03:00
Joseph Schorr
e7915baf8c Have LDAP return a better error message if it fails to connect
Currently, the error results in a 500 being raised when a user tries to login.
2015-06-23 17:41:53 -04:00
Joseph Schorr
07439328a4 Remove user_exists endpoint from all auth systems 2015-06-23 17:33:51 -04:00
Joseph Schorr
331c300893 Refactor JWT auth to not import app locally 2015-06-17 15:53:21 -04:00
Joseph Schorr
8aac3fd86e Add support for an external JWT-based authentication system
This authentication system hits two HTTP endpoints to check and verify the existence of users:

Existance endpoint:
GET http://endpoint/ with Authorization: Basic (username:) =>
    Returns 200 if the username/email exists, 4** otherwise

Verification endpoint:
GET http://endpoint/ with Authorization: Basic (username:password) =>
    Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message

The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-05 13:20:10 -04:00
Joseph Schorr
2a56790d38 Switch to using a named LDAP tuple for more readable code 2015-06-01 14:02:05 -04:00
Joseph Schorr
1aff701bc7 Fix LDAP referral and multiple pair handling
Fixes two issues found with our LDAP handling code. First, we now follow referrals in both LDAP calls, as some LDAP systems will return a referral instead of the original record. Second, we now make sure to handle multiple search result pairs properly by further filtering based on the presence of the 'mail' attribute when we have multiple valid pairs. This CL also adds tests for all of the above cases.
2015-05-27 15:04:34 -04:00
Joseph Schorr
b0d763b5ff Fix encrypted password generator to use the LDAP username, not the Quay username.
Currently, we use the Quay username via `verify_user` when we go to create the encrypted password. This is only correct if Quay has not generated its own different username for the LDAP user, and fails if it has. We therefore add a new method `confirm_existing_user`, which looks up the federated login for the LDAP user and then runs the auth flow using that username.
2015-05-20 16:37:09 -04:00
Joseph Schorr
d5e70c6e2a Explicitly enable LDAP referrals
Note: The mock LDAP system doesn't support referrals, so we can't add a unit test for this.
2015-05-20 14:53:31 -04:00
Joseph Schorr
07b4fb9105 LDAP sometimes has multiple records for a user 2015-05-12 12:02:09 -04:00
Joseph Schorr
efab02ae47 LDAP improvements:
- Better logging
  - Better error messages
  - Add unit tests
  - Clean up the setup tool for LDAP
2015-05-11 21:23:18 -04:00
Joseph Schorr
1c83def15b LDAP should only show logs when asked. 2015-05-11 13:01:49 -04:00
Joseph Schorr
f9c1f123c2 Add better debugging to LDAP 2015-05-08 14:19:32 -04:00
Joseph Schorr
a7b6cb5c23 Fix handling of byte strings and large ints 2015-03-26 17:45:43 -04:00
Joseph Schorr
c4a2574b0d Clarify unencrypted password error message 2015-03-26 16:23:28 -04:00
Joseph Schorr
f8afd8b5ce Make sure to parse the big int into a byte string 2015-03-26 16:13:35 -04:00
Joseph Schorr
4d1792db1c getrandbits creates an int, not a float 2015-03-26 15:47:44 -04:00
Joseph Schorr
aaf1b23e98 Address CL concerns and switch to a real encryption system 2015-03-26 15:10:58 -04:00
Joseph Schorr
d23bb6616d Fix error message to exactly match current output 2015-03-26 13:22:16 -04:00
Joseph Schorr
e4b659f107 Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords 2015-03-25 18:43:12 -04:00
Joseph Schorr
a36266f758 Add LDAP tracing 2015-02-27 17:01:46 -05:00
Jake Moshenko
33b43b75c0 Eliminate a lot of the if cases in create_user by separating them out. Add a limit to the number of users which can be created based on the license. Add support for creating and loading licenses. 2014-05-28 13:51:52 -04:00
Jake Moshenko
628d09afe0 Remove the passwd attr ldap config. 2014-05-13 15:52:20 -04:00
Jake Moshenko
2da8b4737e Fix the registry to work with unicode usernames in LDAP. 2014-05-13 15:22:31 -04:00
Jake Moshenko
5fdccfe3e6 Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 12:17:26 -04:00
Jake Moshenko
027ada1f5c First stab at LDAP integration. 2014-05-09 17:39:43 -04:00