Joseph Schorr
f4b05df179
Fix SSL test import
2018-07-19 11:59:14 -04:00
Joseph Schorr
894b754121
Move SSL util tests to pytest
2018-07-18 17:26:24 -04:00
Joseph Schorr
a59c951aa3
Add support for multiple scope parameters on V2 auth requests
...
Fixes https://jira.coreos.com/browse/QUAY-892
2018-04-18 20:16:49 +03:00
Brad Ison
5da8744ddf
Reject JWTs with future issued-at times
...
PyJWT stopped doing this in 1.5.0 because it's not part of the spec,
and there are legitimate reasons to issue future tokens. We still
want to reject these though as we don't have that need.
2018-02-26 12:55:32 -05:00
Joseph Schorr
e220b50543
Refactor auth code to be cleaner and more extensible
...
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc).
2018-02-14 15:35:27 -05:00
Joseph Schorr
bbdf9e074c
Add metrics for tracking when instance key renewal succeeds and fails, as well as when instance key *lookup* fails
2018-02-02 11:14:42 -05:00
Joseph Schorr
524d77f527
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
2018-01-04 15:27:41 -05:00
Joseph Schorr
54a4476cbb
Make missing log more descriptive
2017-09-12 16:19:55 -04:00
Joseph Schorr
0ba54ed4fc
Simplify the caching of service keys to hopefully avoid the not found issue
...
Makes accesses simpler and reduces the number of dictionaries to one, in an effort to remove race conditions
2017-05-26 13:51:48 -04:00
Evan Cordell
2661db7485
Add flag to enable trust per repo ( #2541 )
...
* Add flag to enable trust per repo
* Add api for enabling/disabling trust
* Add new LogEntryKind for changing repo trust settings
Also add tests for repo trust api
* Add `set_trust` method to repository
* Expose new logkind to UI
* Fix registry tests
* Rebase migrations and regen test.db
* Raise downstreamissue if trust metadata can't be removed
* Refactor change_repo_trust
* Add show_if to change_repo_trust endpoint
2017-04-15 08:26:33 -04:00
Evan Cordell
1016641f8d
refactor jwt context building
2017-03-27 11:37:17 -04:00
Evan Cordell
abd78bce56
Use constants for TUF roots
2017-03-27 11:37:17 -04:00
Evan Cordell
6ad107709c
Change build_context_and_subject to take kwargs
2017-03-27 11:37:17 -04:00
Evan Cordell
43dd974dca
Determine which TUF root to show based on actual access, not requested
...
access
2017-03-27 11:37:17 -04:00
Joseph Schorr
d63cca025a
DNS name check got reversed; breaks wildcards
2017-01-29 11:51:37 -05:00
Joseph Schorr
3a24871422
Add SSL certificate utility and tests
2017-01-10 17:06:13 -05:00
Joseph Schorr
6ae3faf7fc
Add explicit config parameter to the JWT auth methods
2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20
Add feature flag to force all direct download URLs to be proxied
...
Fixes #1667
2016-09-29 11:13:41 +02:00
Joseph Schorr
ab1756306b
Switch to using the leeway parameter on JWT validation
2016-06-27 14:42:44 -04:00
Joseph Schorr
2653d213c9
Add an allowed amount of clock skew to registry JWTs
2016-06-24 15:08:26 -04:00
Joseph Schorr
a43b741f1b
Add a uniqueness hash to derived image storage to break caching over tags
...
This allows converted ACIs and squashed images to be unique based on the specified tag.
Fixes #92
2016-06-20 16:34:52 -04:00
Joseph Schorr
71b2853f40
Make sure to iterate over a copy of the public_keys dictionary
2016-06-07 18:20:42 -04:00
Joseph Schorr
8887f09ba8
Use the instance service key for registry JWT signing
2016-06-07 11:58:10 -04:00
Joseph Schorr
f02d295dd8
Fix missing argument change
2016-05-23 17:44:22 -04:00
Joseph Schorr
f670c4c7a9
Change Signer to use the config provider and fix tests
...
Fixes the broken ACI tests
2016-05-23 17:10:03 -04:00
Jimmy Zelinskie
5568cc77b8
remove all default keys ( #1485 )
...
This change:
- Generates a new BitTorrent pepper by default
- Generates a new pagination key by default
- Changes the pagination key format to base64
- Removes selfsigned JWT certs
- Moves test keys to test/data
2016-05-23 16:00:48 -04:00
Jake Moshenko
4266ae7ce5
Fix the x5c header in our registry jwts.
2016-05-23 15:05:54 -04:00
Jake Moshenko
9221a515de
Use the registry API for security scanning
...
when the storage engine doesn't support direct download url
2016-05-04 18:04:06 -04:00
Jimmy Zelinskie
6577ac3e62
mv JWK-canonicalization util.security.fingerprint
2016-04-29 14:05:16 -04:00
Joseph Schorr
8e1727b6d3
Fix mail and signing defaults
2016-03-08 18:08:40 -05:00
josephschorr
11af123ba5
Merge pull request #1244 from coreos-inc/enableaci
...
Add UI to the setup tool for enabling ACI conversion
2016-02-17 12:29:48 -05:00
Joseph Schorr
1940fd9939
Add UI to the setup tool for enabling ACI conversion
...
Fixes #1211
2016-02-17 12:05:48 -05:00
Joseph Schorr
db0eab0461
Fix V2 catalog and tag pagination
2016-02-10 00:25:33 +02:00
Jake Moshenko
01a92a66ba
Refresh base image and python dependencies
2016-01-27 11:36:40 -05:00
Joseph Schorr
335c8eb3a9
Add 2 day TTL to page tokens
2016-01-26 14:04:03 -05:00
Joseph Schorr
b4bddacedb
Switch to Fernet crypto as per gtank's recommendation
2016-01-26 12:50:48 -05:00
Jake Moshenko
9c3ddf846f
Some fixes and tests for v2 auth
...
Fixes #395
2015-09-10 15:38:57 -04:00
Jake Moshenko
82efc746b3
Make our JWT checking more strict.
2015-09-04 15:18:57 -04:00
Jake Moshenko
18100be481
Refactor the util directory to use subpackages.
2015-08-03 16:04:19 -04:00