vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
6444 commits 2 branches 62 tags 205 MiB
Commit graph

48 commits

Author SHA1 Message Date
Joseph Schorr
7e0fbeb625 Custom SSL certificates config panel 
Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle

[Delivers #135586525]
 2017-01-13 14:34:35 -05:00
Joseph Schorr
3a24871422 Add SSL certificate utility and tests 2017-01-10 17:06:13 -05:00
Joseph Schorr
29d6abddb5 Linter fixes 2017-01-10 17:06:13 -05:00
Joseph Schorr
236655adb4 Fix config validator for storage and add a test suite 
Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
 2016-11-30 11:58:41 -05:00
josephschorr
74e54bdbbb Merge pull request #1872 from coreos-inc/qe-torrent 
Add QE setup tool support for BitTorrent downloads
 2016-11-11 13:56:22 -05:00
Joseph Schorr
681f975df5 Add QE setup tool support for BitTorrent downloads 
Fixes #1871
 2016-11-02 17:32:12 -04:00
Joseph Schorr
d7f56350a4 Make email addresses optional in external auth if email feature is turned off 
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
 2016-10-31 13:50:24 -04:00
Joseph Schorr
b3d1d7227c Add support to Keystone Auth for external user linking 
Also adds Keystone V3 support
 2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e Add support to ExternalJWT Auth for external user linking 2016-10-27 15:42:03 -04:00
Joseph Schorr
5a8200f17a Add option to properly handle external TLS 
Fixes #1984
 2016-10-13 14:49:29 -04:00
Jimmy Zelinskie
fc7301be0d *: fix legacy imports 
This change reorganizes imports and renames the legacy flask extensions.
 2016-09-28 20:17:14 -04:00
Joseph Schorr
c7beea2032 Fix handling of custom LDAP cert 
This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs

Fixes #1846
 2016-09-19 17:55:08 -04:00
Joseph Schorr
770ac0016e Change validate method to work for all storages 2016-08-02 15:01:37 -04:00
Joseph Schorr
66ec1d81ce Switch to install custom LDAP cert by name 2016-06-21 15:10:26 -04:00
Jake Moshenko
9221a515de Use the registry API for security scanning 
when the storage engine doesn't support direct download url
 2016-05-04 18:04:06 -04:00
josephschorr
f55fd2049f Merge pull request #1433 from coreos-inc/ldapoptions 
Add additional options for LDAP
 2016-05-04 14:06:29 -04:00
Joseph Schorr
42515ed9ec Add additional options for LDAP 
Fixes #1420
 2016-05-04 13:59:20 -04:00
Joseph Schorr
2cbdecb043 Implement setup tool support for Clair 
Fixes #1387
 2016-05-04 13:40:50 -04:00
Joseph Schorr
1940fd9939 Add UI to the setup tool for enabling ACI conversion 
Fixes #1211
 2016-02-17 12:05:48 -05:00
Joseph Schorr
1536709c02 Small fixes 2016-01-29 20:01:17 +02:00
Silas Sewell
5000b1621c superuser: add storage replication config 2015-11-09 17:34:22 -05:00
Joseph Schorr
6f2271d0ae Add support for direct download in Swift storage engine 
Fixes #483
 2015-09-14 18:00:03 -04:00
Joseph Schorr
88a04441de Extract the config provider into its own sub-module 2015-09-10 12:19:59 -04:00
Jake Moshenko
18100be481 Refactor the util directory to use subpackages. 2015-08-03 16:04:19 -04:00
Joseph Schorr
26ae629189 Prevent local storage setup on non-mounted paths 
Fixes #269
 2015-07-27 14:32:02 -04:00
Joseph Schorr
38a6b3621c Automatically link the superuser account to federated service for auth 
When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
 2015-07-22 13:37:23 -04:00
Joseph Schorr
33b54218cc Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass 2015-07-20 11:39:59 -04:00
Joseph Schorr
066637f496 Basic Keystone Auth support 
Note: This has been verified as working by the end customer
 2015-07-20 10:55:21 -04:00
Jake Moshenko
bc29561f8f Fix and templatize the logic for external JWT AuthN and registry v2 Auth. 
Make it explicit that the registry-v2 stuff is not ready for prime time.
 2015-07-17 11:56:15 -04:00
Joseph Schorr
4726559322 The database SSL name needs to be in its own list 
FIxes #243
 2015-07-16 00:49:07 +03:00
Joseph Schorr
bb07d0965f Allow SSL cert for the database to be configured 
This change adds a field for the SSL cert for the database in the setup tool. Fixes #89
 2015-06-29 08:08:10 +03:00
Joseph Schorr
07439328a4 Remove user_exists endpoint from all auth systems 2015-06-23 17:33:51 -04:00
Joseph Schorr
331c300893 Refactor JWT auth to not import app locally 2015-06-17 15:53:21 -04:00
Joseph Schorr
457ee7306e Parenthesis fix on the JWT auth error message 2015-06-10 16:00:25 -04:00
Joseph Schorr
8aac3fd86e Add support for an external JWT-based authentication system 
This authentication system hits two HTTP endpoints to check and verify the existence of users:

Existance endpoint:
GET http://endpoint/ with Authorization: Basic (username:) =>
    Returns 200 if the username/email exists, 4** otherwise

Verification endpoint:
GET http://endpoint/ with Authorization: Basic (username:password) =>
    Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message

The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
 2015-06-05 13:20:10 -04:00
Joseph Schorr
4f2a1b3734 Add setup UI for the new trigger types (bitbucket and gitlab) and add validation 2015-05-03 11:50:26 -07:00
Joseph Schorr
85d6500daa Merge resistanceisfutile into master 2015-03-23 15:39:08 -04:00
Joseph Schorr
360aa69d92 Fix LDAP error and url handling to be more clear for the end user 2015-03-16 14:33:53 -04:00
Joseph Schorr
4ca5d9b04b Add support for filtering github login by org 2015-03-03 19:58:42 -05:00
Joseph Schorr
2c662b7861 Make sure to specify a default mail sender when validating emails. Unfortunately for us, flask-mail by default uses the sender from the *global* app instance, rather than the one specified in the Mail(...) call. This was breaking validation. 2015-03-03 13:56:32 -05:00
Joseph Schorr
7a199f63eb Various small fixes and add support for subjectAltName to the SSL cert check 2015-02-12 14:00:26 -05:00
Joseph Schorr
400ffa73e6 Add SSL cert and key validation 2015-02-05 13:06:56 -05:00
Joseph Schorr
53e5fc6265 Have the config setup tool automatically prepare the S3 or GCS storage with CORS config 2015-01-16 16:10:40 -05:00
Joseph Schorr
6d604a656a Move config handling into a provider class to make testing much easier 2015-01-09 16:23:31 -05:00
Joseph Schorr
bfd273d16f - Make validation a bit nicer: 
- Add timeout to the DB validation
  - Make DB validation exception handling a bit nicer
  - Move the DB validation error message

- Fix bug around RADOS config default for Is Secure
- Allow hiding of the validation box
 2015-01-08 15:27:49 -05:00
Joseph Schorr
5ac2c4970a Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth 2015-01-08 13:56:17 -05:00
Joseph Schorr
5e0ce4eea9 Add validation of github to the config tool 2015-01-08 13:26:24 -05:00
Joseph Schorr
63504c87fb Get end-to-end configuration setup working, including verification (except for Github, which is in progress) 2015-01-07 16:20:51 -05:00