Jake Moshenko
18100be481
Refactor the util directory to use subpackages.
2015-08-03 16:04:19 -04:00
Joseph Schorr
26ae629189
Prevent local storage setup on non-mounted paths
...
Fixes #269
2015-07-27 14:32:02 -04:00
Joseph Schorr
38a6b3621c
Automatically link the superuser account to federated service for auth
...
When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
2015-07-22 13:37:23 -04:00
Joseph Schorr
33b54218cc
Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials
method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 11:39:59 -04:00
Joseph Schorr
066637f496
Basic Keystone Auth support
...
Note: This has been verified as working by the end customer
2015-07-20 10:55:21 -04:00
Jake Moshenko
bc29561f8f
Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
...
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00
Joseph Schorr
4726559322
The database SSL name needs to be in its own list
...
FIxes #243
2015-07-16 00:49:07 +03:00
Joseph Schorr
bb07d0965f
Allow SSL cert for the database to be configured
...
This change adds a field for the SSL cert for the database in the setup tool. Fixes #89
2015-06-29 08:08:10 +03:00
Joseph Schorr
07439328a4
Remove user_exists
endpoint from all auth systems
2015-06-23 17:33:51 -04:00
Joseph Schorr
331c300893
Refactor JWT auth to not import app locally
2015-06-17 15:53:21 -04:00
Joseph Schorr
90b4f0a2ed
Fix default log archive location for ER
...
Before this change, the ER was using the default of 'local_us' from the base config, which is incorrect, and caused no logs to be archived.
2015-06-11 13:43:29 -04:00
Joseph Schorr
457ee7306e
Parenthesis fix on the JWT auth error message
2015-06-10 16:00:25 -04:00
Jake Moshenko
2a2414d6af
Merge pull request #60 from coreos-inc/jwtauthentication
...
Add support for an external JWT-based authentication system
2015-06-05 13:37:42 -04:00
Joseph Schorr
8aac3fd86e
Add support for an external JWT-based authentication system
...
This authentication system hits two HTTP endpoints to check and verify the existence of users:
Existance endpoint:
GET http://endpoint/ with Authorization: Basic (username:) =>
Returns 200 if the username/email exists, 4** otherwise
Verification endpoint:
GET http://endpoint/ with Authorization: Basic (username:password) =>
Returns 200 and a signed JWT with the user's username and email address if the username+password validates, 4** otherwise with the body containing an optional error message
The JWT produced by the endpoint must be issued with an issuer matching that configured in the config.yaml, and the audience must be "quay.io/jwtauthn". The JWT is signed using a private key and then validated on the Quay.io side with the associated public key, found as "jwt-authn.cert" in the conf/stack directory.
2015-06-05 13:20:10 -04:00
Joseph Schorr
54992c23b7
Add a feature flag for disabling unauthenticated access to the registry in its entirety.
2015-05-19 17:52:44 -04:00
Joseph Schorr
4f2a1b3734
Add setup UI for the new trigger types (bitbucket and gitlab) and add validation
2015-05-03 11:50:26 -07:00
Joseph Schorr
036c8e56e0
Add proper error handling when the config volume is mounted in a read-only state.
2015-04-02 18:54:09 -04:00
Joseph Schorr
85d6500daa
Merge resistanceisfutile into master
2015-03-23 15:39:08 -04:00
Joseph Schorr
360aa69d92
Fix LDAP error and url handling to be more clear for the end user
2015-03-16 14:33:53 -04:00
Joseph Schorr
4ca5d9b04b
Add support for filtering github login by org
2015-03-03 19:58:42 -05:00
Joseph Schorr
2c662b7861
Make sure to specify a default mail sender when validating emails. Unfortunately for us, flask-mail by default uses the sender from the *global* app instance, rather than the one specified in the Mail(...) call. This was breaking validation.
2015-03-03 13:56:32 -05:00
Joseph Schorr
7a199f63eb
Various small fixes and add support for subjectAltName to the SSL cert check
2015-02-12 14:00:26 -05:00
Joseph Schorr
400ffa73e6
Add SSL cert and key validation
2015-02-05 13:06:56 -05:00
Joseph Schorr
c8229b9c8a
Implement new step-by-step setup
2015-01-23 17:19:15 -05:00
Joseph Schorr
28d319ad26
Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).
2015-01-20 12:43:11 -05:00
Joseph Schorr
53e5fc6265
Have the config setup tool automatically prepare the S3 or GCS storage with CORS config
2015-01-16 16:10:40 -05:00
Joseph Schorr
0d2c42ad03
Fix tests
2015-01-09 17:11:51 -05:00
Joseph Schorr
6d604a656a
Move config handling into a provider class to make testing much easier
2015-01-09 16:23:31 -05:00
Joseph Schorr
bfd273d16f
- Make validation a bit nicer:
...
- Add timeout to the DB validation
- Make DB validation exception handling a bit nicer
- Move the DB validation error message
- Fix bug around RADOS config default for Is Secure
- Allow hiding of the validation box
2015-01-08 15:27:49 -05:00
Joseph Schorr
5ac2c4970a
Add Google auth validation and fix the case where no config is specified at all for Google auth or Github auth
2015-01-08 13:56:17 -05:00
Joseph Schorr
5e0ce4eea9
Add validation of github to the config tool
2015-01-08 13:26:24 -05:00
Joseph Schorr
63504c87fb
Get end-to-end configuration setup working, including verification (except for Github, which is in progress)
2015-01-07 16:20:51 -05:00