Joseph Schorr
4e942203cb
Fix handling of tokens in the new context block of the JWT
2015-12-15 16:52:22 -05:00

Joseph Schorr
ca7d36bf14
Handle empty scopes and always send the WWW-Authenticate header, as per spec
Fixes #1045
2015-12-15 14:59:47 -05:00

Joseph Schorr
4a4eee5e05
Make our JWT subjects better and log using the info
Fixes #1039
2015-12-14 14:00:33 -05:00

Jake Moshenko
9c3ddf846f
Some fixes and tests for v2 auth
Fixes #395
2015-09-10 15:38:57 -04:00

Jake Moshenko
82efc746b3
Make our JWT checking more strict.
2015-09-04 15:18:57 -04:00

Jake Moshenko
b2844fb8c7
Switch the base case for when a scope string contains an invalid scope.
2015-08-05 17:35:02 -04:00

Joseph Schorr
354f4109d0
Switch to returning an empty set when there are invalid auth scopes
2015-07-31 12:49:42 -04:00

Joseph Schorr
804be4d4be
OAuth scopes are space separated, not comma
2015-07-31 12:37:02 -04:00

Jake Moshenko
5d86fa80e7
Merge pull request #197 from coreos-inc/keystone
Add Keystone Auth
2015-07-22 13:38:47 -04:00

Jake Moshenko
679044574a
Merge pull request #231 from coreos-inc/smallfix
Small API fixes
2015-07-20 13:45:24 -04:00

Joseph Schorr
33b54218cc
Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 11:39:59 -04:00

Jake Moshenko
bc29561f8f
Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00

Jake Moshenko
3efaa255e8
Accidental refactor, split out legacy.py into separate submodules and update all call sites.
2015-07-17 11:56:15 -04:00

Jake Moshenko
bea8b9ac53
More changes for registry-v2 in python.
Implement the minimal changes to the local filesystem storage driver and feed them through the distributed storage driver.
Create a digest package which contains digest_tools and checksums.
Fix the tests to use the new v1 endpoint locations.
Fix repository.delete_instance to properly filter the generated queries to avoid most subquery deletes, but still generate them when not explicitly filtered.
2015-07-17 11:50:41 -04:00

Jake Moshenko
acbcc2e206
Start of a v2 API.
2015-07-17 11:50:41 -04:00

Jake Moshenko
f5ee7a6697
Make the scopes dynamic based on app config.
2015-07-15 18:13:15 -04:00

Joseph Schorr
1c5300e439
We still need to process the function if the auth header is invalid
Otherwise, the user gets a 500
2015-07-14 11:35:04 +03:00

Jake Moshenko
7b470237a1
The superuser capability does not require the idea of ordinality since it is a binary permission.
2015-06-30 11:02:13 -04:00

Joseph Schorr
87efcb9e3d
Delegated superuser API access
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
2015-06-30 11:08:26 +03:00

Joseph Schorr
dc5af7496c
Allow superusers to disable user accounts
2015-06-29 18:40:52 +03:00

Jake Moshenko
03e1636ff2
Clean up log format to use lazy string substitution.
2015-06-23 17:10:03 -04:00

Joseph Schorr
76bef38d71
Remove extra call to the DB for a user we already have
2015-05-07 17:17:05 -04:00

Joseph Schorr
8eb9c376cd
Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object
2015-05-07 15:04:12 -04:00

Joseph Schorr
e4b659f107
Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords
2015-03-25 18:43:12 -04:00

Jake Moshenko
68e1495e54
Remove support for the old style push temporary tokens.
2015-02-24 14:31:19 -05:00

Joseph Schorr
c58c19db8a
Add support for the deprecated token method. We need this as a live migration strategy and we can remove it about an hour after we deploy the new version to prod.
2015-02-23 22:02:38 -05:00

Jake Moshenko
450b112f2c
Propagate the grant user context to the signed grant to fix image sharing.
2015-02-23 15:07:38 -05:00

Jake Moshenko
3bc8b8161c
Make the AlwaysFailPermission live up to its name.
2015-02-19 16:58:13 -05:00

Jake Moshenko
78c8354174
Switch our temporary token lookups for signed grants which will not require DB access.
2015-02-19 16:54:23 -05:00

Joseph Schorr
30b895b795
Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar
2015-01-23 17:26:14 -05:00

Joseph Schorr
28d319ad26
Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).
2015-01-20 12:43:11 -05:00

Joseph Schorr
42ea3b835c
Fix NPE
2015-01-12 11:42:09 -05:00

Joseph Schorr
1bf25f25c1
WIP
2015-01-04 14:38:41 -05:00

Jimmy Zelinskie
f3259c862b
Merge branch 'koh'
Conflicts:
	auth/scopes.py
	requirements-nover.txt
	requirements.txt
	static/css/quay.css
	static/directives/namespace-selector.html
	static/js/app.js
	static/partials/manage-application.html
	templates/oauthorize.html
2014-12-01 12:30:09 -08:00

Joseph Schorr
0e13ef3ff8
Fix various bugs and styling issues
2014-11-24 19:40:03 -05:00

Jimmy Zelinskie
716d7a737b
Strip whitespace from ALL the things.
2014-11-24 16:07:38 -05:00

Joseph Schorr
f6dd8b0a4d
Fix NPE
2014-11-24 12:20:54 -05:00

Jake Moshenko
f9b8319835
Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type.
2014-11-21 10:28:50 -05:00

Jimmy Zelinskie
dee4c389a8
Base sessions on UUIDs.
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
2014-11-20 18:44:36 -05:00

Jimmy Zelinskie
12ff4b107c
Undo sessions being driven by UUID.
Basing sessions on UUIDs must be done in phases. First all users
must obtain a UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
2014-11-20 12:57:17 -05:00

Jimmy Zelinskie
606ad21bec
Apply reviewed changes.
Adds a length to the UUID field, renames QuayDeferredPermissionUser
parameter id->uuid, adds transactions to backfill script.
2014-11-19 13:28:16 -05:00

Jimmy Zelinskie
9d677b8eb3
Add UUID to User model and use in cookie.
2014-11-19 13:28:16 -05:00

Jake Moshenko
03190efde3
Phase 2 of migrating repo namespaces to referencing user objects, backfilling the rows without a value for namespace_user, and changing all accesses to go through the namespace_user object. All tests are passing, manual testing still required.
2014-09-24 18:01:35 -04:00

Jake Moshenko
8626d1cd70
Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration.
2014-09-19 10:17:23 -04:00

Joseph Schorr
e8ad01cb41
Lots of small NPE and other exception fixes
2014-09-15 11:27:33 -04:00

Joseph Schorr
05a1413153
Handle UI for dangerous scopes
2014-08-05 21:21:22 -04:00

Jake Moshenko
02e47ed572
Begin the work to allow robots and teams to be managed via API.
2014-08-05 20:53:00 -04:00

Jake Moshenko
0b6552d6cc
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile.
2014-05-23 14:16:26 -04:00

Jake Moshenko
2da8b4737e
Fix the registry to work with unicode usernames in LDAP.
2014-05-13 15:22:31 -04:00

Jake Moshenko
5fdccfe3e6
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call.
2014-05-13 12:17:26 -04:00