Joseph Schorr
2214a2c7ad
Disable fresh login check in auth engines that won't support it
2018-01-04 15:27:41 -05:00
Joseph Schorr
524d77f527
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
2018-01-04 15:27:41 -05:00
Joseph Schorr
503cff8f0c
Don't add a "password required" notification for non-database auth via OIDC
2017-11-13 16:17:36 -05:00
Joseph Schorr
c2a56ae828
Add a test for ping in OIDC auth
2017-10-12 16:49:06 -04:00
Joseph Schorr
7e63184ab4
Add missing ping method
2017-10-12 16:25:21 -04:00
josephschorr
3bef21253d
Merge pull request #2695 from coreos-inc/oidc-internal-auth
...
OIDC internal auth support
2017-10-02 16:51:17 -04:00
Joseph Schorr
f51a863158
Remove access_token from user_info
2017-10-02 16:51:09 -04:00
Joseph Schorr
804d3c46c3
Add feature flag to allow users to be created only if invited to join a team
...
Allows for open user creation, but only if extended an invitation by someone who already has access
2017-09-14 16:28:39 -04:00
Evan Cordell
1d246784dd
Include invalid oidc token in the error message for debugging
2017-09-12 12:26:42 -04:00
Joseph Schorr
ed897c7cb0
Change OIDC engine to not be federated
...
We don't need linking, just the ability to perform lookup
2017-09-12 12:26:41 -04:00
Joseph Schorr
bc82edb2d1
Add ability to configure OIDC internal auth engine via superuser panel
2017-09-12 12:23:52 -04:00
Joseph Schorr
e724125459
Add support for using OIDC tokens via the Docker CLI
2017-09-12 12:23:22 -04:00
Joseph Schorr
0dfb6806e3
Add ping method to auth engines to determine if they are reachable
2017-07-19 16:16:41 +03:00
Joseph Schorr
b3d7577473
Disable federated login for new users if user creation is disabled
...
Fixes https://www.pivotaltracker.com/story/show/144821585
2017-05-15 15:07:08 -04:00
Joseph Schorr
b67113e848
Move LDAP controls init into the inner loop
...
We cannot use it across different DNs, so we need to move it down
2017-05-01 16:04:33 -04:00
Joseph Schorr
30a681343f
Make sure to escape LDAP queries
...
Fixes an issue in team sync around group names that contain *s
Fixes https://www.pivotaltracker.com/story/show/144628235
2017-05-01 14:00:54 -04:00
josephschorr
8b148bf1d4
Merge pull request #2576 from coreos-inc/full-db-tests-tox
...
Reenable full database testing locally and in concourse
2017-04-27 18:09:15 -04:00
Joseph Schorr
dd1addee29
LDAP Team sync improvements
...
- Add a large amount of additional logging
- Handle NO_SUCH_OBJECT in AD searches
- Only check if *a* record exists when adding syncing, as opposed to loading the entire search set
2017-04-26 20:26:12 -04:00
Joseph Schorr
36f2272fe2
Fix handling of team sync when a user already exists with the email address
2017-04-25 17:42:35 -04:00
Joseph Schorr
d7f3ef96ce
Small fixes found by running full db tests
2017-04-24 16:45:15 -04:00
Joseph Schorr
7debd44b54
Switch fixture imports to wildcard in prep for full db test fixes
2017-04-24 16:45:14 -04:00
Joseph Schorr
bdd07d4f39
Fix flakiness in team sync tests
2017-04-03 11:36:42 -04:00
Joseph Schorr
bd22fb255e
Rename get_federated_user to get_and_link_federated_user_info
...
Better to be explicit wherever possible
2017-04-03 11:36:42 -04:00
Joseph Schorr
1a31d98c44
Clarify variable name in Keystone auth
2017-04-03 11:36:41 -04:00
Joseph Schorr
8c07f733eb
Add pagination tests for LDAP
2017-04-03 11:36:41 -04:00
Joseph Schorr
541aa722c2
Add sleeps to make test non-flaky
...
Sucks, but MySQL only has second-level timing, so we need this to be sure
2017-04-03 11:36:41 -04:00
Joseph Schorr
103186f5e8
Small renames to make team syncing code more clear
2017-04-03 11:36:41 -04:00
Joseph Schorr
7f0aa19292
Code cleanup and style improvements in team sync
2017-04-03 11:36:41 -04:00
Joseph Schorr
84e37b68ee
Change if statement to be more readable
2017-04-03 11:31:30 -04:00
Joseph Schorr
71d52d45ba
Add a test for same user returned twice in team sync
2017-04-03 11:31:30 -04:00
Joseph Schorr
d7825c6720
Add group iteration and syncing support to Keystone auth
2017-04-03 11:31:30 -04:00
Joseph Schorr
47278cc559
Cleanup test fixtures
2017-04-03 11:31:30 -04:00
Joseph Schorr
96b9d6b0cd
Add end-to-end test for team sync
2017-04-03 11:31:29 -04:00
Joseph Schorr
938730c076
Move sync team into its own module and add tests
2017-04-03 11:31:29 -04:00
Joseph Schorr
eeadeb9383
Initial interfaces and support for team syncing worker
2017-04-03 11:31:29 -04:00
Joseph Schorr
bb20422260
Fix pagination disabling in LDAP with mockldap
...
Since mockldap doesn't support pagination, just disable it globally
2017-04-03 11:31:28 -04:00
Joseph Schorr
ecfac81721
Add check_group_lookup_args and service_metadata to auth providers
2017-04-03 11:31:28 -04:00
Joseph Schorr
1cfc4a8341
Change max size of LDAP pages and add filtering to reduce attributes returned
2017-04-03 11:31:28 -04:00
Joseph Schorr
d718829f5d
Initial LDAP group member iteration support
...
Add interface for group member iteration on internal auth providers and implement support in the LDAP interface.
2017-04-03 11:31:28 -04:00
Joseph Schorr
b5bb76cdea
Optimize repository search by changing our lookup strategy
...
Previous to this change, repositories were looked up unfiltered in six different queries, and then filtered using the permissions model, which issued a query per repository found, making search incredibly slow. Instead, we now lookup a chunk of repositories unfiltered and then filter them via a single query to the database. By layering the filtering on top of the lookup, each as queries, we can minimize the number of queries necessary, without (at the same time) using a super expensive join.
Other changes:
- Remove the 5 page pre-lookup on V1 search and simply return that there is one more page available, until there isn't. While technically not correct, it is much more efficient, and no one should be using pagination with V1 search anyway.
- Remove the lookup for repos without entries in the RAC table. Instead, we now add a new RAC entry when the repository is created for *the day before*, with count 0, so that it is immediately searchable
- Remove lookup of results with a matching namespace; these aren't very relevant anyway, and it overly complicates sorting
2017-03-09 19:47:55 -05:00
Joseph Schorr
c0f7530b29
Pull out JWT auth validation into validator class
...
Also fixes a small bug in validation (yay tests!)
2017-02-24 12:23:16 -05:00
Joseph Schorr
e2efb6c458
Add default and configurable LDAP timeouts
...
Fixes https://www.pivotaltracker.com/story/show/135885019
2016-12-19 11:53:06 -05:00
Joseph Schorr
3203fd6de1
Fix external auth returns for query_user calls
...
Adds the missing field on the query_user calls, updates the external auth tests to ensure it is returned properly, and adds new end-to-end tests which call the external auth engines via the *API*, to ensure this doesn't break again
2016-12-07 14:28:42 -05:00
Joseph Schorr
536809a992
Change LDAP errors into debug statements to reduce log clutter
...
Fixes #2083
2016-11-10 16:39:26 -05:00
Joseph Schorr
0f2eb61f4a
Add collection of user metadata: name and company
2016-11-08 16:15:02 -05:00
Joseph Schorr
1e3b354201
Add support for temp usernames and an interstitial to confirm username
...
When a user now logs in for the first time for any external auth (LDAP, JWT, Keystone, Github, Google, Dex), they will be presented with a confirmation screen that affords them the opportunity to change their Quay-assigned username.
Addresses most of the user issues around #74
2016-11-03 15:59:14 -04:00
Joseph Schorr
d7f56350a4
Make email addresses optional in external auth if email feature is turned off
...
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
Joseph Schorr
b3d1d7227c
Add support to Keystone Auth for external user linking
...
Also adds Keystone V3 support
2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e
Add support to ExternalJWT Auth for external user linking
2016-10-27 15:42:03 -04:00
Joseph Schorr
f9ee8d2bef
Add support to LDAP for external user linking
2016-10-27 15:42:03 -04:00