Commit graph

65 commits

Author SHA1 Message Date
Joseph Schorr
2214a2c7ad Disable fresh login check in auth engines that won't support it 2018-01-04 15:27:41 -05:00
Joseph Schorr
524d77f527 Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2018-01-04 15:27:41 -05:00
Joseph Schorr
503cff8f0c Don't add a "password required" notification for non-database auth via OIDC 2017-11-13 16:17:36 -05:00
Joseph Schorr
c2a56ae828 Add a test for ping in OIDC auth 2017-10-12 16:49:06 -04:00
Joseph Schorr
7e63184ab4 Add missing ping method 2017-10-12 16:25:21 -04:00
josephschorr
3bef21253d Merge pull request #2695 from coreos-inc/oidc-internal-auth
OIDC internal auth support
2017-10-02 16:51:17 -04:00
Joseph Schorr
f51a863158 Remove access_token from user_info 2017-10-02 16:51:09 -04:00
Joseph Schorr
804d3c46c3 Add feature flag to allow users to be created only if invited to join a team
Allows for open user creation, but only if extended an invitation by someone who already has access
2017-09-14 16:28:39 -04:00
Evan Cordell
1d246784dd Include invalid oidc token in the error message for debugging 2017-09-12 12:26:42 -04:00
Joseph Schorr
ed897c7cb0 Change OIDC engine to not be federated
We don't need linking, just the ability to perform lookup
2017-09-12 12:26:41 -04:00
Joseph Schorr
bc82edb2d1 Add ability to configure OIDC internal auth engine via superuser panel 2017-09-12 12:23:52 -04:00
Joseph Schorr
e724125459 Add support for using OIDC tokens via the Docker CLI 2017-09-12 12:23:22 -04:00
Joseph Schorr
0dfb6806e3 Add ping method to auth engines to determine if they are reachable 2017-07-19 16:16:41 +03:00
Joseph Schorr
b3d7577473 Disable federated login for new users if user creation is disabled
Fixes https://www.pivotaltracker.com/story/show/144821585
2017-05-15 15:07:08 -04:00
Joseph Schorr
b67113e848 Move LDAP controls init into the inner loop
We cannot use it across different DNs, so we need to move it down
2017-05-01 16:04:33 -04:00
Joseph Schorr
30a681343f Make sure to escape LDAP queries
Fixes an issue in team sync around group names that contain *s

Fixes https://www.pivotaltracker.com/story/show/144628235
2017-05-01 14:00:54 -04:00
josephschorr
8b148bf1d4 Merge pull request #2576 from coreos-inc/full-db-tests-tox
Reenable full database testing locally and in concourse
2017-04-27 18:09:15 -04:00
Joseph Schorr
dd1addee29 LDAP Team sync improvements
- Add a large amount of additional logging
- Handle NO_SUCH_OBJECT in AD searches
- Only check if *a* record exists when adding syncing, as opposed to loading the entire search set
2017-04-26 20:26:12 -04:00
Joseph Schorr
36f2272fe2 Fix handling of team sync when a user already exists with the email address 2017-04-25 17:42:35 -04:00
Joseph Schorr
d7f3ef96ce Small fixes found by running full db tests 2017-04-24 16:45:15 -04:00
Joseph Schorr
7debd44b54 Switch fixture imports to wildcard in prep for full db test fixes 2017-04-24 16:45:14 -04:00
Joseph Schorr
bdd07d4f39 Fix flakiness in team sync tests 2017-04-03 11:36:42 -04:00
Joseph Schorr
bd22fb255e Rename get_federated_user to get_and_link_federated_user_info
Better to be explicit wherever possible
2017-04-03 11:36:42 -04:00
Joseph Schorr
1a31d98c44 Clarify variable name in Keystone auth 2017-04-03 11:36:41 -04:00
Joseph Schorr
8c07f733eb Add pagination tests for LDAP 2017-04-03 11:36:41 -04:00
Joseph Schorr
541aa722c2 Add sleeps to make test non-flaky
Sucks, but MySQL only has second-level timing, so we need this to be sure
2017-04-03 11:36:41 -04:00
Joseph Schorr
103186f5e8 Small renames to make team syncing code more clear 2017-04-03 11:36:41 -04:00
Joseph Schorr
7f0aa19292 Code cleanup and style improvements in team sync 2017-04-03 11:36:41 -04:00
Joseph Schorr
84e37b68ee Change if statement to be more readable 2017-04-03 11:31:30 -04:00
Joseph Schorr
71d52d45ba Add a test for same user returned twice in team sync 2017-04-03 11:31:30 -04:00
Joseph Schorr
d7825c6720 Add group iteration and syncing support to Keystone auth 2017-04-03 11:31:30 -04:00
Joseph Schorr
47278cc559 Cleanup test fixtures 2017-04-03 11:31:30 -04:00
Joseph Schorr
96b9d6b0cd Add end-to-end test for team sync 2017-04-03 11:31:29 -04:00
Joseph Schorr
938730c076 Move sync team into its own module and add tests 2017-04-03 11:31:29 -04:00
Joseph Schorr
eeadeb9383 Initial interfaces and support for team syncing worker 2017-04-03 11:31:29 -04:00
Joseph Schorr
bb20422260 Fix pagination disabling in LDAP with mockldap
Since mockldap doesn't support pagination, just disable it globally
2017-04-03 11:31:28 -04:00
Joseph Schorr
ecfac81721 Add check_group_lookup_args and service_metadata to auth providers 2017-04-03 11:31:28 -04:00
Joseph Schorr
1cfc4a8341 Change max size of LDAP pages and add filtering to reduce attributes returned 2017-04-03 11:31:28 -04:00
Joseph Schorr
d718829f5d Initial LDAP group member iteration support
Add interface for group member iteration on internal auth providers and implement support in the LDAP interface.
2017-04-03 11:31:28 -04:00
Joseph Schorr
b5bb76cdea Optimize repository search by changing our lookup strategy
Previous to this change, repositories were looked up unfiltered in six different queries, and then filtered using the permissions model, which issued a query per repository found, making search incredibly slow. Instead, we now lookup a chunk of repositories unfiltered and then filter them via a single query to the database. By layering the filtering on top of the lookup, each as queries, we can minimize the number of queries necessary, without (at the same time) using a super expensive join.

Other changes:
- Remove the 5 page pre-lookup on V1 search and simply return that there is one more page available, until there isn't. While technically not correct, it is much more efficient, and no one should be using pagination with V1 search anyway.
- Remove the lookup for repos without entries in the RAC table. Instead, we now add a new RAC entry when the repository is created for *the day before*, with count 0, so that it is immediately searchable
- Remove lookup of results with a matching namespace; these aren't very relevant anyway, and it overly complicates sorting
2017-03-09 19:47:55 -05:00
Joseph Schorr
c0f7530b29 Pull out JWT auth validation into validator class
Also fixes a small bug in validation (yay tests!)
2017-02-24 12:23:16 -05:00
Joseph Schorr
e2efb6c458 Add default and configurable LDAP timeouts
Fixes https://www.pivotaltracker.com/story/show/135885019
2016-12-19 11:53:06 -05:00
Joseph Schorr
3203fd6de1 Fix external auth returns for query_user calls
Adds the missing field on the query_user calls, updates the external auth tests to ensure it is returned properly, and adds new end-to-end tests which call the external auth engines via the *API*, to ensure this doesn't break again
2016-12-07 14:28:42 -05:00
Joseph Schorr
536809a992 Change LDAP errors into debug statements to reduce log clutter
Fixes #2083
2016-11-10 16:39:26 -05:00
Joseph Schorr
0f2eb61f4a Add collection of user metadata: name and company 2016-11-08 16:15:02 -05:00
Joseph Schorr
1e3b354201 Add support for temp usernames and an interstitial to confirm username
When a user now logs in for the first time for any external auth (LDAP, JWT, Keystone, Github, Google, Dex), they will be presented with a confirmation screen that affords them the opportunity to change their Quay-assigned username.

Addresses most of the user issues around #74
2016-11-03 15:59:14 -04:00
Joseph Schorr
d7f56350a4 Make email addresses optional in external auth if email feature is turned off
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
Joseph Schorr
b3d1d7227c Add support to Keystone Auth for external user linking
Also adds Keystone V3 support
2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e Add support to ExternalJWT Auth for external user linking 2016-10-27 15:42:03 -04:00
Joseph Schorr
f9ee8d2bef Add support to LDAP for external user linking 2016-10-27 15:42:03 -04:00