Commit graph

144 commits

Author SHA1 Message Date
Joseph Schorr
4e942203cb Fix handling of tokens in the new context block of the JWT 2015-12-15 16:52:22 -05:00
Joseph Schorr
ca7d36bf14 Handle empty scopes and always send the WWW-Authenticate header, as per spec
Fixes #1045
2015-12-15 14:59:47 -05:00
Joseph Schorr
4a4eee5e05 Make our JWT subjects better and log using the info
Fixes #1039
2015-12-14 14:00:33 -05:00
Matt Jibson
f02bb3caee Add user admin scope
Also remove unused scope decorator.

fixes #890
2015-11-18 12:01:40 -05:00
Jake Moshenko
9c3ddf846f Some fixes and tests for v2 auth
Fixes #395
2015-09-10 15:38:57 -04:00
Jake Moshenko
82efc746b3 Make our JWT checking more strict. 2015-09-04 15:18:57 -04:00
Jake Moshenko
b2844fb8c7 Switch the base case for when a scope string contains an invalid scope. 2015-08-05 17:35:02 -04:00
Joseph Schorr
354f4109d0 Switch to returning an empty set when there are invalid auth scopes 2015-07-31 12:49:42 -04:00
Joseph Schorr
804be4d4be OAuth scopes are space separated, not comma 2015-07-31 12:37:02 -04:00
Jake Moshenko
5d86fa80e7 Merge pull request #197 from coreos-inc/keystone
Add Keystone Auth
2015-07-22 13:38:47 -04:00
Jake Moshenko
679044574a Merge pull request #231 from coreos-inc/smallfix
Small API fixes
2015-07-20 13:45:24 -04:00
Joseph Schorr
33b54218cc Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials method which only does the verification, without the linking. We use this in the superuser verification pass 2015-07-20 11:39:59 -04:00
Jake Moshenko
bc29561f8f Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00
Jake Moshenko
3efaa255e8 Accidental refactor, split out legacy.py into separate submodules and update all call sites. 2015-07-17 11:56:15 -04:00
Jake Moshenko
bea8b9ac53 More changes for registry-v2 in python.
Implement the minimal changes to the local filesystem storage driver and feed them through the distributed storage driver.
Create a digest package which contains digest_tools and checksums.
Fix the tests to use the new v1 endpoint locations.
Fix repository.delete_instance to properly filter the generated queries to avoid most subquery deletes, but still generate them when not explicitly filtered.
2015-07-17 11:50:41 -04:00
Jake Moshenko
acbcc2e206 Start of a v2 API. 2015-07-17 11:50:41 -04:00
Jake Moshenko
f5ee7a6697 Make the scopes dynamic based on app config. 2015-07-15 18:13:15 -04:00
Joseph Schorr
1c5300e439 We still need to process the function if the auth header is invalid
Otherwise, the user gets a 500
2015-07-14 11:35:04 +03:00
Jake Moshenko
7b470237a1 The superuser capability does not require the idea of ordinality since it is a binary permission. 2015-06-30 11:02:13 -04:00
Joseph Schorr
87efcb9e3d Delegated superuser API access
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
2015-06-30 11:08:26 +03:00
Joseph Schorr
dc5af7496c Allow superusers to disable user accounts 2015-06-29 18:40:52 +03:00
Jake Moshenko
03e1636ff2 Clean up log format to use lazy string substitution. 2015-06-23 17:10:03 -04:00
Joseph Schorr
76bef38d71 Remove extra call to the DB for a user we already have 2015-05-07 17:17:05 -04:00
Joseph Schorr
8eb9c376cd Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object 2015-05-07 15:04:12 -04:00
Joseph Schorr
e4b659f107 Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords 2015-03-25 18:43:12 -04:00
Jake Moshenko
68e1495e54 Remove support for the old style push temporary tokens. 2015-02-24 14:31:19 -05:00
Joseph Schorr
c58c19db8a Add support for the deprecated token method. We need this as a live migration strategy and we can remove it about an hour after we deploy the new version to prod. 2015-02-23 22:02:38 -05:00
Jake Moshenko
450b112f2c Propagate the grant user context to the signed grant to fix image sharing. 2015-02-23 15:07:38 -05:00
Jake Moshenko
3bc8b8161c Make the AlwaysFailPermission live up to its name. 2015-02-19 16:58:13 -05:00
Jake Moshenko
78c8354174 Switch our temporary token lookups for signed grants which will not require DB access. 2015-02-19 16:54:23 -05:00
Joseph Schorr
30b895b795 Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar 2015-01-23 17:26:14 -05:00
Joseph Schorr
28d319ad26 Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not). 2015-01-20 12:43:11 -05:00
Joseph Schorr
42ea3b835c Fix NPE 2015-01-12 11:42:09 -05:00
Joseph Schorr
1bf25f25c1 WIP 2015-01-04 14:38:41 -05:00
Jimmy Zelinskie
f3259c862b Merge branch 'koh'
Conflicts:
	auth/scopes.py
	requirements-nover.txt
	requirements.txt
	static/css/quay.css
	static/directives/namespace-selector.html
	static/js/app.js
	static/partials/manage-application.html
	templates/oauthorize.html
2014-12-01 12:30:09 -08:00
Joseph Schorr
0e13ef3ff8 Fix various bugs and styling issues 2014-11-24 19:40:03 -05:00
Jimmy Zelinskie
716d7a737b Strip whitespace from ALL the things. 2014-11-24 16:07:38 -05:00
Joseph Schorr
f6dd8b0a4d Fix NPE 2014-11-24 12:20:54 -05:00
Jake Moshenko
f9b8319835 Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type. 2014-11-21 10:28:50 -05:00
Jimmy Zelinskie
dee4c389a8 Base sessions on UUIDs.
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
2014-11-20 18:44:36 -05:00
Jimmy Zelinskie
12ff4b107c Undo sessions being driven by UUID.
Basing sessions on UUIDs must be done in phases. First all users
must obtain an UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
2014-11-20 12:57:17 -05:00
Jimmy Zelinskie
606ad21bec Apply reviewed changes.
Adds a length to the UUID field, renames QuayDeferredPermissionUser
parameter id->uuid, adds transactions to backfill script.
2014-11-19 13:28:16 -05:00
Jimmy Zelinskie
9d677b8eb3 Add UUID to User model and use in cookie. 2014-11-19 13:28:16 -05:00
Jake Moshenko
03190efde3 Phase 2 of migrating repo namespaces to referencing user objects, backfilling the rows without a value for namespace_user, and changing all accesses to go through the namespace_user object. All tests are passing, manual testing still required. 2014-09-24 18:01:35 -04:00
Jake Moshenko
8626d1cd70 Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration. 2014-09-19 10:17:23 -04:00
Joseph Schorr
e8ad01cb41 Lots of small NPE and other exception fixes 2014-09-15 11:27:33 -04:00
Joseph Schorr
05a1413153 Handle UI for dangerous scopes 2014-08-05 21:21:22 -04:00
Jake Moshenko
02e47ed572 Begin the work to allow robots and teams to be managed via API. 2014-08-05 20:53:00 -04:00
Jake Moshenko
0b6552d6cc Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile. 2014-05-23 14:16:26 -04:00
Jake Moshenko
2da8b4737e Fix the registry to work with unicode usernames in LDAP. 2014-05-13 15:22:31 -04:00
Jake Moshenko
5fdccfe3e6 Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 12:17:26 -04:00
jakedt
0fd5da172e Fix the super user default config. Slight style tweaks to the super user permission implementation. 2014-04-10 15:51:39 -04:00
Joseph Schorr
0e320c964f - Add support for super users
- Add a super user API
- Add a super user interface
2014-04-10 00:26:55 -04:00
Joseph Schorr
4f1ae25128 Make sure the TAR import system handles TAR paths with local directory references 2014-04-01 13:00:26 -04:00
jakedt
4d2e090bea Fix the problem with login on new triggers. 2014-03-26 15:52:24 -04:00
jakedt
250efd76b6 Merge remote-tracking branch 'origin/swaggerlikeus' 2014-03-25 17:27:00 -04:00
jakedt
41cfadac23 Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list. 2014-03-25 17:26:45 -04:00
Joseph Schorr
efb1ab6562 Fix typo 2014-03-25 16:50:39 -04:00
jakedt
a9c0e016f3 Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 12:09:25 -04:00
jakedt
0992c8a47e Fix some permissions problems still around due to some usage of scopes as strings. 2014-03-19 18:21:58 -04:00
jakedt
3b7b12085d User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes from all previously granted tokens. 2014-03-19 18:09:09 -04:00
jakedt
f2d0a2f479 Split out organization repo roles and org management roles. 2014-03-19 14:36:56 -04:00
jakedt
6fc369bed2 Change non logged in 403s to 401s. 2014-03-19 13:57:36 -04:00
jakedt
19c7453f99 Merge branch 'swaggerlikeus' of ssh://bitbucket.org/yackob03/quay into swaggerlikeus 2014-03-18 19:21:53 -04:00
jakedt
64071b9e8e Add a user info scope and thread it through the code. Protect the org modification API. 2014-03-18 19:21:27 -04:00
Joseph Schorr
d7a59ef0c2 Add checks for invalid scopes in the auth approval process 2014-03-18 17:05:27 -04:00
Joseph Schorr
9ae4506a0d Add OAuth usage information to the API logs, have it be displayed in the logs UI and start on the code to display application information when clicked. Note that this does not (yet) do anything with the information returned as we need to wait for the mainline merge of Angular 1.2.9 (which is in master) before I can continue on the display 2014-03-18 16:45:18 -04:00
jakedt
1ae04658ef Fix the formats for some errors. 2014-03-17 14:38:50 -04:00
jakedt
5bb4008880 Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 12:01:13 -04:00
Joseph Schorr
d469b41899 Add an oauth authorization page 2014-03-14 18:57:28 -04:00
jakedt
0e3fe8f3b1 Port a few more repository methods to the new API interface. 2014-03-12 20:33:57 -04:00
jakedt
e74eb3ee87 Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 16:31:37 -04:00
jakedt
25ceb90fc6 Add some sort of oauth. 2014-03-12 12:37:06 -04:00
Joseph Schorr
61ca29de04 Move the auth context methods into their own file so that we don't have auth trying to import itself 2014-02-25 15:07:24 -05:00
Joseph Schorr
a120f6c64a Make sure all aborts have message information 2014-02-25 14:15:12 -05:00
yackob03
8c1142a770 We weren't properly handling passwords with a colon in them. 2014-02-09 23:59:30 -05:00
yackob03
56722d1ac1 Allow a request with invalid basic auth to still be considered anonymous, rather than throwing a 401. 2013-12-19 15:18:14 -05:00
root
61618c7eab We can't count on auth tokens being sent anymore, so we set the namespace and repository for the session when the original put on the repo is made. 2013-12-09 04:24:29 +00:00
yackob03
e69591c7d6 Add the ability to login with a robot, use the wrench icon for robots all over the place. 2013-11-20 19:43:19 -05:00
yackob03
d064af2800 Fix a bug where org admin was not sufficient for the modify repository permission. 2013-11-07 12:52:46 -05:00
yackob03
d14a292896 Org admins should be able to view all teams. 2013-11-04 16:44:38 -05:00
yackob03
f8d3c95b74 Fix a typo in the team need permissions. 2013-11-04 16:39:52 -05:00
yackob03
2eb7ff2442 Add a bunch of the missing permissions from the API. 2013-11-04 16:18:40 -05:00
yackob03
dd77ebd64f Next batch of backend permissions for orgs. 2013-11-04 15:42:08 -05:00
yackob03
283f9b81ae First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 14:24:10 -04:00
yackob03
959016a6eb Remove unnecessary calls to the database for user and permission metadata. 2013-10-15 14:48:49 -04:00
yackob03
891f992bf2 Allow for anonymous access tokens for public repositories. 2013-10-01 01:18:05 -04:00
yackob03
0652636693 Handle the case where there is no auth at all. 2013-10-01 00:37:28 -04:00
yackob03
6bcb5cfcaa Flesh out some permissions APIs. 2013-09-27 13:24:07 -04:00
yackob03
9278871381 Load flask principal permissions even for web and api endpoints. 2013-09-26 16:32:09 -04:00
yackob03
23cbcb2979 Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrassing bug with multiple select criteria in peewee. Update the test db. 2013-09-26 15:58:11 -04:00
yackob03
44255421df Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-25 20:00:22 -04:00
yackob03
08446ef59e Fix some stuff with logins and permissions, add tags to the mode. 2013-09-25 16:46:28 -04:00
yackob03
ee5ea51532 Refactor the code into modules, it was getting unwieldy. 2013-09-25 12:45:12 -04:00