Joseph Schorr
4a4eee5e05
Make our JWT subjects better and log using the info
...
Fixes #1039
2015-12-14 14:00:33 -05:00
Jake Moshenko
5d86fa80e7
Merge pull request #197 from coreos-inc/keystone
...
Add Keystone Auth
2015-07-22 13:38:47 -04:00
Jake Moshenko
679044574a
Merge pull request #231 from coreos-inc/smallfix
...
Small API fixes
2015-07-20 13:45:24 -04:00
Joseph Schorr
33b54218cc
Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials
method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 11:39:59 -04:00
Jake Moshenko
3efaa255e8
Accidental refactor, split out legacy.py into separate sumodules and update all call sites.
2015-07-17 11:56:15 -04:00
Joseph Schorr
1c5300e439
We still need to process the function if the auth header is invalid
...
Otherwise, the user gets a 500
2015-07-14 11:35:04 +03:00
Joseph Schorr
dc5af7496c
Allow superusers to disable user accounts
2015-06-29 18:40:52 +03:00
Joseph Schorr
76bef38d71
Remove extra call to the DB for a user we already have
2015-05-07 17:17:05 -04:00
Joseph Schorr
8eb9c376cd
Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object
2015-05-07 15:04:12 -04:00
Joseph Schorr
e4b659f107
Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords
2015-03-25 18:43:12 -04:00
Jake Moshenko
68e1495e54
Remove support for the old style push temporary tokens.
2015-02-24 14:31:19 -05:00
Joseph Schorr
c58c19db8a
Add support for the deprecated token method. We need this as a live migration strategy and we can remove it about an hour after we deploy the new version to prod.
2015-02-23 22:02:38 -05:00
Jake Moshenko
450b112f2c
Propagate the grant user context to the signed grant to fix image sharing.
2015-02-23 15:07:38 -05:00
Jake Moshenko
78c8354174
Switch our temporary token lookups for signed grants which will not require DB access.
2015-02-19 16:54:23 -05:00
Jake Moshenko
f9b8319835
Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type.
2014-11-21 10:28:50 -05:00
Jimmy Zelinskie
dee4c389a8
Base sessions on UUIDs.
...
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
2014-11-20 18:44:36 -05:00
Jimmy Zelinskie
12ff4b107c
Undo sessions being driven by UUID.
...
Basing sessions on UUIDs must be done in phases. First all users
must obtain an UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
2014-11-20 12:57:17 -05:00
Jimmy Zelinskie
9d677b8eb3
Add UUID to User model and use in cookie.
2014-11-19 13:28:16 -05:00
Jake Moshenko
8626d1cd70
Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration.
2014-09-19 10:17:23 -04:00
Joseph Schorr
e8ad01cb41
Lots of small NPE and other exception fixes
2014-09-15 11:27:33 -04:00
Jake Moshenko
0b6552d6cc
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile.
2014-05-23 14:16:26 -04:00
Jake Moshenko
2da8b4737e
Fix the registry to work with unicode usernames in LDAP.
2014-05-13 15:22:31 -04:00
Jake Moshenko
5fdccfe3e6
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call.
2014-05-13 12:17:26 -04:00
jakedt
4d2e090bea
Fix the problem with login on new triggers.
2014-03-26 15:52:24 -04:00
Joseph Schorr
efb1ab6562
Fix typo
2014-03-25 16:50:39 -04:00
jakedt
a9c0e016f3
Add the ability to use an oauth token to interact with the index and registry.
2014-03-20 12:09:25 -04:00
jakedt
0992c8a47e
Fix some permissions problems still around due to some usage of scopes as strings.
2014-03-19 18:21:58 -04:00
jakedt
64071b9e8e
Add a user info scope and thread it through the code. Protect the org modification API.
2014-03-18 19:21:27 -04:00
Joseph Schorr
9ae4506a0d
Add OAuth usage information the API logs, have it be displayed in the logs UI and start on the code to display application information when clicked. Note that this does not (yet) do anything with the information returned as we need to wait for the mainline merge of Angular 1.2.9 (which is in master) before I can continue on the display
2014-03-18 16:45:18 -04:00
jakedt
1ae04658ef
Fix the formats for some errors.
2014-03-17 14:38:50 -04:00
jakedt
5bb4008880
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections.
2014-03-17 12:01:13 -04:00
jakedt
0e3fe8f3b1
Port a few more repository methods to the new API interface.
2014-03-12 20:33:57 -04:00
jakedt
e74eb3ee87
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly.
2014-03-12 16:31:37 -04:00
jakedt
25ceb90fc6
Add some sort of oauth.
2014-03-12 12:37:06 -04:00
Joseph Schorr
61ca29de04
Move the auth context methods into their own file so that we don't have auth trying to import itself
2014-02-25 15:07:24 -05:00
Joseph Schorr
a120f6c64a
Make sure all aborts have message information
2014-02-25 14:15:12 -05:00
yackob03
8c1142a770
We weren't properly handling passwords with a colon in them.
2014-02-09 23:59:30 -05:00
yackob03
56722d1ac1
Allow a request with invalid basic auth to still be considered anonymous, rather than throwing a 401.
2013-12-19 15:18:14 -05:00
root
61618c7eab
We can't count on auth tokens being sent anymore, so we set the namespace and repository for the session when the original put on the repo is made.
2013-12-09 04:24:29 +00:00
yackob03
e69591c7d6
Add the ability to login with a robot, use the wrench icon for robots all over the place.
2013-11-20 19:43:19 -05:00
yackob03
283f9b81ae
First stab at token auth. The UI could use a little bit of polishing.
2013-10-16 14:24:10 -04:00
yackob03
959016a6eb
Remove unnecessary calls to the database for user and permission metadata.
2013-10-15 14:48:49 -04:00
yackob03
0652636693
Handle the case where there is no auth at all.
2013-10-01 00:37:28 -04:00
yackob03
9278871381
Load flask principal permissions even for web and api endpoints.
2013-09-26 16:32:09 -04:00
yackob03
23cbcb2979
Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db.
2013-09-26 15:58:11 -04:00
yackob03
44255421df
Namespace the storage in the registry to prevent leaking images if one acquires the image id.
2013-09-25 20:00:22 -04:00
yackob03
08446ef59e
Fix some stuff with logins and permissions, add tags to the mode.
2013-09-25 16:46:28 -04:00
yackob03
ee5ea51532
Refactor the code into modules, it was getting unweildy.
2013-09-25 12:45:12 -04:00