Joseph Schorr
a38edea11b
Allow use of basic auth for security scan endpoints
This will allow the security labeler to send a pull secret to retrieve security information for a manifest
Fixes https://jira.coreos.com/browse/QUAY-1087
2018-09-21 13:54:33 -04:00
Sam Chow
cc9bedbeb9
refactor approval service key to not need approver
2018-08-15 17:18:41 -04:00
Joseph Schorr
406082be74
Move permissions test to pytest
2018-07-18 11:14:27 -04:00
Joseph Schorr
a1c06042c6
Add a unique_key field to the auth context type for tracking different instances
This will allow us to look up a cache for the catalog without needing to make a database call
2018-06-19 11:09:58 -04:00
Joseph Schorr
913952ae27
Make signed grant tests stable across runs
This was preventing us from running tests in parallel, since the names were changing
2018-06-01 17:06:56 -04:00
Joseph Schorr
86f898d9bd
Fix OAuth scopes display
Before, we were sending the wrong kind of data (namedtuple instead of dict) in the non-superuser case, which broke prod. Now, we always explicitly send a standard dictionary.
Fixes https://jira.coreos.com/browse/QUAY-871
2018-03-16 13:03:42 -04:00
Brad Ison
d1ba2dcfc3
Add labels to test cases for invalid JWTs
2018-02-26 12:55:49 -05:00
Joseph Schorr
e220b50543
Refactor auth code to be cleaner and more extensible
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc).
2018-02-14 15:35:27 -05:00
Joseph Schorr
bbdf9e074c
Add metrics for tracking when instance key renewal succeeds and fails, as well as when instance key *lookup* fails
2018-02-02 11:14:42 -05:00
Joseph Schorr
888b564a9b
Add a banner to the Quay UI when an app specific token is about to expire
2018-01-04 15:27:42 -05:00
Joseph Schorr
524d77f527
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
2018-01-04 15:27:41 -05:00
Joseph Schorr
1ba3c24fe5
Fix log level on expired OAuth log
2018-01-04 12:59:21 -05:00
Joseph Schorr
3bf8973fd9
Change app registry to use the credentials verification system
Allows for tokens, OAuth tokens and robot accounts to be used as well
Fixes https://jira.prod.coreos.systems/browse/QS-36
2017-12-06 13:52:25 -05:00
Joseph Schorr
0bcda90c6e
Add kind to credentials validate call
2017-12-06 13:52:24 -05:00
Joseph Schorr
6f3d9a6fce
Extract credential handling into its own module
Will be used in Docker V1 and APPR protocols
2017-12-06 13:52:24 -05:00
Jimmy Zelinskie
1040c939bf
auth.test: merge registry jwt into one pytest file
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
880871a2ea
auth.test: increase duration to avoid flakes
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
8a6417869d
auth/test: add missing module db setup
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
da4fb02423
auth/test: yapf format
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
92877fa70f
auth.test.test_registry_jwt: rm endpoints.v2 dep
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
7d1bbbfe19
test: convert registry auth test to pytest
This also moves them into the auth package.
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
7444055511
auth: remove relative imports
2017-05-16 15:54:02 -04:00
Joseph Schorr
7debd44b54
Switch fixture imports to wildcard in prep for full db test fixes
2017-04-24 16:45:14 -04:00
Joseph Schorr
40f936c053
Fix logger statement in new auth code
2017-03-24 17:43:00 -04:00
Joseph Schorr
08673a03e2
Rename cookie header parameter to make it clear it is unused
The parameter is necessary to match the auth handler interface, but is unused inside the method
2017-03-23 15:42:45 -04:00
Joseph Schorr
651666b60b
Refactor our auth handling code to be cleaner
Breaks out the validation code from the auth context modification calls, makes decorators easier to define and adds testing for each individual piece. Will be the basis of better error messaging in the following change.
2017-03-23 15:42:45 -04:00
Joseph Schorr
1bd4422da9
Move auth decorators into a decorators module
The non-decorators will be broken out in the followup change
2017-03-23 15:42:45 -04:00
Jimmy Zelinskie
64421db0a3
MAINTAINERS: init owners to subpkgs
2017-01-23 17:46:34 -05:00
Evan Cordell
b4ace1dd29
registry auth tests: test more access types
2016-11-28 14:02:08 -05:00
Joseph Schorr
4b926ae189
Add new metrics as requested by some customers
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a followup PR
2016-11-03 15:28:40 -04:00
Joseph Schorr
3439f814b6
Fix quoting of scopes in WWW-Authenticate header
Fixes part of #2002
2016-10-17 14:32:43 -04:00
josephschorr
684ace3b5a
Merge pull request #1761 from coreos-inc/nginx-direct-download
Add feature flag to force all direct download URLs to be proxied
2016-09-29 22:46:57 +02:00
Jimmy Zelinskie
31b77cf232
rename auth.auth to auth.process
This fixes some ambiguity around imports.
2016-09-29 15:24:57 -04:00
Joseph Schorr
6ae3faf7fc
Add explicit config parameter to the JWT auth methods
2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20
Add feature flag to force all direct download URLs to be proxied
Fixes #1667
2016-09-29 11:13:41 +02:00
Jimmy Zelinskie
fc7301be0d
*: fix legacy imports
This change reorganizes imports and renames the legacy flask extensions.
2016-09-28 20:17:14 -04:00
Joseph Schorr
c4daf1cc3d
Change permissions model so that non-admins do not get org-wide read
Fixes #1684
2016-08-04 16:47:28 -04:00
Joseph Schorr
8887f09ba8
Use the instance service key for registry JWT signing
2016-06-07 11:58:10 -04:00
Joseph Schorr
7933aecf25
Add support for direct granting of OAuth tokens and add tests
This allows a client (when authorized in a whitelist) to send direct credentials via a Basic auth header and therefore bypass the OAuth approval UI for that user.
2016-05-23 17:17:06 -04:00
Joseph Schorr
a736407611
Fix user:admin scope handling and add test
2016-05-09 11:16:01 +02:00
Jake Moshenko
9221a515de
Use the registry API for security scanning
when the storage engine doesn't support direct download url
2016-05-04 18:04:06 -04:00
Evan Cordell
eba75494d9
Use new error format for auth errors (factor exceptions into module)
2016-04-11 16:22:26 -04:00
Joseph Schorr
b5b2df2063
Make test more resilient to changes in IDs
2016-03-30 16:19:15 -04:00
Joseph Schorr
a3aa4592cf
Change permissions to only load required by default
Permissions now load just the namespace and/or repository permissions requested, with a fallback to a full permissions load if necessary.
2016-03-28 16:33:32 -04:00
Jimmy Zelinskie
ea2e17cc11
v2: send proper scopes for authorization failures
Fixes #1278.
2016-03-11 13:41:38 -05:00
Jimmy Zelinskie
bb46cc933d
use kwargs for parse_repository_name
2016-03-09 16:20:28 -05:00
josephschorr
e8faa9f843
Merge pull request #939 from coreos-inc/user-admin
Add user admin scope
2016-02-16 16:42:29 -05:00
Jake Moshenko
01a92a66ba
Refresh base image and python dependencies
2016-01-27 11:36:40 -05:00
Joseph Schorr
e4ffaff869
Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories.
This support is placed behind a feature flag.
2016-01-22 15:54:06 -05:00
Joseph Schorr
4e942203cb
Fix handling of tokens in the new context block of the JWT
2015-12-15 16:52:22 -05:00