Commit graph

144 commits

Author SHA1 Message Date
Joseph Schorr
c3f2901ec0 Catch unicode decode errors in auth decode
Fixes https://jira.coreos.com/browse/QUAY-1249
2018-12-07 16:16:32 -05:00
Joseph Schorr
a38edea11b Allow use of basic auth for security scan endpoints
This will allow the security labeler to send a pull secret to retrieve security information for a manifest

Fixes https://jira.coreos.com/browse/QUAY-1087
2018-09-21 13:54:33 -04:00
Sam Chow
cc9bedbeb9 refactor approval service key to not need approver 2018-08-15 17:18:41 -04:00
Joseph Schorr
406082be74 Move permissions test to pytest 2018-07-18 11:14:27 -04:00
Joseph Schorr
a1c06042c6 Add a unique_key fields to the auth context type for tracking different instances
This will allow us to lookup a cache for the catalog without needing to make a database call
2018-06-19 11:09:58 -04:00
Joseph Schorr
913952ae27 Make signed grant tests stable across runs
This was preventing us from running tests in parallel, since the names were changing
2018-06-01 17:06:56 -04:00
Joseph Schorr
86f898d9bd Fix OAuth scopes display
Before, we were sending the wrong kind of data (namedtuple instead of dict) in the non-superuser case, which broke prod. Now, we always explicitly send a standard dictionary.

Fixes https://jira.coreos.com/browse/QUAY-871
2018-03-16 13:03:42 -04:00
Brad Ison
d1ba2dcfc3 Add labels to test cases for invalid JWTs 2018-02-26 12:55:49 -05:00
Joseph Schorr
e220b50543 Refactor auth code to be cleaner and more extensible
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc).
2018-02-14 15:35:27 -05:00
Joseph Schorr
bbdf9e074c Add metrics for tracking when instance key renewal succeeds and fails, as well as when instance key *lookup* fails 2018-02-02 11:14:42 -05:00
Joseph Schorr
888b564a9b Add a banner to the Quay UI when an app specific token is about to expire 2018-01-04 15:27:42 -05:00
Joseph Schorr
524d77f527 Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2018-01-04 15:27:41 -05:00
Joseph Schorr
1ba3c24fe5 Fix log level on expired OAuth log 2018-01-04 12:59:21 -05:00
Joseph Schorr
3bf8973fd9 Change app registry to use the credentials verification system
Allows for tokens, OAuth tokens and robot accounts to be used as well

Fixes https://jira.prod.coreos.systems/browse/QS-36
2017-12-06 13:52:25 -05:00
Joseph Schorr
0bcda90c6e Add kind to credentials validate call 2017-12-06 13:52:24 -05:00
Joseph Schorr
6f3d9a6fce Extract credential handling into its own module
Will be used in Docker V1 and APPR protocols
2017-12-06 13:52:24 -05:00
Jimmy Zelinskie
1040c939bf auth.test: merge registry jwt into one pytest file 2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
880871a2ea auth.test: increase duration to avoid flakes 2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
8a6417869d auth/test: add missing module db setup 2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
da4fb02423 auth/test: yapf format 2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
92877fa70f auth.test.test_registry_jwt: rm endpoints.v2 dep 2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
7d1bbbfe19 test: convert registry auth test to pytest
This also moves them into the auth package.
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
7444055511 auth: remove relative imports 2017-05-16 15:54:02 -04:00
Joseph Schorr
7debd44b54 Switch fixture imports to wildcard in prep for full db test fixes 2017-04-24 16:45:14 -04:00
Joseph Schorr
40f936c053 Fix logger statement in new auth code 2017-03-24 17:43:00 -04:00
Joseph Schorr
08673a03e2 Rename cookie header parameter to make it clear it is unused
The parameter is necessary to match the auth handler interface, but is unused inside the method
2017-03-23 15:42:45 -04:00
Joseph Schorr
651666b60b Refactor our auth handling code to be cleaner
Breaks out the validation code from the auth context modification calls, makes decorators easier to define and adds testing for each individual piece. Will be the basis of better error messaging in the following change.
2017-03-23 15:42:45 -04:00
Joseph Schorr
1bd4422da9 Move auth decorators into a decorators module
The non-decorators will be broken out in the followup change
2017-03-23 15:42:45 -04:00
Jimmy Zelinskie
64421db0a3 MAINTAINERS: init owners to subpkgs 2017-01-23 17:46:34 -05:00
Evan Cordell
b4ace1dd29 registry auth tests: test more access types 2016-11-28 14:02:08 -05:00
Joseph Schorr
4b926ae189 Add new metrics as requested by some customers
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a followup PR
2016-11-03 15:28:40 -04:00
Joseph Schorr
3439f814b6 Fix quoting of scopes in WWW-Authenticate header
Fixes part of #2002
2016-10-17 14:32:43 -04:00
josephschorr
684ace3b5a Merge pull request #1761 from coreos-inc/nginx-direct-download
Add feature flag to force all direct download URLs to be proxied
2016-09-29 22:46:57 +02:00
Jimmy Zelinskie
31b77cf232 rename auth.auth to auth.process
This fixes some ambiguity around imports.
2016-09-29 15:24:57 -04:00
Joseph Schorr
6ae3faf7fc Add explicit config parameter to the JWT auth methods 2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20 Add feature flag to force all direct download URLs to be proxied
Fixes #1667
2016-09-29 11:13:41 +02:00
Jimmy Zelinskie
fc7301be0d *: fix legacy imports
This change reorganizes imports and renames the legacy flask extensions.
2016-09-28 20:17:14 -04:00
Joseph Schorr
c4daf1cc3d Change permissions model so that non-admins do not get org-wide read
Fixes #1684
2016-08-04 16:47:28 -04:00
Joseph Schorr
8887f09ba8 Use the instance service key for registry JWT signing 2016-06-07 11:58:10 -04:00
Joseph Schorr
7933aecf25 Add support for direct granting of OAuth tokens and add tests
This allows a client (when authorized in a whitelist) to send direct credentials via a Basic auth header and therefore bypass the OAuth approval UI for that user.
2016-05-23 17:17:06 -04:00
Joseph Schorr
a736407611 Fix user:admin scope handling and add test 2016-05-09 11:16:01 +02:00
Jake Moshenko
9221a515de Use the registry API for security scanning
when the storage engine doesn't support direct download url
2016-05-04 18:04:06 -04:00
Evan Cordell
eba75494d9 Use new error format for auth errors (factor exceptions into module) 2016-04-11 16:22:26 -04:00
Joseph Schorr
b5b2df2063 Make test more resilient to changes in IDs 2016-03-30 16:19:15 -04:00
Joseph Schorr
a3aa4592cf Change permissions to only load required by default
Permissions now load just the namespace and/or repository permissions requested, with a fallback to a full permissions load if necessary.
2016-03-28 16:33:32 -04:00
Jimmy Zelinskie
ea2e17cc11 v2: send proper scopes for authorization failures
Fixes #1278.
2016-03-11 13:41:38 -05:00
Jimmy Zelinskie
bb46cc933d use kwargs for parse_repository_name 2016-03-09 16:20:28 -05:00
josephschorr
e8faa9f843 Merge pull request #939 from coreos-inc/user-admin
Add user admin scope
2016-02-16 16:42:29 -05:00
Jake Moshenko
01a92a66ba Refresh base image and python dependencies 2016-01-27 11:36:40 -05:00
Joseph Schorr
e4ffaff869 Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories.
This support is placed behind a feature flag.
2016-01-22 15:54:06 -05:00