Jake Moshenko
82efc746b3
Make our JWT checking more strict.
2015-09-04 15:18:57 -04:00
Jake Moshenko
b2844fb8c7
Switch the base case for when a scope string contains an invalid scope.
2015-08-05 17:35:02 -04:00
Joseph Schorr
354f4109d0
Switch to returning an empty set when there are invalid auth scopes
2015-07-31 12:49:42 -04:00
Joseph Schorr
804be4d4be
OAuth scopes are space separated, not comma
2015-07-31 12:37:02 -04:00
Jake Moshenko
5d86fa80e7
Merge pull request #197 from coreos-inc/keystone
...
Add Keystone Auth
2015-07-22 13:38:47 -04:00
Jake Moshenko
679044574a
Merge pull request #231 from coreos-inc/smallfix
...
Small API fixes
2015-07-20 13:45:24 -04:00
Joseph Schorr
33b54218cc
Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials
method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 11:39:59 -04:00
Jake Moshenko
bc29561f8f
Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
...
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00
Jake Moshenko
3efaa255e8
Accidental refactor, split out legacy.py into separate sumodules and update all call sites.
2015-07-17 11:56:15 -04:00
Jake Moshenko
bea8b9ac53
More changes for registry-v2 in python.
...
Implement the minimal changes to the local filesystem storage driver and feed them through the distributed storage driver.
Create a digest package which contains digest_tools and checksums.
Fix the tests to use the new v1 endpoint locations.
Fix repository.delete_instance to properly filter the generated queries to avoid most subquery deletes, but still generate them when not explicitly filtered.
2015-07-17 11:50:41 -04:00
Jake Moshenko
acbcc2e206
Start of a v2 API.
2015-07-17 11:50:41 -04:00
Jake Moshenko
f5ee7a6697
Make the scopes dynamic based on app config.
2015-07-15 18:13:15 -04:00
Joseph Schorr
1c5300e439
We still need to process the function if the auth header is invalid
...
Otherwise, the user gets a 500
2015-07-14 11:35:04 +03:00
Jake Moshenko
7b470237a1
The superuser capability does not require the idea of ordinality since it is a binary permission.
2015-06-30 11:02:13 -04:00
Joseph Schorr
87efcb9e3d
Delegated superuser API access
...
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
2015-06-30 11:08:26 +03:00
Joseph Schorr
dc5af7496c
Allow superusers to disable user accounts
2015-06-29 18:40:52 +03:00
Jake Moshenko
03e1636ff2
Clean up log format to use lazy string substitution.
2015-06-23 17:10:03 -04:00
Joseph Schorr
76bef38d71
Remove extra call to the DB for a user we already have
2015-05-07 17:17:05 -04:00
Joseph Schorr
8eb9c376cd
Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object
2015-05-07 15:04:12 -04:00
Joseph Schorr
e4b659f107
Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords
2015-03-25 18:43:12 -04:00
Jake Moshenko
68e1495e54
Remove support for the old style push temporary tokens.
2015-02-24 14:31:19 -05:00
Joseph Schorr
c58c19db8a
Add support for the deprecated token method. We need this as a live migration strategy and we can remove it about an hour after we deploy the new version to prod.
2015-02-23 22:02:38 -05:00
Jake Moshenko
450b112f2c
Propagate the grant user context to the signed grant to fix image sharing.
2015-02-23 15:07:38 -05:00
Jake Moshenko
3bc8b8161c
Make the AlwaysFailPermission live up to its name.
2015-02-19 16:58:13 -05:00
Jake Moshenko
78c8354174
Switch our temporary token lookups for signed grants which will not require DB access.
2015-02-19 16:54:23 -05:00
Joseph Schorr
30b895b795
Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar
2015-01-23 17:26:14 -05:00
Joseph Schorr
28d319ad26
Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).
2015-01-20 12:43:11 -05:00
Joseph Schorr
42ea3b835c
Fix NPE
2015-01-12 11:42:09 -05:00
Joseph Schorr
1bf25f25c1
WIP
2015-01-04 14:38:41 -05:00
Jimmy Zelinskie
f3259c862b
Merge branch 'koh'
...
Conflicts:
auth/scopes.py
requirements-nover.txt
requirements.txt
static/css/quay.css
static/directives/namespace-selector.html
static/js/app.js
static/partials/manage-application.html
templates/oauthorize.html
2014-12-01 12:30:09 -08:00
Joseph Schorr
0e13ef3ff8
Fix various bugs and styling issues
2014-11-24 19:40:03 -05:00
Jimmy Zelinskie
716d7a737b
Strip whitespace from ALL the things.
2014-11-24 16:07:38 -05:00
Joseph Schorr
f6dd8b0a4d
Fix NPE
2014-11-24 12:20:54 -05:00
Jake Moshenko
f9b8319835
Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type.
2014-11-21 10:28:50 -05:00
Jimmy Zelinskie
dee4c389a8
Base sessions on UUIDs.
...
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
2014-11-20 18:44:36 -05:00
Jimmy Zelinskie
12ff4b107c
Undo sessions being driven by UUID.
...
Basing sessions on UUIDs must be done in phases. First all users
must obtain an UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
2014-11-20 12:57:17 -05:00
Jimmy Zelinskie
606ad21bec
Apply reviewed changes.
...
Adds a length to the UUID field, renames QuayDeferredPermissionUser
parameter id->uuid, adds transactions to backfill script.
2014-11-19 13:28:16 -05:00
Jimmy Zelinskie
9d677b8eb3
Add UUID to User model and use in cookie.
2014-11-19 13:28:16 -05:00
Jake Moshenko
03190efde3
Phase 2 of migrating repo namespaces to referencing user objects, backfilling the rows without a value for namespace_user, and changing all accesses to go through the namespace_user object. All tests are passing, manual testing still required.
2014-09-24 18:01:35 -04:00
Jake Moshenko
8626d1cd70
Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration.
2014-09-19 10:17:23 -04:00
Joseph Schorr
e8ad01cb41
Lots of small NPE and other exception fixes
2014-09-15 11:27:33 -04:00
Joseph Schorr
05a1413153
Handle UI for dangerous scopes
2014-08-05 21:21:22 -04:00
Jake Moshenko
02e47ed572
Begin the work to allow robots and teams to be managed via API.
2014-08-05 20:53:00 -04:00
Jake Moshenko
0b6552d6cc
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile.
2014-05-23 14:16:26 -04:00
Jake Moshenko
2da8b4737e
Fix the registry to work with unicode usernames in LDAP.
2014-05-13 15:22:31 -04:00
Jake Moshenko
5fdccfe3e6
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call.
2014-05-13 12:17:26 -04:00
jakedt
0fd5da172e
Fix the super user default config. Slight style tweaks to the super user permission implementation.
2014-04-10 15:51:39 -04:00
Joseph Schorr
0e320c964f
- Add support for super users
...
- Add a super user API
- Add a super user interface
2014-04-10 00:26:55 -04:00
Joseph Schorr
4f1ae25128
Make sure the TAR import system handles TAR paths with local directory references
2014-04-01 13:00:26 -04:00
jakedt
4d2e090bea
Fix the problem with login on new triggers.
2014-03-26 15:52:24 -04:00