Joseph Schorr
ff52fde8a5
Have Quay always use an OAuth-specific CSRF token
...
This change ensures that we always store and then check the contents of the OAuth `state` argument against a session-stored CSRF token.
Fixes https://www.pivotaltracker.com/story/show/135803615
2016-12-08 16:11:57 -05:00
Joseph Schorr
1a61ef4e04
Report the user's name and company to Marketo
...
Also fixes the API to report the other changes (username and email) as well
2016-11-14 17:34:50 -05:00
Joseph Schorr
0f2eb61f4a
Add collection of user metadata: name and company
2016-11-08 16:15:02 -05:00
Joseph Schorr
1e3b354201
Add support for temp usernames and an interstitial to confirm username
...
When a user now logs in for the first time for any external auth (LDAP, JWT, Keystone, Github, Google, Dex), they will be presented with a confirmation screen that affords them the opportunity to change their Quay-assigned username.
Addresses most of the user issues around #74
2016-11-03 15:59:14 -04:00
josephschorr
840ea4e768
Merge pull request #2047 from coreos-inc/external-auth-email-optional
...
Make email addresses optional in external auth if email feature is turned off
2016-10-31 14:16:33 -04:00
Joseph Schorr
3a473cad2a
Enable permanent sessions
...
Fixes #1955
2016-10-31 13:52:09 -04:00
Joseph Schorr
d7f56350a4
Make email addresses optional in external auth if email feature is turned off
...
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
josephschorr
edc2bc8b93
Merge pull request #1698 from coreos-inc/delete-namespace
...
Add support for deleting namespaces (users, organizations)
2016-10-21 16:54:52 -04:00
Joseph Schorr
73eb66eac5
Add support for deleting namespaces (users, organizations)
...
Fixes #102
Fixes #105
2016-10-21 15:41:09 -04:00
Joseph Schorr
b7fc7999c3
Delete old "license" checking code arounds user counts
...
This is legacy code that doesn't actually do anything of value
2016-10-20 14:58:35 -04:00
Jake Moshenko
f04b018805
Write our users to Marketo as leads.
2016-10-14 16:29:11 -04:00
Jimmy Zelinskie
fc7301be0d
*: fix legacy imports
...
This change reorganizes imports and renames the legacy flask extensions.
2016-09-28 20:17:14 -04:00
Evan Cordell
eba75494d9
Use new error format for auth errors (factor exceptions into module)
2016-04-11 16:22:26 -04:00
Joseph Schorr
ecaa051791
Fix schema for invoice email updating
...
Fixes #1209
2016-02-16 11:52:57 -05:00
Joseph Schorr
534ec9cb2b
Add pagination to the repository list API to make it better for public
...
Fixes #1166
2016-02-01 22:42:44 +02:00
Jake Moshenko
018bf8c5ad
Refactor how parsed_args are passed to methods
2016-01-26 16:27:36 -05:00
Joseph Schorr
e4ffaff869
Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories.
...
This support is placed behind a feature flag.
2016-01-22 15:54:06 -05:00
josephschorr
f748d4348d
Merge pull request #1106 from coreos-inc/billingemail
...
Add support for custom billing invoice email address
2016-01-04 14:34:30 -05:00
Joseph Schorr
31a8a0fba4
Better UX when recovering organization emails
...
Fixes #291
2015-12-28 15:25:31 -05:00
Joseph Schorr
10efa96009
Add support for custom billing invoice email address
...
Fixes #782
2015-12-28 13:59:50 -05:00
Joseph Schorr
888ec17538
Recover by email needs to allow anon access to its endpoints
2015-11-10 15:41:19 -05:00
Joseph Schorr
5d8121e060
Return user orgs when making a call via OAuth
...
Fixes #673
2015-10-21 16:40:31 -04:00
Joseph Schorr
c0286d1ac3
Add support for Dex to Quay
...
Fixes #306
- Adds support for Dex as an OAuth external login provider
- Adds support for OIDC in general
- Extract out external logins on the JS side into a service
- Add a feature flag for disabling direct login
- Add support for directing to the single external login service
- Does *not* yet support the config in the superuser tool
2015-09-04 17:05:06 -04:00
Joseph Schorr
5c1d195a19
Fix swagger errors
...
Fixes #287
2015-08-03 14:10:15 -04:00
Joseph Schorr
5d243bb45f
Fix potential NPE
2015-07-24 12:12:30 -04:00
Joseph Schorr
687bab1c05
Support invite codes for verification of email
...
Also changes the system so we don't apply the invite until it is called explicitly from the frontend
Fixes #241
2015-07-22 13:41:27 -04:00
Joseph Schorr
33b54218cc
Refactor the users class into their own files, add a common base class for federated users and add a verify_credentials
method which only does the verification, without the linking. We use this in the superuser verification pass
2015-07-20 11:39:59 -04:00
Jake Moshenko
3efaa255e8
Accidental refactor, split out legacy.py into separate sumodules and update all call sites.
2015-07-17 11:56:15 -04:00
Jake Moshenko
6e6b3c675f
Merge pull request #28 from coreos-inc/swagger2
...
Switch to Swagger v2
2015-06-29 12:18:10 -04:00
Joseph Schorr
dc5af7496c
Allow superusers to disable user accounts
2015-06-29 18:40:52 +03:00
Joseph Schorr
c0e995c1d4
Merge branch 'master' into nolurk
2015-06-02 13:55:16 -04:00
Joseph Schorr
fdd43e2490
Change API calls that expect non-robots to explicitly filter
...
Before this change, we'd filter in the UI but calls to the API could allow robots accounts where we only expect real users
2015-05-26 17:47:33 -04:00
Joseph Schorr
855f3a3e4d
Have the verifyUser endpoint use the same confirm_existing_user method
...
This will prevent us from encountering the same problem as the generated encrypted password issue when using LDAP
2015-05-22 16:26:26 -04:00
Joseph Schorr
b0d763b5ff
Fix encrypted password generator to use the LDAP username, not the Quay username.
...
Currently, we use the Quay username via `verify_user` when we go to create the encrypted password. This is only correct if Quay has not generated its own different username for the LDAP user, and fails if it has. We therefore add a new method `confirm_existing_user`, which looks up the federated login for the LDAP user and then runs the auth flow using that username.
2015-05-20 16:37:09 -04:00
Joseph Schorr
54992c23b7
Add a feature flag for disabling unauthenticated access to the registry in its entirety.
2015-05-19 17:52:44 -04:00
Joseph Schorr
0bc1c29dff
Switch the Python side to Swagger v2
2015-05-14 16:47:38 -04:00
Joseph Schorr
60036927c9
Really disallow usage of the same account for an org as the one being converted. Before, you could do so via email.
2015-04-29 20:30:37 -04:00
Joseph Schorr
f67eeee8c8
Start conversion of the user admin/view
2015-04-02 16:34:41 -04:00
Joseph Schorr
5cd500257d
Merge branch 'master' into orgview
2015-04-01 13:56:49 -04:00
Joseph Schorr
1f5e6df678
- Fix tests
...
- Add new endpoints for retrieving the repo permissions for a robot account
- Have the robots list return the number of repositories for which there are permissions
- Other UI fixes
2015-03-31 18:50:43 -04:00
Joseph Schorr
27a9b84587
Switch avatars to be built out of CSS and only overlayed with the gravatar when a non-default exists
2015-03-30 17:55:04 -04:00
Joseph Schorr
384d6083c4
Make sure to conduct login after the password change now that the session will be invalidated for the user
2015-03-26 20:04:32 -04:00
Joseph Schorr
aaf1b23e98
Address CL concerns and switch to a real encryption system
2015-03-26 15:10:58 -04:00
Joseph Schorr
e4b659f107
Add support for encrypted client tokens via basic auth (for the docker CLI) and a feature flag to disable normal passwords
2015-03-25 18:43:12 -04:00
Jimmy Zelinskie
9dd6e8e639
api/user: remove log_action comments for stars
...
It is not necessary to log the starring of repositories.
2015-03-02 13:25:58 -05:00
Jimmy Zelinskie
fb0d3d69c2
changes to reflect PR comments (not finished)
2015-02-24 17:50:54 -05:00
Jimmy Zelinskie
35a2414d85
tests: star security tests
2015-02-23 14:23:32 -05:00
Jimmy Zelinskie
3780434279
endpoints.api.user: require useradmin for star ops
2015-02-19 17:03:36 -05:00
Jimmy Zelinskie
917dd6b674
Merge branch 'master' into star
2015-02-18 17:36:58 -05:00
Jake Moshenko
990739b1e5
Add the APIs required to change the time machine policy for users and organizations.
2015-02-12 14:37:11 -05:00