Ejemplo n.º 1
0
    def verify_credentials(self, username_or_email, password):
        try:
            _, sess = self._get_client(username_or_email, password)
            user_id = sess.get_user_id()
        except KeystoneAuthorizationFailure as kaf:
            logger.exception("Keystone auth failure for user: %s", username_or_email)
            return (None, "Invalid username or password")
        except KeystoneUnauthorized as kut:
            logger.exception("Keystone unauthorized for user: %s", username_or_email)
            return (None, "Invalid username or password")
        except ClientException as ex:
            logger.exception("Keystone unauthorized for user: %s", username_or_email)
            return (None, "Invalid username or password")

        if user_id is None:
            return (None, "Invalid username or password")

        try:
            admin_client, _ = self._get_client(
                self.admin_username, self.admin_password, self.admin_tenant
            )
            user = admin_client.users.get(user_id)
        except KeystoneUnauthorized as kut:
            logger.exception("Keystone unauthorized admin")
            return (None, "Keystone admin credentials are invalid: %s" % kut.message)

        if self.requires_email and not hasattr(user, "email"):
            return (None, "Missing email field for user %s" % user_id)

        email = user.email if hasattr(user, "email") else None
        return (UserInformation(username=username_or_email, email=email, id=user_id), None)
Ejemplo n.º 2
0
    def _build_user_information(self, response):
        if not response.get(self._uid_attr):
            return (None, 'Missing uid field "%s" in user record' % self._uid_attr)

        if self._requires_email and not response.get(self._email_attr):
            return (None, 'Missing mail field "%s" in user record' % self._email_attr)

        username = response[self._uid_attr][0].decode("utf-8")
        email = response.get(self._email_attr, [None])[0]
        return (UserInformation(username=username, email=email, id=username), None)
Ejemplo n.º 3
0
    def verify_credentials(self, username_or_email, password):
        (payload, err_msg) = self._execute_call(self.verify_url,
                                                'quay.io/jwtauthn',
                                                auth=(username_or_email,
                                                      password))
        if err_msg is not None:
            return (None, err_msg)

        if not 'sub' in payload:
            raise Exception('Missing sub field in JWT')

        if self.requires_email and not 'email' in payload:
            raise Exception('Missing email field in JWT')

        user_info = UserInformation(username=payload['sub'],
                                    email=payload.get('email'),
                                    id=payload['sub'])
        return (user_info, None)
Ejemplo n.º 4
0
    def verify_credentials(self, username_or_email, password):
        (payload, err_msg) = self._execute_call(self.verify_url,
                                                "quay.io/jwtauthn",
                                                auth=(username_or_email,
                                                      password))
        if err_msg is not None:
            return (None, err_msg)

        if not "sub" in payload:
            raise Exception("Missing sub field in JWT")

        if self.requires_email and not "email" in payload:
            raise Exception("Missing email field in JWT")

        user_info = UserInformation(username=payload["sub"],
                                    email=payload.get("email"),
                                    id=payload["sub"])
        return (user_info, None)
Ejemplo n.º 5
0
    def query_users(self, query, limit=20):
        if self.query_url is None:
            return (None, self.federated_service,
                    'No endpoint defined for querying users')

        (payload, err_msg) = self._execute_call(self.query_url,
                                                'quay.io/jwtauthn/query',
                                                params=dict(query=query,
                                                            limit=limit))
        if err_msg is not None:
            return (None, self.federated_service, err_msg)

        query_results = []
        for result in payload['results'][0:limit]:
            user_info = UserInformation(username=result['username'],
                                        email=result.get('email'),
                                        id=result['username'])
            query_results.append(user_info)

        return (query_results, self.federated_service, None)
Ejemplo n.º 6
0
    def get_user(self, username_or_email):
        if self.getuser_url is None:
            return (None, 'No endpoint defined for retrieving user')

        (payload,
         err_msg) = self._execute_call(self.getuser_url,
                                       'quay.io/jwtauthn/getuser',
                                       params=dict(username=username_or_email))
        if err_msg is not None:
            return (None, err_msg)

        if not 'sub' in payload:
            raise Exception('Missing sub field in JWT')

        if self.requires_email and not 'email' in payload:
            raise Exception('Missing email field in JWT')

        # Parse out the username and email.
        user_info = UserInformation(username=payload['sub'],
                                    email=payload.get('email'),
                                    id=payload['sub'])
        return (user_info, None)
Ejemplo n.º 7
0
    def get_user(self, username_or_email):
        if self.getuser_url is None:
            return (None, "No endpoint defined for retrieving user")

        (payload,
         err_msg) = self._execute_call(self.getuser_url,
                                       "quay.io/jwtauthn/getuser",
                                       params=dict(username=username_or_email))
        if err_msg is not None:
            return (None, err_msg)

        if not "sub" in payload:
            raise Exception("Missing sub field in JWT")

        if self.requires_email and not "email" in payload:
            raise Exception("Missing email field in JWT")

        # Parse out the username and email.
        user_info = UserInformation(username=payload["sub"],
                                    email=payload.get("email"),
                                    id=payload["sub"])
        return (user_info, None)
Ejemplo n.º 8
0
 def _user_info(user):
     email = user.email if hasattr(user, "email") else None
     return UserInformation(user.name, email, user.id)
Ejemplo n.º 9
0
    with patch("features.BLACKLISTED_EMAILS", request.param):
        with patch.dict("data.model.config.app_config",
                        mock_blacklisted_domains):
            yield


@pytest.mark.skipif(
    os.environ.get("TEST_DATABASE_URI", "").find("postgres") >= 0,
    reason="Postgres fails when existing members are added under the savepoint",
)
@pytest.mark.parametrize(
    "starting_membership,group_membership,expected_membership",
    [
        # Empty team + single member in group => Single member in team.
        ([], [
            UserInformation("someuser", "someuser", "*****@*****.**"),
        ], ["someuser"]),
        # Team with a Quay user + empty group => empty team.
        ([("someuser", None)], [], []),
        # Team with an existing external user + user is in the group => no changes.
        (
            [
                ("someuser", "someuser"),
            ],
            [
                UserInformation("someuser", "someuser",
                                "*****@*****.**"),
            ],
            ["someuser"],
        ),
        # Team with an existing external user (with a different Quay username) + user is in the group.
Ejemplo n.º 10
0
@pytest.fixture(params=[True, False])
def blacklisted_emails(request):
  mock_blacklisted_domains = {'BLACKLISTED_EMAIL_DOMAINS': ['blacklisted.com', 'blacklisted.net']}
  with patch('features.BLACKLISTED_EMAILS', request.param):
    with patch.dict('data.model.config.app_config', mock_blacklisted_domains):
      yield


@pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('postgres') >= 0,
                    reason="Postgres fails when existing members are added under the savepoint")
@pytest.mark.parametrize('starting_membership,group_membership,expected_membership', [
  # Empty team + single member in group => Single member in team.
  ([],
   [
     UserInformation('someuser', 'someuser', '*****@*****.**'),
   ],
   ['someuser']),

  # Team with a Quay user + empty group => empty team.
  ([('someuser', None)],
   [],
   []),

  # Team with an existing external user + user is in the group => no changes.
  ([
    ('someuser', 'someuser'),
   ],
   [
     UserInformation('someuser', 'someuser', '*****@*****.**'),
   ],