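def verify_credentials(self, username_or_email, password):
    """Verify a username/password pair against Keystone and look up the user record.

    The supplied credentials are used to open a Keystone session. The user id taken
    from that session is then resolved to a user object with a second client built
    from the configured admin credentials.

    Args:
        username_or_email: Login name supplied by the caller.
        password: Password supplied by the caller.

    Returns:
        ``(UserInformation, None)`` on success, otherwise ``(None, error_message)``.
    """
    # Every failure of the user-credential step returns the same generic message, so
    # the caller cannot tell an unknown account from a wrong password. The log lines
    # differ per exception type so the cause can still be told apart during triage.
    try:
        _, sess = self._get_client(username_or_email, password)
        user_id = sess.get_user_id()
    except KeystoneAuthorizationFailure:
        logger.exception("Keystone auth failure for user: %s", username_or_email)
        return (None, "Invalid username or password")
    except KeystoneUnauthorized:
        logger.exception("Keystone unauthorized for user: %s", username_or_email)
        return (None, "Invalid username or password")
    except ClientException:
        # Previously logged as "unauthorized", which made other client errors
        # indistinguishable from rejected credentials in the logs.
        logger.exception("Keystone client error for user: %s", username_or_email)
        return (None, "Invalid username or password")

    if user_id is None:
        return (None, "Invalid username or password")

    try:
        admin_client, _ = self._get_client(
            self.admin_username, self.admin_password, self.admin_tenant
        )
        user = admin_client.users.get(user_id)
    except KeystoneUnauthorized as kut:
        logger.exception("Keystone unauthorized admin")
        # NOTE(review): this text embeds the Keystone exception message and is returned
        # to the caller; confirm it is not rendered to the end user on the login path.
        # Only KeystoneUnauthorized is handled here; other errors from the admin
        # lookup propagate to the caller.
        return (None, "Keystone admin credentials are invalid: %s" % kut.message)

    # Only the presence of the attribute is checked; an empty value still passes.
    has_email = hasattr(user, "email")
    if self.requires_email and not has_email:
        return (None, "Missing email field for user %s" % user_id)

    email = user.email if has_email else None
    return (UserInformation(username=username_or_email, email=email, id=user_id), None)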
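def _build_user_information(self, response):
    """Turn a directory record into a ``(UserInformation, error_message)`` pair.

    Args:
        response: Mapping of attribute name to a list of values.

    Returns:
        ``(UserInformation, None)`` when the record carries the uid attribute (and
        the email attribute, if ``self._requires_email`` is set); otherwise
        ``(None, error_message)``. The username is used as the id as well.

    Raises:
        UnicodeDecodeError: if a bytes uid or email value is not valid UTF-8.
    """
    uid_values = response.get(self._uid_attr)
    if not uid_values:
        return (None, 'Missing uid field "%s" in user record' % self._uid_attr)

    email_values = response.get(self._email_attr)
    if self._requires_email and not email_values:
        return (None, 'Missing mail field "%s" in user record' % self._email_attr)

    # Accept both bytes and str values so the identity is always returned as text.
    username = uid_values[0]
    if isinstance(username, bytes):
        username = username.decode("utf-8")

    # An attribute that is present but empty yields no email instead of raising
    # IndexError; a bytes value is decoded the same way as the username so the two
    # fields do not end up with different types.
    email = email_values[0] if email_values else None
    if isinstance(email, bytes):
        email = email.decode("utf-8")

    return (UserInformation(username=username, email=email, id=username), None)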
def verify_credentials(self, username_or_email, password):
    """Check a username/password pair through the configured verification endpoint.

    The credentials are handed to ``self._execute_call`` as ``auth`` together with
    ``self.verify_url``. The returned payload supplies the identity.

    Returns:
        ``(UserInformation, None)`` on success, or ``(None, error_message)`` when
        ``_execute_call`` reports an error.

    Raises:
        Exception: if the payload lacks ``sub``, or lacks ``email`` while
            ``self.requires_email`` is set.
    """
    # NOTE(review): 'quay.io/jwtauthn' is presumably the audience the token must
    # carry; confirm against _execute_call.
    claims, failure = self._execute_call(
        self.verify_url, 'quay.io/jwtauthn', auth=(username_or_email, password)
    )
    if failure is not None:
        return (None, failure)

    if 'sub' not in claims:
        raise Exception('Missing sub field in JWT')

    if self.requires_email and 'email' not in claims:
        raise Exception('Missing email field in JWT')

    # The identity comes from the payload's `sub` claim, which is not compared with
    # the submitted username_or_email here.
    subject = claims['sub']
    return (UserInformation(username=subject, email=claims.get('email'), id=subject), None)
def verify_credentials(self, username_or_email, password):
    """Validate credentials against ``self.verify_url`` and build the user record.

    ``self._execute_call`` receives the credentials as ``auth`` and returns a
    ``(payload, error_message)`` pair.

    Returns:
        ``(UserInformation, None)`` on success, or ``(None, error_message)`` when
        the call reports an error.

    Raises:
        Exception: if ``sub`` is missing from the payload, or ``email`` is missing
            while ``self.requires_email`` is set.
    """
    outcome = self._execute_call(
        self.verify_url, "quay.io/jwtauthn", auth=(username_or_email, password)
    )
    token_fields, problem = outcome
    if problem is not None:
        return (None, problem)

    if "sub" not in token_fields:
        raise Exception("Missing sub field in JWT")

    if self.requires_email and "email" not in token_fields:
        raise Exception("Missing email field in JWT")

    # Username and id are both taken from `sub`; the submitted username_or_email is
    # used only for the outbound call.
    return (
        UserInformation(
            username=token_fields["sub"],
            email=token_fields.get("email"),
            id=token_fields["sub"],
        ),
        None,
    )
def query_users(self, query, limit=20):
    """Search the external service for users matching *query*.

    Args:
        query: Search string forwarded to the query endpoint.
        limit: Maximum number of results; sent to the endpoint and also applied
            locally to the returned list.

    Returns:
        ``(results, self.federated_service, error_message)``. ``results`` is a list
        of ``UserInformation`` on success and ``None`` on failure.

    Raises:
        KeyError: if the payload has no ``results`` key or an entry has no
            ``username`` key.
    """
    if self.query_url is None:
        return (None, self.federated_service, 'No endpoint defined for querying users')

    payload, err_msg = self._execute_call(
        self.query_url, 'quay.io/jwtauthn/query', params={'query': query, 'limit': limit}
    )
    if err_msg is not None:
        return (None, self.federated_service, err_msg)

    # The slice enforces the limit on this side as well, so a response that carries
    # more entries than requested is truncated rather than trusted.
    matches = [
        UserInformation(username=entry['username'], email=entry.get('email'), id=entry['username'])
        for entry in payload['results'][:limit]
    ]
    return (matches, self.federated_service, None)
def get_user(self, username_or_email):
    """Fetch a single user record from the configured lookup endpoint.

    Returns:
        ``(UserInformation, None)`` on success, or ``(None, error_message)`` when no
        endpoint is configured or ``_execute_call`` reports an error.

    Raises:
        Exception: if the payload lacks ``sub``, or lacks ``email`` while
            ``self.requires_email`` is set.
    """
    endpoint = self.getuser_url
    if endpoint is None:
        return (None, 'No endpoint defined for retrieving user')

    claims, failure = self._execute_call(
        endpoint, 'quay.io/jwtauthn/getuser', params={'username': username_or_email}
    )
    if failure is not None:
        return (None, failure)

    if 'sub' not in claims:
        raise Exception('Missing sub field in JWT')

    if self.requires_email and 'email' not in claims:
        raise Exception('Missing email field in JWT')

    # Parse out the username and email. The returned identity is the payload's
    # `sub`; it is not compared with the requested username_or_email here.
    subject = claims['sub']
    return (UserInformation(username=subject, email=claims.get('email'), id=subject), None)
def get_user(self, username_or_email):
    """Look up one user through ``self.getuser_url``.

    ``self._execute_call`` is given the username as a request parameter and returns
    a ``(payload, error_message)`` pair.

    Returns:
        ``(UserInformation, None)`` on success, or ``(None, error_message)`` when
        the endpoint is not configured or the call reports an error.

    Raises:
        Exception: if ``sub`` is missing from the payload, or ``email`` is missing
            while ``self.requires_email`` is set.
    """
    if self.getuser_url is None:
        return (None, "No endpoint defined for retrieving user")

    lookup = {"username": username_or_email}
    token_fields, problem = self._execute_call(
        self.getuser_url, "quay.io/jwtauthn/getuser", params=lookup
    )
    if problem is not None:
        return (None, problem)

    if "sub" not in token_fields:
        raise Exception("Missing sub field in JWT")

    if self.requires_email and "email" not in token_fields:
        raise Exception("Missing email field in JWT")

    # Parse out the username and email. Username and id both come from `sub`.
    return (
        UserInformation(
            username=token_fields["sub"],
            email=token_fields.get("email"),
            id=token_fields["sub"],
        ),
        None,
    )
def _user_info(user):
    """Build a ``UserInformation`` from *user*'s name, email and id.

    The email is ``None`` when *user* has no ``email`` attribute.
    """
    address = getattr(user, "email", None)
    return UserInformation(user.name, address, user.id)
with patch("features.BLACKLISTED_EMAILS", request.param): with patch.dict("data.model.config.app_config", mock_blacklisted_domains): yield @pytest.mark.skipif( os.environ.get("TEST_DATABASE_URI", "").find("postgres") >= 0, reason="Postgres fails when existing members are added under the savepoint", ) @pytest.mark.parametrize( "starting_membership,group_membership,expected_membership", [ # Empty team + single member in group => Single member in team. ([], [ UserInformation("someuser", "someuser", "*****@*****.**"), ], ["someuser"]), # Team with a Quay user + empty group => empty team. ([("someuser", None)], [], []), # Team with an existing external user + user is in the group => no changes. ( [ ("someuser", "someuser"), ], [ UserInformation("someuser", "someuser", "*****@*****.**"), ], ["someuser"], ), # Team with an existing external user (with a different Quay username) + user is in the group.
@pytest.fixture(params=[True, False]) def blacklisted_emails(request): mock_blacklisted_domains = {'BLACKLISTED_EMAIL_DOMAINS': ['blacklisted.com', 'blacklisted.net']} with patch('features.BLACKLISTED_EMAILS', request.param): with patch.dict('data.model.config.app_config', mock_blacklisted_domains): yield @pytest.mark.skipif(os.environ.get('TEST_DATABASE_URI', '').find('postgres') >= 0, reason="Postgres fails when existing members are added under the savepoint") @pytest.mark.parametrize('starting_membership,group_membership,expected_membership', [ # Empty team + single member in group => Single member in team. ([], [ UserInformation('someuser', 'someuser', '*****@*****.**'), ], ['someuser']), # Team with a Quay user + empty group => empty team. ([('someuser', None)], [], []), # Team with an existing external user + user is in the group => no changes. ([ ('someuser', 'someuser'), ], [ UserInformation('someuser', 'someuser', '*****@*****.**'), ],