def post(self):
""" Creates a new user. """
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] != "Database":
raise InvalidRequest("Cannot create a user in a non-database auth system")
user_information = request.get_json()
if SuperUserPermission().can():
# Generate a temporary password for the user.
random = SystemRandom()
password = "".join(
[random.choice(string.ascii_uppercase + string.digits) for _ in range(32)]
)
# Create the user.
username = user_information["username"]
email = user_information.get("email")
install_user, confirmation_code = pre_oci_model.create_install_user(
username, password, email
)
if features.MAILING:
send_confirmation_email(
install_user.username, install_user.email, confirmation_code
)
return {
"username": username,
"email": email,
"password": password,
"encrypted_password": authentication.encrypt_user_password(password),
}
raise Unauthorized()
def put(self, username):
""" Updates information about the specified user. """
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest('Cannot update a superuser')
user_data = request.get_json()
if 'password' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
raise InvalidRequest(
'Cannot change password in non-database auth')
pre_oci_model.change_password(username, user_data['password'])
if 'email' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] not in [
'Database', 'AppToken'
]:
raise InvalidRequest(
'Cannot change e-mail in non-database auth')
pre_oci_model.update_email(username,
user_data['email'],
auto_verify=True)
if 'enabled' in user_data:
# Disable/enable the user.
pre_oci_model.update_enabled(username,
bool(user_data['enabled']))
if 'superuser' in user_data:
config_object = config_provider.get_config()
superusers_set = set(config_object['SUPER_USERS'])
if user_data['superuser']:
superusers_set.add(username)
elif username in superusers_set:
superusers_set.remove(username)
config_object['SUPER_USERS'] = list(superusers_set)
config_provider.save_config(config_object)
return_value = user.to_dict()
if user_data.get('password') is not None:
password = user_data.get('password')
return_value[
'encrypted_password'] = authentication.encrypt_user_password(
password)
if user_data.get('email') is not None:
return_value['email'] = user_data.get('email')
return return_value
raise Unauthorized()
def put(self, username):
"""
Updates information about the specified user.
"""
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest("Cannot update a superuser")
user_data = request.get_json()
if "password" in user_data:
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] != "Database":
raise InvalidRequest("Cannot change password in non-database auth")
pre_oci_model.change_password(username, user_data["password"])
if "email" in user_data:
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] not in ["Database", "AppToken"]:
raise InvalidRequest("Cannot change e-mail in non-database auth")
pre_oci_model.update_email(username, user_data["email"], auto_verify=True)
if "enabled" in user_data:
# Disable/enable the user.
pre_oci_model.update_enabled(username, bool(user_data["enabled"]))
if "superuser" in user_data:
config_object = config_provider.get_config()
superusers_set = set(config_object["SUPER_USERS"])
if user_data["superuser"]:
superusers_set.add(username)
elif username in superusers_set:
superusers_set.remove(username)
config_object["SUPER_USERS"] = list(superusers_set)
config_provider.save_config(config_object)
return_value = user.to_dict()
if user_data.get("password") is not None:
password = user_data.get("password")
return_value["encrypted_password"] = authentication.encrypt_user_password(
password
).decode("ascii")
if user_data.get("email") is not None:
return_value["email"] = user_data.get("email")
return return_value
raise Unauthorized()
def post(self):
""" Return's the user's private client key. """
if not authentication.supports_encrypted_credentials:
raise NotFound()
username = get_authenticated_user().username
password = request.get_json()["password"]
(result, error_message) = authentication.confirm_existing_user(username, password)
if not result:
raise request_error(message=error_message)
return {"key": authentication.encrypt_user_password(password)}
def user_view(user, password=None):
user_data = {
"kind": "user",
"name": user.username,
"username": user.username,
"email": user.email,
"verified": user.verified,
"avatar": avatar.get_data_for_user(user),
"super_user": superusers.is_superuser(user.username),
"enabled": user.enabled,
}
if password is not None:
user_data["encrypted_password"] = authentication.encrypt_user_password(password)
return user_data
def user_view(user, password=None):
user_data = {
'kind': 'user',
'name': user.username,
'username': user.username,
'email': user.email,
'verified': user.verified,
'avatar': avatar.get_data_for_user(user),
'super_user': superusers.is_superuser(user.username),
'enabled': user.enabled,
}
if password is not None:
user_data['encrypted_password'] = authentication.encrypt_user_password(
password)
return user_data
def user_initialize():
"""
Create initial user in an empty database
"""
# Ensure that we are using database auth.
if not features.USER_INITIALIZE:
response = jsonify({
"message":
"Cannot initialize user, FEATURE_USER_INITIALIZE is False"
})
response.status_code = 400
return response
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] != "Database":
response = jsonify({
"message":
"Cannot initialize user in a non-database auth system"
})
response.status_code = 400
return response
if has_users():
response = jsonify(
{"message": "Cannot initialize user in a non-empty database"})
response.status_code = 400
return response
user_data = request.get_json()
try:
prompts = model.user.get_default_user_prompts(features)
new_user = model.user.create_user(
user_data["username"],
user_data["password"],
user_data.get("email"),
auto_verify=True,
email_required=features.MAILING,
is_possible_abuser=False,
prompts=prompts,
)
success, headers = common_login(new_user.uuid)
if not success:
response = jsonify(
{"message": "Could not login. Failed to initialize user"})
response.status_code = 403
return response
result = {
"username":
user_data["username"],
"email":
user_data.get("email"),
"encrypted_password":
authentication.encrypt_user_password(
user_data["password"]).decode("ascii"),
}
if user_data.get("access_token"):
model.oauth.create_application(
new_user,
"automation",
"",
"",
client_id=user_data["username"],
description=
"Application token generated via /api/v1/user/initialize",
)
scope = "org:admin repo:admin repo:create repo:read repo:write super:user user:admin user:read"
created, access_token = model.oauth.create_user_access_token(
new_user, user_data["username"], scope)
result["access_token"] = access_token
return (result, 200, headers)
except model.user.DataModelException as ex:
response = jsonify(
{"message": "Failed to initialize user: " + str(ex)})
response.status_code = 400
return response
def process_resources(resources):
response = []
changed = False
for resource in resources:
if resource["work_queue"] == True:
resource["task"] = "skopeo"
enqueue("skopeo", resource)
continue
p_user = resource["user"]
p_password = resource["password"]
p_state = resource["state"]
p_project = resource["project"]
p_repository = resource["repository"]
p_tag = resource["tag"]
p_src_credentials = resource["src_credentials"]
p_src_image = resource["src_image"]
p_src_tag = resource["src_tag"]
p_src_tls_verify = resource["src_tls_verify"]
p_dest_credentials = resource["dest_credentials"]
p_dest_image = resource["dest_image"]
p_dest_tag = resource["dest_tag"]
p_dest_tls_verify = resource["dest_tls_verify"]
repository = model.repository.get_repository(p_project, p_repository)
if repository is None:
response.append("Repository '%s/%s' does not exist" %
(p_project, p_repository))
return {"failed": True, "msg": response}, 400
### auth_token = jwt_bearer_token(p_user, p_project, p_repository)
if p_state == "present":
args = [
"/usr/bin/skopeo",
"copy",
"--dest-creds",
"%s:%s" %
(p_user, authentication.encrypt_user_password(p_password)),
"--src-tls-verify=%s" % p_src_tls_verify,
"--dest-tls-verify=false",
"docker://%s:%s" % (p_src_image, p_src_tag),
"docker://%s/%s/%s:%s" % (app.config["SERVER_HOSTNAME"],
p_project, p_repository, p_tag),
]
if p_src_credentials:
command = command + ["--src-creds", p_src_credentials]
job = subprocess.Popen(args,
shell=False,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdout_data, stderr_data = job.communicate()
if job.returncode != 0:
response.append(
"Source '%s:%s' failed to sync.\nSTDOUT: %s\nSTDERR: %s" %
(p_src_image, p_src_tag, stdout_data, stderr_data))
return {
"failed": True,
"changed": changed,
"msg": response
}, 400
else:
changed = True
response.append(
"Source '%s:%s' synced.\nSTDOUT: %s\nSTDERR: %s" %
(p_src_image, p_src_tag, stdout_data, stderr_data))
return {"failed": False, "changed": changed, "meta": response}, 200
