docker/quay
1
0
Fork 0
mirror of https://github.com/quay/quay.git synced 2025-07-30 07:43:13 +03:00
Code Activity

Add Feature flag to whitelist users from recaptcha check(PROJQUAY-3697) (#1454)

Browse Source 
Signed-off-by: harishsurf <hgovinda@redhat.com>
This commit is contained in:
Harish Govindarajulu
2022-07-22 16:18:45 -04:00
committed by GitHub
parent 9eb4fb6aa4
commit 1c8f5df6e2
7 changed files with 39 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
config.py
View File

@ -592,6 +592,9 @@ class DefaultConfig(ImmutableConfig):
RECAPTCHA_SITE_KEY: Optional[str] = None RECAPTCHA_SITE_KEY: Optional[str] = None
RECAPTCHA_SECRET_KEY: Optional[str] = None RECAPTCHA_SECRET_KEY: Optional[str] = None
# List of users allowed to pass through recaptcha security check to enable org/user creation via API
RECAPTCHA_WHITELISTED_USERS: List[str] = []
# Server where TUF metadata can be found # Server where TUF metadata can be found
TUF_SERVER = None TUF_SERVER = None

15
endpoints/api/organization.py
View File

@ -173,13 +173,14 @@ class OrganizationList(ApiResource):
# If recaptcha is enabled, then verify the user is a human. # If recaptcha is enabled, then verify the user is a human.
if features.RECAPTCHA: if features.RECAPTCHA:
recaptcha_response = org_data.get("recaptcha_response", "") # check if the user is whitelisted to bypass recaptcha security check
result = recaptcha2.verify( if user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]:
app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip() recaptcha_response = org_data.get("recaptcha_response", "")
) result = recaptcha2.verify(
app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
if not result["success"]: )
return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400 if not result["success"]:
return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400
is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip()) is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
try: try:

15
endpoints/api/user.py
View File

@ -516,13 +516,16 @@ class User(ApiResource):
# If recaptcha is enabled, then verify the user is a human. # If recaptcha is enabled, then verify the user is a human.
if features.RECAPTCHA: if features.RECAPTCHA:
recaptcha_response = user_data.get("recaptcha_response", "") user = get_authenticated_user()
result = recaptcha2.verify( # check if the user is whitelisted to bypass recaptcha security check
app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip() if user is None or (user.username not in app.config["RECAPTCHA_WHITELISTED_USERS"]):
) recaptcha_response = user_data.get("recaptcha_response", "")
result = recaptcha2.verify(
app.config["RECAPTCHA_SECRET_KEY"], recaptcha_response, get_request_ip()
)
if not result["success"]: if not result["success"]:
return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400 return {"message": "Are you a bot? If not, please revalidate the captcha."}, 400
is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip()) is_possible_abuser = ip_resolver.is_ip_possible_threat(get_request_ip())
try: try:

3
features/__init__.pyi
View File

@ -128,6 +128,9 @@ REPO_MIRROR: FeatureNameValue
# Site key and secret key for using recaptcha. # Site key and secret key for using recaptcha.
RECAPTCHA: FeatureNameValue RECAPTCHA: FeatureNameValue
# List of users allowed to pass through recaptcha security check to enable org/user creation via API
RECAPTCHA_WHITELISTED_USERS: FeatureNameValue
# Feature Flag: Whether team syncing from the backing auth is enabled. # Feature Flag: Whether team syncing from the backing auth is enabled.
TEAM_SYNCING: FeatureNameValue TEAM_SYNCING: FeatureNameValue

6
test/test_api_usage.py
View File

@ -814,6 +814,12 @@ class TestCreateNewUser(ApiTestCase):
details["recaptcha_response"] = "somecode" details["recaptcha_response"] = "somecode"
self.postResponse(User, data=details, expected_code=200) self.postResponse(User, data=details, expected_code=200)
def test_recaptcha_whitelisted_users(self):
self.login(READ_ACCESS_USER)
with (self.toggleFeature("RECAPTCHA", True)):
app.config["RECAPTCHA_WHITELISTED_USERS"] = READ_ACCESS_USER
self.postResponse(User, data=NEW_USER_DETAILS, expected_code=200)
def test_createuser_withteaminvite(self): def test_createuser_withteaminvite(self):
inviter = model.user.get_user(ADMIN_ACCESS_USER) inviter = model.user.get_user(ADMIN_ACCESS_USER)
team = model.team.get_organization_team(ORGANIZATION, "owners") team = model.team.get_organization_team(ORGANIZATION, "owners")

1
test/testconfig.py
View File

@ -90,6 +90,7 @@ class TestConfig(DefaultConfig):
RECAPTCHA_SITE_KEY = "somekey" RECAPTCHA_SITE_KEY = "somekey"
RECAPTCHA_SECRET_KEY = "somesecretkey" RECAPTCHA_SECRET_KEY = "somesecretkey"
RECAPTCHA_WHITELISTED_USERS: List[str] = []
FEATURE_APP_REGISTRY = True FEATURE_APP_REGISTRY = True
FEATURE_TEAM_SYNCING = True FEATURE_TEAM_SYNCING = True

9
util/config/schema.py
View File

@ -811,6 +811,15 @@ CONFIG_SCHEMA = {
"type": ["string", "null"], "type": ["string", "null"],
"description": "If recaptcha is enabled, the secret key for the Recaptcha service", "description": "If recaptcha is enabled, the secret key for the Recaptcha service",
}, },
# Pass through recaptcha for whitelisted users to support org/user creation via API
"RECAPTCHA_WHITELISTED_USERS": {
"type": "array",
"description": "Quay usernames of those users allowed to create org/user via API bypassing recaptcha security check",
"uniqueItems": True,
"items": {
"type": "string",
},
},
# External application tokens. # External application tokens.
"FEATURE_APP_SPECIFIC_TOKENS": { "FEATURE_APP_SPECIFIC_TOKENS": {
"type": "boolean", "type": "boolean",