mirror of https://github.com/quay/quay.git synced 2026-01-26 06:21:37 +03:00

user(robots): disallow robot login and create (PROJQUAY-5968) (#2155)

* add Postgresql client certificate authentication option

* user(robots): disallow robot login and create PROJQUAY-5968

Add a config flag `ROBOTS_DISALLOW` to turn off Robot login and creation
in Quay for all accounts.

With the flag set, existing robots cannot log in anymore:
```
$ podman login -u milang+test2 -p W7B...HQA quay.example.com
Error: logging into "quay.example.com": invalid username/password
```

This behavior will be reported in the logs accordingly
```
gunicorn-registry stdout | 2023-08-24 19:08:01,907 [253] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.
```

as well as in the UI when creating a Robot Account which will display
the `Robot account has been disabled. Please contact your
administrator.` message.

* Revert "add Postgresql client certificate authentication option"
  need to branch for PR (stupid me)

This reverts commit f8f54eead2.

* fixed error message to proper English and added schema definition for the option
This commit is contained in:
Michaela Lang
2023-09-20 13:07:41 +02:00
committed by GitHub
parent d50fef9e60
commit 67028af9e2
2 changed files with 12 additions and 0 deletions


@@ -324,6 +324,10 @@ def update_enabled(user, set_enabled):
def create_robot(robot_shortname, parent, description="", unstructured_metadata=None, token=None):
(username_valid, username_issue) = validate_username(robot_shortname)
if config.app_config.get("ROBOTS_DISALLOW", False):
msg = "Robot accounts have beeen disabled. Please contact your administrator."
raise InvalidRobotException(msg)
if not username_valid:
raise InvalidRobotException(
"The name for the robot '%s' is invalid: %s" % (robot_shortname, username_issue)
@@ -435,6 +439,9 @@ def get_matching_robots(name_prefix, username, limit=10):
def verify_robot(robot_username, password):
if config.app_config.get("ROBOTS_DISALLOW", False):
msg = "Robot accounts have been disabled. Please contact your administrator."
raise InvalidRobotException(msg)
try:
password.encode("ascii")
except UnicodeEncodeError:
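Review bot: No test accompanies the new early raise at the top of verify_robot; the commit changes only two files, this module and the config schema. Add a test that sets ROBOTS_DISALLOW to True and asserts verify_robot raises InvalidRobotException for an otherwise valid robot and password, and one that leaves the key unset to confirm the default of False keeps existing behaviour. A short comment above the check stating that it blocks all robot logins instance-wide would also help the next reader, since the function has no docstring in the visible lines.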


@@ -1394,5 +1394,10 @@ CONFIG_SCHEMA = {
"description": "Enable customizing of terms of service for on-prem installations",
"x-example": "https://quay.io/tos",
},
"ROBOTS_DISALLOW": {
"type": "boolean",
"description": "If robot accounts are prevented from any interaction as well as from being created. Defaults to False",
"x-example": False,
},
},
}
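Review bot: The description for ROBOTS_DISALLOW is a sentence fragment ("If robot accounts are prevented from any interaction as well as from being created.") and never says which value turns robots off. Suggest wording such as "If true, robot accounts cannot log in or be created. Defaults to False." so the schema documents both the effect and the polarity of the flag. "Any interaction" is also broader than the two checks this commit adds (create_robot and verify_robot), so the description should either name those two effects or the remaining robot code paths should be confirmed to honour the flag.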