From 67028af9e22c2d5e3754e3700eaba8a71473eb50 Mon Sep 17 00:00:00 2001
From: Michaela Lang <94735640+michaelalang@users.noreply.github.com>
Date: Wed, 20 Sep 2023 13:07:41 +0200
Subject: [PATCH] user(robots): disallow robot login and create (PROJQUAY-5968) (#2155) * add Postgresql client certificate authentication option * user(robots): disallow robot login and create PROJQUAY-5968 Add a config flag `ROBOTS_DISALLOW` to turn off Robot login and creation in Quay for all accounts. with the Flag set existing Robots cannot login anymore ``` $ podman login -u milang+test2 -p W7B...HQA quay.example.com Error: logging into "quay.example.com": invalid username/password ``` This behavior will be reported in the logs accordingly ``` gunicorn-registry stdout | 2023-08-24 19:08:01,907 [253] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator. ``` as well as in the UI when creating a Robot Account which will display the `Robot account has been disabled. Please contact your administrator.` message. * Revert "add Postgresql client certificate authentication option" need to branch for PR (stupid me) This reverts commit f8f54eead24f15c52d23399f5ca440e3a31a14a1. * fixed error message to proper english and added schema definition for the option
---
 data/model/user.py | 7 +++++++
 util/config/schema.py | 5 +++++
 2 files changed, 12 insertions(+)
diff --git a/data/model/user.py b/data/model/user.py
index e779ce859..acd22020f 100644
--- a/data/model/user.py
+++ b/data/model/user.py
@@ -324,6 +324,10 @@ def update_enabled(user, set_enabled):

 def create_robot(robot_shortname, parent, description="", unstructured_metadata=None, token=None):
 (username_valid, username_issue) = validate_username(robot_shortname)
+ if config.app_config.get("ROBOTS_DISALLOW", False):
+ msg = "Robot accounts have beeen disabled. Please contact your administrator."
+ raise InvalidRobotException(msg)
+
 if not username_valid:
 raise InvalidRobotException(
 "The name for the robot '%s' is invalid: %s" % (robot_shortname, username_issue)
@@ -435,6 +439,9 @@ def get_matching_robots(name_prefix, username, limit=10):


 def verify_robot(robot_username, password):
+ if config.app_config.get("ROBOTS_DISALLOW", False):
+ msg = "Robot accounts have been disabled. Please contact your administrator."
+ raise InvalidRobotException(msg)
 try:
 password.encode("ascii")
 except UnicodeEncodeError:
diff --git a/util/config/schema.py b/util/config/schema.py
index a82cf851e..7b9aece86 100644
--- a/util/config/schema.py
+++ b/util/config/schema.py
@@ -1394,5 +1394,10 @@ CONFIG_SCHEMA = {
 "description": "Enable customizing of terms of service for on-prem installations",
 "x-example": "https://quay.io/tos",
 },
+ "ROBOTS_DISALLOW": {
+ "type": "boolean",
+ "description": "If robot accounts are prevented from any interaction as well as from being created. Defaults to False",
+ "x-example": False,
+ },
 },
 }
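Review bot: The message raised in `create_robot` is misspelled (`have beeen disabled`), and per the commit description this text is what the UI shows when robot creation is refused. The copy in `verify_robot` (second hunk of this file) is spelled correctly, so the two literals have already drifted. Define the text once at module level, e.g. `ROBOTS_DISALLOWED_MSG = "Robot accounts have been disabled. Please contact your administrator."`, and raise `InvalidRobotException(ROBOTS_DISALLOWED_MSG)` in both places. The gate could also sit above the `validate_username(...)` call so that a deployment with the flag set does no work on the supplied name. `create_robot` continues past the end of the hunk.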
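Review bot: The gate in `verify_robot` carries no comment saying it must stay ahead of the credential checks, and the diffstat lists only `data/model/user.py` and `util/config/schema.py`, so nothing in this commit tests it. I would add `# Policy gate: with ROBOTS_DISALLOW set, refuse every robot login before any credential is examined.` above the `if`, plus a test that sets the flag and asserts `InvalidRobotException` for a robot whose token would otherwise be accepted. Whether tokens or sessions already issued to robots before the flag was turned on are also refused cannot be seen from these lines; if they are validated on another path, the operator documentation should say to expire or rotate them when enabling the flag. `verify_robot` continues past the end of the hunk.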
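Review bot: The `ROBOTS_DISALLOW` description reads as a dangling conditional ("If robot accounts are prevented ...") and does not tell an operator that turning the flag on locks out robots that already exist. I would write `"description": "Whether robot accounts are blocked from logging in and from being created. Existing robots stop authenticating while this is set. Defaults to False",`. As far as this patch shows, the default is supplied only by the `.get("ROBOTS_DISALLOW", False)` calls in `data/model/user.py`, so any other reader of the key has to repeat it.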