Each LDAP user search was creating two connections: one just to verify
admin credentials worked, then another for the actual search. This
doubled the load on LDAP servers. Consolidated into a single connection
block with proper error handling for INVALID_CREDENTIALS.
Affected methods:
- _ldap_user_search(): Core search used by most LDAP operations
- at_least_one_user_exists(): User existence checks
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting permission has been dropped in context of permissions granting. This impacts Users from LDAP if they have not logged in to Quay already (pre provisioning) as a Federation User will only be available after logging in or being part of a Team.
* - added env option to select if we want to follow LDAP referrals
- added check on LDAP if the result is a list, it is an LDAP referral
* - change to config.yaml parameter option for enabling/disabling LDAP
referral lookups
- removed the per/method parameter and moved the referral into the Base
class
- verified behavior with changing the config.yaml option
`LDAP_FOLLOW_REFERRALS`
```
$ grep LDAP_FOLLOW_REFERRALS config.yaml
LDAP_FOLLOW_REFERRALS: 0
$ ./update_bundle
secret "quay-config-secret" deleted
secret/quay-config-secret created
deployment.apps/quay restarted
$ oc -n quay logs -f deploy/quay | grep referrals
gunicorn-web stdout | 2023-05-25 09:41:36,524 [74] [DEBUG] [data.users] LDAPUsers return referrals value 0
gunicorn-secscan stdout | 2023-05-25 09:41:38,093 [73] [DEBUG] [data.users] LDAPUsers return referrals value 0
gunicorn-registry stdout | 2023-05-25 09:41:38,410 [72] [DEBUG] [data.users] LDAPUsers return referrals value 0
$ sed -i -e " s#LDAP_FOLLOW_REFERRALS: 0#LDAP_FOLLOW_REFERRALS: 1#; " config.yaml
$ grep LDAP_FOLLOW_REFERRALS config.yaml
LDAP_FOLLOW_REFERRALS: 1
$ ./update_bundle
secret "quay-config-secret" deleted
secret/quay-config-secret created
deployment.apps/quay restarted
$ oc -n quay logs -f deploy/quay | grep referrals
gunicorn-secscan stdout | 2023-05-25 09:42:22,466 [72] [DEBUG] [data.users] LDAPUsers return referrals value 1
gunicorn-web stdout | 2023-05-25 09:42:22,496 [73] [DEBUG] [data.users] LDAPUsers return referrals value 1
gunicorn-registry stdout | 2023-05-25 09:42:23,658 [71] [DEBUG] [data.users] LDAPUsers return referrals value 1
```
* reformatted LDAPConnectionBulder call according to PEP
* fixed the formatting change according to pip black
* BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting
permission has been dropped. This impacts Users from LDAP
if they have not logged in already (pre provisioning).
the functions:
* _ldap_single_user_search
* _ldap_user_search
have been updated to provide `context` for dropping the LDAP query. As
the functions are used during login as well as during setting
permissions it is mandatory to be able to distinguish the context.
the functions:
* get_nonrobot_user
* find_user_by_email
from the module `data.model.user` have been utilized to identify, if the
user should be looked up in LDAP or not.
* Adding keepalive setting for LDAP connection in complex network
scenarios.
* removed PROJQUAY-5137 (part one) to simplify merging and rollback
-> Revert "BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting"
This reverts commit 8765093d73.
* fixed black
* Change error messages in UI during LDAP login (PROJQUAY-4845)
Previously, on installations where LDAP is used, we were telling users whether the username or password was failing when login attempts were made. This might pose a security risk, a malicious user could, via the returned message, identify which users have access to Quay and which don't.
With this change, we return a general message saying the user used wrong credentials instead of providing any details.
* Fixed tests.
* Fix some more tests.
* Readd accidental removal of one assertion.
- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes on restricted users' own namespace. Normal
permissions applies on organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
* Convert all Python2 to Python3 syntax.
* Removes oauth2lib dependency
* Replace mockredis with fakeredis
* byte/str conversions
* Removes nonexisting __nonzero__ in Python3
* Python3 Dockerfile and related
* [PROJQUAY-98] Replace resumablehashlib with rehash
* PROJQUAY-123 - replace gpgme with python3-gpg
* [PROJQUAY-135] Fix unhashable class error
* Update external dependencies for Python 3
- Move github.com/app-registry/appr to github.com/quay/appr
- github.com/coderanger/supervisor-stdout
- github.com/DevTable/container-cloud-config
- Update to latest mockldap with changes applied from coreos/mockldap
- Update dependencies in requirements.txt and requirements-dev.txt
* Default FLOAT_REPR function to str in json encoder and removes keyword assignment
True, False, and str were not keywords in Python2...
* [PROJQUAY-165] Replace package `bencode` with `bencode.py`
- Bencode is not compatible with Python 3.x and is no longer
maintained. Bencode.py appears to be a drop-in replacement/fork
that is compatible with Python 3.
* Make sure monkey.patch is called before anything else (
* Removes anunidecode dependency and replaces it with text_unidecode
* Base64 encode/decode pickle dumps/loads when storing value in DB
Base64 encodes/decodes the serialized values when storing them in the
DB. Also make sure to return a Python3 string instead of a Bytes when
coercing for db, otherwise, Postgres' TEXT field will convert it into
a hex representation when storing the value.
* Implement __hash__ on Digest class
In Python 3, if a class defines __eq__() but not __hash__(), its
instances will not be usable as items in hashable collections (e.g sets).
* Remove basestring check
* Fix expected message in credentials tests
* Fix usage of Cryptography.Fernet for Python3 (#219)
- Specifically, this addresses the issue where Byte<->String
conversions weren't being applied correctly.
* Fix utils
- tar+stream layer format utils
- filelike util
* Fix storage tests
* Fix endpoint tests
* Fix workers tests
* Fix docker's empty layer bytes
* Fix registry tests
* Appr
* Enable CI for Python 3.6
* Skip buildman tests
Skip buildman tests while it's being rewritten to allow ci to pass.
* Install swig for CI
* Update expected exception type in redis validation test
* Fix gpg signing calls
Fix gpg calls for updated gpg wrapper, and add signing tests.
* Convert / to // for Python3 integer division
* WIP: Update buildman to use asyncio instead of trollius.
This dependency is considered deprecated/abandoned and was only
used as an implementation/backport of asyncio on Python 2.x
This is a work in progress, and is included in the PR just to get the
rest of the tests passing. The builder is actually being rewritten.
* Target Python 3.8
* Removes unused files
- Removes unused files that were added accidentally while rebasing
- Small fixes/cleanup
- TODO tasks comments
* Add TODO to verify rehash backward compat with resumablehashlib
* Revert "[PROJQUAY-135] Fix unhashable class error" and implements __hash__ instead.
This reverts commit 735e38e3c1d072bf50ea864bc7e119a55d3a8976.
Instead, defines __hash__ for encryped fields class, using the parent
field's implementation.
* Remove some unused files ad imports
Co-authored-by: Kenny Lee Sin Cheong <kenny.lee@redhat.com>
Co-authored-by: Tom McKay <thomasmckay@redhat.com>
Up until now, the "if not found_results" line could throw an UnboundLocalError because the variable was assigned inside a try block which could fail but the variable was later referenced.
