mirror of https://github.com/quay/quay.git synced 2026-01-26 06:21:37 +03:00

39 Commits

Author SHA1 Message Date
Brandon Caton
65e727086a ldap: allow global readonly superuser to be filtered (PROJQUAY-7044) (#2917)
Allow global readonly superuser to be specified via LDAP.
2024-06-04 15:19:37 -04:00
Sunandadadi
6bf6c2b181 teamsync: run team sync worker for teams synced via ldap or keystone (PROJQUAY-6762) (#2788)
* teamsync: run team sync worker for teams synced via ldap or keystone (PROJQUAY-6762)

* fix comment

* adding test

* isort fix
2024-04-29 13:18:04 -04:00
Sunandadadi
81682c96d0 oidc: ask for group object id for azure oauth login (PROJQUAY-6917) (#2805)
* oidc: ask for group object id for azure oauth login (PROJQUAY-6917)

* fixing tests

* adding tests
2024-04-24 10:18:31 -04:00
Sunandadadi
298373a3db oidc: allows users to login via cli (PROJQUAY-6873) (#2748)
* oidc: allows users to login via cli (PROJQUAY-6873)

* fixing tests

* update reading username + adding tests
2024-03-18 14:06:16 -04:00
Sunandadadi
3983b73097 oidc: use federated login service to sync quay teams (PROJQUAY-6741) (#2724)
* oidc: use federated login service to sync quay teams (PROJQUAY-6741)

* adding more logs to oidc team sync

* Adding tests
2024-03-05 16:47:06 -05:00
Sunandadadi
3446d5630b oidc: display error msg when signing in via username password (PROJQUAY-6740) (#2714)
* oidc: display error msg when signing in via username password (PROJQUAY-6740)

* added test + typo fix
2024-03-01 13:14:27 -05:00
Sunandadadi
74fd23d7d3 backend: Syncing teams with OIDC group (PROJQUAY-6290) (#2693) 2024-02-27 16:53:51 -05:00
Sunandadadi
4cb0a57488 ui: ui and initial scaffolding for OIDC auth (PROJQUAY-6298) (#2646)
* added base class for OIDC auth + UI

* adding read-only teams page + display sync config + option to remove team sync

* setting page in read only mode fix

* ui tests

* adding validation for group name input

* fixes based on review + fixing test suite

* add backend tests for externalOIDC

* minor fixes
2024-02-20 11:58:10 -05:00
Michaela Lang
4719f46c2c federationuser(ldap): adding keepalive settings for LDAP connections (PROJQUAY-5137) (#1975)
* - added env option to select if we want to follow LDAP referrals
- added check on LDAP if the result is a list, it is an LDAP referral

* - change to config.yaml parameter option for enabling/disabling LDAP
  referral lookups
- removed the per/method parameter and moved the referral into the Base
  class

- verified behavior with changing the config.yaml option
  `LDAP_FOLLOW_REFERRALS`

    ```
    $ grep LDAP_FOLLOW_REFERRALS config.yaml
    LDAP_FOLLOW_REFERRALS: 0

    $ ./update_bundle
    secret "quay-config-secret" deleted
    secret/quay-config-secret created
    deployment.apps/quay restarted

    $ oc -n quay logs -f deploy/quay | grep referrals
    gunicorn-web stdout | 2023-05-25 09:41:36,524 [74] [DEBUG] [data.users] LDAPUsers return referrals value 0
    gunicorn-secscan stdout | 2023-05-25 09:41:38,093 [73] [DEBUG] [data.users] LDAPUsers return referrals value 0
    gunicorn-registry stdout | 2023-05-25 09:41:38,410 [72] [DEBUG] [data.users] LDAPUsers return referrals value 0

    $ sed -i -e " s#LDAP_FOLLOW_REFERRALS: 0#LDAP_FOLLOW_REFERRALS: 1#; " config.yaml
    $ grep LDAP_FOLLOW_REFERRALS config.yaml
    LDAP_FOLLOW_REFERRALS: 1

    $ ./update_bundle
    secret "quay-config-secret" deleted
    secret/quay-config-secret created
    deployment.apps/quay restarted

    $ oc -n quay logs -f deploy/quay  | grep referrals
    gunicorn-secscan stdout | 2023-05-25 09:42:22,466 [72] [DEBUG] [data.users] LDAPUsers return referrals value 1
    gunicorn-web stdout | 2023-05-25 09:42:22,496 [73] [DEBUG] [data.users] LDAPUsers return referrals value 1
    gunicorn-registry stdout | 2023-05-25 09:42:23,658 [71] [DEBUG] [data.users] LDAPUsers return referrals value 1
    ```

* reformatted LDAPConnectionBuilder call according to PEP

* fixed the formatting change according to pip black

* BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting
                 permission has been dropped. This impacts Users from LDAP
                 if they have not logged in already (pre provisioning).

the functions:

* _ldap_single_user_search
* _ldap_user_search

have been updated to provide `context` for dropping the LDAP query. As
the functions are used during login as well as during setting
permissions it is mandatory to be able to distinguish the context.

the functions:

* get_nonrobot_user
* find_user_by_email

from the module `data.model.user` have been utilized to identify, if the
user should be looked up in LDAP or not.

* Adding keepalive setting for LDAP connection in complex network
scenarios.

* removed PROJQUAY-5137 (part one) to simplify merging and rollback
-> Revert "BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting"

This reverts commit 8765093d73.

* fixed black
2023-10-17 17:36:24 +02:00
Marcus Kok
dd96025ff5 user: Support custom LDAP memberOf attribute (PROJQUAY-5928) (#2406)
* user: Support custom LDAP memberOf attribute (PROJQUAY-3235)
* rebase of [PR 1120](https://github.com/quay/quay/pull/1120)

---------

Co-authored-by: Marius Bakke <marius.bakke@usit.uio.no>
2023-10-16 09:33:30 -04:00
Kenny Lee Sin Cheong
5f63b3a7bb chore: drop deprecated tables and remove unused code (PROJQUAY-522) (#2089)
* chore: drop deprecated tables and remove unused code

* isort imports

* migration: check for table existence before drop
2023-08-25 12:17:24 -04:00
Michaela Lang
7ecf97b9fc authentication(LDAP): allow LDAP referrals to not be followed (PROJQUAY-5291) (#1905) 2023-06-02 19:32:18 +02:00
Kenny Lee Sin Cheong
16e5321108 permissions: lazy-load superuser permissions (PROJQUAY-5117) (#1761) 2023-03-06 10:29:55 -05:00
Ivan Bazulic
95a5932528 security: Change error messages in UI during LDAP login (PROJQUAY-4845) (#1767)
* Change error messages in UI during LDAP login (PROJQUAY-4845)

Previously, on installations where LDAP is used, we were telling users whether the username or the password was failing when login attempts were made. This might pose a security risk: a malicious user could, via the returned message, identify which users have access to Quay and which don't.
With this change, we return a general message saying the user used wrong credentials instead of providing any details.

* Fixed tests.

* Fix some more tests.

* Readd accidental removal of one assertion.
2023-03-02 11:49:11 -05:00
Kenny Lee Sin Cheong
dba302b5f1 users: default to true if LDAP_RESTRICTED_USER_FILTER is not set (PROJQUAY-4776) (#1645)
When LDAP is used and FEATURE_RESTRICTED_USERS is set, if
LDAP_RESTRICTED_USER_FILTER is set, then, by default, all ldap users
are restricted.
2022-11-25 13:39:07 -05:00
Kenny Lee Sin Cheong
b128936b50 users: fix behavior when using ldap and restricted user whitelist is set (PROJQUAY-4767) (#1640) 2022-11-23 15:22:15 -05:00
Kenny Lee Sin Cheong
0caa4203ec users: prevent CREATE_NAMESPACE_ON_PUSH is restricted (PROJQUAY-4702) (#1621)
Prevent creating namespaces/orgs on pushes (CREATE_NAMESPACE_ON_PUSH)
if user is restricted.

Also updates RESTRICTED_USERS_WHITELIST to default to all if not set,
given that FEATURE_RESTRICTED_USERS is set.
2022-11-09 18:23:01 -05:00
Kenny Lee Sin Cheong
64ec15605c superusers: grant superusers additional org permissions (PROJQUAY-4687) (#1613)
When FEATURE_SUPERUSERS_FULL_ACCESS is set, grant superusers org admin permissions:
- PROJQUAY-4687
- PROJQUAY-4690
- PROJQUAY-4693
- PROJQUAY-4697
- PROJQUAY-4701
2022-11-07 17:41:18 -05:00
Kenny Lee Sin Cheong
c84067a4d6 users: add restricted users' filter (PROJQUAY-1245) (#1551)
- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes on restricted users' own namespace. Normal
permissions apply on organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
2022-10-28 13:38:37 -04:00
Kenny Lee Sin Cheong
14e87bd41e users: fix missing references in ldap for superusers (#1542) 2022-09-26 16:15:52 -04:00
Dave O'Connor
d4c0c1e4ed Fix super (#1533) 2022-09-16 15:31:04 -04:00
Dave O'Connor
dfe4d9f98b Fix typo (#1531) 2022-09-15 15:42:12 -04:00
Kenny Lee Sin Cheong
070f464b14 users: superuser group in federated identity provider (PROJQUAY-3924) (#1464) 2022-08-11 15:36:10 -04:00
Oleg Bulatov
5eaf0584db chore: Run mypy as CI job (#1363)
* Run mypy as CI job

* Fix peewee.pyi and configure pyright
2022-06-13 11:01:17 +02:00
Kenny Lee Sin Cheong
4785f2d119 Deprecate use of pycryptodome for AES (#679)
Since we're already using the cryptography package elsewhere, there is
no need to have 2 different crypto packages as dependencies.
2021-03-08 13:33:44 -05:00
Kurtis Mullins
bd7252c536 [PROJQUAY-1021] task: Update "Black" to version 20.8b1 2020-11-30 18:48:19 -05:00
thomasmckay
f9126ea375 PROJQUAY-1258 - correct ldap python3 call (#600) 2020-11-18 15:20:42 -05:00
thomasmckay
bf83ddee4b PROJQUAY-1273 - ldap bytes-like strings (#598) 2020-11-12 14:07:37 -05:00
Kurtis Mullins
52b86ac9fd [PROJQUAY-822] security: Hide sensitive LDAP log data (#562) 2020-10-06 12:44:07 -04:00
Kenny Lee Sin Cheong
71a2ba052c Fix ldap user login (#509)
* Fix typo

* Make sure python-ldap uses str instead of bytes
2020-08-07 16:08:36 -04:00
zhouhaibing089
4c429687fe keystonev2: populate user.name into UserInformation (#440)
The behavior between keystonev2 and keystonev3 is different today.
In keystonev3 implementation, the username comes from [user.name][1],
but keystonev2 just uses the incoming `username_or_email`.

Also, by reading `user.name`, we can use keystone APIKeys to do
authentication which is necessary due to potential 2FA requirements.

[1]: f4179e5e71/data/users/keystone.py (L316)
2020-06-17 14:13:00 -04:00
Kurtis Mullins
38be6d05d0 Python 3 (#153)
* Convert all Python2 to Python3 syntax.

* Removes oauth2lib dependency

* Replace mockredis with fakeredis

* byte/str conversions

* Removes nonexisting __nonzero__ in Python3

* Python3 Dockerfile and related

* [PROJQUAY-98] Replace resumablehashlib with rehash

* PROJQUAY-123 - replace gpgme with python3-gpg

* [PROJQUAY-135] Fix unhashable class error

* Update external dependencies for Python 3

- Move github.com/app-registry/appr to github.com/quay/appr
- github.com/coderanger/supervisor-stdout
- github.com/DevTable/container-cloud-config
- Update to latest mockldap with changes applied from coreos/mockldap
- Update dependencies in requirements.txt and requirements-dev.txt

* Default FLOAT_REPR function to str in json encoder and removes keyword assignment

True, False, and str were not keywords in Python2...

* [PROJQUAY-165] Replace package `bencode` with `bencode.py`

- Bencode is not compatible with Python 3.x and is no longer
  maintained. Bencode.py appears to be a drop-in replacement/fork
  that is compatible with Python 3.

* Make sure monkey.patch is called before anything else (

* Removes anunidecode dependency and replaces it with text_unidecode

* Base64 encode/decode pickle dumps/loads when storing value in DB

Base64 encodes/decodes the serialized values when storing them in the
DB. Also make sure to return a Python3 string instead of a Bytes when
coercing for db, otherwise, Postgres' TEXT field will convert it into
a hex representation when storing the value.

* Implement __hash__ on Digest class

In Python 3, if a class defines __eq__() but not __hash__(), its
instances will not be usable as items in hashable collections (e.g sets).

* Remove basestring check

* Fix expected message in credentials tests

* Fix usage of Cryptography.Fernet for Python3 (#219)

- Specifically, this addresses the issue where Byte<->String
  conversions weren't being applied correctly.

* Fix utils

- tar+stream layer format utils
- filelike util

* Fix storage tests

* Fix endpoint tests

* Fix workers tests

* Fix docker's empty layer bytes

* Fix registry tests

* Appr

* Enable CI for Python 3.6

* Skip buildman tests

Skip buildman tests while it's being rewritten to allow ci to pass.

* Install swig for CI

* Update expected exception type in redis validation test

* Fix gpg signing calls

Fix gpg calls for updated gpg wrapper, and add signing tests.

* Convert / to // for Python3 integer division

* WIP: Update buildman to use asyncio instead of trollius.

This dependency is considered deprecated/abandoned and was only
used as an implementation/backport of asyncio on Python 2.x
This is a work in progress, and is included in the PR just to get the
rest of the tests passing. The builder is actually being rewritten.

* Target Python 3.8

* Removes unused files

- Removes unused files that were added accidentally while rebasing
- Small fixes/cleanup
- TODO tasks comments

* Add TODO to verify rehash backward compat with resumablehashlib

* Revert "[PROJQUAY-135] Fix unhashable class error" and implements __hash__ instead.

This reverts commit 735e38e3c1d072bf50ea864bc7e119a55d3a8976.
Instead, defines __hash__ for the encrypted fields class, using the parent
field's implementation.

* Remove some unused files and imports

Co-authored-by: Kenny Lee Sin Cheong <kenny.lee@redhat.com>
Co-authored-by: Tom McKay <thomasmckay@redhat.com>
2020-06-05 16:50:13 -04:00
Benjamin Merot
bab908d8f2 Defined found_results before try block so it's always assigned (#376)
Up until now, the "if not found_results" line could throw an UnboundLocalError, because the variable was assigned inside a try block that could fail, yet the variable was referenced afterwards.
2020-05-12 10:59:41 -04:00
Joseph Schorr
2f171889e4 Fix search filter for LDAP user lookup when no user filter is specified (#346)
The LDAP class defined the filter using a default Python parameter, so
we need to mimic it
2020-04-22 16:44:32 -04:00
Joseph Schorr
3e8ef9574c Ensure that all user-provided filters are wrapped in parens (#322)
Also adds tests and fixes some issues with our existing filter

Fixes https://issues.redhat.com/browse/PROJQUAY-551
2020-04-07 17:30:12 -04:00
Joseph Schorr
5619452776 Add ability to filter user lookups in LDAP user system (#252)
This allows customers to specify additional restrictions on the users
that are allowed to be used

Fixes https://issues.redhat.com/browse/PROJQUAY-226
2020-03-16 11:38:14 -04:00
alecmerdler
3dd5f045ff fix all the docstrings 2020-02-05 19:55:07 -08:00
Tom McKay
e6ae94db8b 'make black' results 2019-12-02 12:23:08 -05:00
Jimmy Zelinskie
9c0dd3b722 initial import for Open Source 🎉 2019-11-12 11:09:47 -05:00