mirror of
https://github.com/quay/quay.git
synced 2026-01-26 06:21:37 +03:00
e8ff33e728
* add login failure logging Signed-off-by: dmesser <dmesser@redhat.com> * move failure logging into credential validation Signed-off-by: dmesser <dmesser@redhat.com> * more precise tracking of affected users Signed-off-by: dmesser <dmesser@redhat.com> * fix indent Signed-off-by: dmesser <dmesser@redhat.com> * differentiate robots with wrong credentials Signed-off-by: dmesser <dmesser@redhat.com> * don't audit failures by default Signed-off-by: dmesser <dmesser@redhat.com> * discrete failure tracking for logins, push, pulls and deletes Signed-off-by: dmesser <dmesser@redhat.com> * refine log metadata Signed-off-by: dmesser <dmesser@redhat.com> * login failure log visualization Signed-off-by: dmesser <dmesser@redhat.com> * properly use data model Signed-off-by: dmesser <dmesser@redhat.com> * fix unit test bug Signed-off-by: dmesser <dmesser@redhat.com> * track non-existing repos differently Signed-off-by: dmesser <dmesser@redhat.com> * log view visualization of failed pushes and pulls Signed-off-by: dmesser <dmesser@redhat.com> * ensure all tests are conducted with failure logging Signed-off-by: dmesser <dmesser@redhat.com> * additional unicode protection Signed-off-by: dmesser <dmesser@redhat.com> * python black formatting Signed-off-by: dmesser <dmesser@redhat.com> * add cypress test data Signed-off-by: dmesser <dmesser@redhat.com> * add safety checks for ascii conversion attempts Signed-off-by: dmesser <dmesser@redhat.com> * adjusting unit test with correct error message Signed-off-by: dmesser <dmesser@redhat.com> * update to alembic head Signed-off-by: dmesser <dmesser@redhat.com> * add standard oauth token metadata in audit Signed-off-by: dmesser <dmesser@redhat.com> * update alembic head Signed-off-by: dmesser <dmesser@redhat.com> * correct field name Signed-off-by: dmesser <dmesser@redhat.com> * formatting Signed-off-by: dmesser <dmesser@redhat.com> * bump alembic head Signed-off-by: dmesser <dmesser@redhat.com> * refactor auth logging imports Signed-off-by: dmesser <dmesser@redhat.com> * bump alembic head Signed-off-by: dmesser <dmesser@redhat.com> * formatting Signed-off-by: dmesser <dmesser@redhat.com> * restore module Signed-off-by: dmesser <dmesser@redhat.com> * pre-commit fixes Signed-off-by: dmesser <dmesser@redhat.com> * adding missing default Signed-off-by: dmesser <dmesser@redhat.com> * bump alembic head Signed-off-by: dmesser <dmesser@redhat.com> * update test data Signed-off-by: dmesser <dmesser@redhat.com> * refactoring to save db calls Signed-off-by: dmesser <dmesser@redhat.com> * fix unit tests Signed-off-by: dmesser <dmesser@redhat.com> * handle unicode conversion errors on email look up Signed-off-by: dmesser <dmesser@redhat.com> * bump alembic head Signed-off-by: dmesser <dmesser@redhat.com> * proper debug logging and conditional db calls Signed-off-by: dmesser <dmesser@redhat.com> * omit wildcard import Signed-off-by: dmesser <dmesser@redhat.com> * re-add import Signed-off-by: dmesser <dmesser@redhat.com> --------- Signed-off-by: dmesser <dmesser@redhat.com>
194 lines
7.5 KiB
Python
194 lines
7.5 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
from auth.credential_consts import (
|
|
ACCESS_TOKEN_USERNAME,
|
|
APP_SPECIFIC_TOKEN_USERNAME,
|
|
OAUTH_TOKEN_USERNAME,
|
|
)
|
|
from auth.credentials import CredentialKind, validate_credentials
|
|
from auth.validateresult import AuthKind, ValidateResult
|
|
from data import model
|
|
from data.database import RobotAccountToken
|
|
from test.fixtures import *
|
|
|
|
|
|
def test_valid_user(app):
|
|
result, kind = validate_credentials("devtable", "password")
|
|
assert kind == CredentialKind.user
|
|
assert result == ValidateResult(AuthKind.credentials, user=model.user.get_user("devtable"))
|
|
|
|
|
|
def test_valid_robot(app):
|
|
robot, password = model.user.create_robot("somerobot", model.user.get_user("devtable"))
|
|
result, kind = validate_credentials(robot.username, password)
|
|
assert kind == CredentialKind.robot
|
|
assert result == ValidateResult(AuthKind.credentials, robot=robot)
|
|
|
|
|
|
def test_valid_robot_for_disabled_user(app):
|
|
user = model.user.get_user("devtable")
|
|
|
|
robot, password = model.user.create_robot("somerobot", user)
|
|
|
|
user.enabled = False
|
|
user.save()
|
|
|
|
result, kind = validate_credentials(robot.username, password)
|
|
assert kind == CredentialKind.robot
|
|
|
|
err = "Robot %s owner %s is disabled" % (robot.username, user.username)
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=err)
|
|
|
|
|
|
def test_valid_robot_with_invalid_password(app):
|
|
robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
|
|
result, kind = validate_credentials(robot.username, "wrongpassword")
|
|
assert kind == CredentialKind.robot
|
|
|
|
err = "Could not find robot with username: %s and supplied password." % robot.username
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=err)
|
|
|
|
|
|
def test_valid_robot_with_invalid_token(app):
|
|
robot, password = model.user.create_robot("somerobot", model.user.get_user("devtable"))
|
|
token = RobotAccountToken.get(robot_account=robot)
|
|
token.delete_instance()
|
|
|
|
result, kind = validate_credentials(robot.username, password)
|
|
assert kind == CredentialKind.robot
|
|
|
|
err = "Could not find robot with username: %s and supplied password." % robot.username
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=err)
|
|
|
|
|
|
def test_valid_token(app):
|
|
access_token = model.token.create_delegate_token("devtable", "simple", "sometoken")
|
|
result, kind = validate_credentials(ACCESS_TOKEN_USERNAME, access_token.get_code())
|
|
assert kind == CredentialKind.token
|
|
assert result == ValidateResult(AuthKind.credentials, token=access_token)
|
|
|
|
|
|
def test_valid_oauth(app):
|
|
user = model.user.get_user("devtable")
|
|
app = model.oauth.list_applications_for_org(model.user.get_user_or_org("buynlarge"))[0]
|
|
oauth_token, code = model.oauth.create_user_access_token(user, app.client_id, "repo:read")
|
|
result, kind = validate_credentials(OAUTH_TOKEN_USERNAME, code)
|
|
assert kind == CredentialKind.oauth_token
|
|
assert result == ValidateResult(AuthKind.oauth, oauthtoken=oauth_token)
|
|
|
|
|
|
def test_invalid_password(app):
|
|
result, kind = validate_credentials("devtable", "somepassword")
|
|
assert kind == CredentialKind.user
|
|
assert result == ValidateResult(
|
|
AuthKind.credentials, error_message="Invalid Username or Password"
|
|
)
|
|
|
|
|
|
def test_valid_app_specific_token(app):
|
|
user = model.user.get_user("devtable")
|
|
app_specific_token = model.appspecifictoken.create_token(user, "some token")
|
|
full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
|
|
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
|
|
assert kind == CredentialKind.app_specific_token
|
|
assert result == ValidateResult(AuthKind.credentials, appspecifictoken=app_specific_token)
|
|
|
|
|
|
def test_valid_app_specific_token_for_disabled_user(app):
|
|
user = model.user.get_user("devtable")
|
|
user.enabled = False
|
|
user.save()
|
|
|
|
app_specific_token = model.appspecifictoken.create_token(user, "some token")
|
|
full_token = model.appspecifictoken.get_full_token_string(app_specific_token)
|
|
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
|
|
assert kind == CredentialKind.app_specific_token
|
|
|
|
err = "This user has been disabled. Please contact your administrator."
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=err)
|
|
|
|
|
|
def test_invalid_app_specific_token(app):
|
|
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, "somecode")
|
|
assert kind == CredentialKind.app_specific_token
|
|
assert result == ValidateResult(AuthKind.credentials, error_message="Invalid token")
|
|
|
|
|
|
def test_invalid_app_specific_token_code(app):
|
|
user = model.user.get_user("devtable")
|
|
app_specific_token = model.appspecifictoken.create_token(user, "some token")
|
|
full_token = app_specific_token.token_name + "something"
|
|
result, kind = validate_credentials(APP_SPECIFIC_TOKEN_USERNAME, full_token)
|
|
assert kind == CredentialKind.app_specific_token
|
|
assert result == ValidateResult(AuthKind.credentials, error_message="Invalid token")
|
|
|
|
|
|
def test_unicode(app):
|
|
result, kind = validate_credentials("someusername", "some₪code")
|
|
assert kind == CredentialKind.user
|
|
assert not result.auth_valid
|
|
assert result == ValidateResult(
|
|
AuthKind.credentials, error_message="Invalid Username or Password"
|
|
)
|
|
|
|
|
|
def test_unicode_robot(app):
|
|
robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
|
|
result, kind = validate_credentials(robot.username, "some₪code")
|
|
|
|
assert kind == CredentialKind.robot
|
|
assert not result.auth_valid
|
|
|
|
msg = "Could not find robot with username: devtable+somerobot and supplied password."
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=msg)
|
|
|
|
|
|
def test_invalid_user(app):
|
|
result, kind = validate_credentials("someinvaliduser", "password")
|
|
assert kind == CredentialKind.user
|
|
assert not result.authed_user
|
|
assert not result.auth_valid
|
|
|
|
|
|
def test_invalid_user_password(app):
|
|
result, kind = validate_credentials("devtable", "somepassword")
|
|
assert kind == CredentialKind.user
|
|
assert not result.authed_user
|
|
assert not result.auth_valid
|
|
|
|
|
|
def test_invalid_robot(app):
|
|
result, kind = validate_credentials("devtable+doesnotexist", "password")
|
|
assert kind == CredentialKind.robot
|
|
assert not result.authed_user
|
|
assert not result.auth_valid
|
|
|
|
|
|
def test_invalid_robot_token(app):
|
|
robot, _ = model.user.create_robot("somerobot", model.user.get_user("devtable"))
|
|
result, kind = validate_credentials(robot.username, "invalidpassword")
|
|
assert kind == CredentialKind.robot
|
|
assert not result.authed_user
|
|
assert not result.auth_valid
|
|
|
|
|
|
def test_invalid_unicode_robot(app):
|
|
token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
|
|
result, kind = validate_credentials("devtable+somerobot", token)
|
|
assert kind == CredentialKind.robot
|
|
assert not result.auth_valid
|
|
msg = "Could not find robot with username: devtable+somerobot and supplied password."
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=msg)
|
|
|
|
|
|
def test_invalid_unicode_robot_2(app):
|
|
user = model.user.get_user("devtable")
|
|
robot, password = model.user.create_robot("somerobot", user)
|
|
|
|
token = "“4JPCOLIVMAY32Q3XGVPHC4CBF8SKII5FWNYMASOFDIVSXTC5I5NBU”"
|
|
result, kind = validate_credentials("devtable+somerobot", token)
|
|
assert kind == CredentialKind.robot
|
|
assert not result.auth_valid
|
|
msg = "Could not find robot with username: devtable+somerobot and supplied password."
|
|
assert result == ValidateResult(AuthKind.credentials, error_message=msg)
|