docker/quay
1
0
Fork 0
mirror of https://github.com/quay/quay.git synced 2026-01-27 18:42:52 +03:00
Code Activity
Files
ba2aa54d3fc081c052d65c899b49f67dd6ca3ada
quay/data/users/externaljwt.py
Kurtis Mullins 38be6d05d0 Python 3 (#153) 
* Convert all Python2 to Python3 syntax.

* Removes oauth2lib dependency

* Replace mockredis with fakeredis

* byte/str conversions

* Removes nonexisting __nonzero__ in Python3

* Python3 Dockerfile and related

* [PROJQUAY-98] Replace resumablehashlib with rehash

* PROJQUAY-123 - replace gpgme with python3-gpg

* [PROJQUAY-135] Fix unhashable class error

* Update external dependencies for Python 3

- Move github.com/app-registry/appr to github.com/quay/appr
- github.com/coderanger/supervisor-stdout
- github.com/DevTable/container-cloud-config
- Update to latest mockldap with changes applied from coreos/mockldap
- Update dependencies in requirements.txt and requirements-dev.txt

* Default FLOAT_REPR function to str in json encoder and removes keyword assignment

True, False, and str were not keywords in Python2...

* [PROJQUAY-165] Replace package `bencode` with `bencode.py`

- Bencode is not compatible with Python 3.x and is no longer
  maintained. Bencode.py appears to be a drop-in replacement/fork
  that is compatible with Python 3.

* Make sure monkey.patch is called before anything else (

* Removes anunidecode dependency and replaces it with text_unidecode

* Base64 encode/decode pickle dumps/loads when storing value in DB

Base64 encodes/decodes the serialized values when storing them in the
DB. Also make sure to return a Python3 string instead of a Bytes when
coercing for db, otherwise, Postgres' TEXT field will convert it into
a hex representation when storing the value.

* Implement __hash__ on Digest class

In Python 3, if a class defines __eq__() but not __hash__(), its
instances will not be usable as items in hashable collections (e.g sets).

* Remove basestring check

* Fix expected message in credentials tests

* Fix usage of Cryptography.Fernet for Python3 (#219)

- Specifically, this addresses the issue where Byte<->String
  conversions weren't being applied correctly.

* Fix utils

- tar+stream layer format utils
- filelike util

* Fix storage tests

* Fix endpoint tests

* Fix workers tests

* Fix docker's empty layer bytes

* Fix registry tests

* Appr

* Enable CI for Python 3.6

* Skip buildman tests

Skip buildman tests while it's being rewritten to allow ci to pass.

* Install swig for CI

* Update expected exception type in redis validation test

* Fix gpg signing calls

Fix gpg calls for updated gpg wrapper, and add signing tests.

* Convert / to // for Python3 integer division

* WIP: Update buildman to use asyncio instead of trollius.

This dependency is considered deprecated/abandoned and was only
used as an implementation/backport of asyncio on Python 2.x
This is a work in progress, and is included in the PR just to get the
rest of the tests passing. The builder is actually being rewritten.

* Target Python 3.8

* Removes unused files

- Removes unused files that were added accidentally while rebasing
- Small fixes/cleanup
- TODO tasks comments

* Add TODO to verify rehash backward compat with resumablehashlib

* Revert "[PROJQUAY-135] Fix unhashable class error" and implements __hash__ instead.

This reverts commit 735e38e3c1d072bf50ea864bc7e119a55d3a8976.
Instead, defines __hash__ for encryped fields class, using the parent
field's implementation.

* Remove some unused files ad imports

Co-authored-by: Kenny Lee Sin Cheong <kenny.lee@redhat.com>
Co-authored-by: Tom McKay <thomasmckay@redhat.com>
2020-06-05 16:50:13 -04:00

152 lines
5.1 KiB
Python
Raw Blame History

import logging
import json
import os
from data.users.federated import FederatedUsers, UserInformation
from util.security import jwtutil
logger = logging.getLogger(__name__)
class ExternalJWTAuthN(FederatedUsers):
"""
Delegates authentication to a REST endpoint that returns JWTs.
"""
PUBLIC_KEY_FILENAME = "jwt-authn.cert"
def __init__(
self,
verify_url,
query_url,
getuser_url,
issuer,
override_config_dir,
http_client,
max_fresh_s,
public_key_path=None,
requires_email=True,
):
super(ExternalJWTAuthN, self).__init__("jwtauthn", requires_email)
self.verify_url = verify_url
self.query_url = query_url
self.getuser_url = getuser_url
self.issuer = issuer
self.client = http_client
self.max_fresh_s = max_fresh_s
self.requires_email = requires_email
default_key_path = os.path.join(override_config_dir, ExternalJWTAuthN.PUBLIC_KEY_FILENAME)
public_key_path = public_key_path or default_key_path
if not os.path.exists(public_key_path):
error_message = 'JWT Authentication public key file "%s" not found' % public_key_path
raise Exception(error_message)
self.public_key_path = public_key_path
with open(public_key_path, mode="rb") as public_key_file:
self.public_key = public_key_file.read()
def has_password_set(self, username):
return True
def ping(self):
result = self.client.get(self.getuser_url, timeout=2)
# We expect a 401 or 403 of some kind, since we explicitly don't send an auth header
if result.status_code // 100 != 4:
return (False, result.text or "Could not reach JWT authn endpoint")
return (True, None)
def get_user(self, username_or_email):
if self.getuser_url is None:
return (None, "No endpoint defined for retrieving user")
(payload, err_msg) = self._execute_call(
self.getuser_url, "quay.io/jwtauthn/getuser", params=dict(username=username_or_email)
)
if err_msg is not None:
return (None, err_msg)
if not "sub" in payload:
raise Exception("Missing sub field in JWT")
if self.requires_email and not "email" in payload:
raise Exception("Missing email field in JWT")
# Parse out the username and email.
user_info = UserInformation(
username=payload["sub"], email=payload.get("email"), id=payload["sub"]
)
return (user_info, None)
def query_users(self, query, limit=20):
if self.query_url is None:
return (None, self.federated_service, "No endpoint defined for querying users")
(payload, err_msg) = self._execute_call(
self.query_url, "quay.io/jwtauthn/query", params=dict(query=query, limit=limit)
)
if err_msg is not None:
return (None, self.federated_service, err_msg)
query_results = []
for result in payload["results"][0:limit]:
user_info = UserInformation(
username=result["username"], email=result.get("email"), id=result["username"]
)
query_results.append(user_info)
return (query_results, self.federated_service, None)
def verify_credentials(self, username_or_email, password):
(payload, err_msg) = self._execute_call(
self.verify_url, "quay.io/jwtauthn", auth=(username_or_email, password)
)
if err_msg is not None:
return (None, err_msg)
if not "sub" in payload:
raise Exception("Missing sub field in JWT")
if self.requires_email and not "email" in payload:
raise Exception("Missing email field in JWT")
user_info = UserInformation(
username=payload["sub"], email=payload.get("email"), id=payload["sub"]
)
return (user_info, None)
def _execute_call(self, url, aud, auth=None, params=None):
"""
Executes a call to the external JWT auth provider.
"""
result = self.client.get(url, timeout=2, auth=auth, params=params)
if result.status_code != 200:
return (None, result.text or "Could not make JWT auth call")
try:
result_data = json.loads(result.text)
except ValueError:
raise Exception("Returned JWT body for url %s does not contain JSON", url)
# Load the JWT returned.
encoded = result_data.get("token", "")
exp_limit_options = jwtutil.exp_max_s_option(self.max_fresh_s)
try:
payload = jwtutil.decode(
encoded,
self.public_key,
algorithms=["RS256"],
audience=aud,
issuer=self.issuer,
options=exp_limit_options,
)
return (payload, None)
except jwtutil.InvalidTokenError:
logger.exception("Exception when decoding returned JWT for url %s", url)
return (None, "Exception when decoding returned JWT")
View Git Blame Copy Permalink