modules/fm-orchestrator
1
0
Fork 0
mirror of https://pagure.io/fm-orchestrator.git synced 2026-04-05 11:48:33 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,134 Commits 4 Branches 137 Tags
8bbe2d359f6829135abfef71e7367e4e571094e9
Commit Graph

21 Commits

Author SHA1 Message Date
Jan Kaluza
34c8cc833a Fix tests and change two places where Forbidden is more accurate than Unauthorized. 2017-03-14 13:40:53 +01:00
Patrick Uiterwijk
a4763ee316 Use the 403 Forbidden result in case the user is unauthorized 
The difference between 401 Unauthorized and 403 Forbidden is that 403 Forbidden is "permanent":
it indicates that the user was authenticated correctly, but was not allowed to access this endpoint.
In contrast, 401 Unauthorized means that the request as posted was not allowed, but if the user
were to try again with (new) authorization tokens, it might actually succeed.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
 2017-03-13 07:34:36 +00:00
Jan Kaluza
b11ea14358 Add OIDC_REQUIRED_SCOPE and fix the test_auth.py to use Authorization header. 2017-03-06 14:56:09 +01:00
Jan Kaluza
0dbc1f8205 Handle None returned by _get_token_info 2017-02-21 09:24:36 +01:00
Ralph Bean
43ebe6d943 Merge #343 Use an authorization header instead of cookie for OIDC authn. 2017-02-21 02:13:30 +00:00
Ralph Bean
64fb5e9a1d Be nice. Kill whitespace. 2017-02-20 21:12:30 -05:00
Ralph Bean
1bd421e9c2 Merge #340 allow to explicitly disable client authentication 2017-02-21 02:09:48 +00:00
Matt Jia
143effcd15 Error out if OIDC_CLIENT_SECRETS is not set in server config 2017-02-21 11:08:42 +10:00
Matt Jia
be65a0ff81 allow to explicitly disable client authentication 2017-02-21 11:08:37 +10:00
Ralph Bean
61b7b6f47d Use an authorization header instead of cookie for oidc token. 
Fixes #330.
 2017-02-20 13:12:00 -05:00
Ralph Bean
0dec5f2d3c Remove unused import. 2017-02-20 13:07:27 -05:00
Ralph Bean
ef14008927 Split this string, at @puiterwijk's suggestion. 2017-02-20 08:41:36 -05:00
Ralph Bean
54770cdc23 Check that our required OIDC scopes are present. 2017-02-17 10:55:37 -05:00
Matt Prahl
b30a6a8e05 Merge #322 Use requests instead of httplib2 in auth.py 2017-02-17 00:27:42 +00:00
Jakub Kadlčík
47924a2688 Use requests instead of httplib2 2017-02-16 21:52:24 +01:00
Ralph Bean
30daab024e Handle odd response from OIDC UserInfo. 
By surprise, ipsilon handed me back a response with no groups one time.
Not sure why.  But logging here can hopefully help us catch it next
time.
 2017-02-16 14:28:43 -05:00
Ralph Bean
2887e71b29 Mark these functions as "private". 2017-02-10 15:53:36 -05:00
Ralph Bean
88aca055ce Replace query to FAS with OIDC groups scope check. 
This removes our query to FAS and fixes #304.

It is more flexible too, where we can now configure production to only
allow in members of the `modularity-wg` group, and then later open it up
to all packagers after F26 is out (as was agreed with FESCo).

In the process of working on this, I discovered that #305 is not
necessary.  We don't need our own scope; we can just use the `groups`
scope as done here.
 2017-02-10 15:50:41 -05:00
Jan Kaluza
8b3244405f Make the OIDC error messages more verbose and include non-secret client-secrets.json 2016-12-05 11:40:00 +01:00
Jan Kaluza
8cb4e0de5d Use OIDC to auth the users, replace submit-build.sh by submit-build.py which does hackish way of OIDC just to test things. 2016-12-02 14:52:04 +01:00
Matt Prahl
b4082dc551 Rename module from rida to module_build_service 
Rename routes from /rida/1/module-builds/ to /module-build-service/1/module-builds/
 2016-10-24 10:30:23 -04:00