feat: Support pre-configured supertoken authentication #687

Status: Open. Wants to merge 3 commits into base: main.
Conversation

@RobinHolzingerQC (Contributor) commented Feb 11, 2024

Motivation

We want to run automated CI tests on a dockerized version of quetz (deployed with helm/Kubernetes). To be able to use the API there without any real user (e.g. one authenticated via GitHub), we would like to be able to define a supertoken in the TOML config. It should act as an initial technical service account.
This token does not have to support all API endpoints (those could depend on an actual user being present). However, it should at least support creating new "real users" with username/password authentication (in our case https://github.com/mamba-org/quetz-sql-authenticator).

Changes

Introduce a new config element users.supertoken and allow the Rules class to let this token bypass the server role assertions.


@codecov-commenter commented Feb 11, 2024

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (ce3aeb7) 83.23% compared to head (9b7c3e1) 83.18%.

File                     Patch %   Lines missing
quetz/authorization.py   61.53%    5 ⚠️


Additional details and impacted files
@@            Coverage Diff             @@
##             main     #687      +/-   ##
==========================================
- Coverage   83.23%   83.18%   -0.05%     
==========================================
  Files          79       79              
  Lines        6291     6304      +13     
==========================================
+ Hits         5236     5244       +8     
- Misses       1055     1060       +5     


@RobinHolzingerQC RobinHolzingerQC marked this pull request as ready for review February 12, 2024 08:26
quetz/authorization.py: review thread (outdated, resolved)
@janjagusch janjagusch added the enhancement New feature or request label Feb 12, 2024
Comment on lines 170 to +172
def assert_server_roles(self, roles: list, msg: Optional[str] = None):
if self.is_supertoken:
return "supertoken"
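Review bot: the early return at the top of `assert_server_roles` short-circuits the check for every `roles` value, so a supertoken request satisfies any server-role assertion rather than only the ones a bootstrap service account needs, and it returns the string sentinel `"supertoken"` where callers get whatever the method returns on the normal path. Suggest narrowing the bypass to an explicit allow-list of roles (the PR description says only user creation must work), documenting the sentinel return value or returning the same type as the non-supertoken path, and making sure `self.is_supertoken` is derived from a constant-time comparison (`hmac.compare_digest`) of the presented token against the configured value, with an unset `users.supertoken` never setting it.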
A Collaborator commented:

I don't like how we're sneaking the super token into the authorization layer here. But I also understand that anything more explicit would require big changes in the Quetz authentication and authorization model.

Labels: enhancement (New feature or request)

3 participants