This repository has been archived by the owner on Apr 17, 2023. It is now read-only.
Introduce application tokens #625
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
You can start reviewing the code, everything works fine and has been tested. However I want to write some tests using capybara. |
| @@ -2,6 +2,16 @@ | |||
| # use in order to perform operation into the registry. This is the last step in | |||
| # the authentication process for Portus' point of view. | |||
| class Api::V2::TokensController < Api::BaseController | |||
| before_action :check_token | |||
|
|
|||
| def check_token | |||
There was a problem hiding this comment.
Please, add some documentation
|
LGTM. Just fix all my nitpicking :P |
|
Now application token events are tracked too:
|
|
Everything is ready to be reviewed, I'll squash all the commits into a single one before doing the merge. |
|
LGTM. Once tests are passing, just squash your commits and merge it. |
Right now the Docker client stores the credentials in plain format on the host. This is really bad from a security point of view, especially for users using LDAP to authenticated. This commit introduces the concept of "application tokens". Each user can have at most 5 application tokens. The tokens are created in a random secure way by Portus and are stored inside of its database after being hashed via bcrypt. The application tokens can be used by all the programs authenticating against a Docker registry protected by Portus (e.g.: the docker cli client). They cannot be used to log into Portus' web interface. The application tokens can be revoked at any time by using a new UI. Signed-off-by: Flavio Castelli <[email protected]>
flavio
force-pushed
the
authorization-tokens
branch
from
637237d to
b399f90
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Right now the Docker client stores the credentials in plain
format on the host. This is really bad from a security point of view,
especially for users using LDAP to authenticated.
This commit introduces the concept of "application tokens". Each user
can have at most 5 application tokens. The tokens are created in a
random secure way by Portus and are stored inside of its database after
being hashed via bcrypt.
The application tokens can be used by all the programs authenticating
against a Docker registry protected by Portus (e.g.: the docker cli
client). They cannot be used to log into Portus' web interface.
The application tokens can be revoked at any time by using a new UI.
Screenshots
Token management UI
Notice a new token has just been created
Token removal
After the token has been removed:
Token limit reached
This user has already 5 tokens, hence he cannot add new ones:
