1. 06 Jun, 2018 1 commit
  2. 18 May, 2018 2 commits
  3. 26 Apr, 2018 1 commit
  4. 25 Apr, 2018 1 commit
  5. 19 Apr, 2018 1 commit
  6. 12 Apr, 2018 1 commit
  7. 09 Nov, 2017 1 commit
  8. 21 Sep, 2017 2 commits
  9. 13 Sep, 2017 1 commit
  10. 12 Sep, 2017 1 commit
  11. 11 Sep, 2017 1 commit
    • Add support for minimally-authenticated Emulab node image pulls. · 13c5baca
      David Johnson authored
      When Emulab vnodes pull a new image after being scheduled for a reload,
      we need to authn/authz the pull.  So, we allow a username that is the
      physical host shortname (i.e. pcXXX, or whatever is in the nodes table);
      a password that is the containing experiment's eventkey -- and if a
      shared vnode, the containing experiment is the shared vhost container
      exp, not the vnode's exp; and the request must come from the vhost's
      public IP.  That is the authn part.  For authz, we authorize a pull from
      any repo referred to by the current_reloads table, for any vnode on the
      vhost.
      
      So, basically the Frisbee pull authentication, except with a little
      username/password scheme.  However, that isn't worth anything at all;
      anyone who has root on the box can see that stuff.  That's ok, it's just
      a scheme to avoid anonymous authn.
  12. 07 Sep, 2017 1 commit
  13. 31 Aug, 2017 5 commits
  14. 11 Aug, 2017 4 commits
    • Fix flipped multi-use token check. · 2d80a225
      David Johnson authored
    • Improve token generation (oauth compat, utc, slop). · b30b5216
      David Johnson authored
      First, we now add issued_at and expires_in fields to the plaintext
      return value, in compat with an oauth bearer token; useful to a
      middleman client to clear its cache, too.  There is no (standard) way to
      indicate that an oauth bearer token is a one-timer (which is presumably
      why JWT has its own mechanism (jti field in encrypted token)).
      
      Second, we add a configurable amount of slop (seconds) for the
      issued_at/iat/nbf fields; defaults to 0 of course.
      
      Finally, add a UTC option for the JWT 'exp' field.  The reference Docker
      registry is not compat with the JWT spec, in its requirement for the
      'exp' field.  JWT spec says that is a UTC UNIX timestamp; however, the
      registry implementation treats it as a local UNIX timestamp.  So, make
      it configurable for future, but default (in Config) to non-UTC.
    • Fix minor bug. · 145405e9
      David Johnson authored
    • Support the null scope. · 44e7632e
      David Johnson authored
      (We need this, for instance, for authorization to call /v2/, i.e. an
      authenticated registry version check.)
  15. 25 Jun, 2017 1 commit