auth: Implement is_restricted_user for OIDC and allow super users to …

…create content regardless of set restriction (PROJQUAY-0000) Currently, if OIDC is set as an authentication mechanism and restricted users is set, Quay will return a `501 Not Implemented` on invocation. Now, Quay will properly check the restricted user whitelist for federated users. Additionally, if user restriction is in place and super user's username was **not** explicitly whitelisted, super users would not be able to create new content inside the registry. Now, the username is explicitly checked in the UI to allow super users to create both organizations and repos regardless of restricted users whitelist.
ibazulic · Nov 12, 2024 · 7c6a909 · 7c6a909
1 parent ece794e
commit 7c6a909
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 3 deletions.
diff --git a/data/users/__init__.py b/data/users/__init__.py
@@ -405,6 +405,12 @@ def is_restricted_user(self, username):
 
         return self.state.is_restricted_user(username)
 
+    def is_superuser(self, username):
+        if not features.SUPER_USERS:
+            return False
+
+        return self.state.is_superuser(username)
+
 
 class FederatedUserManager(ConfigUserManager):
     """
@@ -438,7 +444,9 @@ def is_restricted_user(self, username: str, include_robots: bool = True) -> bool
         if super().restricted_whitelist_is_set() and not super().is_restricted_user(username):
             return False
 
-        return self.federated_users.is_restricted_user(username)
+        return self.federated_users.is_restricted_user(username) or super().is_restricted_user(
+            username
+        )
 
     def has_restricted_users(self) -> bool:
         return self.federated_users.has_restricted_users() or super().has_restricted_users()

diff --git a/data/users/externaloidc.py b/data/users/externaloidc.py
@@ -49,6 +49,12 @@ def is_global_readonly_superuser(self, username: str):
         """
         return None
 
+    def is_restricted_user(self, username):
+        """
+        Checks whether the currently logged in user is restricted.
+        """
+        return None
+
     def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
         """
         Used by teamSync worker, unsupported for oidc team sync

diff --git a/endpoints/api/organization.py b/endpoints/api/organization.py
@@ -158,8 +158,10 @@ def post(self):
         org_data = request.get_json()
         existing = None
 
-        if features.RESTRICTED_USERS and usermanager.is_restricted_user(user.username):
-            raise Unauthorized()
+        # Super users should be able to create new orgs regardless of user restriction
+        if user.username not in app.config.get("SUPER_USERS", None):
+            if features.RESTRICTED_USERS and usermanager.is_restricted_user(user.username):
+                raise Unauthorized()
 
         try:
             existing = model.organization.get_organization(org_data["name"])

diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py
@@ -10,6 +10,7 @@
 
 import features
 from app import (
+    app,
     dockerfile_build_queue,
     repository_gc_queue,
     tuf_metadata_api,
@@ -144,6 +145,7 @@ def post(self):
             features.RESTRICTED_USERS
             and usermanager.is_restricted_user(owner.username)
             and owner.username == namespace_name
+            and owner.username not in app.config.get("SUPER_USERS", None)
         ):
 
             repository_name = req["repository"]