quayio: Add export compliance service to Red Hat SSO (PROJQUAY-2056) (#…

…1239) - Add FEATURE_EXPORT_COMPLIANCE to config schema - Add call to export compliance service during OAuth workflow when feature is enabled
quay · Apr 18, 2022 · 247fec3 · 247fec3
1 parent aa7068a
commit 247fec3
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/config.py b/config.py
@@ -823,3 +823,9 @@ def create_transaction(db):
 
     # Feature Flag: Enables Quay to act as a pull through cache for upstream registries
     FEATURE_PROXY_CACHE = False
+
+    # Feature Flag: Use Red Hat Export Compliance Service during Red Hat SSO (only used in Quay.io)
+    FEATURE_EXPORT_COMPLIANCE = False
+
+    # Export Compliance Endpoint
+    EXPORT_COMPLIANCE_ENDPOINT = ""
diff --git a/endpoints/oauth/login.py b/endpoints/oauth/login.py
@@ -1,14 +1,18 @@
 import logging
 import time
 import recaptcha2
+import os
 
 from collections import namedtuple
 from flask import request, redirect, url_for, Blueprint, abort, session
 from peewee import IntegrityError
+import requests
+
 
 import features
 
 from app import app, analytics, get_app_url, oauth_login, authentication, url_scheme_and_hostname
+from _init import CONF_DIR
 from auth.auth_context import get_authenticated_user
 from auth.decorators import require_session_login
 from data import model
@@ -297,6 +301,28 @@ def attach_func():
         if result.error_message is not None:
             return _get_response(result)
 
+        # Conduct RedHat Export Compliance if enabled
+        if features.EXPORT_COMPLIANCE:
+            logger.debug("Attempting to hit export compliance service")
+            try:
+                result = requests.post(
+                    app.config.get("EXPORT_COMPLIANCE_ENDPOINT"),
+                    cert=(
+                        os.path.join(CONF_DIR, "export-compliance-client.crt"),
+                        os.path.join(CONF_DIR, "export-compliance-client.key"),
+                    ),
+                    verify=os.path.join(CONF_DIR, "export-compliance-ca.crt"),
+                    json={"user": {"login": lusername}, "account": {"primary": True}},
+                    timeout=5,
+                )
+                logger.debug("Got result from export compliance service: " + result.json())
+                if result.status_code != 200:
+                    return _render_ologin_error(
+                        login_service.service_id(), str(result.json()["errors"])
+                    )
+            except Exception as e:
+                return _render_ologin_error(login_service.service_name(), str(e))
+
         return redirect(
             url_for(
                 "web.user_view",

diff --git a/util/config/schema.py b/util/config/schema.py
@@ -1215,5 +1215,15 @@
             "description": "Enables system default quota reject byte allowance for all organizations",
             "x-example": False,
         },
+        "FEATURE_EXPORT_COMPLIANCE": {
+            "type": "boolean",
+            "description": "Use Red Hat Export Compliance Service during Red Hat SSO (only used in Quay.io)",
+            "x-example": False,
+        },
+        "EXPORT_COMPLIANCE_ENDPOINT": {
+            "type": "string",
+            "description": "The Red Hat Export Compliance Service Endpoint (only used in Quay.io)",
+            "x-example": "export-compliance.com",
+        },
     },
 }