quay/data/model/permission.py

from peewee import JOIN

from data.database import (RepositoryPermission, User, Repository, Visibility, Role, TeamMember,
                           PermissionPrototype, Team, TeamRole, Namespace)
from data.model import DataModelException, _basequery
from util.names import parse_robot_username

def list_team_permissions(team):
  return (RepositoryPermission
          .select(RepositoryPermission)
          .join(Repository)
          .join(Visibility)
          .switch(RepositoryPermission)
          .join(Role)
          .switch(RepositoryPermission)
          .where(RepositoryPermission.team == team))


def list_robot_permissions(robot_name):
  return (RepositoryPermission
          .select(RepositoryPermission, User, Repository)
          .join(Repository)
          .join(Visibility)
          .switch(RepositoryPermission)
          .join(Role)
          .switch(RepositoryPermission)
          .join(User)
          .where(User.username == robot_name, User.robot == True))


def list_organization_member_permissions(organization, limit_to_user=None):
  query = (RepositoryPermission
           .select(RepositoryPermission, Repository, User)
           .join(Repository)
           .switch(RepositoryPermission)
           .join(User)
           .where(Repository.namespace_user == organization))

  if limit_to_user is not None:
    query = query.where(RepositoryPermission.user == limit_to_user)
  else:
    query = query.where(User.robot == False)

  return query


def get_all_user_repository_permissions(user):
  return _get_user_repo_permissions(user)


def get_user_repo_permissions(user, repo):
  return _get_user_repo_permissions(user, limit_to_repository_obj=repo)


def get_user_repository_permissions(user, namespace, repo_name):
  return _get_user_repo_permissions(user, limit_namespace=namespace, limit_repo_name=repo_name)


def _get_user_repo_permissions(user, limit_to_repository_obj=None, limit_namespace=None,
                               limit_repo_name=None):
  UserThroughTeam = User.alias()

  base_query = (RepositoryPermission
                .select(RepositoryPermission, Role, Repository, Namespace)
                .join(Role)
                .switch(RepositoryPermission)
                .join(Repository)
                .join(Namespace, on=(Repository.namespace_user == Namespace.id))
                .switch(RepositoryPermission))

  if limit_to_repository_obj is not None:
    base_query = base_query.where(RepositoryPermission.repository == limit_to_repository_obj)
  elif limit_namespace and limit_repo_name:
    base_query = base_query.where(Repository.name == limit_repo_name,
                                  Namespace.username == limit_namespace)

  direct = (base_query
            .clone()
            .join(User)
            .where(User.id == user))

  team = (base_query
          .clone()
          .join(Team)
          .join(TeamMember)
          .join(UserThroughTeam, on=(UserThroughTeam.id == TeamMember.user))
          .where(UserThroughTeam.id == user))

  return direct | team


def delete_prototype_permission(org, uid):
  found = get_prototype_permission(org, uid)
  if not found:
    return None

  found.delete_instance()
  return found


def get_prototype_permission(org, uid):
  try:
    return PermissionPrototype.get(PermissionPrototype.org == org,
                                   PermissionPrototype.uuid == uid)
  except PermissionPrototype.DoesNotExist:
    return None


def get_prototype_permissions(org):
  ActivatingUser = User.alias()
  DelegateUser = User.alias()
  query = (PermissionPrototype
           .select()
           .where(PermissionPrototype.org == org)
           .join(ActivatingUser, JOIN.LEFT_OUTER,
                 on=(ActivatingUser.id == PermissionPrototype.activating_user))
           .join(DelegateUser, JOIN.LEFT_OUTER,
                 on=(DelegateUser.id == PermissionPrototype.delegate_user))
           .join(Team, JOIN.LEFT_OUTER,
                 on=(Team.id == PermissionPrototype.delegate_team))
           .join(Role, JOIN.LEFT_OUTER, on=(Role.id == PermissionPrototype.role)))
  return query


def update_prototype_permission(org, uid, role_name):
  found = get_prototype_permission(org, uid)
  if not found:
    return None

  new_role = Role.get(Role.name == role_name)
  found.role = new_role
  found.save()
  return found


def add_prototype_permission(org, role_name, activating_user,
                             delegate_user=None, delegate_team=None):
  new_role = Role.get(Role.name == role_name)
  return PermissionPrototype.create(org=org, role=new_role, activating_user=activating_user,
                                    delegate_user=delegate_user, delegate_team=delegate_team)


def get_org_wide_permissions(user, org_filter=None):
  Org = User.alias()
  team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
  with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==
                                                       Org.id))
  with_user = with_org.switch(Team).join(TeamMember).join(User)

  if org_filter:
    with_user.where(Org.username == org_filter)

  return with_user.where(User.id == user, Org.organization == True)


def get_all_repo_teams(namespace_name, repository_name):
  return (RepositoryPermission
          .select(Team.name, Role.name, RepositoryPermission)
          .join(Team)
          .switch(RepositoryPermission)
          .join(Role)
          .switch(RepositoryPermission)
          .join(Repository)
          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
          .where(Namespace.username == namespace_name, Repository.name == repository_name))


def apply_default_permissions(repo_obj, creating_user_obj):
  org = repo_obj.namespace_user
  user_clause = ((PermissionPrototype.activating_user == creating_user_obj) |
                 (PermissionPrototype.activating_user >> None))

  team_protos = (PermissionPrototype
                 .select()
                 .where(PermissionPrototype.org == org, user_clause,
                        PermissionPrototype.delegate_user >> None))

  def create_team_permission(team, repo, role):
    RepositoryPermission.create(team=team, repository=repo, role=role)

  __apply_permission_list(repo_obj, team_protos, 'name', create_team_permission)

  user_protos = (PermissionPrototype
                 .select()
                 .where(PermissionPrototype.org == org, user_clause,
                        PermissionPrototype.delegate_team >> None))

  def create_user_permission(user, repo, role):
    # The creating user always gets admin anyway
    if user.username == creating_user_obj.username:
      return

    RepositoryPermission.create(user=user, repository=repo, role=role)

  __apply_permission_list(repo_obj, user_protos, 'username', create_user_permission)


def __apply_permission_list(repo, proto_query, name_property, create_permission_func):
  final_protos = {}
  for proto in proto_query:
    applies_to = proto.delegate_team or proto.delegate_user
    name = getattr(applies_to, name_property)
    # We will skip the proto if it is pre-empted by a more important proto
    if name in final_protos and proto.activating_user is None:
      continue

    # By this point, it is either a user specific proto, or there is no
    # proto yet, so we can safely assume it applies
    final_protos[name] = (applies_to, proto.role)

  for delegate, role in final_protos.values():
    create_permission_func(delegate, repo, role)


def __entity_permission_repo_query(entity_id, entity_table, entity_id_property, namespace_name,
                                   repository_name):
  """ This method works for both users and teams. """

  return (RepositoryPermission
          .select(entity_table, Repository, Namespace, Role, RepositoryPermission)
          .join(entity_table)
          .switch(RepositoryPermission)
          .join(Role)
          .switch(RepositoryPermission)
          .join(Repository)
          .join(Namespace, on=(Repository.namespace_user == Namespace.id))
          .where(Repository.name == repository_name, Namespace.username == namespace_name,
                 entity_id_property == entity_id))


def get_user_reponame_permission(username, namespace_name, repository_name):
  fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,
                                                repository_name))
  if not fetched:
    raise DataModelException('User does not have permission for repo.')

  return fetched[0]


def get_team_reponame_permission(team_name, namespace_name, repository_name):
  fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,
                                                repository_name))
  if not fetched:
    raise DataModelException('Team does not have permission for repo.')

  return fetched[0]


def delete_user_permission(username, namespace_name, repository_name):
  if username == namespace_name:
    raise DataModelException('Namespace owner must always be admin.')

  fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,
                                                repository_name))
  if not fetched:
    raise DataModelException('User does not have permission for repo.')

  fetched[0].delete_instance()


def delete_team_permission(team_name, namespace_name, repository_name):
  fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,
                                                repository_name))
  if not fetched:
    raise DataModelException('Team does not have permission for repo.')

  fetched[0].delete_instance()


def __set_entity_repo_permission(entity, permission_entity_property,
                                 namespace_name, repository_name, role_name):
  repo = _basequery.get_existing_repository(namespace_name, repository_name)
  new_role = Role.get(Role.name == role_name)

  # Fetch any existing permission for this entity on the repo
  try:
    entity_attr = getattr(RepositoryPermission, permission_entity_property)
    perm = RepositoryPermission.get(entity_attr == entity, RepositoryPermission.repository == repo)
    perm.role = new_role
    perm.save()
    return perm
  except RepositoryPermission.DoesNotExist:
    set_entity_kwargs = {permission_entity_property: entity}
    new_perm = RepositoryPermission.create(repository=repo, role=new_role, **set_entity_kwargs)
    return new_perm


def set_user_repo_permission(username, namespace_name, repository_name, role_name):
  if username == namespace_name:
    raise DataModelException('Namespace owner must always be admin.')

  try:
    user = User.get(User.username == username)
  except User.DoesNotExist:
    raise DataModelException('Invalid username: %s' % username)

  if user.robot:
    parts = parse_robot_username(user.username)
    if not parts:
      raise DataModelException('Invalid robot: %s' % username)

    robot_namespace, _ = parts
    if robot_namespace != namespace_name:
      raise DataModelException('Cannot add robot %s under namespace %s' %
                               (username, namespace_name))

  return __set_entity_repo_permission(user, 'user', namespace_name, repository_name, role_name)


def set_team_repo_permission(team_name, namespace_name, repository_name, role_name):
  try:
    team = (Team
            .select()
            .join(User)
            .where(Team.name == team_name, User.username == namespace_name)
            .get())
  except Team.DoesNotExist:
    raise DataModelException('No team %s in organization %s' % (team_name, namespace_name))

  return __set_entity_repo_permission(team, 'team', namespace_name, repository_name, role_name)
initial import for Open Source 🎉 2019-11-12 16:09:47 +00:00			`from peewee import JOIN`

			`from data.database import (RepositoryPermission, User, Repository, Visibility, Role, TeamMember,`
			`PermissionPrototype, Team, TeamRole, Namespace)`
			`from data.model import DataModelException, _basequery`
			`from util.names import parse_robot_username`

			`def list_team_permissions(team):`
			`return (RepositoryPermission`
			`.select(RepositoryPermission)`
			`.join(Repository)`
			`.join(Visibility)`
			`.switch(RepositoryPermission)`
			`.join(Role)`
			`.switch(RepositoryPermission)`
			`.where(RepositoryPermission.team == team))`


			`def list_robot_permissions(robot_name):`
			`return (RepositoryPermission`
			`.select(RepositoryPermission, User, Repository)`
			`.join(Repository)`
			`.join(Visibility)`
			`.switch(RepositoryPermission)`
			`.join(Role)`
			`.switch(RepositoryPermission)`
			`.join(User)`
			`.where(User.username == robot_name, User.robot == True))`


			`def list_organization_member_permissions(organization, limit_to_user=None):`
			`query = (RepositoryPermission`
			`.select(RepositoryPermission, Repository, User)`
			`.join(Repository)`
			`.switch(RepositoryPermission)`
			`.join(User)`
			`.where(Repository.namespace_user == organization))`

			`if limit_to_user is not None:`
			`query = query.where(RepositoryPermission.user == limit_to_user)`
			`else:`
			`query = query.where(User.robot == False)`

			`return query`


			`def get_all_user_repository_permissions(user):`
			`return _get_user_repo_permissions(user)`


			`def get_user_repo_permissions(user, repo):`
			`return _get_user_repo_permissions(user, limit_to_repository_obj=repo)`


			`def get_user_repository_permissions(user, namespace, repo_name):`
			`return _get_user_repo_permissions(user, limit_namespace=namespace, limit_repo_name=repo_name)`


			`def _get_user_repo_permissions(user, limit_to_repository_obj=None, limit_namespace=None,`
			`limit_repo_name=None):`
			`UserThroughTeam = User.alias()`

			`base_query = (RepositoryPermission`
			`.select(RepositoryPermission, Role, Repository, Namespace)`
			`.join(Role)`
			`.switch(RepositoryPermission)`
			`.join(Repository)`
			`.join(Namespace, on=(Repository.namespace_user == Namespace.id))`
			`.switch(RepositoryPermission))`

			`if limit_to_repository_obj is not None:`
			`base_query = base_query.where(RepositoryPermission.repository == limit_to_repository_obj)`
			`elif limit_namespace and limit_repo_name:`
			`base_query = base_query.where(Repository.name == limit_repo_name,`
			`Namespace.username == limit_namespace)`

			`direct = (base_query`
			`.clone()`
			`.join(User)`
			`.where(User.id == user))`

			`team = (base_query`
			`.clone()`
			`.join(Team)`
			`.join(TeamMember)`
			`.join(UserThroughTeam, on=(UserThroughTeam.id == TeamMember.user))`
			`.where(UserThroughTeam.id == user))`

			`return direct \| team`


			`def delete_prototype_permission(org, uid):`
			`found = get_prototype_permission(org, uid)`
			`if not found:`
			`return None`

			`found.delete_instance()`
			`return found`


			`def get_prototype_permission(org, uid):`
			`try:`
			`return PermissionPrototype.get(PermissionPrototype.org == org,`
			`PermissionPrototype.uuid == uid)`
			`except PermissionPrototype.DoesNotExist:`
			`return None`


			`def get_prototype_permissions(org):`
			`ActivatingUser = User.alias()`
			`DelegateUser = User.alias()`
			`query = (PermissionPrototype`
			`.select()`
			`.where(PermissionPrototype.org == org)`
			`.join(ActivatingUser, JOIN.LEFT_OUTER,`
			`on=(ActivatingUser.id == PermissionPrototype.activating_user))`
			`.join(DelegateUser, JOIN.LEFT_OUTER,`
			`on=(DelegateUser.id == PermissionPrototype.delegate_user))`
			`.join(Team, JOIN.LEFT_OUTER,`
			`on=(Team.id == PermissionPrototype.delegate_team))`
			`.join(Role, JOIN.LEFT_OUTER, on=(Role.id == PermissionPrototype.role)))`
			`return query`


			`def update_prototype_permission(org, uid, role_name):`
			`found = get_prototype_permission(org, uid)`
			`if not found:`
			`return None`

			`new_role = Role.get(Role.name == role_name)`
			`found.role = new_role`
			`found.save()`
			`return found`


			`def add_prototype_permission(org, role_name, activating_user,`
			`delegate_user=None, delegate_team=None):`
			`new_role = Role.get(Role.name == role_name)`
			`return PermissionPrototype.create(org=org, role=new_role, activating_user=activating_user,`
			`delegate_user=delegate_user, delegate_team=delegate_team)`


			`def get_org_wide_permissions(user, org_filter=None):`
			`Org = User.alias()`
			`team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)`
			`with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==`
			`Org.id))`
			`with_user = with_org.switch(Team).join(TeamMember).join(User)`

			`if org_filter:`
			`with_user.where(Org.username == org_filter)`

			`return with_user.where(User.id == user, Org.organization == True)`


			`def get_all_repo_teams(namespace_name, repository_name):`
			`return (RepositoryPermission`
			`.select(Team.name, Role.name, RepositoryPermission)`
			`.join(Team)`
			`.switch(RepositoryPermission)`
			`.join(Role)`
			`.switch(RepositoryPermission)`
			`.join(Repository)`
			`.join(Namespace, on=(Repository.namespace_user == Namespace.id))`
			`.where(Namespace.username == namespace_name, Repository.name == repository_name))`


			`def apply_default_permissions(repo_obj, creating_user_obj):`
			`org = repo_obj.namespace_user`
			`user_clause = ((PermissionPrototype.activating_user == creating_user_obj) \|`
			`(PermissionPrototype.activating_user >> None))`

			`team_protos = (PermissionPrototype`
			`.select()`
			`.where(PermissionPrototype.org == org, user_clause,`
			`PermissionPrototype.delegate_user >> None))`

			`def create_team_permission(team, repo, role):`
			`RepositoryPermission.create(team=team, repository=repo, role=role)`

			`__apply_permission_list(repo_obj, team_protos, 'name', create_team_permission)`

			`user_protos = (PermissionPrototype`
			`.select()`
			`.where(PermissionPrototype.org == org, user_clause,`
			`PermissionPrototype.delegate_team >> None))`

			`def create_user_permission(user, repo, role):`
			`# The creating user always gets admin anyway`
			`if user.username == creating_user_obj.username:`
			`return`

			`RepositoryPermission.create(user=user, repository=repo, role=role)`

			`__apply_permission_list(repo_obj, user_protos, 'username', create_user_permission)`


			`def __apply_permission_list(repo, proto_query, name_property, create_permission_func):`
			`final_protos = {}`
			`for proto in proto_query:`
			`applies_to = proto.delegate_team or proto.delegate_user`
			`name = getattr(applies_to, name_property)`
			`# We will skip the proto if it is pre-empted by a more important proto`
			`if name in final_protos and proto.activating_user is None:`
			`continue`

			`# By this point, it is either a user specific proto, or there is no`
			`# proto yet, so we can safely assume it applies`
			`final_protos[name] = (applies_to, proto.role)`

			`for delegate, role in final_protos.values():`
			`create_permission_func(delegate, repo, role)`


			`def __entity_permission_repo_query(entity_id, entity_table, entity_id_property, namespace_name,`
			`repository_name):`
			`""" This method works for both users and teams. """`

			`return (RepositoryPermission`
			`.select(entity_table, Repository, Namespace, Role, RepositoryPermission)`
			`.join(entity_table)`
			`.switch(RepositoryPermission)`
			`.join(Role)`
			`.switch(RepositoryPermission)`
			`.join(Repository)`
			`.join(Namespace, on=(Repository.namespace_user == Namespace.id))`
			`.where(Repository.name == repository_name, Namespace.username == namespace_name,`
			`entity_id_property == entity_id))`


			`def get_user_reponame_permission(username, namespace_name, repository_name):`
			`fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,`
			`repository_name))`
			`if not fetched:`
			`raise DataModelException('User does not have permission for repo.')`

			`return fetched[0]`


			`def get_team_reponame_permission(team_name, namespace_name, repository_name):`
			`fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,`
			`repository_name))`
			`if not fetched:`
			`raise DataModelException('Team does not have permission for repo.')`

			`return fetched[0]`


			`def delete_user_permission(username, namespace_name, repository_name):`
			`if username == namespace_name:`
			`raise DataModelException('Namespace owner must always be admin.')`

			`fetched = list(__entity_permission_repo_query(username, User, User.username, namespace_name,`
			`repository_name))`
			`if not fetched:`
			`raise DataModelException('User does not have permission for repo.')`

			`fetched[0].delete_instance()`


			`def delete_team_permission(team_name, namespace_name, repository_name):`
			`fetched = list(__entity_permission_repo_query(team_name, Team, Team.name, namespace_name,`
			`repository_name))`
			`if not fetched:`
			`raise DataModelException('Team does not have permission for repo.')`

			`fetched[0].delete_instance()`


			`def __set_entity_repo_permission(entity, permission_entity_property,`
			`namespace_name, repository_name, role_name):`
			`repo = _basequery.get_existing_repository(namespace_name, repository_name)`
			`new_role = Role.get(Role.name == role_name)`

			`# Fetch any existing permission for this entity on the repo`
			`try:`
			`entity_attr = getattr(RepositoryPermission, permission_entity_property)`
			`perm = RepositoryPermission.get(entity_attr == entity, RepositoryPermission.repository == repo)`
			`perm.role = new_role`
			`perm.save()`
			`return perm`
			`except RepositoryPermission.DoesNotExist:`
			`set_entity_kwargs = {permission_entity_property: entity}`
			`new_perm = RepositoryPermission.create(repository=repo, role=new_role, **set_entity_kwargs)`
			`return new_perm`


			`def set_user_repo_permission(username, namespace_name, repository_name, role_name):`
			`if username == namespace_name:`
			`raise DataModelException('Namespace owner must always be admin.')`

			`try:`
			`user = User.get(User.username == username)`
			`except User.DoesNotExist:`
			`raise DataModelException('Invalid username: %s' % username)`

			`if user.robot:`
			`parts = parse_robot_username(user.username)`
			`if not parts:`
			`raise DataModelException('Invalid robot: %s' % username)`

			`robot_namespace, _ = parts`
			`if robot_namespace != namespace_name:`
			`raise DataModelException('Cannot add robot %s under namespace %s' %`
			`(username, namespace_name))`

			`return __set_entity_repo_permission(user, 'user', namespace_name, repository_name, role_name)`


			`def set_team_repo_permission(team_name, namespace_name, repository_name, role_name):`
			`try:`
			`team = (Team`
			`.select()`
			`.join(User)`
			`.where(Team.name == team_name, User.username == namespace_name)`
			`.get())`
			`except Team.DoesNotExist:`
			`raise DataModelException('No team %s in organization %s' % (team_name, namespace_name))`

			`return __set_entity_repo_permission(team, 'team', namespace_name, repository_name, role_name)`