quay/auth/scopes.py

from collections import namedtuple


Scope = namedtuple('scope', ['scope', 'icon', 'title', 'description'])


READ_REPO = Scope(scope='repo:read',
                  icon='fa-hdd-o',
                  title='View all visible repositories',
                  description=('This application will be able to view and pull all repositories '
                               'visible to the granting user or robot account'))

WRITE_REPO = Scope(scope='repo:write',
                   icon='fa-hdd-o',
                   title='Read/Write to any accessible repositories',
                   description=('This application will be able to view, push and pull to all '
                                'repositories to which the granting user or robot account has '
                                'write access'))

ADMIN_REPO = Scope(scope='repo:admin',
                   icon='fa-hdd-o',
                   title='Administer Repositories',
                   description=('This application will have administrator access to all '
                                'repositories to which the granting user or robot account has '
                                'access'))

CREATE_REPO = Scope(scope='repo:create',
                   icon='fa-plus',
                   title='Create Repositories',
                   description=('This application will be able to create repositories in to any '
                                'namespaces that the granting user or robot account is allowed to '
                                'create repositories'))

READ_USER = Scope(scope= 'user:read',
                  icon='fa-user',
                  title='Read User Information',
                  description=('This application will be able to read user information such as '
                               'username and email address.'))


DIRECT_LOGIN = Scope(scope='direct_user_login',
                     icon='fa-exclamation-triangle',
                     title='Full Access',
                     description=('This scope should not be available to OAuth applications. '
                                  'Never approve a request for this scope!'))


ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
                                              READ_USER)}

IMPLIED_SCOPES = {
  ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},
  WRITE_REPO: {WRITE_REPO, READ_REPO},
  READ_REPO: {READ_REPO},
  CREATE_REPO: {CREATE_REPO},
  READ_USER: {READ_USER},
  None: set(),
}


def scopes_from_scope_string(scopes):
  return {ALL_SCOPES.get(scope, None) for scope in scopes.split(',')}


def validate_scope_string(scopes):
  decoded = scopes_from_scope_string(scopes)
  return None not in decoded and len(decoded) > 0


def is_subset_string(full_string, expected_string):
  """ Returns true if the scopes found in expected_string are also found
      in full_string.
  """
  full_scopes = scopes_from_scope_string(full_string)
  full_implied_scopes = set.union(*[IMPLIED_SCOPES[scope] for scope in full_scopes])
  expected_scopes = scopes_from_scope_string(expected_string)
  return expected_scopes.issubset(full_implied_scopes)


def get_scope_information(scopes_string):
  scopes = scopes_from_scope_string(scopes_string)
  scope_info = []
  for scope in scopes:
    if scope:
      scope_info.append({
        'title': scope.title,
        'scope': scope.scope,
        'description': scope.description,
        'icon': scope.icon,
      })

  return scope_info
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`from collections import namedtuple`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00

User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`Scope = namedtuple('scope', ['scope', 'icon', 'title', 'description'])`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00

User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`READ_REPO = Scope(scope='repo:read',`
			`icon='fa-hdd-o',`
			`title='View all visible repositories',`
			`description=('This application will be able to view and pull all repositories '`
			`'visible to the granting user or robot account'))`

			`WRITE_REPO = Scope(scope='repo:write',`
			`icon='fa-hdd-o',`
			`title='Read/Write to any accessible repositories',`
			`description=('This application will be able to view, push and pull to all '`
			`'repositories to which the granting user or robot account has '`
			`'write access'))`

			`ADMIN_REPO = Scope(scope='repo:admin',`
			`icon='fa-hdd-o',`
			`title='Administer Repositories',`
			`description=('This application will have administrator access to all '`
			`'repositories to which the granting user or robot account has '`
			`'access'))`

			`CREATE_REPO = Scope(scope='repo:create',`
			`icon='fa-plus',`
			`title='Create Repositories',`
			`description=('This application will be able to create repositories in to any '`
			`'namespaces that the granting user or robot account is allowed to '`
			`'create repositories'))`
Add a user info scope and thread it through the code. Protect the org modification API. 2014-03-18 23:21:27 +00:00
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`READ_USER = Scope(scope= 'user:read',`
			`icon='fa-user',`
			`title='Read User Information',`
			`description=('This application will be able to read user information such as '`
			`'username and email address.'))`


			`DIRECT_LOGIN = Scope(scope='direct_user_login',`
			`icon='fa-exclamation-triangle',`
			`title='Full Access',`
			`description=('This scope should not be available to OAuth applications. '`
			`'Never approve a request for this scope!'))`


			`ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,`
			`READ_USER)}`

			`IMPLIED_SCOPES = {`
			`ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},`
			`WRITE_REPO: {WRITE_REPO, READ_REPO},`
			`READ_REPO: {READ_REPO},`
			`CREATE_REPO: {CREATE_REPO},`
			`READ_USER: {READ_USER},`
			`None: set(),`
			`}`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00

			`def scopes_from_scope_string(scopes):`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`return {ALL_SCOPES.get(scope, None) for scope in scopes.split(',')}`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00

			`def validate_scope_string(scopes):`
			`decoded = scopes_from_scope_string(scopes)`
			`return None not in decoded and len(decoded) > 0`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00

			`def is_subset_string(full_string, expected_string):`
			`""" Returns true if the scopes found in expected_string are also found`
			`in full_string.`
			`"""`
			`full_scopes = scopes_from_scope_string(full_string)`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`full_implied_scopes = set.union(*[IMPLIED_SCOPES[scope] for scope in full_scopes])`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00			`expected_scopes = scopes_from_scope_string(expected_string)`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`return expected_scopes.issubset(full_implied_scopes)`

Add an oauth authorization page 2014-03-14 22:57:28 +00:00
			`def get_scope_information(scopes_string):`
			`scopes = scopes_from_scope_string(scopes_string)`
			`scope_info = []`
			`for scope in scopes:`
Add checks for invalid scopes in the auth approval process 2014-03-18 21:05:27 +00:00			`if scope:`
			`scope_info.append({`
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens. 2014-03-19 22:09:09 +00:00			`'title': scope.title,`
			`'scope': scope.scope,`
			`'description': scope.description,`
			`'icon': scope.icon,`
			`})`
Add an oauth authorization page 2014-03-14 22:57:28 +00:00
			`return scope_info`