vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Begin the work to allow robots and teams to be managed via API.

Browse source
This commit is contained in:
Jake Moshenko 2014-08-05 20:53:00 -04:00
parent b8979c0499
commit 02e47ed572
4 changed files with 33 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
auth/permissions.py
View file

@ -47,6 +47,7 @@ SCOPE_MAX_TEAM_ROLES = defaultdict(lambda: None)
SCOPE_MAX_TEAM_ROLES.update({ SCOPE_MAX_TEAM_ROLES.update({
scopes.CREATE_REPO: 'creator', scopes.CREATE_REPO: 'creator',
scopes.DIRECT_LOGIN: 'admin', scopes.DIRECT_LOGIN: 'admin',
scopes.ORG_ADMIN: 'admin',
}) })
SCOPE_MAX_USER_ROLES = defaultdict(lambda: None) SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)

30
auth/scopes.py
View file

@ -1,17 +1,19 @@
from collections import namedtuple from collections import namedtuple
Scope = namedtuple('scope', ['scope', 'icon', 'title', 'description']) Scope = namedtuple('scope', ['scope', 'icon', 'dangerous', 'title', 'description'])
READ_REPO = Scope(scope='repo:read', READ_REPO = Scope(scope='repo:read',
icon='fa-hdd-o', icon='fa-hdd-o',
dangerous=False,
title='View all visible repositories', title='View all visible repositories',
description=('This application will be able to view and pull all repositories ' description=('This application will be able to view and pull all repositories '
'visible to the granting user or robot account')) 'visible to the granting user or robot account'))
WRITE_REPO = Scope(scope='repo:write', WRITE_REPO = Scope(scope='repo:write',
icon='fa-hdd-o', icon='fa-hdd-o',
dangerous=False,
title='Read/Write to any accessible repositories', title='Read/Write to any accessible repositories',
description=('This application will be able to view, push and pull to all ' description=('This application will be able to view, push and pull to all '
'repositories to which the granting user or robot account has ' 'repositories to which the granting user or robot account has '
@ -19,34 +21,47 @@ WRITE_REPO = Scope(scope='repo:write',
ADMIN_REPO = Scope(scope='repo:admin', ADMIN_REPO = Scope(scope='repo:admin',
icon='fa-hdd-o', icon='fa-hdd-o',
dangerous=False,
title='Administer Repositories', title='Administer Repositories',
description=('This application will have administrator access to all ' description=('This application will have administrator access to all '
'repositories to which the granting user or robot account has ' 'repositories to which the granting user or robot account has '
'access')) 'access'))
CREATE_REPO = Scope(scope='repo:create', CREATE_REPO = Scope(scope='repo:create',
icon='fa-plus', icon='fa-plus',
title='Create Repositories', dangerous=False,
description=('This application will be able to create repositories in to any ' title='Create Repositories',
'namespaces that the granting user or robot account is allowed to ' description=('This application will be able to create repositories in to any '
'create repositories')) 'namespaces that the granting user or robot account is allowed '
'to create repositories'))
READ_USER = Scope(scope= 'user:read', READ_USER = Scope(scope= 'user:read',
icon='fa-user', icon='fa-user',
dangerous=False,
title='Read User Information', title='Read User Information',
description=('This application will be able to read user information such as ' description=('This application will be able to read user information such as '
'username and email address.')) 'username and email address.'))
ORG_ADMIN = Scope(scope='org:admin',
icon='fa-exclamation-triangle',
dangerous=True,
title='Administer Organization',
description=('This application will be able to administer your organizations '
'including creating robots, creating teams, adjusting team '
'membership, and changing billing settings. You should have '
'absolute trust in the requesting application before granting this '
'permission.'))
DIRECT_LOGIN = Scope(scope='direct_user_login', DIRECT_LOGIN = Scope(scope='direct_user_login',
icon='fa-exclamation-triangle', icon='fa-exclamation-triangle',
dangerous=True,
title='Full Access', title='Full Access',
description=('This scope should not be available to OAuth applications. ' description=('This scope should not be available to OAuth applications. '
'Never approve a request for this scope!')) 'Never approve a request for this scope!'))
ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO, ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
READ_USER)} READ_USER, ORG_ADMIN)}
IMPLIED_SCOPES = { IMPLIED_SCOPES = {
ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO}, ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},
@ -54,6 +69,7 @@ IMPLIED_SCOPES = {
READ_REPO: {READ_REPO}, READ_REPO: {READ_REPO},
CREATE_REPO: {CREATE_REPO}, CREATE_REPO: {CREATE_REPO},
READ_USER: {READ_USER}, READ_USER: {READ_USER},
ORG_ADMIN: {ORG_ADMIN},
None: set(), None: set(),
} }

8
endpoints/api/robot.py
View file

@ -1,7 +1,8 @@
from endpoints.api import (resource, nickname, ApiResource, log_action, related_user_resource, from endpoints.api import (resource, nickname, ApiResource, log_action, related_user_resource,
Unauthorized, require_user_admin, internal_only) Unauthorized, require_user_admin, internal_only, require_scope)
from auth.permissions import AdministerOrganizationPermission, OrganizationMemberPermission from auth.permissions import AdministerOrganizationPermission, OrganizationMemberPermission
from auth.auth_context import get_authenticated_user from auth.auth_context import get_authenticated_user
from auth import scopes
from data import model from data import model
from util.names import format_robot_username from util.names import format_robot_username
@ -52,10 +53,10 @@ class UserRobot(ApiResource):
@resource('/v1/organization/<orgname>/robots') @resource('/v1/organization/<orgname>/robots')
@internal_only
@related_user_resource(UserRobotList) @related_user_resource(UserRobotList)
class OrgRobotList(ApiResource): class OrgRobotList(ApiResource):
""" Resource for listing an organization's robots. """ """ Resource for listing an organization's robots. """
@require_scope(scopes.ORG_ADMIN)
@nickname('getOrgRobots') @nickname('getOrgRobots')
def get(self, orgname): def get(self, orgname):
""" List the organization's robots. """ """ List the organization's robots. """
@ -70,10 +71,10 @@ class OrgRobotList(ApiResource):
@resource('/v1/organization/<orgname>/robots/<robot_shortname>') @resource('/v1/organization/<orgname>/robots/<robot_shortname>')
@internal_only
@related_user_resource(UserRobot) @related_user_resource(UserRobot)
class OrgRobot(ApiResource): class OrgRobot(ApiResource):
""" Resource for managing an organization's robots. """ """ Resource for managing an organization's robots. """
@require_scope(scopes.ORG_ADMIN)
@nickname('createOrgRobot') @nickname('createOrgRobot')
def put(self, orgname, robot_shortname): def put(self, orgname, robot_shortname):
""" Create a new robot in the organization. """ """ Create a new robot in the organization. """
@ -86,6 +87,7 @@ class OrgRobot(ApiResource):
raise Unauthorized() raise Unauthorized()
@require_scope(scopes.ORG_ADMIN)
@nickname('deleteOrgRobot') @nickname('deleteOrgRobot')
def delete(self, orgname, robot_shortname): def delete(self, orgname, robot_shortname):
""" Delete an existing organization robot. """ """ Delete an existing organization robot. """

6
endpoints/api/team.py
View file

@ -1,9 +1,10 @@
from flask import request from flask import request
from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error, from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
log_action, Unauthorized, NotFound, internal_only) log_action, Unauthorized, NotFound, internal_only, require_scope)
from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
from auth.auth_context import get_authenticated_user from auth.auth_context import get_authenticated_user
from auth import scopes
from data import model from data import model
@ -136,9 +137,9 @@ class TeamMemberList(ApiResource):
@resource('/v1/organization/<orgname>/team/<teamname>/members/<membername>') @resource('/v1/organization/<orgname>/team/<teamname>/members/<membername>')
@internal_only
class TeamMember(ApiResource): class TeamMember(ApiResource):
""" Resource for managing individual members of a team. """ """ Resource for managing individual members of a team. """
@require_scope(scopes.ORG_ADMIN)
@nickname('updateOrganizationTeamMember') @nickname('updateOrganizationTeamMember')
def put(self, orgname, teamname, membername): def put(self, orgname, teamname, membername):
""" Add a member to an existing team. """ """ Add a member to an existing team. """
@ -165,6 +166,7 @@ class TeamMember(ApiResource):
raise Unauthorized() raise Unauthorized()
@require_scope(scopes.ORG_ADMIN)
@nickname('deleteOrganizationTeamMember') @nickname('deleteOrganizationTeamMember')
def delete(self, orgname, teamname, membername): def delete(self, orgname, teamname, membername):
""" Delete an existing member of a team. """ """ Delete an existing member of a team. """