rework superuser api

2016-03-25 18:44:11 -04:00 · 2016-03-25 18:44:11 -04:00 · 35ed73e195
commit 35ed73e195
parent 4079dba167
4 changed files with 205 additions and 60 deletions
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@ -4,8 +4,10 @@ import string
 import logging
 import os

+from datetime import datetime
 from random import SystemRandom
-from flask import request, make_response
+
+from flask import request, make_response, jsonify

 import features

@ -469,38 +471,154 @@ class SuperUserOrganizationManagement(ApiResource):

    abort(403)

-@resource('/v1/superuser/services/<service>/keys/<kid>')
-@path_param('service', 'The service using the key')
-@path_param('kid', 'The unique identifier for a service key')
+
+@resource('/v1/superuser/keys')
@show_if(features.SUPER_USERS)
 class SuperUserServiceKeyManagement(ApiResource):
-  """ Resource for managing service keys. """
+  """ Resource for managing service keys."""
  schemas = {
-    'ApproveServiceKey': {
-      'id': 'ApproveServiceKey',
+    'CreateServiceKey': {
+      'id': 'PutServiceKey',
      'type': 'object',
-      'description': 'Description of approved keys for a service',
+      'description': 'Description of creation of a service key',
+      'required': ['service', 'expiration'],
      'properties': {
-        'kid': {
+        'service': {
          'type': 'string',
-          'description': 'The key being approved for service authentication usage.',
+          'description': 'The service authenticating with this key',
+        },
+        'name': {
+          'type': 'string',
+          'description': 'The friendly name of a service key',
+        },
+        'metadata': {
+          'type': 'object',
+          'description': 'The key/value pairs of this key\'s metadata',
+        },
+        'expiration': {
+          'description': 'The expiration date as a unix timestamp',
+          'anyOf': [{'type': 'string'}, {'type': 'null'}],
        },
      },
    },
  }

  @verify_not_prod
-  @nickname('approveServiceKey')
-  @validate_json_request('ApproveServiceKey')
+  @nickname('getServiceKeys')
  @require_scope(scopes.SUPERUSER)
-  def put(self, service, kid):
+  def get():
+    if SuperUserPermission().can():
+      return jsonify(list(model.service_keys.get_service_keys(False)))
+    abort(403)
+
+  @verify_not_prod
+  @nickname('createServiceKey')
+  @require_scope(scopes.SUPERUSER)
+  @validate_json_request('PutServiceKey')
+  def post(self, service):
+    if SuperUserPermission().can():
+      body = request.get_json()
+
+      expiration_date = body['expiration']
+      if expiration_date is not None and expiration_date != '':
+        try:
+          expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+        except ValueError:
+          abort(400)
+
+
+      user = get_authenticate_user()
+      metadata = body.get('metadata', {})
+      metadata.update({
+        'created_by': 'Quay SuperUser Panel',
+        'creator': user.username,
+        'superuser ip': request.remote_addr,
+      })
+
+      key = RSAKey(key=RSA.generate(2048))
+      key.serialize()
+      jwk = json.dumps(key.to_dict(), "enc")
+
+      public_key, private_key = generate_key_pair()
+      jwk = jwk(private_key)
+      kid = kid(private_key)
+
+
+      model.service_keys.create_service_key(body['name'] or '', kid, jwk, metadata, expiration_date)
+      model.service_keys.approve_service_key(kid, user,
+      return jsonify({'public_key': public_key, 'private_key': private_key})
+
+    abort(403)
+
+
+@resource('/v1/superuser/keys/<kid>')
+@path_param('kid', 'The unique identifier for a service key')
+@show_if(features.SUPER_USERS)
+class SuperUserServiceKeyManagement(ApiResource):
+  """ Resource for managing service keys. """
+  schemas = {
+    'PutServiceKey': {
+      'id': 'PutServiceKey',
+      'type': 'object',
+      'description': 'Description of updates for a service key',
+      'required': ['name', 'metadata', 'expiration'],
+      'properties': {
+        'name': {
+          'type': 'string',
+          'description': 'The friendly name of a service key',
+        },
+        'metadata': {
+          'type': 'object',
+          'description': 'The key/value pairs of this key\'s metadata',
+        },
+        'expiration': {
+          'description': 'The expiration date as a unix timestamp',
+          'anyOf': [{'type': 'string'}, {'type': 'null'}],
+        },
+      },
+    },
+  }
+
+  @verify_not_prod
+  @nickname('putServiceKey')
+  @require_scope(scopes.SUPERUSER)
+  @validate_json_request('PutServiceKey')
+  def put(self, kid):
+    if SuperUserPermission().can():
+      body = request.get_json()
+
+      expiration_date = body['expiration']
+      if expiration_date is not None and expiration_date != '':
+        try:
+          expiration_date = datetime.utcfromtimestamp(float(expiration_date))
+        except ValueError:
+          abort(400)
+
+      model.service_keys.update_service_key(body['name'], kid, body['metadata'], expiration_date)
+
+    abort(403)
+
+
+@resource('/v1/superuser/approvedkeys/<kid>')
+@path_param('kid', 'The unique identifier for a service key')
+@show_if(features.SUPER_USERS)
+class SuperUserServiceKeyApproval(ApiResource):
+  """ Resource for approving service keys. """
+
+  @verify_not_prod
+  @nickname('approveServiceKey')
+  @require_scope(scopes.SUPERUSER)
+  @validate_json_request('ApproveServiceKey')
+  def put(self, kid):
    if SuperUserPermission().can():
      approver = get_authenticated_user()
      try:
-        model.service_keys.approve_service_key(service, kid, approver, 'Quay SuperUser API')
+        model.service_keys.approve_service_key(kid, approver, ServiceKeyApprovalType.SUPERUSER)
      except model.ServiceKeyDoesNotExist:
        abort(404)
      except model.ServiceKeyAlreadyApproved:
        pass

      make_response('', 200)
+
+    abort(403)