Accidental refactor, split out legacy.py into separate sumodules and update all call sites.

auth/auth.py

@@ -12,11 +12,10 @@ from base64 import b64decode
 import scopes
 
 from data import model
-from data.model import oauth
 from app import app, authentication
 from permissions import QuayDeferredPermissionUser
 from auth_context import (set_authenticated_user, set_validated_token, set_grant_user_context,
-                          set_authenticated_user_deferred, set_validated_oauth_token)
+                          set_validated_oauth_token)
 from util.http import abort
 
 
@@ -48,7 +47,7 @@ def _load_user_from_cookie():
 
 
 def _validate_and_apply_oauth_token(token):
-  validated = oauth.validate_access_token(token)
+  validated = model.oauth.validate_access_token(token)
   if not validated:
     logger.warning('OAuth access token could not be validated: %s', token)
     authenticate_header = {
@@ -96,40 +95,40 @@ def _process_basic_auth(auth):
   elif credentials[0] == '$token':
     # Use as token auth
     try:
-      token = model.load_token_data(credentials[1])
-      logger.debug('Successfully validated token: %s' % credentials[1])
+      token = model.token.load_token_data(credentials[1])
+      logger.debug('Successfully validated token: %s', credentials[1])
       set_validated_token(token)
 
       identity_changed.send(app, identity=Identity(token.code, 'token'))
       return
 
     except model.DataModelException:
-      logger.debug('Invalid token: %s' % credentials[1])
+      logger.debug('Invalid token: %s', credentials[1])
 
   elif credentials[0] == '$oauthtoken':
     oauth_token = credentials[1]
     _validate_and_apply_oauth_token(oauth_token)
 
   elif '+' in credentials[0]:
-    logger.debug('Trying robot auth with credentials %s' % str(credentials))
+    logger.debug('Trying robot auth with credentials %s', str(credentials))
     # Use as robot auth
     try:
-      robot = model.verify_robot(credentials[0], credentials[1])
-      logger.debug('Successfully validated robot: %s' % credentials[0])
+      robot = model.user.verify_robot(credentials[0], credentials[1])
+      logger.debug('Successfully validated robot: %s', credentials[0])
       set_authenticated_user(robot)
 
       deferred_robot = QuayDeferredPermissionUser.for_user(robot)
       identity_changed.send(app, identity=deferred_robot)
       return
     except model.InvalidRobotException:
-      logger.debug('Invalid robot or password for robot: %s' % credentials[0])
+      logger.debug('Invalid robot or password for robot: %s', credentials[0])
 
   else:
     (authenticated, error_message) = authentication.verify_user(credentials[0], credentials[1],
                                                                 basic_auth=True)
 
     if authenticated:
-      logger.debug('Successfully validated user: %s' % authenticated.username)
+      logger.debug('Successfully validated user: %s', authenticated.username)
       set_authenticated_user(authenticated)
 
       new_identity = QuayDeferredPermissionUser.for_user(authenticated)
@@ -203,7 +202,7 @@ def process_auth(func):
     auth = request.headers.get('authorization', '')
 
     if auth:
-      logger.debug('Validating auth header: %s' % auth)
+      logger.debug('Validating auth header: %s', auth)
       _process_signed_grant(auth)
       _process_basic_auth(auth)
     else:
@@ -227,7 +226,7 @@ def extract_namespace_repo_from_session(func):
   @wraps(func)
   def wrapper(*args, **kwargs):
     if 'namespace' not in session or 'repository' not in session:
-      logger.error('Unable to load namespace or repository from session: %s' % session)
+      logger.error('Unable to load namespace or repository from session: %s', session)
       abort(400, message='Missing namespace in request')
 
     return func(session['namespace'], session['repository'], *args, **kwargs)

auth/auth_context.py

@@ -16,7 +16,7 @@ def get_authenticated_user():
       return None
 
     logger.debug('Loading deferred authenticated user.')
-    loaded = model.get_user_by_uuid(user_uuid)
+    loaded = model.user.get_user_by_uuid(user_uuid)
     if not loaded.enabled:
       return None
 

auth/permissions.py

@@ -105,7 +105,7 @@ class QuayDeferredPermissionUser(Identity):
   def can(self, permission):
     if not self._permissions_loaded:
       logger.debug('Loading user permissions after deferring for: %s', self.id)
-      user_object = self._user_object or model.get_user_by_uuid(self.id)
+      user_object = self._user_object or model.user.get_user_by_uuid(self.id)
       if user_object is None:
         return super(QuayDeferredPermissionUser, self).can(permission)
 
@@ -130,14 +130,14 @@ class QuayDeferredPermissionUser(Identity):
       self.provides.add(user_repos)
 
       # Add repository permissions
-      for perm in model.get_all_user_permissions(user_object):
+      for perm in model.permission.get_all_user_permissions(user_object):
         repo_grant = _RepositoryNeed(perm.repository.namespace_user.username, perm.repository.name,
                                      self._repo_role_for_scopes(perm.role.name))
         logger.debug('User added permission: {0}'.format(repo_grant))
         self.provides.add(repo_grant)
 
       # Add namespace permissions derived
-      for team in model.get_org_wide_permissions(user_object):
+      for team in model.permission.get_org_wide_permissions(user_object):
         team_org_grant = _OrganizationNeed(team.organization.username,
                                            self._team_role_for_scopes(team.role.name))
         logger.debug('Organization team added permission: {0}'.format(team_org_grant))
@@ -261,7 +261,7 @@ def on_identity_loaded(sender, identity):
 
   elif identity.auth_type == 'token':
     logger.debug('Loading permissions for token: %s', identity.id)
-    token_data = model.load_token_data(identity.id)
+    token_data = model.token.load_token_data(identity.id)
 
     repo_grant = _RepositoryNeed(token_data.repository.namespace_user.username,
                                  token_data.repository.name,