Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password

endpoints/api/appspecifictokens.py

@@ -0,0 +1,112 @@
+""" Manages app specific tokens for the current user. """
+
+import logging
+
+from flask import request
+
+import features
+
+from auth.auth_context import get_authenticated_user
+from data import model
+from endpoints.api import (ApiResource, nickname, resource, validate_json_request,
+                           log_action, require_user_admin, require_fresh_login,
+                           path_param, NotFound, format_date, show_if)
+
+logger = logging.getLogger(__name__)
+
+def token_view(token, include_code=False):
+  data = {
+    'uuid': token.uuid,
+    'title': token.title,
+    'last_accessed': format_date(token.last_accessed),
+    'created': format_date(token.created),
+    'expiration': format_date(token.expiration),
+  }
+
+  if include_code:
+    data.update({
+      'token_code': token.token_code,
+    })
+
+  return data
+
+@resource('/v1/user/apptoken')
+@show_if(features.APP_SPECIFIC_TOKENS)
+class AppTokens(ApiResource):
+  """ Lists all app specific tokens for a user """
+  schemas = {
+    'NewToken': {
+      'type': 'object',
+      'required': [
+        'title',
+      ],
+      'properties': {
+        'title': {
+          'type': 'string',
+          'description': 'The user-defined title for the token',
+        },
+      }
+    },
+  }
+
+  @require_user_admin
+  @nickname('listAppTokens')
+  def get(self):
+    """ Lists the app specific tokens for the user. """
+    tokens = model.appspecifictoken.list_tokens(get_authenticated_user())
+    return {
+      'tokens': [token_view(token, include_code=False) for token in tokens],
+    }
+
+  @require_user_admin
+  @require_fresh_login
+  @nickname('createAppToken')
+  @validate_json_request('NewToken')
+  def post(self):
+    """ Create a new app specific token for user. """
+    title = request.get_json()['title']
+    token = model.appspecifictoken.create_token(get_authenticated_user(), title)
+
+    log_action('create_app_specific_token', get_authenticated_user().username,
+               {'app_specific_token_title': token.title,
+                'app_specific_token': token.uuid})
+
+    return {
+      'token': token_view(token, include_code=True),
+    }
+
+
+@resource('/v1/user/apptoken/<token_uuid>')
+@show_if(features.APP_SPECIFIC_TOKENS)
+@path_param('token_uuid', 'The uuid of the app specific token')
+class AppToken(ApiResource):
+  """ Provides operations on an app specific token """
+  @require_user_admin
+  @require_fresh_login
+  @nickname('getAppToken')
+  def get(self, token_uuid):
+    """ Returns a specific app token for the user. """
+    token = model.appspecifictoken.get_token_by_uuid(token_uuid, owner=get_authenticated_user())
+    if token is None:
+      raise NotFound()
+
+    return {
+      'token': token_view(token, include_code=True),
+    }
+
+  @require_user_admin
+  @require_fresh_login
+  @nickname('revokeAppToken')
+  def delete(self, token_uuid):
+    """ Revokes a specific app token for the user. """
+    token = model.appspecifictoken.get_token_by_uuid(token_uuid, owner=get_authenticated_user())
+    if token is None:
+      raise NotFound()
+
+    model.appspecifictoken.revoke_token(token)
+
+    log_action('revoke_app_specific_token', get_authenticated_user().username,
+               {'app_specific_token_title': token.title,
+                'app_specific_token': token.uuid})
+
+    return '', 204