vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

refactor(endpoints/api/superuser*): refactored code behind db model

Browse source 
this moves all the db model code behind an interface in prep for v2-2

Issue: https://coreosdev.atlassian.net/browse/QUAY-750

- [ ] It works!
- [ ] Comments provide sufficient explanations for the next contributor
- [ ] Tests cover changes and corner cases
- [ ] Follows Quay syntax patterns and format
This commit is contained in:
Charlton Austin 2017-07-31 11:25:56 -04:00
parent 3688b6a8df
commit 6c29ec873a
4 changed files with 751 additions and 177 deletions
Download patch file Download diff file Expand all files Collapse all files

265
endpoints/api/superuser.py
View file

@ -29,7 +29,9 @@ from endpoints.api import (ApiResource, nickname, resource, validate_json_reques
from endpoints.api.build import build_status_view, get_logs_or_log_url
from data import model, database
from data.database import ServiceKeyApprovalType
from endpoints.exception import NotFound
from endpoints.api.superuser_models_pre_oci import pre_oci_model, ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, \
InvalidRepositoryBuildException
from endpoints.exception import NotFound, InvalidResponse
from util.useremails import send_confirmation_email, send_recovery_email
from util.license import decode_license, LicenseDecodeError
from util.security.ssl import load_certificate, CertInvalidException
@ -39,11 +41,7 @@ from _init import ROOT_DIR
logger = logging.getLogger(__name__)
def _validate_logs_arguments(start_time, end_time, performer_name):
performer = None
if performer_name:
performer = model.user.get_user(performer_name)
def _validate_logs_arguments(start_time, end_time):
if start_time:
try:
start_time = datetime.strptime(start_time + ' UTC', '%m/%d/%Y %Z')
@ -63,7 +61,7 @@ def _validate_logs_arguments(start_time, end_time, performer_name):
if not end_time:
end_time = datetime.today()
return start_time, end_time, performer
return start_time, end_time
def get_immediate_subdirectories(directory):
@ -89,7 +87,7 @@ class SuperUserGetLogsForService(ApiResource):
def get(self, service):
""" Returns the logs for the specific service. """
if SuperUserPermission().can():
if not service in get_services():
if service not in get_services():
abort(404)
logs = []
@ -130,37 +128,6 @@ class SuperUserSystemLogServices(ApiResource):
abort(403)
def aggregated_log_view(log, kinds, start_time):
# Because we aggregate based on the day of the month in SQL, we only have that information.
# Therefore, create a synthetic date based on the day and the month of the start time.
# Logs are allowed for a maximum period of one week, so this calculation should always work.
synthetic_date = datetime(start_time.year, start_time.month, int(log.day), tzinfo=get_localzone())
if synthetic_date.day < start_time.day:
synthetic_date = synthetic_date + relativedelta(months=1)
view = {
'kind': kinds[log.kind_id],
'count': log.count,
'datetime': format_date(synthetic_date),
}
return view
def get_aggregate_logs(start_time, end_time, performer_name=None, repository=None, namespace=None,
ignore=None):
(start_time, end_time, performer) = _validate_logs_arguments(start_time, end_time, performer_name)
kinds = model.log.get_log_entry_kinds()
aggregated_logs = model.log.get_aggregated_logs(start_time, end_time, performer=performer,
repository=repository, namespace=namespace,
ignore=ignore)
return {
'aggregated': [aggregated_log_view(log, kinds, start_time) for log in aggregated_logs]
}
@resource('/v1/superuser/aggregatelogs')
@internal_only
class SuperUserAggregateLogs(ApiResource):
@ -175,10 +142,12 @@ class SuperUserAggregateLogs(ApiResource):
def get(self, parsed_args):
""" Returns the aggregated logs for the current system. """
if SuperUserPermission().can():
start_time = parsed_args['starttime']
end_time = parsed_args['endtime']
(start_time, end_time) = _validate_logs_arguments(parsed_args['starttime'], parsed_args['endtime'])
aggregated_logs = pre_oci_model.get_aggregated_logs(start_time, end_time)
return get_aggregate_logs(start_time, end_time)
return {
'aggregated': [log.to_dict() for log in aggregated_logs]
}
abort(403)
@ -186,59 +155,6 @@ class SuperUserAggregateLogs(ApiResource):
LOGS_PER_PAGE = 20
def log_view(log, kinds, include_namespace):
view = {
'kind': kinds[log.kind_id],
'metadata': json.loads(log.metadata_json),
'ip': log.ip,
'datetime': format_date(log.datetime),
}
if log.performer and log.performer.username:
view['performer'] = {
'kind': 'user',
'name': log.performer.username,
'is_robot': log.performer.robot,
'avatar': avatar.get_data_for_user(log.performer),
}
if include_namespace:
if log.account and log.account.username:
if log.account.organization:
view['namespace'] = {
'kind': 'org',
'name': log.account.username,
'avatar': avatar.get_data_for_org(log.account),
}
else:
view['namespace'] = {
'kind': 'user',
'name': log.account.username,
'avatar': avatar.get_data_for_user(log.account),
}
return view
def get_logs(start_time, end_time, performer_name=None, repository=None, namespace=None,
page_token=None, ignore=None):
(start_time, end_time, performer) = _validate_logs_arguments(start_time, end_time, performer_name)
kinds = model.log.get_log_entry_kinds()
logs_query = model.log.get_logs_query(start_time, end_time, performer=performer,
repository=repository, namespace=namespace,
ignore=ignore)
logs, next_page_token = model.modelutil.paginate(logs_query, database.LogEntry, descending=True,
page_token=page_token, limit=LOGS_PER_PAGE)
include_namespace = namespace is None and repository is None
return {
'start_time': format_date(start_time),
'end_time': format_date(end_time),
'logs': [log_view(log, kinds, include_namespace) for log in logs],
}, next_page_token
@resource('/v1/superuser/logs')
@internal_only
@show_if(features.SUPER_USERS)
@ -259,8 +175,14 @@ class SuperUserLogs(ApiResource):
if SuperUserPermission().can():
start_time = parsed_args['starttime']
end_time = parsed_args['endtime']
(start_time, end_time) = _validate_logs_arguments(start_time, end_time)
log_page = pre_oci_model.get_logs_query(start_time, end_time, page_token=page_token)
return get_logs(start_time, end_time, page_token=page_token)
return {
'start_time': format_date(start_time),
'end_time': format_date(end_time),
'logs': [log.to_dict() for log in log_page.logs],
}, log_page.next_page_token
abort(403)
@ -325,9 +247,8 @@ class SuperUserOrganizationList(ApiResource):
def get(self):
""" Returns a list of all organizations in the system. """
if SuperUserPermission().can():
orgs = model.organization.get_organizations()
return {
'organizations': [org_view(org) for org in orgs]
'organizations': [org.to_dict() for org in pre_oci_model.get_organizations()]
}
abort(403)
@ -364,9 +285,9 @@ class SuperUserList(ApiResource):
def get(self):
""" Returns a list of all users in the system. """
if SuperUserPermission().can():
users = model.user.get_active_users()
users = pre_oci_model.get_active_users()
return {
'users': [user_view(user) for user in users]
'users': [user.to_dict() for user in users]
}
abort(403)
@ -391,14 +312,9 @@ class SuperUserList(ApiResource):
# Create the user.
username = user_information['username']
email = user_information.get('email')
prompts = model.user.get_default_user_prompts(features)
user = model.user.create_user(username, password, email, auto_verify=not features.MAILING,
email_required=features.MAILING, prompts=prompts)
# If mailing is turned on, send the user a verification email.
install_user, confirmation_code = pre_oci_model.create_install_user(username, password, email)
if features.MAILING:
confirmation = model.user.create_confirm_email_code(user)
send_confirmation_email(user.username, user.email, confirmation.code)
send_confirmation_email(install_user.username, install_user.email, confirmation_code)
return {
'username': username,
@ -427,15 +343,15 @@ class SuperUserSendRecoveryEmail(ApiResource):
abort(400)
if SuperUserPermission().can():
user = model.user.get_nonrobot_user(username)
if not user:
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
abort(404)
if superusers.is_superuser(username):
abort(403)
code = model.user.create_reset_password_email_code(user.email)
send_recovery_email(user.email, code.code)
code = pre_oci_model.create_reset_password_email_code(user.email)
send_recovery_email(user.email, code)
return {
'email': user.email
}
@ -478,11 +394,11 @@ class SuperUserManagement(ApiResource):
def get(self, username):
""" Returns information about the specified user. """
if SuperUserPermission().can():
user = model.user.get_nonrobot_user(username)
if not user:
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
abort(404)
return user_view(user)
return user.to_dict()
abort(403)
@ -493,14 +409,14 @@ class SuperUserManagement(ApiResource):
def delete(self, username):
""" Deletes the specified user. """
if SuperUserPermission().can():
user = model.user.get_nonrobot_user(username)
if not user:
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
abort(404)
if superusers.is_superuser(username):
abort(403)
model.user.delete_user(user, all_queues, force=True)
pre_oci_model.delete_user(username)
return '', 204
abort(403)
@ -513,8 +429,8 @@ class SuperUserManagement(ApiResource):
def put(self, username):
""" Updates information about the specified user. """
if SuperUserPermission().can():
user = model.user.get_nonrobot_user(username)
if not user:
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
abort(404)
if superusers.is_superuser(username):
@ -526,19 +442,18 @@ class SuperUserManagement(ApiResource):
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
model.user.change_password(user, user_data['password'])
pre_oci_model.change_password(username, user_data['password'])
if 'email' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
abort(400)
model.user.update_email(user, user_data['email'], auto_verify=True)
pre_oci_model.update_email(username, user_data['email'], auto_verify=True)
if 'enabled' in user_data:
# Disable/enable the user.
user.enabled = bool(user_data['enabled'])
user.save()
pre_oci_model.update_enabled(username, bool(user_data['enabled']))
if 'superuser' in user_data:
config_object = config_provider.get_config()
@ -552,7 +467,11 @@ class SuperUserManagement(ApiResource):
config_object['SUPER_USERS'] = list(superusers_set)
config_provider.save_config(config_object)
return user_view(user, password=user_data.get('password'))
return_value = user.to_dict()
if user_data.get('password') is not None:
return_value['encrypted_password'] = authentication.encrypt_user_password(user_data.get('password'))
return return_value
abort(403)
@ -575,23 +494,14 @@ class SuperUserTakeOwnership(ApiResource):
if superusers.is_superuser(namespace):
abort(400)
entity = model.user.get_user_or_org(namespace)
if entity is None:
abort(404)
authed_user = get_authenticated_user()
was_user = not entity.organization
if entity.organization:
# Add the superuser as an admin to the owners team of the org.
model.organization.add_user_as_admin(authed_user, entity)
else:
# If the entity is a user, convert it to an organization and add the current superuser
# as the admin.
model.organization.convert_user_to_organization(entity, get_authenticated_user())
entity_id, was_user = pre_oci_model.take_ownership(namespace, authed_user)
if entity_id is None:
abort(404)
# Log the change.
log_metadata = {
'entity_id': entity.id,
'entity_id': entity_id,
'namespace': namespace,
'was_user': was_user,
'superuser': authed_user.username,
@ -633,9 +543,7 @@ class SuperUserOrganizationManagement(ApiResource):
def delete(self, name):
""" Deletes the specified organization. """
if SuperUserPermission().can():
org = model.organization.get_organization(name)
model.user.delete_user(org, all_queues)
pre_oci_model.delete_organization(name)
return '', 204
abort(403)
@ -648,13 +556,10 @@ class SuperUserOrganizationManagement(ApiResource):
def put(self, name):
""" Updates information about the specified user. """
if SuperUserPermission().can():
org = model.organization.get_organization(name)
org_data = request.get_json()
if 'name' in org_data:
org = model.user.change_username(org.id, org_data['name'])
return org_view(org)
old_name = org_data['name'] if 'name' in org_data else None
org = pre_oci_model.change_organization_name(name, old_name)
return org.to_dict()
abort(403)
@ -722,10 +627,10 @@ class SuperUserServiceKeyManagement(ApiResource):
@require_scope(scopes.SUPERUSER)
def get(self):
if SuperUserPermission().can():
keys = model.service_keys.list_all_keys()
keys = pre_oci_model.list_all_service_keys()
return jsonify({
'keys': [key_view(key) for key in keys],
'keys': [key.to_dict() for key in keys],
})
abort(403)
@ -760,16 +665,16 @@ class SuperUserServiceKeyManagement(ApiResource):
})
# Generate a key with a private key that we *never save*.
(private_key, key) = model.service_keys.generate_service_key(body['service'], expiration_date,
metadata=metadata,
name=body.get('name', ''))
(private_key, key_id) = pre_oci_model.generate_service_key(body['service'], expiration_date,
metadata=metadata,
name=body.get('name', ''))
# Auto-approve the service key.
model.service_keys.approve_service_key(key.kid, user, ServiceKeyApprovalType.SUPERUSER,
notes=body.get('notes', ''))
pre_oci_model.approve_service_key(key_id, user, ServiceKeyApprovalType.SUPERUSER,
notes=body.get('notes', ''))
# Log the creation and auto-approval of the service key.
key_log_metadata = {
'kid': key.kid,
'kid': key_id,
'preshared': True,
'service': body['service'],
'name': body.get('name', ''),
@ -781,7 +686,7 @@ class SuperUserServiceKeyManagement(ApiResource):
log_action('service_key_approve', None, key_log_metadata)
return jsonify({
'kid': key.kid,
'kid': key_id,
'name': body.get('name', ''),
'service': body['service'],
'public_key': private_key.publickey().exportKey('PEM'),
@ -824,9 +729,9 @@ class SuperUserServiceKey(ApiResource):
def get(self, kid):
if SuperUserPermission().can():
try:
key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
return jsonify(key_view(key))
except model.service_keys.ServiceKeyDoesNotExist:
key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
return jsonify(key.to_dict())
except ServiceKeyDoesNotExist:
abort(404)
abort(403)
@ -840,8 +745,8 @@ class SuperUserServiceKey(ApiResource):
if SuperUserPermission().can():
body = request.get_json()
try:
key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
except model.service_keys.ServiceKeyDoesNotExist:
key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
except ServiceKeyDoesNotExist:
abort(404)
key_log_metadata = {
@ -868,14 +773,14 @@ class SuperUserServiceKey(ApiResource):
})
log_action('service_key_extend', None, key_log_metadata)
model.service_keys.set_key_expiration(kid, expiration_date)
pre_oci_model.set_key_expiration(kid, expiration_date)
if 'name' in body or 'metadata' in body:
model.service_keys.update_service_key(kid, body.get('name'), body.get('metadata'))
pre_oci_model.update_service_key(kid, body.get('name'), body.get('metadata'))
log_action('service_key_modify', None, key_log_metadata)
updated_key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
return jsonify(key_view(updated_key))
updated_key = pre_oci_model.get_service_key(kid, approved_only=False, alive_only=False)
return jsonify(updated_key.to_dict())
abort(403)
@ -886,8 +791,8 @@ class SuperUserServiceKey(ApiResource):
def delete(self, kid):
if SuperUserPermission().can():
try:
key = model.service_keys.delete_service_key(kid)
except model.service_keys.ServiceKeyDoesNotExist:
key = pre_oci_model.delete_service_key(kid)
except ServiceKeyDoesNotExist:
abort(404)
key_log_metadata = {
@ -934,8 +839,8 @@ class SuperUserServiceKeyApproval(ApiResource):
notes = request.get_json().get('notes', '')
approver = get_authenticated_user()
try:
key = model.service_keys.approve_service_key(kid, approver, ServiceKeyApprovalType.SUPERUSER,
notes=notes)
key = pre_oci_model.approve_service_key(kid, approver, ServiceKeyApprovalType.SUPERUSER,
notes=notes)
# Log the approval of the service key.
key_log_metadata = {
@ -946,9 +851,9 @@ class SuperUserServiceKeyApproval(ApiResource):
}
log_action('service_key_approve', None, key_log_metadata)
except model.ServiceKeyDoesNotExist:
except ServiceKeyDoesNotExist:
abort(404)
except model.ServiceKeyAlreadyApproved:
except ServiceKeyAlreadyApproved:
pass
return make_response('', 201)
@ -1153,8 +1058,11 @@ class SuperUserRepositoryBuildLogs(ApiResource):
""" Return the build logs for the build specified by the build uuid. """
if not SuperUserPermission().can():
abort(403)
return get_logs_or_log_url(model.build.get_repository_build(build_uuid))
try:
repo_build = pre_oci_model.get_repository_build(build_uuid)
return get_logs_or_log_url(repo_build)
except InvalidRepositoryBuildException as e:
raise InvalidResponse(e.message)
@resource('/v1/superuser/<build_uuid>/status')
@ -1172,8 +1080,11 @@ class SuperUserRepositoryBuildStatus(ApiResource):
""" Return the status for the builds specified by the build uuids. """
if not SuperUserPermission().can():
abort(403)
build = model.build.get_repository_build(build_uuid)
return build_status_view(build)
try:
build = pre_oci_model.get_repository_build(build_uuid)
except InvalidRepositoryBuildException as e:
raise InvalidResponse(e.message)
return build.to_dict()
@resource('/v1/superuser/<build_uuid>/build')
@ -1193,8 +1104,8 @@ class SuperUserRepositoryBuildResource(ApiResource):
abort(403)
try:
build = model.build.get_repository_build(build_uuid)
except model.build.InvalidRepositoryBuildException:
build = pre_oci_model.get_repository_build(build_uuid)
except InvalidRepositoryBuildException:
raise NotFound()
return build_status_view(build)
return build.to_dict()