Switch our temporary token lookups for signed grants which will not require DB access.

auth/permissions.py

@@ -57,6 +57,14 @@ SCOPE_MAX_USER_ROLES.update({
 })
 
 
+def repository_read_grant(namespace, repository):
+  return _RepositoryNeed(namespace, repository, 'read')
+
+
+def repository_write_grant(namespace, repository):
+  return _RepositoryNeed(namespace, repository, 'write')
+
+
 class QuayDeferredPermissionUser(Identity):
   def __init__(self, uuid, auth_type, scopes):
     super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
@@ -226,6 +234,10 @@ class ViewTeamPermission(Permission):
                                              team_member, admin_org)
 
 
+class AlwaysFailPermission(Permission):
+  pass
+
+
 @identity_loaded.connect_via(app)
 def on_identity_loaded(sender, identity):
   logger.debug('Identity loaded: %s' % identity)
@@ -249,5 +261,8 @@ def on_identity_loaded(sender, identity):
     logger.debug('Delegate token added permission: {0}'.format(repo_grant))
     identity.provides.add(repo_grant)
 
+  elif identity.auth_type == 'signed_grant':
+    logger.debug('Loaded signed grants identity')
+
   else:
     logger.error('Unknown identity auth type: %s', identity.auth_type)