Merge branch 'bees' into koh

data/model/oauth.py

@@ -9,6 +9,7 @@ from data.database import (OAuthApplication, OAuthAuthorizationCode, OAuthAccess
                            random_string_generator)
 from data.model.legacy import get_user
 from auth import scopes
+from flask import render_template
 
 
 logger = logging.getLogger(__name__)
@@ -154,6 +155,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
 
 
   def get_token_response(self, response_type, client_id, redirect_uri, **params):
+
     # Ensure proper response_type
     if response_type != 'token':
       err = 'unsupported_response_type'
@@ -161,7 +163,7 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
 
     # Check redirect URI
     is_valid_redirect_uri = self.validate_redirect_uri(client_id, redirect_uri)
-    if not is_valid_redirect_uri:
+    if redirect_uri != 'display' and not is_valid_redirect_uri:
       return self._invalid_redirect_uri_response()
 
     # Check conditions
@@ -196,6 +198,10 @@ class DatabaseAuthorizationProvider(AuthorizationProvider):
     url = utils.build_url(redirect_uri, params)
     url += '#access_token=%s&token_type=%s&expires_in=%s' % (access_token, token_type, expires_in)
 
+    if redirect_uri == 'display':
+      return self._make_response(
+        render_template("message.html", message="Access Token: " + access_token))
+
     return self._make_response(headers={'Location': url}, status_code=302)
 
 

endpoints/api/__init__.py

@@ -2,6 +2,7 @@ import logging
 import json
 import datetime
 
+from app import app
 from flask import Blueprint, request, make_response, jsonify, session
 from flask.ext.restful import Resource, abort, Api, reqparse
 from flask.ext.restful.utils.cors import crossdomain
@@ -170,6 +171,9 @@ internal_only = add_method_metadata('internal', True)
 
 def path_param(name, description):
   def add_param(func):
+    if not func:
+      return func
+      
     if '__api_path_params' not in dir(func):
       func.__api_path_params = {}
     func.__api_path_params[name] = {
@@ -346,6 +350,25 @@ def log_action(kind, user_or_orgname, metadata=None, repo=None):
                    metadata=metadata, repository=repo)
 
 
+def define_json_response(schema_name):
+  def wrapper(func):
+    @add_method_metadata('response_schema', schema_name)
+    @wraps(func)
+    def wrapped(self, *args, **kwargs):
+      schema = self.schemas[schema_name]
+      resp = func(self, *args, **kwargs)
+
+      if app.config['TESTING']:
+        try:
+          validate(resp, schema)
+        except ValidationError as ex:
+          raise InvalidResponse(ex.message)
+
+      return resp
+    return wrapped
+  return wrapper
+
+
 import endpoints.api.billing
 import endpoints.api.build
 import endpoints.api.discovery

endpoints/api/billing.py

@@ -4,10 +4,11 @@ from flask import request
 from app import billing
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, log_action,
                            related_user_resource, internal_only, Unauthorized, NotFound,
-                           require_user_admin, show_if, hide_if, abort)
+                           require_user_admin, show_if, hide_if, path_param, require_scope, abort)
 from endpoints.api.subscribe import subscribe, subscription_view
 from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from data import model
 from data.billing import PLANS
 
@@ -149,6 +150,7 @@ class UserCard(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/card')
+@path_param('orgname', 'The name of the organization')
 @internal_only
 @related_user_resource(UserCard)
 @show_if(features.BILLING)
@@ -171,6 +173,7 @@ class OrganizationCard(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrgCard')
   def get(self, orgname):
     """ Get the organization's credit card. """
@@ -259,6 +262,7 @@ class UserPlan(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/plan')
+@path_param('orgname', 'The name of the organization')
 @internal_only
 @related_user_resource(UserPlan)
 @show_if(features.BILLING)
@@ -285,6 +289,7 @@ class OrganizationPlan(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrgSubscription')
   @validate_json_request('OrgSubscription')
   def put(self, orgname):
@@ -299,6 +304,7 @@ class OrganizationPlan(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrgSubscription')
   def get(self, orgname):
     """ Fetch any existing subscription for the org. """
@@ -343,11 +349,12 @@ class UserInvoiceList(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/invoices')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 @related_user_resource(UserInvoiceList)
 @show_if(features.BILLING)
 class OrgnaizationInvoiceList(ApiResource):
   """ Resource for listing an orgnaization's invoices. """
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('listOrgInvoices')
   def get(self, orgname):
     """ List the invoices for the specified orgnaization. """

endpoints/api/build.py

@@ -6,7 +6,8 @@ from flask import request, redirect
 from app import app, userfiles as user_files, build_logs, log_archive
 from endpoints.api import (RepositoryParamResource, parse_args, query_param, nickname, resource,
                            require_repo_read, require_repo_write, validate_json_request,
-                           ApiResource, internal_only, format_date, api, Unauthorized, NotFound)
+                           ApiResource, internal_only, format_date, api, Unauthorized, NotFound,
+                           path_param)
 from endpoints.common import start_build
 from endpoints.trigger import BuildTrigger
 from data import model
@@ -86,6 +87,7 @@ def build_status_view(build_obj, can_write=False):
 
 
 @resource('/v1/repository/<repopath:repository>/build/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryBuildList(RepositoryParamResource):
   """ Resource related to creating and listing repository builds. """
   schemas = {
@@ -190,6 +192,8 @@ class RepositoryBuildList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/build/<build_uuid>/status')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('build_uuid', 'The UUID of the build')
 class RepositoryBuildStatus(RepositoryParamResource):
   """ Resource for dealing with repository build status. """
   @require_repo_read
@@ -206,6 +210,8 @@ class RepositoryBuildStatus(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/build/<build_uuid>/logs')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('build_uuid', 'The UUID of the build')
 class RepositoryBuildLogs(RepositoryParamResource):
   """ Resource for loading repository build logs. """
   @require_repo_write

endpoints/api/discovery.py

@@ -94,13 +94,19 @@ def swagger_route_data(include_internal=False, compact=False):
 
           new_operation = {
             'method': method_name,
-            'nickname': method_metadata(method, 'nickname')
+            'nickname': method_metadata(method, 'nickname') or '(unnamed)'
           }
 
           if not compact:
+            response_type = 'void'
+            res_schema_name = method_metadata(method, 'response_schema')
+            if res_schema_name:
+              models[res_schema_name] = view_class.schemas[res_schema_name]
+              response_type = res_schema_name
+
             new_operation.update({
-              'type': 'void',
+              'type': response_type,
-              'summary': method.__doc__ if method.__doc__ else '',
+              'summary': method.__doc__.strip() if method.__doc__ else '',
               'parameters': parameters,
             })
 
@@ -134,7 +140,7 @@ def swagger_route_data(include_internal=False, compact=False):
       swagger_path = PARAM_REGEX.sub(r'{\2}', rule.rule)
       new_resource = {
         'path': swagger_path,
-        'description': view_class.__doc__ if view_class.__doc__ else "",
+        'description': view_class.__doc__.strip() if view_class.__doc__ else "",
         'operations': operations,
         'name': fully_qualified_name(view_class),
       }

endpoints/api/image.py

@@ -4,7 +4,7 @@ from collections import defaultdict
 
 from app import storage as store
 from endpoints.api import (resource, nickname, require_repo_read, RepositoryParamResource,
-                           format_date, NotFound)
+                           format_date, NotFound, path_param)
 from data import model
 from util.cache import cache_control_flask_restful
 
@@ -40,6 +40,7 @@ def image_view(image, image_map):
 
 
 @resource('/v1/repository/<repopath:repository>/image/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryImageList(RepositoryParamResource):
   """ Resource for listing repository images. """
   @require_repo_read
@@ -67,6 +68,8 @@ class RepositoryImageList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/image/<image_id>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('image_id', 'The Docker image ID')
 class RepositoryImage(RepositoryParamResource):
   """ Resource for handling repository images. """
   @require_repo_read
@@ -86,6 +89,8 @@ class RepositoryImage(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/image/<image_id>/changes')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('image_id', 'The Docker image ID')
 class RepositoryImageChanges(RepositoryParamResource):
   """ Resource for handling repository image change lists. """
 

endpoints/api/logs.py

@@ -5,10 +5,11 @@ from datetime import datetime, timedelta
 from endpoints.api import (resource, nickname, ApiResource, query_param, parse_args,
                            RepositoryParamResource, require_repo_admin, related_user_resource,
                            format_date, Unauthorized, NotFound, require_user_admin,
-                           internal_only)
+                           internal_only, path_param, require_scope)
 from auth.permissions import AdministerOrganizationPermission, AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
 from data import model
+from auth import scopes
 
 
 def log_view(log):
@@ -63,7 +64,7 @@ def get_logs(start_time, end_time, performer_name=None, repository=None, namespa
 
 
 @resource('/v1/repository/<repopath:repository>/logs')
-@internal_only
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryLogs(RepositoryParamResource):
   """ Resource for fetching logs for the specific repository. """
   @require_repo_admin
@@ -103,7 +104,7 @@ class UserLogs(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/logs')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 @related_user_resource(UserLogs)
 class OrgLogs(ApiResource):
   """ Resource for fetching logs for the entire organization. """
@@ -112,6 +113,7 @@ class OrgLogs(ApiResource):
   @query_param('starttime', 'Earliest time from which to get logs. (%m/%d/%Y %Z)', type=str)
   @query_param('endtime', 'Latest time to which to get logs. (%m/%d/%Y %Z)', type=str)
   @query_param('performer', 'Username for which to filter logs.', type=str)
+  @require_scope(scopes.ORG_ADMIN)
   def get(self, args, orgname):
     """ List the logs for the specified organization. """
     permission = AdministerOrganizationPermission(orgname)

endpoints/api/organization.py

@@ -5,12 +5,14 @@ from flask import request
 from app import billing as stripe, avatar
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            related_user_resource, internal_only, Unauthorized, NotFound,
-                           require_user_admin, log_action, show_if)
+                           require_user_admin, log_action, show_if, path_param,
+                           require_scope)
 from endpoints.api.team import team_view
 from endpoints.api.user import User, PrivateRepositories
 from auth.permissions import (AdministerOrganizationPermission,  OrganizationMemberPermission,
                               CreateRepositoryPermission)
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from data import model
 from data.billing import get_plan
 
@@ -96,7 +98,7 @@ class OrganizationList(ApiResource):
 
 
 @resource('/v1/organization/<orgname>')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 @related_user_resource(User)
 class Organization(ApiResource):
   """ Resource for managing organizations. """
@@ -117,6 +119,8 @@ class Organization(ApiResource):
       },
     },
   }
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganization')
   def get(self, orgname):
     """ Get the details for the specified organization """
@@ -132,6 +136,7 @@ class Organization(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('changeOrganizationDetails')
   @validate_json_request('UpdateOrg')
   def put(self, orgname):
@@ -162,11 +167,14 @@ class Organization(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/private')
+@path_param('orgname', 'The name of the organization')
 @internal_only
 @related_user_resource(PrivateRepositories)
 @show_if(features.BILLING)
 class OrgPrivateRepositories(ApiResource):
   """ Custom verb to compute whether additional private repositories are available. """
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationPrivateAllowed')
   def get(self, orgname):
     """ Return whether or not this org is allowed to create new private repositories. """
@@ -198,9 +206,11 @@ class OrgPrivateRepositories(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/members')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 class OrgnaizationMemberList(ApiResource):
   """ Resource for listing the members of an organization. """
+ 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationMembers')
   def get(self, orgname):
     """ List the members of the specified organization. """
@@ -231,9 +241,12 @@ class OrgnaizationMemberList(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/members/<membername>')
-@internal_only
+@path_param('orgname', 'The name of the organization')
+@path_param('membername', 'The username of the organization member')
 class OrganizationMember(ApiResource):
   """ Resource for managing individual organization members. """
+
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationMember')
   def get(self, orgname, membername):
     """ Get information on the specific orgnaization member. """
@@ -264,8 +277,10 @@ class OrganizationMember(ApiResource):
 
 
 @resource('/v1/app/<client_id>')
+@path_param('client_id', 'The OAuth client ID')
 class ApplicationInformation(ApiResource):
   """ Resource that returns public information about a registered application. """
+
   @nickname('getApplicationInformation')
   def get(self, client_id):
     """ Get information on the specified application. """
@@ -303,7 +318,7 @@ def app_view(application):
 
 
 @resource('/v1/organization/<orgname>/applications')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 class OrganizationApplications(ApiResource):
   """ Resource for managing applications defined by an organizations. """
   schemas = {
@@ -339,7 +354,7 @@ class OrganizationApplications(ApiResource):
     },
   }
 
-
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationApplications')
   def get(self, orgname):
     """ List the applications for the specified organization """
@@ -355,6 +370,7 @@ class OrganizationApplications(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('createOrganizationApplication')
   @validate_json_request('NewApp')
   def post(self, orgname):
@@ -387,7 +403,8 @@ class OrganizationApplications(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/applications/<client_id>')
-@internal_only
+@path_param('orgname', 'The name of the organization')
+@path_param('client_id', 'The OAuth client ID')
 class OrganizationApplicationResource(ApiResource):
   """ Resource for managing an application defined by an organizations. """
   schemas = {
@@ -425,6 +442,7 @@ class OrganizationApplicationResource(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationApplication')
   def get(self, orgname, client_id):
     """ Retrieves the application with the specified client_id under the specified organization """
@@ -443,6 +461,7 @@ class OrganizationApplicationResource(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationApplication')
   @validate_json_request('UpdateApp')
   def put(self, orgname, client_id):
@@ -476,7 +495,7 @@ class OrganizationApplicationResource(ApiResource):
       return app_view(application)
     raise Unauthorized()
 
-
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationApplication')
   def delete(self, orgname, client_id):
     """ Deletes the application under this organization. """
@@ -499,6 +518,8 @@ class OrganizationApplicationResource(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/applications/<client_id>/resetclientsecret')
+@path_param('orgname', 'The name of the organization')
+@path_param('client_id', 'The OAuth client ID')
 @internal_only
 class OrganizationApplicationResetClientSecret(ApiResource):
   """ Custom verb for resetting the client secret of an application. """

endpoints/api/permission.py

@@ -3,7 +3,7 @@ import logging
 from flask import request
 
 from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           log_action, request_error, validate_json_request)
+                           log_action, request_error, validate_json_request, path_param)
 from data import model
 
 
@@ -26,6 +26,7 @@ def wrap_role_view_org(role_json, user, org_members):
 
 
 @resource('/v1/repository/<repopath:repository>/permissions/team/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryTeamPermissionList(RepositoryParamResource):
   """ Resource for repository team permissions. """
   @require_repo_admin
@@ -41,6 +42,7 @@ class RepositoryTeamPermissionList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/permissions/user/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryUserPermissionList(RepositoryParamResource):
   """ Resource for repository user permissions. """
   @require_repo_admin
@@ -80,6 +82,8 @@ class RepositoryUserPermissionList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/permissions/user/<username>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('username', 'The username of the user to which the permission applies')
 class RepositoryUserPermission(RepositoryParamResource):
   """ Resource for managing individual user permissions. """
   schemas = {
@@ -175,6 +179,8 @@ class RepositoryUserPermission(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/permissions/team/<teamname>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('teamname', 'The name of the team to which the permission applies')
 class RepositoryTeamPermission(RepositoryParamResource):
   """ Resource for managing individual team permissions. """
   schemas = {

endpoints/api/prototype.py

@@ -1,9 +1,11 @@
 from flask import request
 
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           log_action, Unauthorized, NotFound, internal_only)
+                           log_action, Unauthorized, NotFound, internal_only, path_param,
+                           require_scope)
 from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
+from auth import scopes
 from data import model
 
 
@@ -54,7 +56,7 @@ def log_prototype_action(action_kind, orgname, prototype, **kwargs):
 
 
 @resource('/v1/organization/<orgname>/prototypes')
-@internal_only
+@path_param('orgname', 'The name of the organization')
 class PermissionPrototypeList(ApiResource):
   """ Resource for listing and creating permission prototypes. """
   schemas = {
@@ -115,6 +117,7 @@ class PermissionPrototypeList(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('getOrganizationPrototypePermissions')
   def get(self, orgname):
     """ List the existing prototypes for this organization. """
@@ -131,6 +134,7 @@ class PermissionPrototypeList(ApiResource):
       
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('createOrganizationPrototypePermission')
   @validate_json_request('NewPrototype')
   def post(self, orgname):
@@ -179,7 +183,8 @@ class PermissionPrototypeList(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/prototypes/<prototypeid>')
-@internal_only
+@path_param('orgname', 'The name of the organization')
+@path_param('prototypeid', 'The ID of the prototype')
 class PermissionPrototype(ApiResource):
   """ Resource for managingin individual permission prototypes. """
   schemas = {
@@ -204,6 +209,7 @@ class PermissionPrototype(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationPrototypePermission')
   def delete(self, orgname, prototypeid):
     """ Delete an existing permission prototype. """
@@ -224,6 +230,7 @@ class PermissionPrototype(ApiResource):
       
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationPrototypePermission')
   @validate_json_request('PrototypeUpdate')
   def put(self, orgname, prototypeid):

endpoints/api/repoemail.py

@@ -4,7 +4,7 @@ from flask import request, abort
 
 from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
                            log_action, validate_json_request, NotFound, internal_only,
-                           show_if)
+                           path_param, show_if)
 
 from app import tf
 from data import model
@@ -28,6 +28,8 @@ def record_view(record):
 @internal_only
 @show_if(features.MAILING)
 @resource('/v1/repository/<repopath:repository>/authorizedemail/<email>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('email', 'The e-mail address')
 class RepositoryAuthorizedEmail(RepositoryParamResource):
   """ Resource for checking and authorizing e-mail addresses to receive repo notifications. """
   @require_repo_admin

endpoints/api/repository.py

@@ -7,7 +7,9 @@ from data import model
 from endpoints.api import (truthy_bool, format_date, nickname, log_action, validate_json_request,
                            require_repo_read, require_repo_write, require_repo_admin,
                            RepositoryParamResource, resource, query_param, parse_args, ApiResource,
-                           request_error, require_scope, Unauthorized, NotFound, InvalidRequest)
+                           request_error, require_scope, Unauthorized, NotFound, InvalidRequest,
+                           path_param)
+
 from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
                               CreateRepositoryPermission, ReadRepositoryPermission)
 from auth.auth_context import get_authenticated_user
@@ -140,6 +142,7 @@ class RepositoryList(ApiResource):
 
 
 @resource('/v1/repository/<repopath:repository>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class Repository(RepositoryParamResource):
   """Operations for managing a specific repository."""
   schemas = {
@@ -232,6 +235,7 @@ class Repository(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/changevisibility')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryVisibility(RepositoryParamResource):
   """ Custom verb for changing the visibility of the repository. """
   schemas = {

endpoints/api/repositorynotification.py

@@ -4,7 +4,8 @@ from flask import request, abort
 
 from app import notification_queue
 from endpoints.api import (RepositoryParamResource, nickname, resource, require_repo_admin,
-                           log_action, validate_json_request, api, NotFound, request_error)
+                           log_action, validate_json_request, api, NotFound, request_error,
+                           path_param)
 from endpoints.notificationevent import NotificationEvent
 from endpoints.notificationmethod import (NotificationMethod,
                                           CannotValidateNotificationMethodException)
@@ -28,6 +29,7 @@ def notification_view(notification):
 
 
 @resource('/v1/repository/<repopath:repository>/notification/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryNotificationList(RepositoryParamResource):
   """ Resource for dealing with listing and creating notifications on a repository. """
   schemas = {
@@ -95,6 +97,8 @@ class RepositoryNotificationList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/notification/<uuid>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('uuid', 'The UUID of the notification')
 class RepositoryNotification(RepositoryParamResource):
   """ Resource for dealing with specific notifications. """
   @require_repo_admin
@@ -126,6 +130,8 @@ class RepositoryNotification(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/notification/<uuid>/test')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('uuid', 'The UUID of the notification')
 class TestRepositoryNotification(RepositoryParamResource):
   """ Resource for queuing a test of a notification. """
   @require_repo_admin

endpoints/api/repotoken.py

@@ -3,7 +3,7 @@ import logging
 from flask import request
 
 from endpoints.api import (resource, nickname, require_repo_admin, RepositoryParamResource,
-                           log_action, validate_json_request, NotFound)
+                           log_action, validate_json_request, NotFound, path_param)
 from data import model
 
 
@@ -19,6 +19,7 @@ def token_view(token_obj):
 
 
 @resource('/v1/repository/<repopath:repository>/tokens/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryTokenList(RepositoryParamResource):
   """ Resource for creating and listing repository tokens. """
   schemas = {
@@ -66,6 +67,8 @@ class RepositoryTokenList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/tokens/<code>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('code', 'The token code')
 class RepositoryToken(RepositoryParamResource):
   """ Resource for managing individual tokens. """
   schemas = {

endpoints/api/search.py

@@ -1,5 +1,5 @@
 from endpoints.api import (ApiResource, parse_args, query_param, truthy_bool, nickname, resource,
-                           require_scope)
+                           require_scope, path_param)
 from data import model
 from auth.permissions import (OrganizationMemberPermission, ViewTeamPermission,
                               ReadRepositoryPermission, UserAdminPermission,
@@ -12,6 +12,7 @@ from app import avatar
 @resource('/v1/entities/<prefix>')
 class EntitySearch(ApiResource):
   """ Resource for searching entities. """
+  @path_param('prefix', 'The prefix of the entities being looked up')
   @parse_args
   @query_param('namespace', 'Namespace to use when querying for org entities.', type=str,
                default='')

endpoints/api/superuser.py

@@ -9,7 +9,7 @@ from flask import request
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
                            log_action, internal_only, NotFound, require_user_admin, format_date,
                            InvalidToken, require_scope, format_date, hide_if, show_if, parse_args,
-                           query_param, abort, require_fresh_login)
+                           query_param, abort, require_fresh_login, path_param)
 
 from endpoints.api.logs import get_logs
 
@@ -166,6 +166,7 @@ class SuperUserSendRecoveryEmail(ApiResource):
 
 
 @resource('/v1/superuser/users/<username>')
+@path_param('username', 'The username of the user being managed')
 @internal_only
 @show_if(features.SUPER_USERS)
 class SuperUserManagement(ApiResource):

endpoints/api/tag.py

@@ -1,13 +1,16 @@
 from flask import request
 
 from endpoints.api import (resource, nickname, require_repo_read, require_repo_write,
-                           RepositoryParamResource, log_action, NotFound, validate_json_request)
+                           RepositoryParamResource, log_action, NotFound, validate_json_request,
+                           path_param)
 from endpoints.api.image import image_view
 from data import model
 from auth.auth_context import get_authenticated_user
 
 
 @resource('/v1/repository/<repopath:repository>/tag/<tag>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('tag', 'The name of the tag')
 class RepositoryTag(RepositoryParamResource):
   """ Resource for managing repository tags. """
   schemas = {
@@ -73,6 +76,8 @@ class RepositoryTag(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/tag/<tag>/images')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('tag', 'The name of the tag')
 class RepositoryTagImages(RepositoryParamResource):
   """ Resource for listing the images in a specific repository tag. """
   @require_repo_read

endpoints/api/team.py

@@ -2,7 +2,8 @@ from flask import request
 
 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
                            log_action, Unauthorized, NotFound, internal_only, require_scope,
-                           query_param, truthy_bool, parse_args, require_user_admin, show_if)
+                           path_param, query_param, truthy_bool, parse_args, require_user_admin,
+                           show_if)
 from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
 from auth.auth_context import get_authenticated_user
 from auth import scopes
@@ -81,7 +82,8 @@ def invite_view(invite):
 
 
 @resource('/v1/organization/<orgname>/team/<teamname>')
-@internal_only
+@path_param('orgname', 'The name of the organization')
+@path_param('teamname', 'The name of the team')
 class OrganizationTeam(ApiResource):
   """ Resource for manging an organization's teams. """
   schemas = {
@@ -110,6 +112,7 @@ class OrganizationTeam(ApiResource):
     },
   }
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationTeam')
   @validate_json_request('TeamDescription')
   def put(self, orgname, teamname):
@@ -151,6 +154,7 @@ class OrganizationTeam(ApiResource):
 
     raise Unauthorized()
 
+  @require_scope(scopes.ORG_ADMIN)
   @nickname('deleteOrganizationTeam')
   def delete(self, orgname, teamname):
     """ Delete the specified team. """
@@ -164,9 +168,11 @@ class OrganizationTeam(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/team/<teamname>/members')
-@internal_only
+@path_param('orgname', 'The name of the organization')
+@path_param('teamname', 'The name of the team')
 class TeamMemberList(ApiResource):
   """ Resource for managing the list of members for a team. """
+  @require_scope(scopes.ORG_ADMIN)
   @parse_args
   @query_param('includePending', 'Whether to include pending members', type=truthy_bool, default=False)
   @nickname('getOrganizationTeamMembers')
@@ -199,8 +205,12 @@ class TeamMemberList(ApiResource):
 
 
 @resource('/v1/organization/<orgname>/team/<teamname>/members/<membername>')
+@path_param('orgname', 'The name of the organization')
+@path_param('teamname', 'The name of the team')
+@path_param('membername', 'The username of the team member')
 class TeamMember(ApiResource):
   """ Resource for managing individual members of a team. """
+
   @require_scope(scopes.ORG_ADMIN)
   @nickname('updateOrganizationTeamMember')
   def put(self, orgname, teamname, membername):

endpoints/api/trigger.py

@@ -8,7 +8,8 @@ from urlparse import urlunparse
 from app import app
 from endpoints.api import (RepositoryParamResource, nickname, resource, require_repo_admin,
                            log_action, request_error, query_param, parse_args, internal_only,
-                           validate_json_request, api, Unauthorized, NotFound, InvalidRequest)
+                           validate_json_request, api, Unauthorized, NotFound, InvalidRequest,
+                           path_param)
 from endpoints.api.build import (build_status_view, trigger_view, RepositoryBuildStatus,
                                  get_trigger_config)
 from endpoints.common import start_build
@@ -30,6 +31,7 @@ def _prepare_webhook_url(scheme, username, password, hostname, path):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class BuildTriggerList(RepositoryParamResource):
   """ Resource for listing repository build triggers. """
 
@@ -44,6 +46,8 @@ class BuildTriggerList(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 class BuildTrigger(RepositoryParamResource):
   """ Resource for managing specific build triggers. """
 
@@ -90,6 +94,8 @@ class BuildTrigger(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/subdir')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only
 class BuildTriggerSubdirs(RepositoryParamResource):
   """ Custom verb for fetching the subdirs which are buildable for a trigger. """
@@ -137,7 +143,8 @@ class BuildTriggerSubdirs(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/activate')
-@internal_only
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 class BuildTriggerActivate(RepositoryParamResource):
   """ Custom verb for activating a build trigger once all required information has been collected.
   """
@@ -234,6 +241,8 @@ class BuildTriggerActivate(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/analyze')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only
 class BuildTriggerAnalyze(RepositoryParamResource):
   """ Custom verb for analyzing the config for a build trigger and suggesting various changes
@@ -369,6 +378,8 @@ class BuildTriggerAnalyze(RepositoryParamResource):
     
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/start')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 class ActivateBuildTrigger(RepositoryParamResource):
   """ Custom verb to manually activate a build trigger. """
   schemas = {
@@ -424,6 +435,8 @@ class ActivateBuildTrigger(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/builds')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 class TriggerBuildList(RepositoryParamResource):
   """ Resource to represent builds that were activated from the specified trigger. """
   @require_repo_admin
@@ -471,6 +484,8 @@ class BuildTriggerFieldValues(RepositoryParamResource):
 
 
 @resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/sources')
+@path_param('repository', 'The full path of the repository. e.g. namespace/name')
+@path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only
 class BuildTriggerSources(RepositoryParamResource):
   """ Custom verb to fetch the list of build sources for the trigger config. """

endpoints/api/user.py

@@ -9,7 +9,7 @@ from app import app, billing as stripe, authentication, avatar
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
                            log_action, internal_only, NotFound, require_user_admin, parse_args,
                            query_param, InvalidToken, require_scope, format_date, hide_if, show_if,
-                           license_error,  require_fresh_login)
+                           license_error,  require_fresh_login, path_param, define_json_response)
 from endpoints.api.subscribe import subscribe
 from endpoints.common import common_login
 from endpoints.api.team import try_accept_invite
@@ -59,13 +59,13 @@ def user_view(user):
     'verified': user.verified,
     'anonymous': False,
     'username': user.username,
-    'email': user.email,
     'avatar': avatar.compute_hash(user.email, name=user.username),
   }
 
   user_admin = UserAdminPermission(user.username)
   if user_admin.can():
     user_response.update({
+      'email': user.email,
       'organizations': [org_view(o) for o in organizations],
       'logins': [login_view(login) for login in logins],
       'can_create_repo': True,
@@ -148,10 +148,51 @@ class User(ApiResource):
         },
       },
     },
+    'UserView': {
+      'id': 'UserView',
+      'type': 'object',
+      'description': 'Describes a user',
+      'required': ['verified', 'anonymous', 'gravatar'],
+      'properties': {
+        'verified': {
+          'type': 'boolean',
+          'description': 'Whether the user\'s email address has been verified'
+        },
+        'anonymous': {
+          'type': 'boolean',
+          'description': 'true if this user data represents a guest user'
+        },
+        'email': {
+          'type': 'string',
+          'description': 'The user\'s email address',
+        },
+        'gravatar': {
+          'type': 'string',
+          'description': 'Gravatar hash representing the user\'s icon'
+        },
+        'organizations': {
+          'type': 'array',
+          'description': 'Information about the organizations in which the user is a member'
+        },
+        'logins': {
+          'type': 'array',
+          'description': 'The list of external login providers against which the user has authenticated'
+        },
+        'can_create_repo': {
+          'type': 'boolean',
+          'description': 'Whether the user has permission to create repositories'
+        },
+        'preferred_namespace': {
+          'type': 'boolean',
+          'description': 'If true, the user\'s namespace is the preferred namespace to display'
+        }
+      }
+    },
   }
 
   @require_scope(scopes.READ_USER)
   @nickname('getLoggedInUser')
+  @define_json_response('UserView')
   def get(self):
     """ Get user information for the authenticated user. """
     user = get_authenticated_user()
@@ -165,6 +206,7 @@ class User(ApiResource):
   @nickname('changeUserDetails')
   @internal_only
   @validate_json_request('UpdateUser')
+  @define_json_response('UserView')
   def put(self):
     """ Update a users details such as password or email. """
     user = get_authenticated_user()
@@ -525,6 +567,7 @@ class UserNotificationList(ApiResource):
 
 
 @resource('/v1/user/notifications/<uuid>')
+@path_param('uuid', 'The uuid of the user notification')
 @internal_only
 class UserNotification(ApiResource):
   schemas = {
@@ -597,6 +640,7 @@ class UserAuthorizationList(ApiResource):
 
 
 @resource('/v1/user/authorizations/<access_token_uuid>')
+@path_param('access_token_uuid', 'The uuid of the access token')
 @internal_only
 class UserAuthorization(ApiResource):
   @require_user_admin

endpoints/common.py

@@ -194,6 +194,7 @@ def render_page_template(name, **kwargs):
                                        feature_set=json.dumps(features.get_features()),
                                        config_set=json.dumps(getFrontendVisibleConfig(app.config)),
                                        oauth_set=json.dumps(get_oauth_config()),
+                                       scope_set=json.dumps(scopes.ALL_SCOPES),
                                        mixpanel_key=app.config.get('MIXPANEL_KEY', ''),
                                        google_analytics_key=app.config.get('GOOGLE_ANALYTICS_KEY', ''),
                                        sentry_public_dsn=app.config.get('SENTRY_PUBLIC_DSN', ''),

endpoints/web.py

@@ -404,7 +404,7 @@ def request_authorization_code():
 
   if (not current_user.is_authenticated() or
       not provider.validate_has_scopes(client_id, current_user.db_user().username, scope)):
-    if not provider.validate_redirect_uri(client_id, redirect_uri):
+    if redirect_uri != 'display' and not provider.validate_redirect_uri(client_id, redirect_uri):
       current_app = provider.get_application_for_client_id(client_id)
       if not current_app:
         abort(404)
@@ -445,7 +445,6 @@ def request_authorization_code():
   else:
     return provider.get_authorization_code(response_type, client_id, redirect_uri, scope=scope)
 
-
 @web.route('/oauth/access_token', methods=['POST'])
 @no_cache
 @param_required('grant_type')

static/css/quay.css

@@ -4872,3 +4872,11 @@ i.slack-icon {
   width: 120px;
   padding-right: 10px;
 }
+
+#gen-token table {
+  margin: 10px;
+}
+
+#gen-token input[type="checkbox"] {
+  margin-right: 10px;
+}

static/js/app.js

@@ -1757,6 +1757,12 @@ quayApp = angular.module('quay', quayDependencies, function($provide, cfpLoading
       return notificationService;
     }]);
 
+    $provide.factory('OAuthService', ['$location', 'Config', function($location, Config) {
+      var oauthService = {};
+      oauthService.SCOPES = window.__auth_scopes;
+      return oauthService;
+    }]);
+
     $provide.factory('KeyService', ['$location', 'Config', function($location, Config) {
       var keyService = {}
       var oauth = window.__oauth;

static/js/controllers.js

@@ -2696,12 +2696,28 @@ function OrgMemberLogsCtrl($scope, $routeParams, $rootScope, $timeout, Restangul
 }
 
 
-function ManageApplicationCtrl($scope, $routeParams, $rootScope, $location, $timeout, ApiService) {
+function ManageApplicationCtrl($scope, $routeParams, $rootScope, $location, $timeout, OAuthService, ApiService, UserService, Config) {
   var orgname = $routeParams.orgname;
   var clientId = $routeParams.clientid;
 
+  $scope.Config = Config;
+  $scope.OAuthService = OAuthService;
   $scope.updating = false;
 
+  $scope.genScopes = {};
+
+  UserService.updateUserIn($scope);
+
+  $scope.getScopes = function(scopes) {
+    var checked = [];
+    for (var scopeName in scopes) {
+      if (scopes.hasOwnProperty(scopeName) && scopes[scopeName]) {
+        checked.push(scopeName);
+      }
+    }
+    return checked;
+  };
+
   $scope.askResetClientSecret = function() {
     $('#resetSecretModal').modal({});
   };

static/partials/manage-application.html

@@ -30,6 +30,7 @@
         <ul class="nav nav-pills nav-stacked">
           <li class="active"><a href="javascript:void(0)" data-toggle="tab" data-target="#settings">Settings</a></li>         
           <li><a href="javascript:void(0)" data-toggle="tab" data-target="#oauth">OAuth Information</a></li>
+          <li><a href="javascript:void(0)" data-toggle="tab" data-target="#gen-token">Generate Token</a></li>
           <li><a href="javascript:void(0)" data-toggle="tab" data-target="#delete">Delete Application</a></li>
         </ul>
       </div>
@@ -91,6 +92,30 @@
             </div>
           </div>
 
+          <!-- Generate Token tab -->
+          <div id="gen-token" class="tab-pane">
+            <div style="margin-bottom: 20px">
+                Click the button below to generate a new <a href="http://tools.ietf.org/html/rfc6749#section-1.4" target="_new">OAuth 2 Access Token</a>.
+            </div>
+
+            <div style="margin-bottom: 20px">
+              <strong>Note:</strong> The generated token will act on behalf of user <img src="//www.gravatar.com/avatar/{{ user.gravatar }}?s=16&d=identicon" style="margin-left: 6px; margin-right: 4px;">
+              {{ user.username }}
+            </div>
+
+            <table>
+              <tr ng-repeat="(scopeName, scopeInfo) in OAuthService.SCOPES">
+                <td><label onclick="event.stopPropagation()"><input type="checkbox" value="scopeInfo[0]" ng-model="genScopes[scopeName]">{{ scopeInfo[3] }}</label></td>
+              </tr>
+            </table>
+
+            <a class="btn btn-success"
+               href="{{ Config.getUrl('/oauth/authorize?response_type=token&client_id=' + application.client_id + '&scope=' +  getScopes(genScopes).join(',') + '&redirect_uri=display') }}"
+               ng-disabled="!getScopes(genScopes).length" target="_blank">
+               Generate Access Token
+            </a>
+          </div>
+
           <!-- OAuth tab -->
           <div id="oauth" class="tab-pane">
             <table style="margin-top: 20px;">

templates/base.html

@@ -45,6 +45,7 @@
       window.__features = {{ feature_set|safe }};
       window.__config = {{ config_set|safe }};
       window.__oauth = {{ oauth_set|safe }};
+      window.__auth_scopes = {{ scope_set|safe }};
       window.__token = '{{ csrf_token() }}';
     </script>