Delegated superuser API access

Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
This commit is contained in:
Joseph Schorr 2015-06-28 11:22:34 +03:00
parent d9ce8fdf52
commit 87efcb9e3d
4 changed files with 41 additions and 4 deletions

View file

@ -27,7 +27,7 @@ _SuperUserNeed = partial(namedtuple('superuserneed', ['type']), 'superuser')
REPO_ROLES = [None, 'read', 'write', 'admin']
TEAM_ROLES = [None, 'member', 'creator', 'admin']
USER_ROLES = [None, 'read', 'admin']
USER_ROLES = [None, 'read', 'admin', 'superuser']
TEAM_REPO_ROLES = {
'admin': 'admin',
@ -54,6 +54,7 @@ SCOPE_MAX_USER_ROLES = defaultdict(lambda: None)
SCOPE_MAX_USER_ROLES.update({
scopes.READ_USER: 'read',
scopes.DIRECT_LOGIN: 'admin',
scopes.SUPERUSER: 'superuser',
})
@ -113,8 +114,14 @@ class QuayDeferredPermissionUser(Identity):
if user_object is None:
return super(QuayDeferredPermissionUser, self).can(permission)
# Add the superuser need, if applicable.
if superusers.is_superuser(user_object.username):
# Add the superuser need, if applicable:
# - If the user's role is an admin (direct login) and they are a superuser
# - If the user has granted the superuser scope
superuser_role = self._user_role_for_scopes('superuser')
if superuser_role == 'admin' and superusers.is_superuser(user_object.username):
self.provides.add(_SuperUserNeed())
elif superuser_role == 'superuser':
self.provides.add(_SuperUserNeed())
# Add the user specific permissions, only for non-oauth permission

View file

@ -1,5 +1,5 @@
from collections import namedtuple
import features
Scope = namedtuple('scope', ['scope', 'icon', 'dangerous', 'title', 'description'])
@ -59,6 +59,15 @@ DIRECT_LOGIN = Scope(scope='direct_user_login',
description=('This scope should not be available to OAuth applications. '
'Never approve a request for this scope!'))
SUPERUSER = Scope(scope='super:user',
icon='fa-street-view',
dangerous=True,
title='Super User Access',
description=('This application will be able to administer your installation '
'including managing users, managing organizations and other '
'features found in the superuser panel. You should have '
'absolute trust in the requesting application before granting this '
'permission.'))
ALL_SCOPES = {scope.scope:scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
READ_USER, ORG_ADMIN)}
@ -73,6 +82,9 @@ IMPLIED_SCOPES = {
None: set(),
}
if features.SUPER_USERS:
ALL_SCOPES[SUPERUSER.scope] = SUPERUSER
IMPLIED_SCOPES[SUPERUSER] = {SUPERUSER}
def scopes_from_scope_string(scopes):
if not scopes: