Delegated superuser API access
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
This commit is contained in:
Joseph Schorr
parent
d9ce8fdf52
commit
87efcb9e3d
4 changed files with 41 additions and 4 deletions
|
|
@ -19,6 +19,7 @@ from endpoints.api.logs import get_logs
|
|||
from data import model
|
||||
from auth.permissions import SuperUserPermission
|
||||
from auth.auth_context import get_authenticated_user
|
||||
from auth import scopes
|
||||
from util.useremails import send_confirmation_email, send_recovery_email
|
||||
|
||||
import features
|
||||
|
|
@ -42,6 +43,7 @@ class SuperUserGetLogsForService(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('getSystemLogs')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self, service):
|
||||
""" Returns the logs for the specific service. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -70,6 +72,7 @@ class SuperUserSystemLogServices(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('listSystemLogServices')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self):
|
||||
""" List the system logs for the current system. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -93,6 +96,7 @@ class SuperUserLogs(ApiResource):
|
|||
@query_param('starttime', 'Earliest time from which to get logs. (%m/%d/%Y %Z)', type=str)
|
||||
@query_param('endtime', 'Latest time to which to get logs. (%m/%d/%Y %Z)', type=str)
|
||||
@query_param('performer', 'Username for which to filter logs.', type=str)
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self, args):
|
||||
""" List the usage logs for the current system. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -129,6 +133,7 @@ class ChangeLog(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('getChangeLog')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self):
|
||||
""" Returns the change log for this installation. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -149,6 +154,7 @@ class SuperUserOrganizationList(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('listAllOrganizations')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self):
|
||||
""" Returns a list of all organizations in the system. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -187,6 +193,7 @@ class SuperUserList(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('listAllUsers')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self):
|
||||
""" Returns a list of all users in the system. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -202,6 +209,7 @@ class SuperUserList(ApiResource):
|
|||
@verify_not_prod
|
||||
@nickname('createInstallUser')
|
||||
@validate_json_request('CreateInstallUser')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def post(self):
|
||||
""" Creates a new user. """
|
||||
user_information = request.get_json()
|
||||
|
|
@ -239,6 +247,7 @@ class SuperUserSendRecoveryEmail(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('sendInstallUserRecoveryEmail')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def post(self, username):
|
||||
if SuperUserPermission().can():
|
||||
user = model.get_nonrobot_user(username)
|
||||
|
|
@ -288,6 +297,7 @@ class SuperUserManagement(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('getInstallUser')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def get(self, username):
|
||||
""" Returns information about the specified user. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -302,6 +312,7 @@ class SuperUserManagement(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('deleteInstallUser')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def delete(self, username):
|
||||
""" Deletes the specified user. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -321,6 +332,7 @@ class SuperUserManagement(ApiResource):
|
|||
@verify_not_prod
|
||||
@nickname('changeInstallUser')
|
||||
@validate_json_request('UpdateUser')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def put(self, username):
|
||||
""" Updates information about the specified user. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -371,6 +383,7 @@ class SuperUserOrganizationManagement(ApiResource):
|
|||
@require_fresh_login
|
||||
@verify_not_prod
|
||||
@nickname('deleteOrganization')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def delete(self, name):
|
||||
""" Deletes the specified organization. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
@ -385,6 +398,7 @@ class SuperUserOrganizationManagement(ApiResource):
|
|||
@verify_not_prod
|
||||
@nickname('changeOrganization')
|
||||
@validate_json_request('UpdateOrg')
|
||||
@require_scope(scopes.SUPERUSER)
|
||||
def put(self, name):
|
||||
""" Updates information about the specified user. """
|
||||
if SuperUserPermission().can():
|
||||
|
|
|
|||
Reference in a new issue