Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object

auth/auth.py

@@ -34,7 +34,7 @@ def _load_user_from_cookie():
 
     logger.debug('Loading user from cookie: %s', current_user.get_id())
     set_authenticated_user_deferred(current_user.get_id())
-    loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
+    loaded = QuayDeferredPermissionUser.for_user(current_user.db_user())
     identity_changed.send(app, identity=loaded)
     return current_user.db_user()
   return None
@@ -67,7 +67,7 @@ def _validate_and_apply_oauth_token(token):
   set_authenticated_user(validated.authorized_user)
   set_validated_oauth_token(validated)
 
-  new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)
+  new_identity = QuayDeferredPermissionUser.for_user(validated.authorized_user, scope_set)
   identity_changed.send(app, identity=new_identity)
 
 
@@ -107,7 +107,7 @@ def _process_basic_auth(auth):
       logger.debug('Successfully validated robot: %s' % credentials[0])
       set_authenticated_user(robot)
 
-      deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
+      deferred_robot = QuayDeferredPermissionUser.for_user(robot)
       identity_changed.send(app, identity=deferred_robot)
       return
     except model.InvalidRobotException:
@@ -121,8 +121,7 @@ def _process_basic_auth(auth):
       logger.debug('Successfully validated user: %s' % authenticated.username)
       set_authenticated_user(authenticated)
 
-      new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',
-                                                {scopes.DIRECT_LOGIN})
+      new_identity = QuayDeferredPermissionUser.for_user(authenticated)
       identity_changed.send(app, identity=new_identity)
       return
 

auth/permissions.py

@@ -66,11 +66,21 @@ def repository_write_grant(namespace, repository):
 
 
 class QuayDeferredPermissionUser(Identity):
-  def __init__(self, uuid, auth_type, scopes):
+  def __init__(self, uuid, auth_type, auth_scopes, user=None):
     super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
 
     self._permissions_loaded = False
-    self._scope_set = scopes
+    self._scope_set = auth_scopes
+    self._user_object = user
+
+  @staticmethod
+  def for_id(uuid, auth_scopes=None):
+    return QuayDeferredPermissionUser(uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN})
+
+  @staticmethod
+  def for_user(user, auth_scopes=None):
+    return QuayDeferredPermissionUser(user.uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN},
+                                      user=user)
 
   def _translate_role_for_scopes(self, cardinality, max_roles, role):
     if self._scope_set is None:
@@ -96,7 +106,7 @@ class QuayDeferredPermissionUser(Identity):
   def can(self, permission):
     if not self._permissions_loaded:
       logger.debug('Loading user permissions after deferring.')
-      user_object = model.get_user_by_uuid(self.id)
+      user_object = self._user_object or model.get_user_by_uuid(self.id)
       if user_object is None:
         return super(QuayDeferredPermissionUser, self).can(permission)
 
@@ -249,7 +259,7 @@ def on_identity_loaded(sender, identity):
 
   elif identity.auth_type == 'user_uuid':
     logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
-    switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_uuid', {scopes.DIRECT_LOGIN})
+    switch_to_deferred = QuayDeferredPermissionUser.for_id(identity.id)
     identity_changed.send(app, identity=switch_to_deferred)
 
   elif identity.auth_type == 'token':

endpoints/common.py

@@ -103,7 +103,7 @@ def param_required(param_name):
 def common_login(db_user):
   if login_user(LoginWrappedDBUser(db_user.uuid, db_user)):
     logger.debug('Successfully signed in as: %s (%s)' % (db_user.username, db_user.uuid))
-    new_identity = QuayDeferredPermissionUser(db_user.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
+    new_identity = QuayDeferredPermissionUser.for_user(db_user)
     identity_changed.send(app, identity=new_identity)
     session['login_time'] = datetime.datetime.now()
     return True