diff --git a/auth/auth.py b/auth/auth.py
index 30e2f68db..dfd7f1b1c 100644
--- a/auth/auth.py
+++ b/auth/auth.py
@@ -34,7 +34,7 @@ def _load_user_from_cookie():
 logger.debug('Loading user from cookie: %s', current_user.get_id())
 set_authenticated_user_deferred(current_user.get_id())
- loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
+ loaded = QuayDeferredPermissionUser.for_user(current_user.db_user())
 identity_changed.send(app, identity=loaded)
 return current_user.db_user()
 return None
@@ -67,7 +67,7 @@ def _validate_and_apply_oauth_token(token):
 set_authenticated_user(validated.authorized_user)
 set_validated_oauth_token(validated)
- new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)
+ new_identity = QuayDeferredPermissionUser.for_user(validated.authorized_user, scope_set)
 identity_changed.send(app, identity=new_identity)
@@ -107,7 +107,7 @@ def _process_basic_auth(auth):
 logger.debug('Successfully validated robot: %s' % credentials[0])
 set_authenticated_user(robot)
- deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
+ deferred_robot = QuayDeferredPermissionUser.for_user(robot)
 identity_changed.send(app, identity=deferred_robot)
 return
 except model.InvalidRobotException:
@@ -121,8 +121,7 @@ def _process_basic_auth(auth):
 logger.debug('Successfully validated user: %s' % authenticated.username)
 set_authenticated_user(authenticated)
- new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',
- {scopes.DIRECT_LOGIN})
+ new_identity = QuayDeferredPermissionUser.for_user(authenticated)
 identity_changed.send(app, identity=new_identity)
 return
diff --git a/auth/permissions.py b/auth/permissions.py
index 6c015cf7e..bdc460786 100644
--- a/auth/permissions.py
+++ b/auth/permissions.py
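Review bot: The new `loaded = QuayDeferredPermissionUser.for_user(current_user.db_user())` in _load_user_from_cookie hands the lookup result straight to `for_user`, which reads `user.uuid` unconditionally, so a None from `db_user()` would now surface as an AttributeError during cookie login where the old code built the identity from `current_user.get_id()` alone. I cannot see `db_user()`, but the function already returns its value on the next line, so the natural shape is to bind it once — `db_user = current_user.db_user()` — fall back to `QuayDeferredPermissionUser.for_id(current_user.get_id())` when it is None, and reuse `db_user` in the return statement so the lookup is not performed twice. _load_user_from_cookie begins outside the hunk.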
@@ -66,11 +66,21 @@ def repository_write_grant(namespace, repository):
 class QuayDeferredPermissionUser(Identity):
- def __init__(self, uuid, auth_type, scopes):
+ def __init__(self, uuid, auth_type, auth_scopes, user=None):
 super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
 self._permissions_loaded = False
- self._scope_set = scopes
+ self._scope_set = auth_scopes
+ self._user_object = user
+
+ @staticmethod
+
+ def for_id(uuid, auth_scopes=None):
+ return QuayDeferredPermissionUser(uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN})
+
+ @staticmethod
+
+ def for_user(user, auth_scopes=None):
+ return QuayDeferredPermissionUser(user.uuid, 'user_uuid', auth_scopes or {scopes.DIRECT_LOGIN},
+ user=user)
 def _translate_role_for_scopes(self, cardinality, max_roles, role):
 if self._scope_set is None:
@@ -96,7 +106,7 @@ class QuayDeferredPermissionUser(Identity):
 def can(self, permission):
 if not self._permissions_loaded:
 logger.debug('Loading user permissions after deferring.')
- user_object = model.get_user_by_uuid(self.id)
+ user_object = self._user_object or model.get_user_by_uuid(self.id)
 if user_object is None:
 return super(QuayDeferredPermissionUser, self).can(permission)
@@ -249,7 +259,7 @@ def on_identity_loaded(sender, identity):
 elif identity.auth_type == 'user_uuid':
 logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
- switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_uuid', {scopes.DIRECT_LOGIN})
+ switch_to_deferred = QuayDeferredPermissionUser.for_id(identity.id)
 identity_changed.send(app, identity=switch_to_deferred)
 elif identity.auth_type == 'token':
diff --git a/endpoints/common.py b/endpoints/common.py
index faeccee41..ec61b5adf 100644
--- a/endpoints/common.py
+++ b/endpoints/common.py
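Review bot: `auth_scopes or {scopes.DIRECT_LOGIN}` in the new `for_id` and `for_user` treats an empty scope set the same as "not supplied", so a caller that deliberately passes `set()` gets an identity carrying the direct-login scope set instead of no scopes — a widening the old constructor, which stored whatever it was given, never did. `_translate_role_for_scopes` already distinguishes `None` (`if self._scope_set is None:`) from a set, so the default should key on None in both factories: `auth_scopes if auth_scopes is not None else {scopes.DIRECT_LOGIN}`. The only call site passing a caller-supplied set is `_validate_and_apply_oauth_token` in auth/auth.py (`for_user(validated.authorized_user, scope_set)`), so that is where the widening would be observable if `scope_set` can be empty; I cannot see how it is derived. Renaming the `__init__` parameter from `scopes` to `auth_scopes` also breaks any caller passing it by keyword — none is visible in this diff, but worth a grep. The class body continues past the hunk.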
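Review bot: `user_object = self._user_object or model.get_user_by_uuid(self.id)` in `can` trusts that the pre-loaded object belongs to `self.id`, but `__init__` now takes `uuid` and `user` as independent arguments, so nothing in the class itself enforces that pairing — only `for_user` derives one from the other. A one-line comment above the assignment, `# _user_object is set only by for_user, which builds self.id from user.uuid`, would make the assumption explicit, and a debug-time `assert self._user_object is None or self._user_object.uuid == self.id` in `__init__` would catch a future caller that passes a mismatched pair. The rest of `can` lies outside the hunk.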
@@ -103,7 +103,7 @@ def param_required(param_name):
 def common_login(db_user):
 if login_user(LoginWrappedDBUser(db_user.uuid, db_user)):
 logger.debug('Successfully signed in as: %s (%s)' % (db_user.username, db_user.uuid))
- new_identity = QuayDeferredPermissionUser(db_user.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
+ new_identity = QuayDeferredPermissionUser.for_user(db_user)
 identity_changed.send(app, identity=new_identity)
 session['login_time'] = datetime.datetime.now()
 return True