vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add UUID to User model and use in cookie.

Browse source
This commit is contained in:
Jimmy Zelinskie 2014-11-11 17:22:37 -05:00 committed by Jimmy Zelinskie
parent b3886570eb
commit 9d677b8eb3
8 changed files with 91 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
auth/auth.py
View file

@ -25,7 +25,7 @@ def _load_user_from_cookie():
if not current_user.is_anonymous(): if not current_user.is_anonymous():
logger.debug('Loading user from cookie: %s', current_user.get_id()) logger.debug('Loading user from cookie: %s', current_user.get_id())
set_authenticated_user_deferred(current_user.get_id()) set_authenticated_user_deferred(current_user.get_id())
loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_db_id', {scopes.DIRECT_LOGIN}) loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
identity_changed.send(app, identity=loaded) identity_changed.send(app, identity=loaded)
return current_user.db_user() return current_user.db_user()
return None return None
@ -58,7 +58,7 @@ def _validate_and_apply_oauth_token(token):
set_authenticated_user(validated.authorized_user) set_authenticated_user(validated.authorized_user)
set_validated_oauth_token(validated) set_validated_oauth_token(validated)
new_identity = QuayDeferredPermissionUser(validated.authorized_user.id, 'user_db_id', scope_set) new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)
identity_changed.send(app, identity=new_identity) identity_changed.send(app, identity=new_identity)
@ -97,8 +97,8 @@ def process_basic_auth(auth):
robot = model.verify_robot(credentials[0], credentials[1]) robot = model.verify_robot(credentials[0], credentials[1])
logger.debug('Successfully validated robot: %s' % credentials[0]) logger.debug('Successfully validated robot: %s' % credentials[0])
set_authenticated_user(robot) set_authenticated_user(robot)
deferred_robot = QuayDeferredPermissionUser(robot.id, 'user_db_id', {scopes.DIRECT_LOGIN}) deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
identity_changed.send(app, identity=deferred_robot) identity_changed.send(app, identity=deferred_robot)
return return
except model.InvalidRobotException: except model.InvalidRobotException:
@ -111,7 +111,7 @@ def process_basic_auth(auth):
logger.debug('Successfully validated user: %s' % authenticated.username) logger.debug('Successfully validated user: %s' % authenticated.username)
set_authenticated_user(authenticated) set_authenticated_user(authenticated)
new_identity = QuayDeferredPermissionUser(authenticated.id, 'user_db_id', new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',
{scopes.DIRECT_LOGIN}) {scopes.DIRECT_LOGIN})
identity_changed.send(app, identity=new_identity) identity_changed.send(app, identity=new_identity)
return return

14
auth/auth_context.py
View file

@ -10,13 +10,13 @@ logger = logging.getLogger(__name__)
def get_authenticated_user(): def get_authenticated_user():
user = getattr(_request_ctx_stack.top, 'authenticated_user', None) user = getattr(_request_ctx_stack.top, 'authenticated_user', None)
if not user: if not user:
db_id = getattr(_request_ctx_stack.top, 'authenticated_db_id', None) user_uuid = getattr(_request_ctx_stack.top, 'authenticated_user_uuid', None)
if not db_id: if not user_uuid:
logger.debug('No authenticated user or deferred database id.') logger.debug('No authenticated user or deferred database uuid.')
return None return None
logger.debug('Loading deferred authenticated user.') logger.debug('Loading deferred authenticated user.')
loaded = model.get_user_by_id(db_id) loaded = model.get_user_by_uuid(user_uuid)
set_authenticated_user(loaded) set_authenticated_user(loaded)
user = loaded user = loaded
@ -30,10 +30,10 @@ def set_authenticated_user(user_or_robot):
ctx.authenticated_user = user_or_robot ctx.authenticated_user = user_or_robot
def set_authenticated_user_deferred(user_or_robot_db_id): def set_authenticated_user_deferred(user_or_robot_uuid):
logger.debug('Deferring loading of authenticated user object: %s', user_or_robot_db_id) logger.debug('Deferring loading of authenticated user object with uuid: %s', user_or_robot_uuid)
ctx = _request_ctx_stack.top ctx = _request_ctx_stack.top
ctx.authenticated_db_id = user_or_robot_db_id ctx.authenticated_user_uuid = user_or_robot_uuid
def get_validated_oauth_token(): def get_validated_oauth_token():

18
auth/permissions.py
View file

@ -58,8 +58,8 @@ SCOPE_MAX_USER_ROLES.update({
class QuayDeferredPermissionUser(Identity): class QuayDeferredPermissionUser(Identity):
def __init__(self, db_id, auth_type, scopes): def __init__(self, id, auth_type, scopes):
super(QuayDeferredPermissionUser, self).__init__(db_id, auth_type) super(QuayDeferredPermissionUser, self).__init__(id, auth_type)
self._permissions_loaded = False self._permissions_loaded = False
self._scope_set = scopes self._scope_set = scopes
@ -88,14 +88,14 @@ class QuayDeferredPermissionUser(Identity):
def can(self, permission): def can(self, permission):
if not self._permissions_loaded: if not self._permissions_loaded:
logger.debug('Loading user permissions after deferring.') logger.debug('Loading user permissions after deferring.')
user_object = model.get_user_by_id(self.id) user_object = model.get_user_by_uuid(self.id)
# Add the superuser need, if applicable. # Add the superuser need, if applicable.
if (user_object.username is not None and if (user_object.username is not None and
user_object.username in app.config.get('SUPER_USERS', [])): user_object.username in app.config.get('SUPER_USERS', [])):
self.provides.add(_SuperUserNeed()) self.provides.add(_SuperUserNeed())
# Add the user specific permissions, only for non-oauth permission # Add the user specific permissions, only for non-oauth permission
user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin')) user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin'))
logger.debug('User permission: {0}'.format(user_grant)) logger.debug('User permission: {0}'.format(user_grant))
self.provides.add(user_grant) self.provides.add(user_grant)
@ -217,7 +217,7 @@ class ViewTeamPermission(Permission):
team_admin = _TeamNeed(org_name, team_name, 'admin') team_admin = _TeamNeed(org_name, team_name, 'admin')
team_creator = _TeamNeed(org_name, team_name, 'creator') team_creator = _TeamNeed(org_name, team_name, 'creator')
team_member = _TeamNeed(org_name, team_name, 'member') team_member = _TeamNeed(org_name, team_name, 'member')
admin_org = _OrganizationNeed(org_name, 'admin') admin_org = _OrganizationNeed(org_name, 'admin')
super(ViewTeamPermission, self).__init__(team_admin, team_creator, super(ViewTeamPermission, self).__init__(team_admin, team_creator,
team_member, admin_org) team_member, admin_org)
@ -228,11 +228,11 @@ def on_identity_loaded(sender, identity):
# We have verified an identity, load in all of the permissions # We have verified an identity, load in all of the permissions
if isinstance(identity, QuayDeferredPermissionUser): if isinstance(identity, QuayDeferredPermissionUser):
logger.debug('Deferring permissions for user: %s', identity.id) logger.debug('Deferring permissions for user with uuid: %s', identity.id)
elif identity.auth_type == 'user_db_id': elif identity.auth_type == 'user_uuid':
logger.debug('Switching username permission to deferred object: %s', identity.id) logger.debug('Switching username permission to deferred object with uuid: %s', identity.id)
switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_db_id', {scopes.DIRECT_LOGIN}) switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'user_uuid', {scopes.DIRECT_LOGIN})
identity_changed.send(app, identity=switch_to_deferred) identity_changed.send(app, identity=switch_to_deferred)
elif identity.auth_type == 'token': elif identity.auth_type == 'token':

11
data/database.py
View file

@ -26,7 +26,7 @@ SCHEME_RANDOM_FUNCTION = {
'mysql+pymysql': fn.Rand, 'mysql+pymysql': fn.Rand,
'sqlite': fn.Random, 'sqlite': fn.Random,
'postgresql': fn.Random, 'postgresql': fn.Random,
'postgresql+psycopg2': fn.Random, 'postgresql+psycopg2': fn.Random,
} }
class CallableProxy(Proxy): class CallableProxy(Proxy):
@ -137,6 +137,7 @@ class BaseModel(ReadSlaveModel):
class User(BaseModel): class User(BaseModel):
uuid = CharField(default=uuid_generator)
username = CharField(unique=True, index=True) username = CharField(unique=True, index=True)
password_hash = CharField(null=True) password_hash = CharField(null=True)
email = CharField(unique=True, index=True, email = CharField(unique=True, index=True,
@ -212,7 +213,7 @@ class FederatedLogin(BaseModel):
user = QuayUserField(allows_robots=True, index=True) user = QuayUserField(allows_robots=True, index=True)
service = ForeignKeyField(LoginService, index=True) service = ForeignKeyField(LoginService, index=True)
service_ident = CharField() service_ident = CharField()
metadata_json = TextField(default='{}') metadata_json = TextField(default='{}')
class Meta: class Meta:
database = db database = db
@ -250,7 +251,7 @@ class Repository(BaseModel):
# Therefore, we define our own deletion order here and use the dependency system to verify it. # Therefore, we define our own deletion order here and use the dependency system to verify it.
ordered_dependencies = [RepositoryAuthorizedEmail, RepositoryTag, Image, LogEntry, ordered_dependencies = [RepositoryAuthorizedEmail, RepositoryTag, Image, LogEntry,
RepositoryBuild, RepositoryBuildTrigger, RepositoryNotification, RepositoryBuild, RepositoryBuildTrigger, RepositoryNotification,
RepositoryPermission, AccessToken] RepositoryPermission, AccessToken]
for query, fk in self.dependencies(search_nullable=True): for query, fk in self.dependencies(search_nullable=True):
model = fk.model_class model = fk.model_class
@ -457,7 +458,7 @@ class LogEntry(BaseModel):
kind = ForeignKeyField(LogEntryKind, index=True) kind = ForeignKeyField(LogEntryKind, index=True)
account = QuayUserField(index=True, related_name='account') account = QuayUserField(index=True, related_name='account')
performer = QuayUserField(allows_robots=True, index=True, null=True, performer = QuayUserField(allows_robots=True, index=True, null=True,
related_name='performer') related_name='performer')
repository = ForeignKeyField(Repository, index=True, null=True) repository = ForeignKeyField(Repository, index=True, null=True)
datetime = DateTimeField(default=datetime.now, index=True) datetime = DateTimeField(default=datetime.now, index=True)
ip = CharField(null=True) ip = CharField(null=True)
@ -537,7 +538,7 @@ class RepositoryAuthorizedEmail(BaseModel):
# create a unique index on email and repository # create a unique index on email and repository
(('email', 'repository'), True), (('email', 'repository'), True),
) )
all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission, Visibility, all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission, Visibility,

26
data/migrations/versions/17f11e265e13_add_uuid_field_to_user.py Normal file
View file

@ -0,0 +1,26 @@
"""add uuid field to user
Revision ID: 17f11e265e13
Revises: 204abf14783d
Create Date: 2014-11-11 14:32:54.866188
"""
# revision identifiers, used by Alembic.
revision = '17f11e265e13'
down_revision = '204abf14783d'
from alembic import op
import sqlalchemy as sa
from sqlalchemy.dialects import mysql
def upgrade(tables):
### commands auto generated by Alembic - please adjust! ###
op.add_column('user', sa.Column('uuid', sa.String(length=255), nullable=False))
### end Alembic commands ###
def downgrade(tables):
### commands auto generated by Alembic - please adjust! ###
op.drop_column('user', 'uuid')
### end Alembic commands ###

47
data/model/legacy.py
View file

@ -132,7 +132,7 @@ def create_user(username, password, email, auto_verify=False):
created = _create_user(username, email) created = _create_user(username, email)
created.password_hash = hash_password(password) created.password_hash = hash_password(password)
created.verified = auto_verify created.verified = auto_verify
created.save() created.save()
return created return created
@ -194,7 +194,7 @@ def create_organization(name, email, creating_user):
return new_org return new_org
except InvalidUsernameException: except InvalidUsernameException:
msg = ('Invalid organization name: %s Organization names must consist ' + msg = ('Invalid organization name: %s Organization names must consist ' +
'solely of lower case letters, numbers, and underscores. ' + 'solely of lower case letters, numbers, and underscores. ' +
'[a-z0-9_]') % name '[a-z0-9_]') % name
raise InvalidOrganizationException(msg) raise InvalidOrganizationException(msg)
@ -380,7 +380,7 @@ def remove_team(org_name, team_name, removed_by_username):
def add_or_invite_to_team(inviter, team, user=None, email=None, requires_invite=True): def add_or_invite_to_team(inviter, team, user=None, email=None, requires_invite=True):
# If the user is a member of the organization, then we simply add the # If the user is a member of the organization, then we simply add the
# user directly to the team. Otherwise, an invite is created for the user/email. # user directly to the team. Otherwise, an invite is created for the user/email.
# We return None if the user was directly added and the invite object if the user was invited. # We return None if the user was directly added and the invite object if the user was invited.
if user and requires_invite: if user and requires_invite:
orgname = team.organization.username orgname = team.organization.username
@ -390,7 +390,7 @@ def add_or_invite_to_team(inviter, team, user=None, email=None, requires_invite=
if not user.username.startswith(orgname + '+'): if not user.username.startswith(orgname + '+'):
raise InvalidTeamMemberException('Cannot add the specified robot to this team, ' + raise InvalidTeamMemberException('Cannot add the specified robot to this team, ' +
'as it is not a member of the organization') 'as it is not a member of the organization')
else: else:
Org = User.alias() Org = User.alias()
found = User.select(User.username) found = User.select(User.username)
found = found.where(User.username == user.username).join(TeamMember).join(Team) found = found.where(User.username == user.username).join(TeamMember).join(Team)
@ -525,7 +525,7 @@ def confirm_user_email(code):
code = EmailConfirmation.get(EmailConfirmation.code == code, code = EmailConfirmation.get(EmailConfirmation.code == code,
EmailConfirmation.email_confirm == True) EmailConfirmation.email_confirm == True)
except EmailConfirmation.DoesNotExist: except EmailConfirmation.DoesNotExist:
raise DataModelException('Invalid email confirmation code.') raise DataModelException('Invalid email confirmation code.')
user = code.user user = code.user
user.verified = True user.verified = True
@ -534,11 +534,11 @@ def confirm_user_email(code):
new_email = code.new_email new_email = code.new_email
if new_email: if new_email:
if find_user_by_email(new_email): if find_user_by_email(new_email):
raise DataModelException('E-mail address already used.') raise DataModelException('E-mail address already used.')
old_email = user.email old_email = user.email
user.email = new_email user.email = new_email
user.save() user.save()
code.delete_instance() code.delete_instance()
@ -614,13 +614,20 @@ def get_namespace_by_user_id(namespace_user_db_id):
raise InvalidUsernameException('User with id does not exist: %s' % namespace_user_db_id) raise InvalidUsernameException('User with id does not exist: %s' % namespace_user_db_id)
def get_user_by_uuid(user_uuid):
try:
return User.get(User.uuid == user_uuid, User.organization == False)
except User.DoesNotExist:
return None
def get_user_or_org_by_customer_id(customer_id): def get_user_or_org_by_customer_id(customer_id):
try: try:
return User.get(User.stripe_id == customer_id) return User.get(User.stripe_id == customer_id)
except User.DoesNotExist: except User.DoesNotExist:
return None return None
def get_matching_teams(team_prefix, organization): def get_matching_teams(team_prefix, organization):
query = Team.select().where(Team.name ** (team_prefix + '%'), query = Team.select().where(Team.name ** (team_prefix + '%'),
Team.organization == organization) Team.organization == organization)
return query.limit(10) return query.limit(10)
@ -628,13 +635,13 @@ def get_matching_teams(team_prefix, organization):
def get_matching_users(username_prefix, robot_namespace=None, def get_matching_users(username_prefix, robot_namespace=None,
organization=None): organization=None):
direct_user_query = (User.username ** (username_prefix + '%') & direct_user_query = (User.username ** (username_prefix + '%') &
(User.organization == False) & (User.robot == False)) (User.organization == False) & (User.robot == False))
if robot_namespace: if robot_namespace:
robot_prefix = format_robot_username(robot_namespace, username_prefix) robot_prefix = format_robot_username(robot_namespace, username_prefix)
direct_user_query = (direct_user_query | direct_user_query = (direct_user_query |
(User.username ** (robot_prefix + '%') & (User.username ** (robot_prefix + '%') &
(User.robot == True))) (User.robot == True)))
query = (User query = (User
@ -1198,7 +1205,7 @@ def __translate_ancestry(old_ancestry, translations, repository, username, prefe
translations[old_id] = image_in_repo.id translations[old_id] = image_in_repo.id
return translations[old_id] return translations[old_id]
# Select all the ancestor Docker IDs in a single query. # Select all the ancestor Docker IDs in a single query.
old_ids = [int(id_str) for id_str in old_ancestry.split('/')[1:-1]] old_ids = [int(id_str) for id_str in old_ancestry.split('/')[1:-1]]
query = Image.select(Image.id, Image.docker_image_id).where(Image.id << old_ids) query = Image.select(Image.id, Image.docker_image_id).where(Image.id << old_ids)
old_images = {i.id: i.docker_image_id for i in query} old_images = {i.id: i.docker_image_id for i in query}
@ -1592,7 +1599,7 @@ def garbage_collect_storage(storage_id_whitelist):
storage_id_whitelist, storage_id_whitelist,
(ImageStorage, ImageStoragePlacement, (ImageStorage, ImageStoragePlacement,
ImageStorageLocation)) ImageStorageLocation))
paths_to_remove = placements_query_to_paths_set(placements_to_remove.clone()) paths_to_remove = placements_query_to_paths_set(placements_to_remove.clone())
# Remove the placements for orphaned storages # Remove the placements for orphaned storages
@ -1607,7 +1614,7 @@ def garbage_collect_storage(storage_id_whitelist):
orphaned_storages = list(orphaned_storage_query(ImageStorage.select(ImageStorage.id), orphaned_storages = list(orphaned_storage_query(ImageStorage.select(ImageStorage.id),
storage_id_whitelist, storage_id_whitelist,
(ImageStorage.id,))) (ImageStorage.id,)))
if len(orphaned_storages) > 0: if len(orphaned_storages) > 0:
(ImageStorage (ImageStorage
.delete() .delete()
.where(ImageStorage.id << orphaned_storages) .where(ImageStorage.id << orphaned_storages)
@ -1967,7 +1974,7 @@ def create_repository_build(repo, access_token, job_config_obj, dockerfile_id,
def get_pull_robot_name(trigger): def get_pull_robot_name(trigger):
if not trigger.pull_robot: if not trigger.pull_robot:
return None return None
return trigger.pull_robot.username return trigger.pull_robot.username
@ -2146,14 +2153,14 @@ def list_notifications(user, kind_name=None, id_filter=None, include_dismissed=F
AdminTeamMember.team)) AdminTeamMember.team))
.join(AdminUser, JOIN_LEFT_OUTER, on=(AdminTeamMember.user == .join(AdminUser, JOIN_LEFT_OUTER, on=(AdminTeamMember.user ==
AdminUser.id)) AdminUser.id))
.where((Notification.target == user) | .where((Notification.target == user) |
((AdminUser.id == user) & (TeamRole.name == 'admin'))) ((AdminUser.id == user) & (TeamRole.name == 'admin')))
.order_by(Notification.created) .order_by(Notification.created)
.desc()) .desc())
if not include_dismissed: if not include_dismissed:
query = query.switch(Notification).where(Notification.dismissed == False) query = query.switch(Notification).where(Notification.dismissed == False)
if kind_name: if kind_name:
query = (query query = (query
.switch(Notification) .switch(Notification)
@ -2278,7 +2285,7 @@ def confirm_email_authorization_for_repo(code):
.where(RepositoryAuthorizedEmail.code == code) .where(RepositoryAuthorizedEmail.code == code)
.get()) .get())
except RepositoryAuthorizedEmail.DoesNotExist: except RepositoryAuthorizedEmail.DoesNotExist:
raise DataModelException('Invalid confirmation code.') raise DataModelException('Invalid confirmation code.')
found.confirmed = True found.confirmed = True
found.save() found.save()
@ -2310,7 +2317,7 @@ def lookup_team_invite(code, user=None):
raise DataModelException('Invalid confirmation code.') raise DataModelException('Invalid confirmation code.')
if user and found.user != user: if user and found.user != user:
raise DataModelException('Invalid confirmation code.') raise DataModelException('Invalid confirmation code.')
return found return found
@ -2330,7 +2337,7 @@ def confirm_team_invite(code, user):
# If the invite is for a specific user, we have to confirm that here. # If the invite is for a specific user, we have to confirm that here.
if found.user is not None and found.user != user: if found.user is not None and found.user != user:
message = """This invite is intended for user "%s". message = """This invite is intended for user "%s".
Please login to that account and try again.""" % found.user.username Please login to that account and try again.""" % found.user.username
raise DataModelException(message) raise DataModelException(message)

26
endpoints/common.py
View file

@ -85,23 +85,19 @@ def param_required(param_name):
@login_manager.user_loader @login_manager.user_loader
def load_user(user_db_id): def load_user(user_uuid):
logger.debug('User loader loading deferred user id: %s' % user_db_id) logger.debug('User loader loading deferred user with uuid: %s' % user_uuid)
try: return _LoginWrappedDBUser(user_uuid)
user_db_id_int = int(user_db_id)
return _LoginWrappedDBUser(user_db_id_int)
except ValueError:
return None
class _LoginWrappedDBUser(UserMixin): class _LoginWrappedDBUser(UserMixin):
def __init__(self, user_db_id, db_user=None): def __init__(self, user_uuid, db_user=None):
self._db_id = user_db_id self._uuid = user_uuid
self._db_user = db_user self._db_user = db_user
def db_user(self): def db_user(self):
if not self._db_user: if not self._db_user:
self._db_user = model.get_user_by_id(self._db_id) self._db_user = model.get_user_by_uuid(self._uuid)
return self._db_user return self._db_user
def is_authenticated(self): def is_authenticated(self):
@ -111,13 +107,13 @@ class _LoginWrappedDBUser(UserMixin):
return self.db_user().verified return self.db_user().verified
def get_id(self): def get_id(self):
return unicode(self._db_id) return unicode(self._uuid)
def common_login(db_user): def common_login(db_user):
if login_user(_LoginWrappedDBUser(db_user.id, db_user)): if login_user(_LoginWrappedDBUser(db_user.uuid, db_user)):
logger.debug('Successfully signed in as: %s' % db_user.username) logger.debug('Successfully signed in as: %s (%s)' % (db_user.username, db_user.uuid))
new_identity = QuayDeferredPermissionUser(db_user.id, 'user_db_id', {scopes.DIRECT_LOGIN}) new_identity = QuayDeferredPermissionUser(db_user.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
identity_changed.send(app, identity=new_identity) identity_changed.send(app, identity=new_identity)
session['login_time'] = datetime.datetime.now() session['login_time'] = datetime.datetime.now()
return True return True
@ -279,4 +275,4 @@ def start_build(repository, dockerfile_id, tags, build_name, subdir, manual,
spawn_notification(repository, 'build_queued', event_data, spawn_notification(repository, 'build_queued', event_data,
subpage='build?current=%s' % build_request.uuid, subpage='build?current=%s' % build_request.uuid,
pathargs=['build', build_request.uuid]) pathargs=['build', build_request.uuid])
return build_request return build_request

BIN
test/data/test.db
View file

Binary file not shown.