Next batch of backend permissions for orgs.

2013-11-04 15:42:08 -05:00 · 2013-11-04 15:42:08 -05:00 · dd77ebd64f
commit dd77ebd64f
parent 100ec563fa
11 changed files with 13596 additions and 62 deletions
--- a/auth/permissions.py
+++ b/auth/permissions.py
@ -14,6 +14,7 @@ logger = logging.getLogger(__name__)
 _ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
 _RepositoryNeed = partial(_ResourceNeed, 'repository')
 _OrganizationNeed = namedtuple('organization', ['orgname', 'role'])
 class QuayDeferredPermissionUser(Identity):
@ -27,13 +28,27 @@ class QuayDeferredPermissionUser(Identity):
      logger.debug('Loading user permissions after deferring.')
      user_object = model.get_user(self.id)
-      for user in model.get_all_user_permissions(user_object):
+      # Add the user specific permissions
-        grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
+      user_grant = UserNeed(user_object.username)
-                                user.repositorypermission.repository.name,
+      self.provides.add(user_grant)
-                                user.repositorypermission.role.name)
+
      # Every user is the admin of their own 'org'
      user_namespace = _OrganizationNeed(user_object.username, 'admin')
      self.provides.add(user_namespace)
      # Add repository permissions
      for perm in model.get_all_user_permissions(user_object):
        grant = _RepositoryNeed(perm.repository.namespace,
                                perm.repository.name, perm.role.name)
        logger.debug('User added permission: {0}'.format(grant))
        self.provides.add(grant)
      # Add namespace permissions derived
      for team in model.get_org_wide_permissions(user_object):
        grant = _OrganizationNeed(team.organization.username, team.role.name)
        logger.debug('Organization team added permission: {0}'.format(grant))
        self.provides.add(grant)
      self._permissions_loaded = True
    return super(QuayDeferredPermissionUser, self).can(permission)
@ -43,6 +58,7 @@ class ModifyRepositoryPermission(Permission):
  def __init__(self, namespace, name):
    admin_need = _RepositoryNeed(namespace, name, 'admin')
    write_need = _RepositoryNeed(namespace, name, 'write')
    org_admin_need = _OrganizationNeed(namespace, 'admin')
    super(ModifyRepositoryPermission, self).__init__(admin_need, write_need)
@ -51,14 +67,25 @@ class ReadRepositoryPermission(Permission):
    admin_need = _RepositoryNeed(namespace, name, 'admin')
    write_need = _RepositoryNeed(namespace, name, 'write')
    read_need = _RepositoryNeed(namespace, name, 'read')
    org_admin_need = _OrganizationNeed(namespace, 'admin')
    super(ReadRepositoryPermission, self).__init__(admin_need, write_need,
-                                                   read_need)
+                                                   read_need, org_admin_need)
 class AdministerRepositoryPermission(Permission):
  def __init__(self, namespace, name):
    admin_need = _RepositoryNeed(namespace, name, 'admin')
-    super(AdministerRepositoryPermission, self).__init__(admin_need)
+    org_admin_need = _OrganizationNeed(namespace, 'admin')
    super(AdministerRepositoryPermission, self).__init__(admin_need,
                                                         org_admin_need)
 class CreateRepositoryPermission(Permission):
  def __init__(self, namespace):
    admin_org = _OrganizationNeed(namespace, 'admin')
    create_repo_org = _OrganizationNeed(namespace, 'creator')
    super(CreateRepositoryPermission, self).__init__(admin_org,
                                                     create_repo_org)
 class UserPermission(Permission):
--- a/data/database.py
+++ b/data/database.py
@ -37,9 +37,14 @@ class User(BaseModel):
  organization = BooleanField(default=False, index=True)
 class TeamRole(BaseModel):
  name = CharField(index=True)
 class Team(BaseModel):
  name = CharField(index=True)
  organization = ForeignKeyField(User, index=True)
  role = ForeignKeyField(TeamRole)
  class Meta:
    database = db
@ -117,18 +122,6 @@ class RepositoryPermission(BaseModel):
    )
 class TeamPermission(BaseModel):
  team = ForeignKeyField(Team, index=True)
  organization = ForeignKeyField(User, index=True)
  role = ForeignKeyField(Role)
  class Meta:
    database = db
    indexes = (
      (('team', 'organization'), True),
    )
 def random_string_generator(length=16):
  def random_string():
    random = SystemRandom()
@ -212,10 +205,13 @@ def initialize_db():
                       RepositoryPermission, Visibility, RepositoryTag,
                       EmailConfirmation, FederatedLogin, LoginService,
                       QueueItem, RepositoryBuild, Team, TeamMember,
-                       TeamPermission])
+                       TeamRole])
  Role.create(name='admin')
  Role.create(name='write')
  Role.create(name='read')
  TeamRole.create(name='admin')
  TeamRole.create(name='creator')
  TeamRole.create(name='member')
  Visibility.create(name='public')
  Visibility.create(name='private')
  LoginService.create(name='github')
--- a/data/model.py
+++ b/data/model.py
@ -89,20 +89,17 @@ def create_organization(name, email, creating_user):
    new_org.save()
    # Create a team for the owners
-    owners_team = create_team('Owners', new_org)
+    owners_team = create_team('Owners', new_org, 'admin')
-    # Add the user who created the org to the owners
+    # Add the user who created the org to the owners team
    add_user_to_team(creating_user, owners_team)
    # Give the owners team admin access to the namespace
    set_team_org_permission(owners_team, new_org, 'admin')
    return new_org
  except InvalidUsernameException:
    raise InvalidOrganizationException('Invalid organization name: %s' % name)
-def create_team(name, org):
+def create_team(name, org, team_role_name):
  if not validate_username(name):
    raise InvalidTeamException('Invalid team name: %s' % name)
@ -110,27 +107,19 @@ def create_team(name, org):
    raise InvalidOrganizationException('User with name %s is not an org.' %
                                       org.username)
-  return Team.create(name=name, organization=org)
+  team_role = TeamRole.get(TeamRole.name == team_role_name)
  return Team.create(name=name, organization=org, role=team_role)
 def add_user_to_team(user, team):
  return TeamMember.create(user=user, team=team)
-def set_team_org_permission(team, org, role_name):
+def set_team_org_permission(team, org, team_role_name):
-  new_role = Role.get(Role.name == role_name)
+  new_role = TeamRole.get(TeamRole.name == tean_role_name)
-
+  team.role = new_role
-  # Fetch any existing permission for this user on the repo
+  team.save()
-  try:
+  return team
    perm = TeamPermission.get(TeamPermission.team == team,
                              TeamPermission.organization == org)
    perm.role = new_role
    perm.save()
    return perm
  except TeamPermission.DoesNotExist:
    new_perm = TeamPermission.create(team=team, organization=org,
                                     role=new_role)
    return new_perm
 def create_federated_user(username, email, service_name, service_id):
@ -327,10 +316,31 @@ def update_email(user, new_email):
 def get_all_user_permissions(user):
-  select = User.select(User, Repository, RepositoryPermission, Role)
+  select = RepositoryPermission.select(RepositoryPermission, Role, Repository)
-  with_repo = select.join(RepositoryPermission).join(Repository)
+  with_role = select.join(Role)
-  with_role = with_repo.switch(RepositoryPermission).join(Role)
+  with_repo = with_role.switch(RepositoryPermission).join(Repository)
-  return with_role.where(User.username == user.username)
+  through_user = with_repo.switch(RepositoryPermission).join(User,
                                                             JOIN_LEFT_OUTER)
  as_perm = through_user.switch(RepositoryPermission)
  through_team = as_perm.join(Team, JOIN_LEFT_OUTER).join(TeamMember,
                                                          JOIN_LEFT_OUTER)
  UserThroughTeam = User.alias()
  with_team_member = through_team.join(UserThroughTeam, JOIN_LEFT_OUTER,
                                       on=(UserThroughTeam.id ==
                                           TeamMember.user))
  return with_team_member.where((User.id == user) | 
                                (UserThroughTeam.id == user))
 def get_org_wide_permissions(user):
  Org = User.alias()
  team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
  with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==
                                                       Org.id))
  with_user = with_org.switch(Team).join(TeamMember).join(User)
  return with_user.where(User.id == user, Org.organization == True)
 def get_all_repo_teams(namespace_name, repository_name):
--- a/endpoints/api.py
+++ b/endpoints/api.py
@ -23,7 +23,8 @@ from util.names import parse_repository_name
 from util.gravatar import compute_hash
 from auth.permissions import (ReadRepositoryPermission,
                              ModifyRepositoryPermission,
-                              AdministerRepositoryPermission)
+                              AdministerRepositoryPermission,
                              CreateRepositoryPermission)
 from endpoints import registry
 from endpoints.web import common_login
 from util.cache import cache_control
@ -290,22 +291,25 @@ def get_organization_private_allowed(orgname):
@api_login_required
 def create_repo_api():
  owner = current_user.db_user()
  # TODO(jake): Verify that the user can create a repo in this namespace.
  json = request.get_json()
  namespace_name = json['namespace'] if 'namespace' in  json else owner.username
  repository_name = json['repository']
  visibility = json['visibility']
-  repo = model.create_repository(namespace_name, repository_name, owner,
+  permission = CreateRepositoryPermission(json['namespace'])
-                                 visibility)
+  if permission.can():
-  repo.description = json['description']
+    namespace_name = json['namespace'] if 'namespace' in  json else owner.username
-  repo.save()
+    repository_name = json['repository']
    visibility = json['visibility']
-  return jsonify({
+    repo = model.create_repository(namespace_name, repository_name, owner,
-    'namespace': namespace_name,
+                                   visibility)
-    'name': repository_name
+    repo.description = json['description']
-  })
+    repo.save()
    return jsonify({
      'namespace': namespace_name,
      'name': repository_name
    })
  abort(403)
@app.route('/api/find/repository', methods=['GET'])
--- a/endpoints/index.py
+++ b/endpoints/index.py
@ -13,8 +13,9 @@ from auth.auth import (process_auth, get_authenticated_user,
                       get_validated_token)
 from util.names import parse_namespace_repository, parse_repository_name
 from util.email import send_confirmation_email
-from auth.permissions import (ModifyRepositoryPermission,
+from auth.permissions import (ModifyRepositoryPermission, UserPermission,
-                              ReadRepositoryPermission, UserPermission)
+                              ReadRepositoryPermission,
                              CreateRepositoryPermission)
 logger = logging.getLogger(__name__)
@ -127,7 +128,9 @@ def create_repository(namespace, repository):
      abort(403)
  else:
-    if get_authenticated_user().username != namespace:
+    permission = CreateRepoPermission('namespace')
    if not permission.can():
      logger.info('Attempt to create a new repo with insufficient perms.')
      abort(403)
    logger.debug('Creaing repository with owner: %s' %
--- a/initdb.py
+++ b/initdb.py
@ -156,7 +156,7 @@ if __name__ == '__main__':
                                     'Repository owned by an org.', False,
                                     [], (4, [], ['latest', 'prod']))
-    reader_team = model.create_team('Readers', org)
+    reader_team = model.create_team('Readers', org, 'member')
    model.set_team_repo_permission(reader_team.name, org_repo.namespace,
                                   org_repo.name, 'read')
    model.add_user_to_team(new_user_2, reader_team)
--- a/test/data/registry/images/devtableorg/orgrepo/093fb171162b8fd665e05974a0a533b0093fb171162b8fd665e05974a0a533b0/diffs.json
+++ b/test/data/registry/images/devtableorg/orgrepo/093fb171162b8fd665e05974a0a533b0093fb171162b8fd665e05974a0a533b0/diffs.json
--- a/test/data/registry/images/devtableorg/orgrepo/6455bbcefd536a2e8c90a1dd8a73d9be6455bbcefd536a2e8c90a1dd8a73d9be/diffs.json
+++ b/test/data/registry/images/devtableorg/orgrepo/6455bbcefd536a2e8c90a1dd8a73d9be6455bbcefd536a2e8c90a1dd8a73d9be/diffs.json
@ -0,0 +1,45 @@
 {
  "removed": [], 
  "added": [
    "/opt/elasticsearch-0.90.5/LICENSE.txt", 
    "/opt/elasticsearch-0.90.5/NOTICE.txt", 
    "/opt/elasticsearch-0.90.5/README.textile", 
    "/opt/elasticsearch-0.90.5/bin/elasticsearch", 
    "/opt/elasticsearch-0.90.5/bin/elasticsearch.in.sh", 
    "/opt/elasticsearch-0.90.5/bin/plugin", 
    "/opt/elasticsearch-0.90.5/config/elasticsearch.yml", 
    "/opt/elasticsearch-0.90.5/config/logging.yml", 
    "/opt/elasticsearch-0.90.5/lib/elasticsearch-0.90.5.jar", 
    "/opt/elasticsearch-0.90.5/lib/jna-3.3.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/jts-1.12.jar", 
    "/opt/elasticsearch-0.90.5/lib/log4j-1.2.17.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-analyzers-common-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-codecs-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-core-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-grouping-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-highlighter-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-join-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-memory-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-misc-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-queries-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-queryparser-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-sandbox-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-spatial-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/lucene-suggest-4.4.0.jar", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-freebsd-6.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-linux.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-amd64-solaris.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-ia64-linux.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-sparc-solaris.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-sparc64-solaris.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-universal-macosx.dylib", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-universal64-macosx.dylib", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-freebsd-5.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-freebsd-6.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-linux.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/libsigar-x86-solaris.so", 
    "/opt/elasticsearch-0.90.5/lib/sigar/sigar-1.6.4.jar", 
    "/opt/elasticsearch-0.90.5/lib/spatial4j-0.3.jar"
  ], 
  "changed": []
 }
--- a/test/data/registry/images/devtableorg/orgrepo/e8fad6cb413b631f91d5c5292940466ae8fad6cb413b631f91d5c5292940466a/diffs.json
+++ b/test/data/registry/images/devtableorg/orgrepo/e8fad6cb413b631f91d5c5292940466ae8fad6cb413b631f91d5c5292940466a/diffs.json
--- a/test/data/registry/images/devtableorg/orgrepo/edd9b69561cdbc647d968ca679c941ecedd9b69561cdbc647d968ca679c941ec/diffs.json
+++ b/test/data/registry/images/devtableorg/orgrepo/edd9b69561cdbc647d968ca679c941ecedd9b69561cdbc647d968ca679c941ec/diffs.json
@ -0,0 +1,5 @@
 {
  "removed": [], 
  "added": [], 
  "changed": []
 }
--- a/test/data/test.db
+++ b/test/data/test.db