Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly.

auth/permissions.py

@@ -18,40 +18,78 @@ _OrganizationNeed = namedtuple('organization', ['orgname', 'role'])
 _TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role'])
 
 
+REPO_ROLES = [None, 'read', 'write', 'admin']
+TEAM_ROLES = [None, 'member', 'creator', 'admin']
+
+SCOPE_MAX_REPO_ROLES = {
+  'repo:read': 'read',
+  'repo:write': 'write',
+  'repo:admin': 'admin',
+  'repo:create': None,
+}
+
+SCOPE_MAX_TEAM_ROLES = {
+  'repo:read': None,
+  'repo:write': None,
+  'repo:admin': None,
+  'repo:create': 'creator',
+}
+
 class QuayDeferredPermissionUser(Identity):
-  def __init__(self, id, auth_type=None):
+  def __init__(self, id, auth_type=None, scopes=None):
     super(QuayDeferredPermissionUser, self).__init__(id, auth_type)
 
     self._permissions_loaded = False
+    self._scope_set = scopes
+
+  def _translate_role_for_scopes(self, cardinality, max_roles, role):
+    if self._scope_set is None:
+      return role
+
+    max_for_scopes = max({cardinality.index(max_roles[scope]) for scope in self._scope_set})
+
+    if max_for_scopes < cardinality.index(role):
+      logger.debug('Translated permission %s -> %s', role, cardinality[max_for_scopes])
+      return cardinality[max_for_scopes]
+    else:
+      return role
+
+  def _team_role_for_scopes(self, role):
+    return self._translate_role_for_scopes(TEAM_ROLES, SCOPE_MAX_TEAM_ROLES, role)
+
+  def _repo_role_for_scopes(self, role):
+    return self._translate_role_for_scopes(REPO_ROLES, SCOPE_MAX_REPO_ROLES, role)
 
   def can(self, permission):
     if not self._permissions_loaded:
       logger.debug('Loading user permissions after deferring.')
       user_object = model.get_user(self.id)
 
-      # Add the user specific permissions
-      user_grant = UserNeed(user_object.username)
-      self.provides.add(user_grant)
+      # Add the user specific permissions, only for non-oauth permission
+      if self._scope_set is None:
+        user_grant = UserNeed(user_object.username)
+        self.provides.add(user_grant)
 
       # Every user is the admin of their own 'org'
-      user_namespace = _OrganizationNeed(user_object.username, 'admin')
+      user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin'))
       self.provides.add(user_namespace)
 
       # Add repository permissions
       for perm in model.get_all_user_permissions(user_object):
-        grant = _RepositoryNeed(perm.repository.namespace,
-                                perm.repository.name, perm.role.name)
+        grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name,
+                                self._repo_role_for_scopes(perm.role.name))
         logger.debug('User added permission: {0}'.format(grant))
         self.provides.add(grant)
 
       # Add namespace permissions derived
       for team in model.get_org_wide_permissions(user_object):
-        grant = _OrganizationNeed(team.organization.username, team.role.name)
+        grant = _OrganizationNeed(team.organization.username,
+                                  self._team_role_for_scopes(team.role.name))
         logger.debug('Organization team added permission: {0}'.format(grant))
         self.provides.add(grant)
 
         team_grant = _TeamNeed(team.organization.username, team.name,
-                               team.role.name)
+                               self._team_role_for_scopes(team.role.name))
         logger.debug('Team added permission: {0}'.format(team_grant))
         self.provides.add(team_grant)