vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make script paths work in docker and locally for config_app

Browse source
This commit is contained in:
Sam Chow 2018-06-05 13:43:01 -04:00
parent d5db3462b9
commit e9d24dc5ff
26 changed files with 79 additions and 2248 deletions
Download patch file Download diff file Expand all files Collapse all files

19
config_app/config_endpoints/api/__init__.py
View file

@ -22,7 +22,6 @@ class ApiExceptionHandlingApi(Api):
@crossdomain(origin='*', headers=CROSS_DOMAIN_HEADERS)
def handle_error(self, error):
print('HANDLING ERROR IN API')
return super(ApiExceptionHandlingApi, self).handle_error(error)
@ -38,30 +37,12 @@ def format_date(date):
return formatdate(timegm(date.utctimetuple()))
def verify_not_prod(func):
@add_method_metadata('enterprise_only', True)
@wraps(func)
def wrapped(*args, **kwargs):
# Verify that we are not running on a production (i.e. hosted) stack. If so, we fail.
# This should never happen (because of the feature-flag on SUPER_USERS), but we want to be
# absolutely sure.
# if app.config['SERVER_HOSTNAME'].find('quay.io') >= 0:
# TODO(config_port) fixme
if False:
logger.error('!!! Super user method called IN PRODUCTION !!!')
raise StandardError()
return func(*args, **kwargs)
return wrapped
def resource(*urls, **kwargs):
def wrapper(api_resource):
if not api_resource:
return None
print('registering resource: ', urls)
api_resource.registered = True
api.add_resource(api_resource, *urls, **kwargs)
return api_resource

1
config_app/config_endpoints/api/discovery.py
View file

@ -1,3 +1,4 @@
# TODO to extract the discovery stuff into a util at the top level and then use it both here and old discovery.py
import logging
import sys
from collections import OrderedDict

13
config_app/config_endpoints/api/suconfig.py
View file

@ -6,7 +6,7 @@ import signal
from flask import abort, request
from config_app.config_endpoints.api.suconfig_models_pre_oci import pre_oci_model as model
from config_app.config_endpoints.api import resource, ApiResource, verify_not_prod, nickname, validate_json_request
from config_app.config_endpoints.api import resource, ApiResource, nickname, validate_json_request
from config_app.c_app import app, config_provider, superusers, OVERRIDE_CONFIG_DIRECTORY, ip_resolver
from auth.auth_context import get_authenticated_user
@ -58,7 +58,6 @@ class SuperUserConfig(ApiResource):
},
}
@verify_not_prod
@nickname('scGetConfig')
def get(self):
""" Returns the currently defined configuration, if any. """
@ -68,13 +67,11 @@ class SuperUserConfig(ApiResource):
}
@nickname('scUpdateConfig')
@verify_not_prod
@validate_json_request('UpdateConfig')
def put(self):
""" Updates the config override file. """
# Note: This method is called to set the database configuration before super users exists,
# so we also allow it to be called if there is no valid registry configuration setup.
# if not config_provider.config_exists() or SuperUserPermission().can():
if not config_provider.config_exists():
config_object = request.get_json()['config']
hostname = request.get_json()['hostname']
@ -124,7 +121,6 @@ class SuperUserRegistryStatus(ApiResource):
if a database is configured, and if it has any defined users.
"""
@nickname('scRegistryStatus')
@verify_not_prod
def get(self):
""" Returns the status of the registry. """
@ -174,7 +170,6 @@ class _AlembicLogHandler(logging.Handler):
@resource('/v1/superuser/setupdb')
class SuperUserSetupDatabase(ApiResource):
""" Resource for invoking alembic to setup the database. """
@verify_not_prod
@nickname('scSetupDatabase')
def get(self):
""" Invokes the alembic upgrade process. """
@ -224,14 +219,12 @@ def get_process_id(name):
class SuperUserShutdown(ApiResource):
""" Resource for sending a shutdown signal to the container. """
@verify_not_prod
@nickname('scShutdownContainer')
def post(self):
""" Sends a signal to the phusion init system to shut down the container. """
# Note: This method is called to set the database configuration before super users exists,
# so we also allow it to be called if there is no valid registry configuration setup.
# if app.config['TESTING'] or not database_has_users() or SuperUserPermission().can():
if app.config['TESTING'] or not database_has_users():
# Note: We skip if debugging locally.
if app.config.get('DEBUGGING') == True:
@ -303,7 +296,7 @@ class SuperUserCreateInitialSuperUser(ApiResource):
superusers.register_superuser(username)
# Conduct login with that user.
# TODO(config): assuming we don't need to login the user
# TODO(config): figure out if we need validation for checking logged in user stuff
# common_login(superuser_uuid)
return {
@ -336,14 +329,12 @@ class SuperUserConfigValidate(ApiResource):
}
@nickname('scValidateConfig')
@verify_not_prod
@validate_json_request('ValidateConfig')
def post(self, service):
""" Validates the given config for the given service. """
# Note: This method is called to validate the database configuration before super users exists,
# so we also allow it to be called if there is no valid registry configuration setup. Note that
# this is also safe since this method does not access any information not given in the request.
# if not config_provider.config_exists() or SuperUserPermission().can():
if not config_provider.config_exists():
config = request.get_json()['config']
validator_context = ValidatorContext.from_app(app, config, request.get_json().get('password', ''),

7
config_app/config_endpoints/api/superuser.py
View file

@ -4,7 +4,7 @@ import pathvalidate
from flask import request, jsonify
from config_app.config_endpoints.exception import InvalidRequest
from config_app.config_endpoints.api import resource, ApiResource, verify_not_prod, nickname
from config_app.config_endpoints.api import resource, ApiResource, nickname
from config_app.config_util.ssl import load_certificate, CertInvalidException
from config_app.c_app import app, config_provider
@ -19,7 +19,6 @@ class SuperUserCustomCertificate(ApiResource):
""" Resource for managing a custom certificate. """
@nickname('uploadCustomCertificate')
@verify_not_prod
def post(self, certpath):
uploaded_file = request.files['file']
if not uploaded_file:
@ -58,7 +57,6 @@ class SuperUserCustomCertificate(ApiResource):
return '', 204
@nickname('deleteCustomCertificate')
@verify_not_prod
def delete(self, certpath):
cert_full_path = config_provider.get_volume_path(EXTRA_CA_DIRECTORY, certpath)
config_provider.remove_volume_file(cert_full_path)
@ -70,7 +68,6 @@ class SuperUserCustomCertificates(ApiResource):
""" Resource for managing custom certificates. """
@nickname('getCustomCertificates')
@verify_not_prod
def get(self):
has_extra_certs_path = config_provider.volume_file_exists(EXTRA_CA_DIRECTORY)
extra_certs_found = config_provider.list_volume_directory(EXTRA_CA_DIRECTORY)
@ -107,7 +104,6 @@ class SuperUserCustomCertificates(ApiResource):
}
# TODO(config) port this endpoint when (https://github.com/quay/quay/pull/3055) merged to ensure no conflicts
@resource('/v1/superuser/keys')
class SuperUserServiceKeyManagement(ApiResource):
""" Resource for managing service keys."""
@ -142,7 +138,6 @@ class SuperUserServiceKeyManagement(ApiResource):
},
}
@verify_not_prod
@nickname('listServiceKeys')
def get(self):
keys = pre_oci_model.list_all_service_keys()

278
config_app/config_endpoints/api/superuser_models_interface.py
View file

@ -1,17 +1,8 @@
import json
from abc import ABCMeta, abstractmethod
from collections import namedtuple
from datetime import datetime
from dateutil.relativedelta import relativedelta
from six import add_metaclass
from tzlocal import get_localzone
# from app import avatar, superusers
# from buildtrigger.basehandler import BuildTriggerHandler
from data import model
from config_app.config_endpoints.api import format_date
from util.morecollections import AttrDict
def user_view(user):
@ -22,46 +13,6 @@ def user_view(user):
}
# class BuildTrigger(
# namedtuple('BuildTrigger', ['uuid', 'service_name', 'pull_robot', 'can_read', 'can_admin', 'for_build'])):
# """
# BuildTrigger represent a trigger that is associated with a build
# :type uuid: string
# :type service_name: string
# :type pull_robot: User
# :type can_read: boolean
# :type can_admin: boolean
# :type for_build: boolean
# """
#
# def to_dict(self):
# if not self.uuid:
# return None
#
# build_trigger = BuildTriggerHandler.get_handler(self)
# build_source = build_trigger.config.get('build_source')
#
# repo_url = build_trigger.get_repository_url() if build_source else None
# can_read = self.can_read or self.can_admin
#
# trigger_data = {
# 'id': self.uuid,
# 'service': self.service_name,
# 'is_active': build_trigger.is_active(),
#
# 'build_source': build_source if can_read else None,
# 'repository_url': repo_url if can_read else None,
#
# 'config': build_trigger.config if self.can_admin else {},
# 'can_invoke': self.can_admin,
# }
#
# if not self.for_build and self.can_admin and self.pull_robot:
# trigger_data['pull_robot'] = user_view(self.pull_robot)
#
# return trigger_data
class RepositoryBuild(namedtuple('RepositoryBuild',
['uuid', 'logs_archived', 'repository_namespace_user_username', 'repository_name',
'can_write', 'can_read', 'pull_robot', 'resource_key', 'trigger', 'display_name',
@ -185,9 +136,6 @@ class User(namedtuple('User', ['username', 'email', 'verified', 'enabled', 'robo
'username': self.username,
'email': self.email,
'verified': self.verified,
# todo(config) remove or add these lines from app
# 'avatar': avatar.get_data_for_user(self),
# 'super_user': superusers.is_superuser(self.username),
'enabled': self.enabled,
}
@ -205,108 +153,9 @@ class Organization(namedtuple('Organization', ['username', 'email'])):
return {
'name': self.username,
'email': self.email,
# todo(config) remove or add these lines from app
# 'avatar': avatar.get_data_for_org(self),
}
class LogEntry(
namedtuple('LogEntry', [
'metadata_json', 'ip', 'datetime', 'performer_email', 'performer_username', 'performer_robot',
'account_organization', 'account_username', 'account_email', 'account_robot', 'kind',
])):
"""
LogEntry a single log entry.
:type metadata_json: string
:type ip: string
:type datetime: string
:type performer_email: int
:type performer_username: string
:type performer_robot: boolean
:type account_organization: boolean
:type account_username: string
:type account_email: string
:type account_robot: boolean
:type kind_id: int
"""
def to_dict(self):
view = {
'kind': self.kind,
'metadata': json.loads(self.metadata_json),
'ip': self.ip,
'datetime': format_date(self.datetime),
}
if self.performer_username:
performer = AttrDict({'username': self.performer_username, 'email': self.performer_email})
performer.robot = None
if self.performer_robot:
performer.robot = self.performer_robot
view['performer'] = {
'kind': 'user',
'name': self.performer_username,
'is_robot': self.performer_robot,
# todo(config) remove or add these lines from app
# 'avatar': avatar.get_data_for_user(performer),
}
if self.account_username:
account = AttrDict({'username': self.account_username, 'email': self.account_email})
if self.account_organization:
view['namespace'] = {
'kind': 'org',
'name': self.account_username,
# todo(config) remove or add these lines from app
# 'avatar': avatar.get_data_for_org(account),
}
else:
account.robot = None
if self.account_robot:
account.robot = self.account_robot
view['namespace'] = {
'kind': 'user',
'name': self.account_username,
# todo(config) remove or add these lines from app
# 'avatar': avatar.get_data_for_user(account),
}
return view
class LogEntryPage(
namedtuple('LogEntryPage', ['logs', 'next_page_token'])):
"""
LogEntryPage represents a single page of logs.
:type logs: [LogEntry]
:type next_page_token: {any -> any}
"""
class AggregatedLogEntry(
namedtuple('AggregatedLogEntry', ['count', 'kind_id', 'day', 'start_time'])):
"""
AggregatedLogEntry represents an aggregated view of logs.
:type count: int
:type kind_id: int
:type day: string
:type start_time: Date
"""
def to_dict(self):
synthetic_date = datetime(self.start_time.year, self.start_time.month, int(self.day), tzinfo=get_localzone())
if synthetic_date.day < self.start_time.day:
synthetic_date = synthetic_date + relativedelta(months=1)
kinds = model.log.get_log_entry_kinds()
view = {
'kind': kinds[self.kind_id],
'count': self.count,
'datetime': format_date(synthetic_date),
}
return view
@add_metaclass(ABCMeta)
@ -314,135 +163,8 @@ class SuperuserDataInterface(object):
"""
Interface that represents all data store interactions required by a superuser api.
"""
@abstractmethod
def get_logs_query(self, start_time, end_time, page_token=None):
"""
Returns a LogEntryPage.
"""
@abstractmethod
def get_aggregated_logs(self, start_time, end_time):
"""
Returns a list of AggregatedLogEntry
"""
@abstractmethod
def get_organizations(self):
"""
Returns a list of Organization
"""
@abstractmethod
def get_active_users(self):
"""
Returns a list of User
"""
@abstractmethod
def create_install_user(self, username, password, email):
"""
Returns the created user and confirmation code for email confirmation
"""
@abstractmethod
def get_nonrobot_user(self, username):
"""
Returns a User
"""
@abstractmethod
def create_reset_password_email_code(self, email):
"""
Returns a recover password code
"""
@abstractmethod
def mark_user_for_deletion(self, username):
"""
Returns None
"""
@abstractmethod
def change_password(self, username, password):
"""
Returns None
"""
@abstractmethod
def update_email(self, username, email, auto_verify):
"""
Returns None
"""
@abstractmethod
def update_enabled(self, username, enabled):
"""
Returns None
"""
@abstractmethod
def take_ownership(self, namespace, authed_user):
"""
Returns id of entity and whether the entity was a user
"""
@abstractmethod
def mark_organization_for_deletion(self, name):
"""
Returns None
"""
@abstractmethod
def change_organization_name(self, old_org_name, new_org_name):
"""
Returns updated Organization
"""
@abstractmethod
def list_all_service_keys(self):
"""
Returns a list of service keys
"""
@abstractmethod
def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None, rotation_duration=None):
"""
Returns a tuple of private key and public key id
"""
@abstractmethod
def approve_service_key(self, kid, approver, approval_type, notes=''):
"""
Returns the approved Key
"""
@abstractmethod
def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
"""
Returns ServiceKey
"""
@abstractmethod
def set_key_expiration(self, kid, expiration_date):
"""
Returns None
"""
@abstractmethod
def update_service_key(self, kid, name=None, metadata=None):
"""
Returns None
"""
@abstractmethod
def delete_service_key(self, kid):
"""
Returns deleted ServiceKey
"""
@abstractmethod
def get_repository_build(self, uuid):
"""
Returns RepositoryBuild
"""

243
config_app/config_endpoints/api/superuser_models_pre_oci.py
View file

@ -2,36 +2,6 @@ from data import model
from config_app.config_endpoints.api.superuser_models_interface import SuperuserDataInterface, User, ServiceKey, Approval
#
# def _create_log(log, log_kind):
# account_organization = None
# account_username = None
# account_email = None
# account_robot = None
# try:
# account_organization = log.account.organization
# account_username = log.account.username
# account_email = log.account.email
# account_robot = log.account.robot
# except AttributeError:
# pass
#
# performer_robot = None
# performer_username = None
# performer_email = None
#
# try:
# performer_robot = log.performer.robot
# performer_username = log.performer.username
# performer_email = log.performer.email
# except AttributeError:
# pass
#
# return LogEntry(log.metadata_json, log.ip, log.datetime, performer_email, performer_username,
# performer_robot, account_organization, account_username,
# account_email, account_robot, log_kind[log.kind_id])
def _create_user(user):
if user is None:
return None
@ -46,18 +16,6 @@ def _create_key(key):
return ServiceKey(key.name, key.kid, key.service, key.jwk, key.metadata, key.created_date, key.expiration_date,
key.rotation_duration, approval)
#
#
# class ServiceKeyDoesNotExist(Exception):
# pass
#
#
# class ServiceKeyAlreadyApproved(Exception):
# pass
#
#
# class InvalidRepositoryBuildException(Exception):
# pass
class PreOCIModel(SuperuserDataInterface):
@ -65,210 +23,9 @@ class PreOCIModel(SuperuserDataInterface):
PreOCIModel implements the data model for the SuperUser using a database schema
before it was changed to support the OCI specification.
"""
def get_logs_query(self, start_time, end_time, page_token=None):
pass
def get_aggregated_logs(self, start_time, end_time):
pass
def get_organizations(self):
pass
def get_active_users(self):
pass
def create_install_user(self, username, password, email):
pass
def get_nonrobot_user(self, username):
pass
def create_reset_password_email_code(self, email):
pass
def mark_user_for_deletion(self, username):
pass
def change_password(self, username, password):
pass
def update_email(self, username, email, auto_verify):
pass
def update_enabled(self, username, enabled):
pass
def take_ownership(self, namespace, authed_user):
pass
def mark_organization_for_deletion(self, name):
pass
def change_organization_name(self, old_org_name, new_org_name):
pass
def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None, rotation_duration=None):
pass
def approve_service_key(self, kid, approver, approval_type, notes=''):
pass
def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
pass
def set_key_expiration(self, kid, expiration_date):
pass
def update_service_key(self, kid, name=None, metadata=None):
pass
def delete_service_key(self, kid):
pass
def get_repository_build(self, uuid):
pass
# def get_repository_build(self, uuid):
# try:
# build = model.build.get_repository_build(uuid)
# except model.InvalidRepositoryBuildException as e:
# raise InvalidRepositoryBuildException(e.message)
#
# repo_namespace = build.repository_namespace_user_username
# repo_name = build.repository_name
#
# can_read = ReadRepositoryPermission(repo_namespace, repo_name).can()
# can_write = ModifyRepositoryPermission(repo_namespace, repo_name).can()
# can_admin = AdministerRepositoryPermission(repo_namespace, repo_name).can()
# job_config = get_job_config(build.job_config)
# phase, status, error = _get_build_status(build)
# url = userfiles.get_file_url(self.resource_key, request.remote_addr, requires_cors=True)
#
# return RepositoryBuild(build.uuid, build.logs_archived, repo_namespace, repo_name, can_write, can_read,
# _create_user(build.pull_robot), build.resource_key,
# BuildTrigger(build.trigger.uuid, build.trigger.service.name,
# _create_user(build.trigger.pull_robot), can_read, can_admin, True),
# build.display_name, build.display_name, build.started, job_config, phase, status, error, url)
#
# def delete_service_key(self, kid):
# try:
# key = model.service_keys.delete_service_key(kid)
# except model.ServiceKeyDoesNotExist:
# raise ServiceKeyDoesNotExist
# return _create_key(key)
#
# def update_service_key(self, kid, name=None, metadata=None):
# model.service_keys.update_service_key(kid, name, metadata)
#
# def set_key_expiration(self, kid, expiration_date):
# model.service_keys.set_key_expiration(kid, expiration_date)
#
# def get_service_key(self, kid, service=None, alive_only=True, approved_only=True):
# try:
# key = model.service_keys.get_service_key(kid, approved_only=approved_only, alive_only=alive_only)
# return _create_key(key)
# except model.ServiceKeyDoesNotExist:
# raise ServiceKeyDoesNotExist
#
# def approve_service_key(self, kid, approver, approval_type, notes=''):
# try:
# key = model.service_keys.approve_service_key(kid, approver, approval_type, notes=notes)
# return _create_key(key)
# except model.ServiceKeyDoesNotExist:
# raise ServiceKeyDoesNotExist
# except model.ServiceKeyAlreadyApproved:
# raise ServiceKeyAlreadyApproved
#
# def generate_service_key(self, service, expiration_date, kid=None, name='', metadata=None, rotation_duration=None):
# (private_key, key) = model.service_keys.generate_service_key(service, expiration_date, metadata=metadata, name=name)
#
# return private_key, key.kid
def list_all_service_keys(self):
keys = model.service_keys.list_all_keys()
return [_create_key(key) for key in keys]
# def change_organization_name(self, old_org_name, new_org_name):
# org = model.organization.get_organization(old_org_name)
# if new_org_name is not None:
# org = model.user.change_username(org.id, new_org_name)
#
# return Organization(org.username, org.email)
#
# def mark_organization_for_deletion(self, name):
# org = model.organization.get_organization(name)
# model.user.mark_namespace_for_deletion(org, all_queues, namespace_gc_queue, force=True)
#
# def take_ownership(self, namespace, authed_user):
# entity = model.user.get_user_or_org(namespace)
# if entity is None:
# return None, False
#
# was_user = not entity.organization
# if entity.organization:
# # Add the superuser as an admin to the owners team of the org.
# model.organization.add_user_as_admin(authed_user, entity)
# else:
# # If the entity is a user, convert it to an organization and add the current superuser
# # as the admin.
# model.organization.convert_user_to_organization(entity, authed_user)
# return entity.id, was_user
#
# def update_enabled(self, username, enabled):
# user = model.user.get_nonrobot_user(username)
# model.user.update_enabled(user, bool(enabled))
#
# def update_email(self, username, email, auto_verify):
# user = model.user.get_nonrobot_user(username)
# model.user.update_email(user, email, auto_verify)
#
# def change_password(self, username, password):
# user = model.user.get_nonrobot_user(username)
# model.user.change_password(user, password)
#
# def mark_user_for_deletion(self, username):
# user = model.user.get_nonrobot_user(username)
# model.user.mark_namespace_for_deletion(user, all_queues, namespace_gc_queue, force=True)
#
# def create_reset_password_email_code(self, email):
# code = model.user.create_reset_password_email_code(email)
# return code.code
#
# def get_nonrobot_user(self, username):
# user = model.user.get_nonrobot_user(username)
# if user is None:
# return None
# return _create_user(user)
#
# def create_install_user(self, username, password, email):
# prompts = model.user.get_default_user_prompts(features)
# user = model.user.create_user(username, password, email, auto_verify=not features.MAILING,
# email_required=features.MAILING, prompts=prompts)
#
# return_user = _create_user(user)
# # If mailing is turned on, send the user a verification email.
# if features.MAILING:
# confirmation = model.user.create_confirm_email_code(user)
# return return_user, confirmation.code
# return return_user, ''
#
# def get_active_users(self, disabled=True):
# users = model.user.get_active_users(disabled=disabled)
# return [_create_user(user) for user in users]
#
# def get_organizations(self):
# return [Organization(org.username, org.email) for org in model.organization.get_organizations()]
#
# def get_aggregated_logs(self, start_time, end_time):
# aggregated_logs = model.log.get_aggregated_logs(start_time, end_time)
# return [AggregatedLogEntry(log.count, log.kind_id, log.day, start_time) for log in aggregated_logs]
#
# def get_logs_query(self, start_time, end_time, page_token=None):
# logs_query = model.log.get_logs_query(start_time, end_time)
# logs, next_page_token = model.modelutil.paginate(logs_query, database.LogEntry, descending=True,
# page_token=page_token, limit=20)
# kinds = model.log.get_log_entry_kinds()
# return LogEntryPage([_create_log(log, kinds) for log in logs], next_page_token)
pre_oci_model = PreOCIModel()

13
config_app/config_endpoints/api/user.py
View file

@ -1,4 +1,6 @@
from auth.auth_context import get_authenticated_user
from config_app.config_endpoints.api import resource, ApiResource, nickname
from config_app.config_endpoints.api.superuser_models_interface import user_view
@resource('/v1/user/')
@ -8,11 +10,10 @@ class User(ApiResource):
@nickname('getLoggedInUser')
def get(self):
""" Get user information for the authenticated user. """
# user = get_authenticated_user()
user = get_authenticated_user()
# TODO(config): figure out if we need user validation
# if user is None or user.organization or not UserReadPermission(user.username).can():
# raise InvalidToken("Requires authentication", payload={'session_required': False})
# return user_view(user)
return {
'anonymous': False,
# 'username': user.username,
}
return user_view(user)