vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #1294 from coreos-inc/partialperms

Browse source 
Change permissions to only load required by default
This commit is contained in:
josephschorr 2016-03-30 16:40:40 -04:00
commit edb157c5cb
3 changed files with 187 additions and 83 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

147
auth/permissions.py
View file

@ -68,7 +68,10 @@ class QuayDeferredPermissionUser(Identity):
def __init__(self, uuid, auth_type, auth_scopes, user=None): def __init__(self, uuid, auth_type, auth_scopes, user=None):
super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type) super(QuayDeferredPermissionUser, self).__init__(uuid, auth_type)
self._permissions_loaded = False self._namespace_wide_loaded = set()
self._repositories_loaded = set()
self._personal_loaded = False
self._scope_set = auth_scopes self._scope_set = auth_scopes
self._user_object = user self._user_object = user
@ -103,17 +106,10 @@ class QuayDeferredPermissionUser(Identity):
def _user_role_for_scopes(self, role): def _user_role_for_scopes(self, role):
return self._translate_role_for_scopes(USER_ROLES, SCOPE_MAX_USER_ROLES, role) return self._translate_role_for_scopes(USER_ROLES, SCOPE_MAX_USER_ROLES, role)
def can(self, permission): def _populate_user_provides(self, user_object):
if not self._permissions_loaded: """ Populates the provides that naturally apply to a user, such as being the admin of
logger.debug('Loading user permissions after deferring for: %s', self.id) their own namespace.
user_object = self._user_object or model.user.get_user_by_uuid(self.id) """
if user_object is None:
return super(QuayDeferredPermissionUser, self).can(permission)
if ((scopes.SUPERUSER in self._scope_set or scopes.DIRECT_LOGIN in self._scope_set) and
superusers.is_superuser(user_object.username)):
logger.debug('Adding superuser to user: %s', user_object.username)
self.provides.add(_SuperUserNeed())
# Add the user specific permissions, only for non-oauth permission # Add the user specific permissions, only for non-oauth permission
user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin')) user_grant = _UserNeed(user_object.username, self._user_role_for_scopes('admin'))
@ -130,21 +126,22 @@ class QuayDeferredPermissionUser(Identity):
logger.debug('User namespace repo permission: {0}'.format(user_repos)) logger.debug('User namespace repo permission: {0}'.format(user_repos))
self.provides.add(user_repos) self.provides.add(user_repos)
# Add repository permissions if ((scopes.SUPERUSER in self._scope_set or scopes.DIRECT_LOGIN in self._scope_set) and
for perm in model.permission.get_all_user_permissions(user_object): superusers.is_superuser(user_object.username)):
repo_grant = _RepositoryNeed(perm.repository.namespace_user.username, perm.repository.name, logger.debug('Adding superuser to user: %s', user_object.username)
self._repo_role_for_scopes(perm.role.name)) self.provides.add(_SuperUserNeed())
logger.debug('User added permission: {0}'.format(repo_grant))
self.provides.add(repo_grant)
# Add namespace permissions derived def _populate_namespace_wide_provides(self, user_object, namespace_filter):
for team in model.permission.get_org_wide_permissions(user_object): """ Populates the namespace-wide provides for a particular user under a particular namespace.
This method does *not* add any provides for specific repositories.
"""
for team in model.permission.get_org_wide_permissions(user_object, org_filter=namespace_filter):
team_org_grant = _OrganizationNeed(team.organization.username, team_org_grant = _OrganizationNeed(team.organization.username,
self._team_role_for_scopes(team.role.name)) self._team_role_for_scopes(team.role.name))
logger.debug('Organization team added permission: {0}'.format(team_org_grant)) logger.debug('Organization team added permission: {0}'.format(team_org_grant))
self.provides.add(team_org_grant) self.provides.add(team_org_grant)
team_repo_role = TEAM_REPO_ROLES[team.role.name] team_repo_role = TEAM_REPO_ROLES[team.role.name]
org_repo_grant = _OrganizationRepoNeed(team.organization.username, org_repo_grant = _OrganizationRepoNeed(team.organization.username,
self._repo_role_for_scopes(team_repo_role)) self._repo_role_for_scopes(team_repo_role))
@ -156,22 +153,86 @@ class QuayDeferredPermissionUser(Identity):
logger.debug('Team added permission: {0}'.format(team_grant)) logger.debug('Team added permission: {0}'.format(team_grant))
self.provides.add(team_grant) self.provides.add(team_grant)
self._permissions_loaded = True def _populate_repository_provides(self, user_object, namespace_filter, repository_name):
""" Populates the repository-specific provides for a particular user and repository. """
if namespace_filter and repository_name:
permissions = model.permission.get_user_repository_permissions(user_object, namespace_filter,
repository_name)
else:
permissions = model.permission.get_all_user_repository_permissions(user_object)
for perm in permissions:
repo_grant = _RepositoryNeed(perm.repository.namespace_user.username, perm.repository.name,
self._repo_role_for_scopes(perm.role.name))
logger.debug('User added permission: {0}'.format(repo_grant))
self.provides.add(repo_grant)
def can(self, permission):
logger.debug('Loading user permissions after deferring for: %s', self.id)
user_object = self._user_object or model.user.get_user_by_uuid(self.id)
if user_object is None:
return super(QuayDeferredPermissionUser, self).can(permission)
# Add the user-specific provides.
if not self._personal_loaded:
self._populate_user_provides(user_object)
self._personal_loaded = True
# If we now have permission, no need to load any more permissions.
if super(QuayDeferredPermissionUser, self).can(permission):
return super(QuayDeferredPermissionUser, self).can(permission)
# Check for namespace and/or repository permissions.
perm_namespace = permission.namespace
perm_repo_name = permission.repo_name
perm_repository = None
if perm_namespace and perm_repo_name:
perm_repository = '%s/%s' % (perm_namespace, perm_repo_name)
if not perm_namespace and not perm_repo_name:
# Nothing more to load, so just check directly.
return super(QuayDeferredPermissionUser, self).can(permission)
# Lazy-load the repository-specific permissions.
if perm_repository and perm_repository not in self._repositories_loaded:
self._populate_repository_provides(user_object, perm_namespace, perm_repo_name)
self._repositories_loaded.add(perm_repository)
# If we now have permission, no need to load any more permissions.
if super(QuayDeferredPermissionUser, self).can(permission):
return super(QuayDeferredPermissionUser, self).can(permission)
# Lazy-load the namespace-wide-only permissions.
if perm_namespace and perm_namespace not in self._namespace_wide_loaded:
self._populate_namespace_wide_provides(user_object, perm_namespace)
self._namespace_wide_loaded.add(perm_namespace)
return super(QuayDeferredPermissionUser, self).can(permission) return super(QuayDeferredPermissionUser, self).can(permission)
class ModifyRepositoryPermission(Permission): class QuayPermission(Permission):
""" Base for all permissions in Quay. """
namespace = None
repo_name = None
class ModifyRepositoryPermission(QuayPermission):
def __init__(self, namespace, name): def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write') write_need = _RepositoryNeed(namespace, name, 'write')
org_admin_need = _OrganizationRepoNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
org_write_need = _OrganizationRepoNeed(namespace, 'write') org_write_need = _OrganizationRepoNeed(namespace, 'write')
self.namespace = namespace
self.repo_name = name
super(ModifyRepositoryPermission, self).__init__(admin_need, write_need, org_admin_need, super(ModifyRepositoryPermission, self).__init__(admin_need, write_need, org_admin_need,
org_write_need) org_write_need)
class ReadRepositoryPermission(Permission): class ReadRepositoryPermission(QuayPermission):
def __init__(self, namespace, name): def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write') write_need = _RepositoryNeed(namespace, name, 'write')
@ -179,70 +240,90 @@ class ReadRepositoryPermission(Permission):
org_admin_need = _OrganizationRepoNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
org_write_need = _OrganizationRepoNeed(namespace, 'write') org_write_need = _OrganizationRepoNeed(namespace, 'write')
org_read_need = _OrganizationRepoNeed(namespace, 'read') org_read_need = _OrganizationRepoNeed(namespace, 'read')
self.namespace = namespace
self.repo_name = name
super(ReadRepositoryPermission, self).__init__(admin_need, write_need, read_need, super(ReadRepositoryPermission, self).__init__(admin_need, write_need, read_need,
org_admin_need, org_read_need, org_write_need) org_admin_need, org_read_need, org_write_need)
class AdministerRepositoryPermission(Permission): class AdministerRepositoryPermission(QuayPermission):
def __init__(self, namespace, name): def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
org_admin_need = _OrganizationRepoNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
self.namespace = namespace
self.repo_name = name
super(AdministerRepositoryPermission, self).__init__(admin_need, super(AdministerRepositoryPermission, self).__init__(admin_need,
org_admin_need) org_admin_need)
class CreateRepositoryPermission(Permission): class CreateRepositoryPermission(QuayPermission):
def __init__(self, namespace): def __init__(self, namespace):
admin_org = _OrganizationNeed(namespace, 'admin') admin_org = _OrganizationNeed(namespace, 'admin')
create_repo_org = _OrganizationNeed(namespace, 'creator') create_repo_org = _OrganizationNeed(namespace, 'creator')
self.namespace = namespace
super(CreateRepositoryPermission, self).__init__(admin_org, super(CreateRepositoryPermission, self).__init__(admin_org,
create_repo_org) create_repo_org)
class SuperUserPermission(Permission): class SuperUserPermission(QuayPermission):
def __init__(self): def __init__(self):
need = _SuperUserNeed() need = _SuperUserNeed()
super(SuperUserPermission, self).__init__(need) super(SuperUserPermission, self).__init__(need)
class UserAdminPermission(Permission): class UserAdminPermission(QuayPermission):
def __init__(self, username): def __init__(self, username):
user_admin = _UserNeed(username, 'admin') user_admin = _UserNeed(username, 'admin')
super(UserAdminPermission, self).__init__(user_admin) super(UserAdminPermission, self).__init__(user_admin)
class UserReadPermission(Permission): class UserReadPermission(QuayPermission):
def __init__(self, username): def __init__(self, username):
user_admin = _UserNeed(username, 'admin') user_admin = _UserNeed(username, 'admin')
user_read = _UserNeed(username, 'read') user_read = _UserNeed(username, 'read')
super(UserReadPermission, self).__init__(user_read, user_admin) super(UserReadPermission, self).__init__(user_read, user_admin)
class AdministerOrganizationPermission(Permission): class AdministerOrganizationPermission(QuayPermission):
def __init__(self, org_name): def __init__(self, org_name):
admin_org = _OrganizationNeed(org_name, 'admin') admin_org = _OrganizationNeed(org_name, 'admin')
self.namespace = org_name
super(AdministerOrganizationPermission, self).__init__(admin_org) super(AdministerOrganizationPermission, self).__init__(admin_org)
class OrganizationMemberPermission(Permission): class OrganizationMemberPermission(QuayPermission):
def __init__(self, org_name): def __init__(self, org_name):
admin_org = _OrganizationNeed(org_name, 'admin') admin_org = _OrganizationNeed(org_name, 'admin')
repo_creator_org = _OrganizationNeed(org_name, 'creator') repo_creator_org = _OrganizationNeed(org_name, 'creator')
org_member = _OrganizationNeed(org_name, 'member') org_member = _OrganizationNeed(org_name, 'member')
self.namespace = org_name
super(OrganizationMemberPermission, self).__init__(admin_org, org_member, super(OrganizationMemberPermission, self).__init__(admin_org, org_member,
repo_creator_org) repo_creator_org)
class ViewTeamPermission(Permission): class ViewTeamPermission(QuayPermission):
def __init__(self, org_name, team_name): def __init__(self, org_name, team_name):
team_admin = _TeamNeed(org_name, team_name, 'admin') team_admin = _TeamNeed(org_name, team_name, 'admin')
team_creator = _TeamNeed(org_name, team_name, 'creator') team_creator = _TeamNeed(org_name, team_name, 'creator')
team_member = _TeamNeed(org_name, team_name, 'member') team_member = _TeamNeed(org_name, team_name, 'member')
admin_org = _OrganizationNeed(org_name, 'admin') admin_org = _OrganizationNeed(org_name, 'admin')
self.namespace = org_name
super(ViewTeamPermission, self).__init__(team_admin, team_creator, super(ViewTeamPermission, self).__init__(team_admin, team_creator,
team_member, admin_org) team_member, admin_org)
class AlwaysFailPermission(Permission): class AlwaysFailPermission(QuayPermission):
def can(self): def can(self):
return False return False

18
data/model/permission.py
View file

@ -33,7 +33,7 @@ def list_organization_member_permissions(organization, limit_to_user=None):
return query return query
def get_all_user_permissions(user): def get_all_user_repository_permissions(user):
return _get_user_repo_permissions(user) return _get_user_repo_permissions(user)
@ -41,7 +41,12 @@ def get_user_repo_permissions(user, repo):
return _get_user_repo_permissions(user, limit_to_repository_obj=repo) return _get_user_repo_permissions(user, limit_to_repository_obj=repo)
def _get_user_repo_permissions(user, limit_to_repository_obj=None): def get_user_repository_permissions(user, namespace, repo_name):
return _get_user_repo_permissions(user, limit_namespace=namespace, limit_repo_name=repo_name)
def _get_user_repo_permissions(user, limit_to_repository_obj=None, limit_namespace=None,
limit_repo_name=None):
UserThroughTeam = User.alias() UserThroughTeam = User.alias()
base_query = (RepositoryPermission base_query = (RepositoryPermission
@ -54,6 +59,9 @@ def _get_user_repo_permissions(user, limit_to_repository_obj=None):
if limit_to_repository_obj is not None: if limit_to_repository_obj is not None:
base_query = base_query.where(RepositoryPermission.repository == limit_to_repository_obj) base_query = base_query.where(RepositoryPermission.repository == limit_to_repository_obj)
elif limit_namespace and limit_repo_name:
base_query = base_query.where(Repository.name == limit_repo_name,
Namespace.username == limit_namespace)
direct = (base_query direct = (base_query
.clone() .clone()
@ -121,12 +129,16 @@ def add_prototype_permission(org, role_name, activating_user,
delegate_user=delegate_user, delegate_team=delegate_team) delegate_user=delegate_user, delegate_team=delegate_team)
def get_org_wide_permissions(user): def get_org_wide_permissions(user, org_filter=None):
Org = User.alias() Org = User.alias()
team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole) team_with_role = Team.select(Team, Org, TeamRole).join(TeamRole)
with_org = team_with_role.switch(Team).join(Org, on=(Team.organization == with_org = team_with_role.switch(Team).join(Org, on=(Team.organization ==
Org.id)) Org.id))
with_user = with_org.switch(Team).join(TeamMember).join(User) with_user = with_org.switch(Team).join(TeamMember).join(User)
if org_filter:
with_user.where(Org.username == org_filter)
return with_user.where(User.id == user, Org.organization == True) return with_user.where(User.id == user, Org.organization == True)

45
test/test_api_usage.py
View file

@ -69,11 +69,11 @@ app.register_blueprint(webhooks, url_prefix='/webhooks')
BASE_QUERY_COUNT = 0 BASE_QUERY_COUNT = 0
# The number of queries we run for logged in users on API calls. # The number of queries we run for logged in users on API calls.
BASE_LOGGEDIN_QUERY_COUNT = BASE_QUERY_COUNT + 2 BASE_LOGGEDIN_QUERY_COUNT = BASE_QUERY_COUNT + 1
# The number of queries we run for logged in users on API calls that check # The number of queries we run for logged in users on API calls that check
# access permissions. # access permissions.
BASE_ACCESS_QUERY_COUNT = BASE_LOGGEDIN_QUERY_COUNT + 1 BASE_PERM_ACCESS_QUERY_COUNT = BASE_LOGGEDIN_QUERY_COUNT + 2
NO_ACCESS_USER = 'freshuser' NO_ACCESS_USER = 'freshuser'
READ_ACCESS_USER = 'reader' READ_ACCESS_USER = 'reader'
@ -265,7 +265,7 @@ class TestUserStarredRepositoryList(ApiTestCase):
self.login(READ_ACCESS_USER) self.login(READ_ACCESS_USER)
# Queries: Base + the list query # Queries: Base + the list query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
self.getJsonResponse(StarredRepositoryList, expected_code=200) self.getJsonResponse(StarredRepositoryList, expected_code=200)
def test_star_repo_guest(self): def test_star_repo_guest(self):
@ -280,7 +280,7 @@ class TestUserStarredRepositoryList(ApiTestCase):
self.login(READ_ACCESS_USER) self.login(READ_ACCESS_USER)
# Queries: Base + the list query # Queries: Base + the list query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
json = self.getJsonResponse(StarredRepositoryList) json = self.getJsonResponse(StarredRepositoryList)
assert json['repositories'] == [] assert json['repositories'] == []
@ -686,6 +686,16 @@ class TestConductSearch(ApiTestCase):
self.assertEquals(json['results'][0]['name'], 'readers') self.assertEquals(json['results'][0]['name'], 'readers')
def test_explicit_permission(self):
self.login('reader')
json = self.getJsonResponse(ConductSearch,
params=dict(query='shared'))
self.assertEquals(1, len(json['results']))
self.assertEquals(json['results'][0]['kind'], 'repository')
self.assertEquals(json['results'][0]['name'], 'shared')
class TestGetMatchingEntities(ApiTestCase): class TestGetMatchingEntities(ApiTestCase):
def test_notinorg(self): def test_notinorg(self):
@ -1374,7 +1384,7 @@ class TestListRepos(ApiTestCase):
self.login(READ_ACCESS_USER) self.login(READ_ACCESS_USER)
# Queries: Base + the list query # Queries: Base + the list query
with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 2):
json = self.getJsonResponse(RepositoryList, params=dict(public=True)) json = self.getJsonResponse(RepositoryList, params=dict(public=True))
self.assertGreater(len(json['repositories']), 0) self.assertGreater(len(json['repositories']), 0)
@ -1393,8 +1403,8 @@ class TestListRepos(ApiTestCase):
def test_listrepos_allparams(self): def test_listrepos_allparams(self):
self.login(ADMIN_ACCESS_USER) self.login(ADMIN_ACCESS_USER)
# Queries: Base + the list query + the popularity and last modified queries # Queries: Base + the list query + the popularity and last modified queries + full perms load
with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 3): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 4):
json = self.getJsonResponse(RepositoryList, json = self.getJsonResponse(RepositoryList,
params=dict(namespace=ORGANIZATION, params=dict(namespace=ORGANIZATION,
public=False, public=False,
@ -1854,8 +1864,8 @@ class TestRepoBuilds(ApiTestCase):
def test_getrepo_nobuilds(self): def test_getrepo_nobuilds(self):
self.login(ADMIN_ACCESS_USER) self.login(ADMIN_ACCESS_USER)
# Queries: Base + the list query # Queries: Permission + the list query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(2):
json = self.getJsonResponse(RepositoryBuildList, json = self.getJsonResponse(RepositoryBuildList,
params=dict(repository=ADMIN_ACCESS_USER + '/simple')) params=dict(repository=ADMIN_ACCESS_USER + '/simple'))
@ -1864,8 +1874,8 @@ class TestRepoBuilds(ApiTestCase):
def test_getrepobuilds(self): def test_getrepobuilds(self):
self.login(ADMIN_ACCESS_USER) self.login(ADMIN_ACCESS_USER)
# Queries: Base + the list query # Queries: Permission + the list query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(2):
json = self.getJsonResponse(RepositoryBuildList, json = self.getJsonResponse(RepositoryBuildList,
params=dict(repository=ADMIN_ACCESS_USER + '/building')) params=dict(repository=ADMIN_ACCESS_USER + '/building'))
@ -2295,9 +2305,10 @@ class TestListAndDeleteTag(ApiTestCase):
def test_listtagpagination(self): def test_listtagpagination(self):
self.login(ADMIN_ACCESS_USER) self.login(ADMIN_ACCESS_USER)
latest_image = model.tag.get_tag_image(ADMIN_ACCESS_USER, "complex", "prod")
for i in xrange(1, 100): for i in xrange(1, 100):
model.tag.create_or_update_tag(ADMIN_ACCESS_USER, "complex", "tag" + str(i), model.tag.create_or_update_tag(ADMIN_ACCESS_USER, "complex", "tag" + str(i), latest_image.docker_image_id)
"1d8cbff4e0363d1826c6a0b64ef0bc501d8cbff4e0363d1826c6a0b64ef0bc50")
json = self.getJsonResponse(ListRepositoryTags, json = self.getJsonResponse(ListRepositoryTags,
params=dict(repository=ADMIN_ACCESS_USER + '/complex', page=2)) params=dict(repository=ADMIN_ACCESS_USER + '/complex', page=2))
@ -2591,12 +2602,12 @@ class TestUserRobots(ApiTestCase):
params=dict(robot_shortname='coolbot'), params=dict(robot_shortname='coolbot'),
expected_code=201) expected_code=201)
# Queries: Base + the list query # Queries: Base + the lookup query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
self.getJsonResponse(UserRobotList) self.getJsonResponse(UserRobotList)
# Queries: Base + the list query # Queries: Base + the lookup query
with assert_query_count(BASE_ACCESS_QUERY_COUNT + 1): with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
self.getJsonResponse(UserRobotList, params=dict(permissions=True)) self.getJsonResponse(UserRobotList, params=dict(permissions=True))