vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Split out organization repo roles and org management roles.

Browse source
This commit is contained in:
jakedt 2014-03-19 14:36:56 -04:00
parent 8ac67e3061
commit f2d0a2f479
2 changed files with 35 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

37
auth/permissions.py
View file

@ -14,6 +14,7 @@ logger = logging.getLogger(__name__)
_ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role']) _ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
_RepositoryNeed = partial(_ResourceNeed, 'repository') _RepositoryNeed = partial(_ResourceNeed, 'repository')
_OrganizationNeed = namedtuple('organization', ['orgname', 'role']) _OrganizationNeed = namedtuple('organization', ['orgname', 'role'])
_OrganizationRepoNeed = namedtuple('organization', ['orgname', 'role'])
_TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role']) _TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role'])
_UserNeed = namedtuple('user', ['username', 'role']) _UserNeed = namedtuple('user', ['username', 'role'])
@ -22,6 +23,12 @@ REPO_ROLES = [None, 'read', 'write', 'admin']
TEAM_ROLES = [None, 'member', 'creator', 'admin'] TEAM_ROLES = [None, 'member', 'creator', 'admin']
USER_ROLES = [None, 'read', 'admin'] USER_ROLES = [None, 'read', 'admin']
TEAM_REPO_ROLES = {
'admin': 'admin',
'creator': 'read',
'member': 'read',
}
SCOPE_MAX_REPO_ROLES = defaultdict(lambda: None) SCOPE_MAX_REPO_ROLES = defaultdict(lambda: None)
SCOPE_MAX_REPO_ROLES.update({ SCOPE_MAX_REPO_ROLES.update({
'repo:read': 'read', 'repo:read': 'read',
@ -83,8 +90,14 @@ class QuayDeferredPermissionUser(Identity):
# Every user is the admin of their own 'org' # Every user is the admin of their own 'org'
user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin')) user_namespace = _OrganizationNeed(user_object.username, self._team_role_for_scopes('admin'))
logger.debug('User namespace permission: {0}'.format(user_namespace))
self.provides.add(user_namespace) self.provides.add(user_namespace)
# Org repo roles can differ for scopes
user_repos = _OrganizationRepoNeed(user_object.username, self._repo_role_for_scopes('admin'))
logger.debug('User namespace permission: {0}'.format(user_repos))
self.provides.add(user_repos)
# Add repository permissions # Add repository permissions
for perm in model.get_all_user_permissions(user_object): for perm in model.get_all_user_permissions(user_object):
grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name, grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name,
@ -99,6 +112,13 @@ class QuayDeferredPermissionUser(Identity):
logger.debug('Organization team added permission: {0}'.format(grant)) logger.debug('Organization team added permission: {0}'.format(grant))
self.provides.add(grant) self.provides.add(grant)
team_repo_role = TEAM_REPO_ROLES[team.role.name]
org_repo_grant = _OrganizationRepoNeed(team.organization.username,
self._repo_role_for_scopes(team_repo_role))
logger.debug('Organization team added repo permission: {0}'.format(org_repo_grant))
self.provides.add(org_repo_grant)
team_grant = _TeamNeed(team.organization.username, team.name, team_grant = _TeamNeed(team.organization.username, team.name,
self._team_role_for_scopes(team.role.name)) self._team_role_for_scopes(team.role.name))
logger.debug('Team added permission: {0}'.format(team_grant)) logger.debug('Team added permission: {0}'.format(team_grant))
@ -113,9 +133,10 @@ class ModifyRepositoryPermission(Permission):
def __init__(self, namespace, name): def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write') write_need = _RepositoryNeed(namespace, name, 'write')
org_admin_need = _OrganizationNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
super(ModifyRepositoryPermission, self).__init__(admin_need, write_need, org_write_need = _OrganizationRepoNeed(namespace, 'write')
org_admin_need) super(ModifyRepositoryPermission, self).__init__(admin_need, write_need, org_admin_need,
org_write_need)
class ReadRepositoryPermission(Permission): class ReadRepositoryPermission(Permission):
@ -123,15 +144,17 @@ class ReadRepositoryPermission(Permission):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write') write_need = _RepositoryNeed(namespace, name, 'write')
read_need = _RepositoryNeed(namespace, name, 'read') read_need = _RepositoryNeed(namespace, name, 'read')
org_admin_need = _OrganizationNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
super(ReadRepositoryPermission, self).__init__(admin_need, write_need, org_write_need = _OrganizationRepoNeed(namespace, 'write')
read_need, org_admin_need) org_read_need = _OrganizationRepoNeed(namespace, 'read')
super(ReadRepositoryPermission, self).__init__(admin_need, write_need, read_need,
org_admin_need, org_read_need, org_write_need)
class AdministerRepositoryPermission(Permission): class AdministerRepositoryPermission(Permission):
def __init__(self, namespace, name): def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin') admin_need = _RepositoryNeed(namespace, name, 'admin')
org_admin_need = _OrganizationNeed(namespace, 'admin') org_admin_need = _OrganizationRepoNeed(namespace, 'admin')
super(AdministerRepositoryPermission, self).__init__(admin_need, super(AdministerRepositoryPermission, self).__init__(admin_need,
org_admin_need) org_admin_need)

6
endpoints/api/search.py
View file

@ -1,7 +1,9 @@
from endpoints.api import ApiResource, parse_args, query_param, truthy_bool, nickname, resource from endpoints.api import (ApiResource, parse_args, query_param, truthy_bool, nickname, resource,
require_scope)
from data import model from data import model
from auth.permissions import OrganizationMemberPermission, ViewTeamPermission from auth.permissions import OrganizationMemberPermission, ViewTeamPermission
from auth.auth_context import get_authenticated_user from auth.auth_context import get_authenticated_user
from auth import scopes
@resource('/v1/entities/<prefix>') @resource('/v1/entities/<prefix>')
@ -11,6 +13,7 @@ class EntitySearch(ApiResource):
@query_param('namespace', 'Namespace to use when querying for org entities.', type=str, @query_param('namespace', 'Namespace to use when querying for org entities.', type=str,
default='') default='')
@query_param('includeTeams', 'Whether to include team names.', type=truthy_bool, default=False) @query_param('includeTeams', 'Whether to include team names.', type=truthy_bool, default=False)
@require_scope(scopes.READ_USER)
@nickname('getMatchingEntities') @nickname('getMatchingEntities')
def get(self, args, prefix): def get(self, args, prefix):
""" Get a list of entities that match the specified prefix. """ """ Get a list of entities that match the specified prefix. """
@ -84,6 +87,7 @@ class FindRepositories(ApiResource):
""" Resource for finding repositories. """ """ Resource for finding repositories. """
@parse_args @parse_args
@query_param('query', 'The prefix to use when querying for repositories.', type=str, default='') @query_param('query', 'The prefix to use when querying for repositories.', type=str, default='')
@require_scope(scopes.READ_USER)
@nickname('findRepos') @nickname('findRepos')
def get(self, args): def get(self, args):
""" Get a list of repositories that match the specified prefix query. """ """ Get a list of repositories that match the specified prefix query. """