Joseph Schorr
b5b2df2063
Make test more resilient to changes in IDs
2016-03-30 16:19:15 -04:00
Joseph Schorr
a3aa4592cf
Change permissions to only load required by default
...
Permissions now load just the namespace and/or repository permissions requested, with a fallback to a full permissions load if necessary.
2016-03-28 16:33:32 -04:00
Joseph Schorr
354f4109d0
Switch to returning an empty set when there are invalid auth scopes
2015-07-31 12:49:42 -04:00
Jake Moshenko
3efaa255e8
Accidental refactor, split out legacy.py into separate sumodules and update all call sites.
2015-07-17 11:56:15 -04:00
Jake Moshenko
bea8b9ac53
More changes for registry-v2 in python.
...
Implement the minimal changes to the local filesystem storage driver and feed them through the distributed storage driver.
Create a digest package which contains digest_tools and checksums.
Fix the tests to use the new v1 endpoint locations.
Fix repository.delete_instance to properly filter the generated queries to avoid most subquery deletes, but still generate them when not explicitly filtered.
2015-07-17 11:50:41 -04:00
Jake Moshenko
7b470237a1
The superuser capability does not require the idea of ordinality since it is a binary permission.
2015-06-30 11:02:13 -04:00
Joseph Schorr
87efcb9e3d
Delegated superuser API access
...
Add a new scope for SUPERUSER that allows delegated access to the superuser endpoints. CA needs this so they can programmatically create and remove users.
2015-06-30 11:08:26 +03:00
Jake Moshenko
03e1636ff2
Clean up log format to use lazy string substitution.
2015-06-23 17:10:03 -04:00
Joseph Schorr
8eb9c376cd
Add constructors for the QuayDeferredPermissionUser so that we can avoid extraneous DB lookups of the user whenever we already have the object
2015-05-07 15:04:12 -04:00
Jake Moshenko
3bc8b8161c
Make the AlwaysFailPermission live up to its name.
2015-02-19 16:58:13 -05:00
Jake Moshenko
78c8354174
Switch our temporary token lookups for signed grants which will not require DB access.
2015-02-19 16:54:23 -05:00
Joseph Schorr
30b895b795
Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar
2015-01-23 17:26:14 -05:00
Joseph Schorr
28d319ad26
Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).
2015-01-20 12:43:11 -05:00
Joseph Schorr
42ea3b835c
Fix NPE
2015-01-12 11:42:09 -05:00
Joseph Schorr
1bf25f25c1
WIP
2015-01-04 14:38:41 -05:00
Jimmy Zelinskie
dee4c389a8
Base sessions on UUIDs.
...
Now that a backfill has been applied, sessions can now be based on UUIDs
because all users will have one.
2014-11-20 18:44:36 -05:00
Jimmy Zelinskie
12ff4b107c
Undo sessions being driven by UUID.
...
Basing sessions on UUIDs must be done in phases. First all users
must obtain an UUID. Once a backfill has given all previous users
UUIDs and new users are being generated with UUIDs, then we can
actually change the session to be based on that value.
2014-11-20 12:57:17 -05:00
Jimmy Zelinskie
606ad21bec
Apply reviewed changes.
...
Adds a length to the UUID field, renames QuayDeferredPermissionUser
parameter id->uuid, adds transactions to backfill script.
2014-11-19 13:28:16 -05:00
Jimmy Zelinskie
9d677b8eb3
Add UUID to User model and use in cookie.
2014-11-19 13:28:16 -05:00
Jake Moshenko
03190efde3
Phase 2 of migrating repo namespaces to referencing user objects, backfilling the rows without a value for namespace_user, and changing all accesses to go through the namespace_user object. All tests are passing, manual testing still required.
2014-09-24 18:01:35 -04:00
Jake Moshenko
8626d1cd70
Initial changes to move repositories from using a namespace string to referencing a user object. Also stores the user id in the cookie rather than the username, to allow users to be renamed. This commit must not be used unmodified because the database migration is too aggressive for live migration.
2014-09-19 10:17:23 -04:00
Jake Moshenko
02e47ed572
Begin the work to allow robots and teams to be managed via API.
2014-08-05 20:53:00 -04:00
jakedt
0fd5da172e
Fix the super user default config. Slight style tweaks to the super user permission implementation.
2014-04-10 15:51:39 -04:00
Joseph Schorr
0e320c964f
- Add support for super users
...
- Add a super user API
- Add a super user interface
2014-04-10 00:26:55 -04:00
jakedt
41cfadac23
Protect the search and repository list endpoints appropriately. Add more differentiating data to some need types. Remove the notification about password change from the user admin page. Select the dependent models for the visible repo list.
2014-03-25 17:26:45 -04:00
jakedt
0992c8a47e
Fix some permissions problems still around due to some usage of scopes as strings.
2014-03-19 18:21:58 -04:00
jakedt
3b7b12085d
User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens.
2014-03-19 18:09:09 -04:00
jakedt
f2d0a2f479
Split out organization repo roles and org management roles.
2014-03-19 14:36:56 -04:00
jakedt
64071b9e8e
Add a user info scope and thread it through the code. Protect the org modification API.
2014-03-18 19:21:27 -04:00
jakedt
5bb4008880
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections.
2014-03-17 12:01:13 -04:00
jakedt
0e3fe8f3b1
Port a few more repository methods to the new API interface.
2014-03-12 20:33:57 -04:00
jakedt
e74eb3ee87
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly.
2014-03-12 16:31:37 -04:00
yackob03
d064af2800
Fix a bug where org admin was not sufficient for the modify repository permission.
2013-11-07 12:52:46 -05:00
yackob03
d14a292896
Org admins should be able to view all teams.
2013-11-04 16:44:38 -05:00
yackob03
f8d3c95b74
Fix a typo in the team need permissions.
2013-11-04 16:39:52 -05:00
yackob03
2eb7ff2442
Add a bunch of the missing permissions from the API.
2013-11-04 16:18:40 -05:00
yackob03
dd77ebd64f
Next batch of backend permissions for orgs.
2013-11-04 15:42:08 -05:00
yackob03
283f9b81ae
First stab at token auth. The UI could use a little bit of polishing.
2013-10-16 14:24:10 -04:00
yackob03
959016a6eb
Remove unnecessary calls to the database for user and permission metadata.
2013-10-15 14:48:49 -04:00
yackob03
891f992bf2
Allow for anonymous access tokens for public repositories.
2013-10-01 01:18:05 -04:00
yackob03
6bcb5cfcaa
Flesh out some permissions APIs.
2013-09-27 13:24:07 -04:00
yackob03
9278871381
Load flask principal permissions even for web and api endpoints.
2013-09-26 16:32:09 -04:00
yackob03
08446ef59e
Fix some stuff with logins and permissions, add tags to the mode.
2013-09-25 16:46:28 -04:00
yackob03
ee5ea51532
Refactor the code into modules, it was getting unweildy.
2013-09-25 12:45:12 -04:00