import logging from flask.ext.principal import (identity_loaded, UserNeed, Permission, Identity, identity_changed) from collections import namedtuple from functools import partial from data import model from app import app logger = logging.getLogger(__name__) _ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role']) _RepositoryNeed = partial(_ResourceNeed, 'repository') _OrganizationNeed = namedtuple('organization', ['orgname', 'role']) _TeamNeed = namedtuple('orgteam', ['orgname', 'teamname', 'role']) class QuayDeferredPermissionUser(Identity): def __init__(self, id, auth_type=None): super(QuayDeferredPermissionUser, self).__init__(id, auth_type) self._permissions_loaded = False def can(self, permission): if not self._permissions_loaded: logger.debug('Loading user permissions after deferring.') user_object = model.get_user(self.id) # Add the user specific permissions user_grant = UserNeed(user_object.username) self.provides.add(user_grant) # Every user is the admin of their own 'org' user_namespace = _OrganizationNeed(user_object.username, 'admin') self.provides.add(user_namespace) # Add repository permissions for perm in model.get_all_user_permissions(user_object): grant = _RepositoryNeed(perm.repository.namespace, perm.repository.name, perm.role.name) logger.debug('User added permission: {0}'.format(grant)) self.provides.add(grant) # Add namespace permissions derived for team in model.get_org_wide_permissions(user_object): grant = _OrganizationNeed(team.organization.username, team.role.name) logger.debug('Organization team added permission: {0}'.format(grant)) self.provides.add(grant) team_grant = _TeamNeed(team.organization.username, team.name, team.role.name) logger.debug('Team added permission: {0}'.format(team_grant)) self.provides.add(team_grant) self._permissions_loaded = True return super(QuayDeferredPermissionUser, self).can(permission) class ModifyRepositoryPermission(Permission): def __init__(self, namespace, name): admin_need = _RepositoryNeed(namespace, name, 'admin') write_need = _RepositoryNeed(namespace, name, 'write') org_admin_need = _OrganizationNeed(namespace, 'admin') super(ModifyRepositoryPermission, self).__init__(admin_need, write_need) class ReadRepositoryPermission(Permission): def __init__(self, namespace, name): admin_need = _RepositoryNeed(namespace, name, 'admin') write_need = _RepositoryNeed(namespace, name, 'write') read_need = _RepositoryNeed(namespace, name, 'read') org_admin_need = _OrganizationNeed(namespace, 'admin') super(ReadRepositoryPermission, self).__init__(admin_need, write_need, read_need, org_admin_need) class AdministerRepositoryPermission(Permission): def __init__(self, namespace, name): admin_need = _RepositoryNeed(namespace, name, 'admin') org_admin_need = _OrganizationNeed(namespace, 'admin') super(AdministerRepositoryPermission, self).__init__(admin_need, org_admin_need) class CreateRepositoryPermission(Permission): def __init__(self, namespace): admin_org = _OrganizationNeed(namespace, 'admin') create_repo_org = _OrganizationNeed(namespace, 'creator') super(CreateRepositoryPermission, self).__init__(admin_org, create_repo_org) class UserPermission(Permission): def __init__(self, username): user_need = UserNeed(username) super(UserPermission, self).__init__(user_need) class AdministerOrganizationPermission(Permission): def __init__(self, org_name): admin_org = _OrganizationNeed(org_name, 'admin') super(AdministerOrganizationPermission, self).__init__(admin_org) class OrganizationMemberPermission(Permission): def __init__(self, org_name): admin_org = _OrganizationNeed(org_name, 'admin') repo_creator_org = _OrganizationNeed(org_name, 'creator') org_member = _OrganizationNeed(org_name, 'member') super(OrganizationMemberPermission, self).__init__(admin_org, org_member, repo_creator_org) class ViewTeamPermission(Permission): def __init__(self, org_name, team_name): team_admin = _TeamNeed(org_name, team_name, 'admin') team_creator = _TeamNeed(org_name, team_name, 'creator') team_member = _TeamNeed(org_name, team_name, 'member') admin_org = _OrganizationNeed(org_name, 'admin') super(ViewTeamPermission, self).__init__(team_admin, team_creator, team_member, admin_org) @identity_loaded.connect_via(app) def on_identity_loaded(sender, identity): logger.debug('Identity loaded: %s' % identity) # We have verified an identity, load in all of the permissions if isinstance(identity, QuayDeferredPermissionUser): logger.debug('Deferring permissions for user: %s' % identity.id) elif identity.auth_type == 'username': switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'username') identity_changed.send(app, identity=switch_to_deferred) elif identity.auth_type == 'token': logger.debug('Loading permissions for token: %s' % identity.id) token_data = model.load_token_data(identity.id) repo_grant = _RepositoryNeed(token_data.repository.namespace, token_data.repository.name, token_data.role.name) logger.debug('Delegate token added permission: {0}'.format(repo_grant)) identity.provides.add(repo_grant) else: logger.error('Unknown identity auth type: %s' % identity.auth_type)