This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/auth/permissions.py

98 lines
3.4 KiB
Python

import logging
from flask.ext.principal import (identity_loaded, UserNeed, Permission,
Identity, identity_changed)
from collections import namedtuple
from functools import partial
from data import model
from app import app
logger = logging.getLogger(__name__)
_ResourceNeed = namedtuple('resource', ['type', 'namespace', 'name', 'role'])
_RepositoryNeed = partial(_ResourceNeed, 'repository')
class QuayDeferredPermissionUser(Identity):
def __init__(self, id, auth_type=None):
super(QuayDeferredPermissionUser, self).__init__(id, auth_type)
self._permissions_loaded = False
def can(self, permission):
if not self._permissions_loaded:
logger.debug('Loading user permissions after deferring.')
user_object = model.get_user(self.id)
for user in model.get_all_user_permissions(user_object):
grant = _RepositoryNeed(user.repositorypermission.repository.namespace,
user.repositorypermission.repository.name,
user.repositorypermission.role.name)
logger.debug('User added permission: {0}'.format(grant))
self.provides.add(grant)
self._permissions_loaded = True
return super(QuayDeferredPermissionUser, self).can(permission)
class ModifyRepositoryPermission(Permission):
def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write')
super(ModifyRepositoryPermission, self).__init__(admin_need, write_need)
class ReadRepositoryPermission(Permission):
def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin')
write_need = _RepositoryNeed(namespace, name, 'write')
read_need = _RepositoryNeed(namespace, name, 'read')
super(ReadRepositoryPermission, self).__init__(admin_need, write_need,
read_need)
class AdministerRepositoryPermission(Permission):
def __init__(self, namespace, name):
admin_need = _RepositoryNeed(namespace, name, 'admin')
super(AdministerRepositoryPermission, self).__init__(admin_need)
class UserPermission(Permission):
def __init__(self, username):
user_need = UserNeed(username)
super(UserPermission, self).__init__(user_need)
@identity_loaded.connect_via(app)
def on_identity_loaded(sender, identity):
logger.debug('Identity loaded: %s' % identity)
# We have verified an identity, load in all of the permissions
if isinstance(identity, QuayDeferredPermissionUser):
logger.debug('Deferring permissions for user: %s' % identity.id)
elif identity.auth_type == 'username':
switch_to_deferred = QuayDeferredPermissionUser(identity.id, 'username')
identity_changed.send(app, identity=switch_to_deferred)
elif identity.auth_type == 'token':
logger.debug('Computing permissions for token: %s' % identity.id)
token = model.get_token(identity.id)
if token.user:
query = model.get_user_repo_permissions(token.user, token.repository)
for permission in query:
t_grant = _RepositoryNeed(token.repository.namespace,
token.repository.name, permission.role.name)
logger.debug('Token added permission: {0}'.format(t_grant))
identity.provides.add(t_grant)
else:
logger.debug('Token was anonymous.')
else:
logger.error('Unknown identity auth type: %s' % identity.auth_type)