# Copyright (C) 2018 Foundries.io
# Author: Andy Doan <[email protected]>
import os
import jwt
from flask import request
from gavel_jwt import User
from jobserv.jsend import ApiError
from jobserv.models import Project
# Path of the file holding the HS256 secret shared with the token issuer;
# None when the deployment has not configured it (see _jwt_secret).
JWT_SECRET_FILE = os.getenv('JWT_SECRET_FILE')
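def _jwt_secret(path=None):
    """Return the shared HS256 secret used to verify bearer tokens.

    Args:
        path: Secret file to read. Defaults to the module-level
            ``JWT_SECRET_FILE`` taken from the environment; the parameter
            exists so the helper can be exercised without touching
            ``os.environ``.

    Returns:
        The file's complete contents, untouched. Whitespace is deliberately
        not stripped: tokens were minted with the secret exactly as stored,
        and normalising it here would invalidate every outstanding token.

    Raises:
        RuntimeError: no secret file is configured, or the file is empty.
            An empty HMAC key would let anyone who knows that mint tokens
            that verify, so the misconfiguration fails closed.
    """
    secret_file = JWT_SECRET_FILE if path is None else path
    if not secret_file:
        raise RuntimeError('No JWT_SECRET_FILE defined for deployment')
    with open(secret_file) as f:
        secret = f.read()
    if not secret:
        raise RuntimeError('JWT_SECRET_FILE %s is empty' % secret_file)
    return secret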
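class JobServUser(User):
    """A jobserv caller identified by a gavel-issued HS256 bearer token.

    Identity and the ``is_admin`` flag come straight from the token's
    claims, so trust is bounded by who holds the secret in
    ``JWT_SECRET_FILE``.
    """

    @staticmethod
    def _authenticate_bearer(bearer):
        """Verify a bearer token and build the user it describes.

        Args:
            bearer: The raw token text following ``Bearer ``.

        Returns:
            A JobServUser populated from the ``login``, ``email``, ``name``
            and ``is_admin`` claims.

        Raises:
            ApiError: 401 when the token fails to decode or verify, or when
                a required claim is absent.
        """
        try:
            # Pin the accepted algorithm; the token must never choose it.
            claims = jwt.decode(bearer, _jwt_secret(), algorithms=['HS256'])
        except jwt.PyJWTError as e:
            raise ApiError(401, str(e))
        try:
            return JobServUser(claims['login'], claims['email'],
                               claims['name'], claims['is_admin'])
        except KeyError as e:
            # A correctly signed token without the expected claims is still
            # unusable; report it as an auth failure rather than a 500.
            raise ApiError(401, 'Token is missing claim %s' % e)

    @classmethod
    def authenticate(clazz, request_headers):
        """Return the caller described by the Authorization header, if any.

        Args:
            request_headers: A mapping of request headers.

        Returns:
            A JobServUser for a valid ``Bearer`` token, or None when the
            Authorization header is absent or empty (anonymous caller).

        Raises:
            ApiError: 400 when the header does not use the Bearer scheme;
                401 when the token does not verify.
        """
        auth = request_headers.get('Authorization')
        if not auth:
            return None
        if not auth.startswith('Bearer '):
            # Previously the ApiError was built but never raised, so a
            # malformed header silently became an anonymous caller.
            raise ApiError(400, 'Invalid Authorization header')
        return clazz._authenticate_bearer(auth.split(' ', 1)[1])

    @staticmethod
    def get_internal():
        """Return the built-in admin identity used for service-to-service calls."""
        return JobServUser('gavin', '[email protected]', 'Gavin Gavel', True)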
def projects_list():
    """Return the query over every Project; listing is open to all callers."""
    all_projects = Project.query
    return all_projects
def project_can_access(project_path):
    """Report whether the caller may view the Builds of ``project_path``.

    Access is unconditional in this deployment, so the path plays no part
    in the decision.
    """
    del project_path  # intentionally unused: every project is readable
    return True
def run_can_access_secrets(run):
    """Report whether the caller may read a Run's ``.rundef.json``.

    Only callers accepted by assert_internal_user qualify; its ApiError is
    translated into False so the permission hook never surfaces an HTTP
    error itself. ``run`` is not consulted.
    """
    try:
        assert_internal_user()
    except ApiError:
        return False
    else:
        return True
def health_can_access(health_path):
    """Report whether the caller may read the health endpoint ``health_path``.

    All health endpoints are readable by everyone, so the path is ignored.
    """
    del health_path  # intentionally unused: access is unrestricted
    return True
def assert_internal_user():
    """Require the current Flask request to carry an admin token.

    Returns:
        The authenticated JobServUser.

    Raises:
        ApiError: 403 for anonymous or non-admin callers; whatever
            JobServUser.authenticate raises for a malformed or invalid
            token propagates unchanged.
    """
    user = JobServUser.authenticate(request.headers)
    is_admin = bool(user) and user.is_admin
    if not is_admin:
        raise ApiError(403, 'You are not allowed to perform this operation')
    return user
def assert_can_promote(project, build_id):
    """Permit promoting a Build only to admin callers.

    Delegates entirely to assert_internal_user; ``project`` and
    ``build_id`` do not influence the decision.
    """
    del project, build_id  # intentionally unused
    assert_internal_user()
def assert_can_build(project):
    """Permit triggering a Build only to admin callers.

    Delegates entirely to assert_internal_user; ``project`` does not
    influence the decision.
    """
    del project  # intentionally unused
    assert_internal_user()
def assert_worker_list():
    """Listing workers is open to everyone; there is nothing to check."""
    return None
def internal_get(url, *args, **kwargs):
    """Issue a GET to ``url`` as the built-in admin identity.

    Extra positional and keyword arguments are forwarded to
    ``authenticated_get`` unchanged.
    """
    internal = JobServUser.get_internal()
    return internal.authenticated_get(url, *args, **kwargs)
def internal_post(url, *args, **kwargs):
    """Issue a POST to ``url`` as the built-in admin identity.

    Extra positional and keyword arguments are forwarded to
    ``authenticated_post`` unchanged.
    """
    internal = JobServUser.get_internal()
    return internal.authenticated_post(url, *args, **kwargs)