def create_repository(
namespace, name, creating_user, visibility="private", repo_kind="image", description=None
):
namespace_user = User.get(username=namespace)
yesterday = datetime.now() - timedelta(days=1)
with db_transaction():
repo = Repository.create(
name=name,
visibility=Repository.visibility.get_id(visibility),
namespace_user=namespace_user,
kind=Repository.kind.get_id(repo_kind),
description=description,
)
RepositoryActionCount.create(repository=repo, count=0, date=yesterday)
RepositorySearchScore.create(repository=repo, score=0)
# Note: We put the admin create permission under the transaction to ensure it is created.
if creating_user and not creating_user.organization:
admin = Role.get(name="admin")
RepositoryPermission.create(user=creating_user, repository=repo, role=admin)
# Apply default permissions (only occurs for repositories under organizations)
if creating_user and not creating_user.organization and creating_user.username != namespace:
permission.apply_default_permissions(repo, creating_user)
return repo
def process(resources):
response = []
changed = True
for resource in resources:
p_state = resource["state"]
p_name = resource["name"]
try:
role = Role.get(name=p_name)
except Role.DoesNotExist:
role = None
if p_state == "absent":
if role is not None:
changed = True
role.delete_instance()
response.append("Role '%s' deleted" % p_name)
changed = True
else:
response.append("Role '%s' does not exist" % p_name)
else:
if role is None:
changed = True
role = Role.create(name=p_name)
response.append("Role '%s' created" % p_name)
else:
response.append("Role '%s' exists" % p_name)
return {"failed": False, "changed": changed, "meta": response}, 200
def update_prototype_permission(org, uid, role_name):
found = get_prototype_permission(org, uid)
if not found:
return None
new_role = Role.get(Role.name == role_name)
found.role = new_role
found.save()
return found
def create_repository(namespace,
name,
creating_user,
visibility="private",
repo_kind="image",
description=None):
namespace_user = User.get(username=namespace)
yesterday = datetime.now() - timedelta(days=1)
try:
with db_transaction():
# Check if the repository exists to avoid an IntegrityError if possible.
existing = get_repository(namespace, name)
if existing is not None:
return None
try:
repo = Repository.create(
name=name,
visibility=Repository.visibility.get_id(visibility),
namespace_user=namespace_user,
kind=Repository.kind.get_id(repo_kind),
description=description,
)
except IntegrityError as ie:
raise _RepositoryExistsException(ie)
RepositoryActionCount.create(repository=repo,
count=0,
date=yesterday)
RepositorySearchScore.create(repository=repo, score=0)
# Note: We put the admin create permission under the transaction to ensure it is created.
if creating_user and not creating_user.organization:
admin = Role.get(name="admin")
RepositoryPermission.create(user=creating_user,
repository=repo,
role=admin)
except _RepositoryExistsException as ree:
try:
return Repository.get(namespace_user=namespace_user, name=name)
except Repository.DoesNotExist:
logger.error(
"Got integrity error when trying to create repository %s/%s: %s",
namespace,
name,
ree.internal_exception,
)
return None
# Apply default permissions (only occurs for repositories under organizations)
if creating_user and not creating_user.organization and creating_user.username != namespace:
permission.apply_default_permissions(repo, creating_user)
return repo
def create_delegate_token(namespace_name,
repository_name,
friendly_name,
role="read"):
read_only = Role.get(name=role)
repo = _basequery.get_existing_repository(namespace_name, repository_name)
new_token = AccessToken.create(repository=repo,
role=read_only,
friendly_name=friendly_name,
temporary=False)
return new_token
def create_access_token(repo, role, kind=None, friendly_name=None):
role = Role.get(Role.name == role)
kind_ref = None
if kind is not None:
kind_ref = AccessTokenKind.get(AccessTokenKind.name == kind)
new_token = AccessToken.create(repository=repo,
temporary=True,
role=role,
kind=kind_ref,
friendly_name=friendly_name)
return new_token
def add_prototype_permission(org,
role_name,
activating_user,
delegate_user=None,
delegate_team=None):
new_role = Role.get(Role.name == role_name)
return PermissionPrototype.create(
org=org,
role=new_role,
activating_user=activating_user,
delegate_user=delegate_user,
delegate_team=delegate_team,
)
def __set_entity_repo_permission(entity, permission_entity_property,
namespace_name, repository_name, role_name):
repo = _basequery.get_existing_repository(namespace_name, repository_name)
new_role = Role.get(Role.name == role_name)
# Fetch any existing permission for this entity on the repo
try:
entity_attr = getattr(RepositoryPermission, permission_entity_property)
perm = RepositoryPermission.get(entity_attr == entity, RepositoryPermission.repository == repo)
perm.role = new_role
perm.save()
return perm
except RepositoryPermission.DoesNotExist:
set_entity_kwargs = {permission_entity_property: entity}
new_perm = RepositoryPermission.create(repository=repo, role=new_role, **set_entity_kwargs)
return new_perm
from app import app
from data.database import Namespace, Repository, RepositoryPermission, Role
from data.model.permission import get_user_repo_permissions
from data.model.user import get_active_users, get_nonrobot_user
DESCRIPTION = """
Fix user repositories missing admin permissions for owning user.
"""
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("users", nargs="*", help="Users to check")
parser.add_argument("-a", "--all", action="store_true", help="Check all users")
parser.add_argument("-n", "--dry-run", action="store_true", help="Don't act")
ADMIN = Role.get(name="admin")
def repos_for_namespace(namespace):
return (Repository.select(Repository.id, Repository.name,
Namespace.username).join(Namespace).where(
Namespace.username == namespace))
def has_admin(user, repo):
perms = get_user_repo_permissions(user, repo)
return any(p.role == ADMIN for p in perms)
def get_users(all_users=False, users_list=None):
if all_users:
from app import app
from data.database import Namespace, Repository, RepositoryPermission, Role
from data.model.permission import get_user_repo_permissions
from data.model.user import get_active_users, get_nonrobot_user
DESCRIPTION = '''
Fix user repositories missing admin permissions for owning user.
'''
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument('users', nargs='*', help='Users to check')
parser.add_argument('-a', '--all', action='store_true', help='Check all users')
parser.add_argument('-n', '--dry-run', action='store_true', help="Don't act")
ADMIN = Role.get(name='admin')
def repos_for_namespace(namespace):
return (Repository.select(Repository.id, Repository.name,
Namespace.username).join(Namespace).where(
Namespace.username == namespace))
def has_admin(user, repo):
perms = get_user_repo_permissions(user, repo)
return any(p.role == ADMIN for p in perms)
def get_users(all_users=False, users_list=None):
if all_users: