Skip to content

Commit 563f831

Browse files
iberryfuliberryful
committed
Allow project_jobs api endpoints for project token
1 parent 185f903 commit 563f831

2 files changed

Lines changed: 138 additions & 8 deletions

File tree

src/api/handlers/projects/jobs.py

Lines changed: 21 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -197,7 +197,12 @@ def get(self, project_id, job_id):
197197
'''
198198
Restart job
199199
'''
200-
user_id = g.token['user']['id']
200+
user_id = None
201+
if g.token['type'] == 'user':
202+
user_id = g.token['user']['id']
203+
elif g.token['type'] == 'project':
204+
if g.token['project']['id'] != project_id:
205+
abort(400, "invalid project token")
201206

202207
job = g.db.execute_one_dict('''
203208
SELECT state, type, build_id, restarted
@@ -265,13 +270,21 @@ def get(self, project_id, job_id):
265270
if j['state'] not in restart_states and j['state'] not in ('skipped', 'queued'):
266271
abort(400, 'Some children jobs are still running')
267272

268-
result = g.db.execute_one_dict('''
269-
SELECT username
270-
FROM "user"
271-
WHERE id = %s
272-
''', [user_id])
273-
username = result['username']
274-
msg = 'Job restarted by %s\n' % username
273+
if user_id is not None:
274+
result = g.db.execute_one_dict('''
275+
SELECT username
276+
FROM "user"
277+
WHERE id = %s
278+
''', [user_id])
279+
username_or_token = result['username']
280+
else:
281+
result = g.db.execute_one_dict('''
282+
SELECT description
283+
FROM auth_token
284+
WHERE id = %s
285+
''', [g.token['id']])
286+
username_or_token = "project token " + result['description']
287+
msg = 'Job restarted by %s\n' % username_or_token
275288

276289
# Clone Jobs and adjust dependencies
277290
jobs = []

src/openpolicyagent/policies/projects_jobs.rego

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,11 @@ project_jobs_public(project){
1515
projects[i].public = true
1616
}
1717

18+
valid_project_token([token, project_id]) {
19+
token.type = "project"
20+
token.project.id = project_id
21+
}
22+
1823
# Allow GET /api/v1/projects/<id>/jobs for collaborators
1924
allow {
2025
api.method = "GET"
@@ -30,6 +35,13 @@ allow {
3035
project_jobs_public(project_id)
3136
}
3237

38+
# Allow GET /api/v1/projects/<id>/jobs for valid project token
39+
allow {
40+
api.method = "GET"
41+
api.path = ["api", "v1", "projects", project_id, "jobs"]
42+
valid_project_token([api.token, project_id])
43+
}
44+
3345
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/restart for collaborators
3446
allow {
3547
api.method = "GET"
@@ -38,6 +50,13 @@ allow {
3850
project_jobs_collaborator([api.token.user.id, project_id])
3951
}
4052

53+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/restart for valid project token
54+
allow {
55+
api.method = "GET"
56+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "restart"]
57+
valid_project_token([api.token, project_id])
58+
}
59+
4160
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/abort for collaborators
4261
allow {
4362
api.method = "GET"
@@ -46,6 +65,13 @@ allow {
4665
project_jobs_collaborator([api.token.user.id, project_id])
4766
}
4867

68+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/abort for valid project token
69+
allow {
70+
api.method = "GET"
71+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "abort"]
72+
valid_project_token([api.token, project_id])
73+
}
74+
4975
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testresults for collaborators
5076
allow {
5177
api.method = "GET"
@@ -54,13 +80,27 @@ allow {
5480
project_jobs_collaborator([api.token.user.id, project_id])
5581
}
5682

83+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testresults for valid project token
84+
allow {
85+
api.method = "GET"
86+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "testresults"]
87+
valid_project_token([api.token, project_id])
88+
}
89+
5790
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testresults if project is public
5891
allow {
5992
api.method = "GET"
6093
api.path = ["api", "v1", "projects", project_id, "jobs", _, "testresults"]
6194
project_jobs_public(project_id)
6295
}
6396

97+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testresults for valid project token
98+
allow {
99+
api.method = "GET"
100+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "testresults"]
101+
valid_project_token([api.token, project_id])
102+
}
103+
64104
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/tabs for collaborators
65105
allow {
66106
api.method = "GET"
@@ -76,6 +116,13 @@ allow {
76116
project_jobs_public(project_id)
77117
}
78118

119+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/tabs if project for valid project token
120+
allow {
121+
api.method = "GET"
122+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "tabs"]
123+
valid_project_token([api.token, project_id])
124+
}
125+
79126
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive for collaborators
80127
allow {
81128
api.method = "GET"
@@ -91,6 +138,13 @@ allow {
91138
project_jobs_public(project_id)
92139
}
93140

141+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive for valid project token
142+
allow {
143+
api.method = "GET"
144+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "archive"]
145+
valid_project_token([api.token, project_id])
146+
}
147+
94148
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive/download for collaborators
95149
allow {
96150
api.method = "GET"
@@ -106,6 +160,13 @@ allow {
106160
project_jobs_public(project_id)
107161
}
108162

163+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive/download for valid project token
164+
allow {
165+
api.method = "GET"
166+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "archive", "download"]
167+
valid_project_token([api.token, project_id])
168+
}
169+
109170
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive/download/all for collaborators
110171
allow {
111172
api.method = "GET"
@@ -121,6 +182,13 @@ allow {
121182
project_jobs_public(project_id)
122183
}
123184

185+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/archive/download/all for valid project token
186+
allow {
187+
api.method = "GET"
188+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "archive", "download", "all"]
189+
valid_project_token([api.token, project_id])
190+
}
191+
124192
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/console for collaborators
125193
allow {
126194
api.method = "GET"
@@ -136,6 +204,13 @@ allow {
136204
project_jobs_public(project_id)
137205
}
138206

207+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/console for valid project token
208+
allow {
209+
api.method = "GET"
210+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "console"]
211+
valid_project_token([api.token, project_id])
212+
}
213+
139214
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/output for collaborators
140215
allow {
141216
api.method = "GET"
@@ -151,6 +226,13 @@ allow {
151226
project_jobs_public(project_id)
152227
}
153228

229+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/output for valid project token
230+
allow {
231+
api.method = "GET"
232+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "output"]
233+
valid_project_token([api.token, project_id])
234+
}
235+
154236
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testruns for collaborators
155237
allow {
156238
api.method = "GET"
@@ -166,6 +248,13 @@ allow {
166248
project_jobs_public(project_id)
167249
}
168250

251+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/testruns for valid project token
252+
allow {
253+
api.method = "GET"
254+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "testruns"]
255+
valid_project_token([api.token, project_id])
256+
}
257+
169258
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/tests/history for collaborators
170259
allow {
171260
api.method = "GET"
@@ -181,6 +270,13 @@ allow {
181270
project_jobs_public(project_id)
182271
}
183272

273+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/tests/history for valid project token
274+
allow {
275+
api.method = "GET"
276+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "tests", "history"]
277+
valid_project_token([api.token, project_id])
278+
}
279+
184280
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/badges for collaborators
185281
allow {
186282
api.method = "GET"
@@ -196,6 +292,13 @@ allow {
196292
project_jobs_public(project_id)
197293
}
198294

295+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/badges for valid project token
296+
allow {
297+
api.method = "GET"
298+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "badges"]
299+
valid_project_token([api.token, project_id])
300+
}
301+
199302
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/stats for collaborators
200303
allow {
201304
api.method = "GET"
@@ -211,10 +314,24 @@ allow {
211314
project_jobs_public(project_id)
212315
}
213316

317+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/stats for valid project token
318+
allow {
319+
api.method = "GET"
320+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "stats"]
321+
valid_project_token([api.token, project_id])
322+
}
323+
214324
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/cache/clear for collaborators
215325
allow {
216326
api.method = "GET"
217327
api.path = ["api", "v1", "projects", project_id, "jobs", _, "cache", "clear"]
218328
api.token.type = "user"
219329
project_jobs_collaborator([api.token.user.id, project_id])
220330
}
331+
332+
# Allow GET /api/v1/projects/<project_id>/jobs/<job_id>/cache/clear for valid project token
333+
allow {
334+
api.method = "GET"
335+
api.path = ["api", "v1", "projects", project_id, "jobs", _, "cache", "clear"]
336+
valid_project_token([api.token, project_id])
337+
}

0 commit comments

Comments
 (0)