Oracle (#91)

* Exposed oAuth scope configuration * Integrated into ConfigFactory * Adjusted the chart * Integrated new attributes * Reformatted
neuro-inc · Jul 29, 2019 · 3d8c744 · 3d8c744
1 parent 33e692b
commit 3d8c744
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 4 deletions.
diff --git a/deploy/platformregistryapi/templates/platformregistryapi.yml b/deploy/platformregistryapi/templates/platformregistryapi.yml
@@ -63,6 +63,14 @@ spec:
             secretKeyRef:
               name: gcr-secret
               key: password
+        {{- if .Values.NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE }}
+        - name: NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE
+          value: {{ .Values.NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE }}
+        {{- end }}
+        {{- if .Values.NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS }}
+        - name: NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS
+          value: {{ .Values.NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS }}
+        {{- end }}
         {{- end }}
         {{- if eq .Values.NP_REGISTRY_UPSTREAM_TYPE "aws_ecr" }}
         - name: AWS_DEFAULT_REGION

diff --git a/platform_registry_api/api.py b/platform_registry_api/api.py
@@ -458,7 +458,9 @@ async def create_oauth_upstream(
             service=config.token_service,
             username=config.token_endpoint_username,
             password=config.token_endpoint_password,
-        )
+        ),
+        registry_catalog_scope=config.token_registry_catalog_scope,
+        repository_scope_actions=config.token_repository_scope_actions,
     )
 
 

diff --git a/platform_registry_api/config.py b/platform_registry_api/config.py
@@ -36,6 +36,8 @@ class UpstreamRegistryConfig:
     token_service: str = ""
     token_endpoint_username: str = field(repr=False, default="")
     token_endpoint_password: str = field(repr=False, default="")
+    token_registry_catalog_scope: str = "registry:catalog:*"
+    token_repository_scope_actions: str = "*"
 
     sock_connect_timeout_s: Optional[float] = 30.0
     sock_read_timeout_s: Optional[float] = 30.0
@@ -97,6 +99,14 @@ def create_upstream_registry(self) -> UpstreamRegistryConfig:
                     ],
                 )
             )
+            if "NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE" in self._environ:
+                upstream["token_registry_catalog_scope"] = self._environ[
+                    "NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE"
+                ]
+            if "NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS" in self._environ:
+                upstream["token_repository_scope_actions"] = self._environ[
+                    "NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS"
+                ]
         return UpstreamRegistryConfig(**upstream)  # type: ignore
 
     def create_auth(self) -> AuthConfig:

diff --git a/platform_registry_api/oauth.py b/platform_registry_api/oauth.py
@@ -9,6 +9,7 @@
 from yarl import URL
 
 from .cache import ExpiringCache
+from .config import UpstreamRegistryConfig
 from .typedefs import TimeFactory
 from .upstream import Upstream
 
@@ -91,9 +92,22 @@ async def get_token(self, scope: Optional[str] = None) -> OAuthToken:
 
 class OAuthUpstream(Upstream):
     def __init__(
-        self, *, client: OAuthClient, time_factory: TimeFactory = time.time
+        self,
+        *,
+        client: OAuthClient,
+        registry_catalog_scope: str = (
+            UpstreamRegistryConfig.token_registry_catalog_scope
+        ),
+        repository_scope_actions: str = (
+            UpstreamRegistryConfig.token_repository_scope_actions
+        ),
+        time_factory: TimeFactory = time.time,
     ) -> None:
         self._client = client
+        self._registry_catalog_scope = registry_catalog_scope
+        self._repository_scope_template = (
+            "repository:{repo}:" + repository_scope_actions
+        )
         self._cache = ExpiringCache[Dict[str, str]](time_factory=time_factory)
 
     async def _get_headers(self, scope: Optional[str] = None) -> Dict[str, str]:
@@ -108,7 +122,8 @@ async def get_headers_for_version(self) -> Dict[str, str]:
         return await self._get_headers()
 
     async def get_headers_for_catalog(self) -> Dict[str, str]:
-        return await self._get_headers("registry:catalog:*")
+        return await self._get_headers(self._registry_catalog_scope)
 
     async def get_headers_for_repo(self, repo: str) -> Dict[str, str]:
-        return await self._get_headers(f"repository:{repo}:*")
+        scope = self._repository_scope_template.format(repo=repo)
+        return await self._get_headers(scope)
diff --git a/tests/unit/test_config.py b/tests/unit/test_config.py
@@ -33,6 +33,8 @@ def test_defaults_oauth(self) -> None:
                 token_service="test_host",
                 token_endpoint_username="test_username",
                 token_endpoint_password="test_password",
+                token_registry_catalog_scope="registry:catalog:*",
+                token_repository_scope_actions="*",
                 max_catalog_entries=100,
             ),
             auth=AuthConfig(
@@ -55,6 +57,8 @@ def test_oauth(self) -> None:
             "NP_REGISTRY_UPSTREAM_TOKEN_PASSWORD": "test_password",
             "NP_REGISTRY_AUTH_URL": "https://test_auth",
             "NP_REGISTRY_AUTH_TOKEN": "test_auth_token",
+            "NP_REGISTRY_UPSTREAM_TOKEN_REGISTRY_SCOPE": "",
+            "NP_REGISTRY_UPSTREAM_TOKEN_REPO_SCOPE_ACTIONS": "push,pull",
         }
         config = EnvironConfigFactory(environ=environ).create()
         assert config == Config(
@@ -67,6 +71,8 @@ def test_oauth(self) -> None:
                 token_service="test_host",
                 token_endpoint_username="test_username",
                 token_endpoint_password="test_password",
+                token_registry_catalog_scope="",
+                token_repository_scope_actions="push,pull",
                 max_catalog_entries=10000,
             ),
             auth=AuthConfig(