Merge branch 'rbac' into read_roles

2025-10-14 13:33:00 +00:00 · 2021-06-08 15:37:16 +02:00
parent 32d1e3cbea 2113f3424b
commit c92d39659b
49 changed files with 2440 additions and 814 deletions
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -35,20 +35,31 @@ class SelfAPIHandler(APIHandler):
        user = self.current_user
        if user is None:
            raise web.HTTPError(403)
+
+        _added_scopes = set()
        if isinstance(user, orm.Service):
            # ensure we have the minimal 'identify' scopes for the token owner
-            self.raw_scopes.update(scopes.identify_scopes(user))
-            self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
-            model = self.service_model(user)
+            identify_scopes = scopes.identify_scopes(user)
+            get_model = self.service_model
        else:
-            self.raw_scopes.update(scopes.identify_scopes(user.orm_user))
-            self.parsed_scopes = scopes.parse_scopes(self.raw_scopes)
-            model = self.user_model(user)
-        # validate return, should have at least kind and name,
-        # otherwise our filters did something wrong
-        for key in ("kind", "name"):
-            if key not in model:
-                raise ValueError(f"Missing identify model for {user}: {model}")
+            identify_scopes = scopes.identify_scopes(user.orm_user)
+            get_model = self.user_model
+
+        # ensure we have permission to identify ourselves
+        # all tokens can do this on this endpoint
+        for scope in identify_scopes:
+            if scope not in self.expanded_scopes:
+                _added_scopes.add(scope)
+                self.expanded_scopes.add(scope)
+        if _added_scopes:
+            # re-parse with new scopes
+            self.parsed_scopes = scopes.parse_scopes(self.expanded_scopes)
+
+        model = get_model(user)
+
+        # add scopes to identify model,
+        # but not the scopes we added to ensure we could read our own model
+        model["scopes"] = sorted(self.expanded_scopes.difference(_added_scopes))
        self.write(json.dumps(model))


@@ -338,7 +349,7 @@ class UserTokenListAPIHandler(APIHandler):
            # couldn't identify requester
            raise web.HTTPError(403)
        self._jupyterhub_user = requester
-        self._resolve_scopes()
+        self._resolve_roles_and_scopes()
        user = self.find_user(user_name)
        kind = 'user' if isinstance(requester, User) else 'service'
        scope_filter = self.get_scope_filter('users:tokens')