Clarify some function names in rbac utils

IvanaH8
2021-05-26 12:04:21 +02:00
committed by Min RK
parent 2ab6c61e9a
commit e6845a68f5
4 changed files with 23 additions and 21 deletions


@@ -336,7 +336,7 @@ class UserTokenListAPIHandler(APIHandler):
# couldn't identify requester
raise web.HTTPError(403)
self._jupyterhub_user = requester
self._resolve_scopes()
self._resolve_roles_and_scopes()
user = self.find_user(user_name)
kind = 'user' if isinstance(requester, User) else 'service'
scope_filter = self.get_scope_filter('users:tokens')


@@ -87,7 +87,7 @@ class BaseHandler(RequestHandler):
except Exception:
self.log.exception("Failed to get current user")
self._jupyterhub_user = None
self._resolve_scopes()
self._resolve_roles_and_scopes()
return await maybe_future(super().prepare())
@property
@@ -416,7 +416,7 @@ class BaseHandler(RequestHandler):
self.log.exception("Error getting current user")
return self._jupyterhub_user
def _resolve_scopes(self):
def _resolve_roles_and_scopes(self):
self.raw_scopes = set()
app_log.debug("Loading and parsing scopes")
if self.current_user:


@@ -108,7 +108,7 @@ class Scope(Enum):
ALL = True
def _intersect_scopes(scopes_a, scopes_b):
def _intersect_expanded_scopes(scopes_a, scopes_b):
"""Intersect two sets of expanded scopes by comparing their permissions
Arguments:
@@ -192,7 +192,7 @@ def _intersect_scopes(scopes_a, scopes_b):
def get_scopes_for(orm_object):
"""Find scopes for a given user or token and resolve permissions
"""Find scopes for a given user or token from their roles and resolve permissions
Arguments:
orm_object: orm object or User wrapper
@@ -225,7 +225,7 @@ def get_scopes_for(orm_object):
token_scopes.remove('all')
token_scopes |= owner_scopes
intersection = _intersect_scopes(token_scopes, owner_scopes)
intersection = _intersect_expanded_scopes(token_scopes, owner_scopes)
discarded_token_scopes = token_scopes - intersection
# Not taking symmetric difference here because token owner can naturally have more scopes than token
@@ -263,7 +263,7 @@ def _check_user_in_expanded_scope(handler, user_name, scope_group_names):
return bool(set(scope_group_names) & group_names)
def _check_scope(api_handler, req_scope, **kwargs):
def _check_scope_access(api_handler, req_scope, **kwargs):
"""Check if scopes satisfy requirements
Returns True for (potentially restricted) access, False for refused access
"""
@@ -375,7 +375,7 @@ def needs_scope(*scopes):
s_kwargs[resource] = resource_value
for scope in scopes:
app_log.debug("Checking access via scope %s", scope)
has_access = _check_scope(self, scope, **s_kwargs)
has_access = _check_scope_access(self, scope, **s_kwargs)
if has_access:
return func(self, *args, **kwargs)
try:
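Review bot: The docstring of the renamed `_check_scope_access` (hunk at -263) still describes only a True/False result, while the tests updated in this commit expect `web.HTTPError` from `_check_scope_access(handler, 'read:users', user='gob')`. The function body is outside the hunk, so the exact condition is inferred, but it appears to raise when a filter is supplied and no held scope covers it. Since the rename is meant to clarify what this access check does, the docstring should state the raising path too, for example `Raises web.HTTPError when a filtered request matches none of the handler's scopes` (wording to be confirmed against the body). The `needs_scope` loop in the hunk at -375 branches on the return value, so a reader of that loop needs to know a denial can also surface as an exception.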


@@ -9,8 +9,8 @@ from tornado.httputil import HTTPServerRequest
from .. import orm
from .. import roles
from ..handlers import BaseHandler
from ..scopes import _check_scope
from ..scopes import _intersect_scopes
from ..scopes import _check_scope_access
from ..scopes import _intersect_expanded_scopes
from ..scopes import get_scopes_for
from ..scopes import needs_scope
from ..scopes import parse_scopes
@@ -49,37 +49,39 @@ def test_scope_precendence():
def test_scope_check_present():
handler = get_handler_with_scopes(['read:users'])
assert _check_scope(handler, 'read:users')
assert _check_scope(handler, 'read:users', user='maeby')
assert _check_scope_access(handler, 'read:users')
assert _check_scope_access(handler, 'read:users', user='maeby')
def test_scope_check_not_present():
handler = get_handler_with_scopes(['read:users!user=maeby'])
assert _check_scope(handler, 'read:users')
assert _check_scope_access(handler, 'read:users')
with pytest.raises(web.HTTPError):
_check_scope(handler, 'read:users', user='gob')
_check_scope_access(handler, 'read:users', user='gob')
with pytest.raises(web.HTTPError):
_check_scope(handler, 'read:users', user='gob', server='server')
_check_scope_access(handler, 'read:users', user='gob', server='server')
def test_scope_filters():
handler = get_handler_with_scopes(
['read:users', 'read:users!group=bluths', 'read:users!user=maeby']
)
assert _check_scope(handler, 'read:users', group='bluth')
assert _check_scope(handler, 'read:users', user='maeby')
assert _check_scope_access(handler, 'read:users', group='bluth')
assert _check_scope_access(handler, 'read:users', user='maeby')
def test_scope_multiple_filters():
handler = get_handler_with_scopes(['read:users!user=george_michael'])
assert _check_scope(handler, 'read:users', user='george_michael', group='bluths')
assert _check_scope_access(
handler, 'read:users', user='george_michael', group='bluths'
)
def test_scope_parse_server_name():
handler = get_handler_with_scopes(
['users:servers!server=maeby/server1', 'read:users!user=maeby']
)
assert _check_scope(handler, 'users:servers', user='maeby', server='server1')
assert _check_scope_access(handler, 'users:servers', user='maeby', server='server1')
class MockAPIHandler:
@@ -828,10 +830,10 @@ async def test_resolve_token_permissions(
),
],
)
def test_intersect_scopes(left, right, expected, should_warn, recwarn):
def test_intersect_expanded_scopes(left, right, expected, should_warn, recwarn):
# run every test in both directions, to ensure symmetry of the inputs
for a, b in [(left, right), (right, left)]:
intersection = _intersect_scopes(set(left), set(right))
intersection = _intersect_expanded_scopes(set(left), set(right))
assert intersection == set(expected)
if should_warn:
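Review bot: In `test_intersect_expanded_scopes` the loop unpacks `a, b` from `[(left, right), (right, left)]`, but the call on the next line still passes `set(left), set(right)`. Both iterations therefore use the same argument order, and the symmetry promised by the comment is never checked. In `get_scopes_for` this helper determines which token scopes are kept and which are discarded against the owner's scopes, so an order-dependent result would go unnoticed by this test. The call should read `intersection = _intersect_expanded_scopes(set(a), set(b))`. The commit only renames the call and leaves the arguments unchanged; the test body continues past the end of the hunk.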