Add content guard #976
AnsibleDistribution = apps.get_model('ansible', 'AnsibleDistribution') | ||
ContentGuard = apps.get_model('galaxy', 'CollectionDownloadContentGuard') | ||
|
||
cg = ContentGuard( |
This should use `get_or_create` to initialize the object if it doesn't exist.
galaxy_ng/app/models/contentguard.py
|
||
view = CollectionArtifactDownloadView() | ||
setattr(view, "get_object", lambda: self) | ||
setattr(view, "action", "download") |
I believe the action on this view is already set to "download"
galaxy_ng/app/models/contentguard.py
from galaxy_ng.app.api.v3.viewsets import CollectionArtifactDownloadView | ||
|
||
view = CollectionArtifactDownloadView() | ||
setattr(view, "get_object", lambda: self) |
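Review bot: The `from galaxy_ng.app.api.v3.viewsets import CollectionArtifactDownloadView` line pulls an API-layer viewset into `galaxy_ng/app/models/contentguard.py`, so the model now depends on the view layer and risks a circular import; consider evaluating the access policy directly rather than instantiating a view inside the model. If the view stays, `setattr(view, "get_object", lambda: self)` uses a literal attribute name, so plain assignment (`view.get_object = lambda: self`) reads better.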
This is overriding the `get_object` function so that it always returns the content guard instance. What we need to do is make it so that `get_object` returns the collection that is being accessed.
However, looking through the access policy, it looks like the download action doesn't take any conditions, so we can probably get away without defining a `get_object` method on the viewset until we get to a point where we need to add conditions to the download function.
{
"action": ["download"],
"principal": 'authenticated',
"effect": "allow",
},
For context, DRF access policy gets passed the view that is being accessed and can optionally use 'get_object' to load the object that is being accessed and check permissions on it. Here's one example where we do that: https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/access_control/access_policy.py#L75
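The behaviour discussed in this thread, as an added illustration that is not code from the PR or from the DRF access policy library: a simplified statement evaluator showing that a statement with no condition never calls `get_object`, while a statement with an object-level condition does. `DemoPolicy`, `DemoView`, `make_request`, the `destroy` statement and `is_owner` are hypothetical names.

```python
from types import SimpleNamespace

# Simplified stand-in for an access-policy evaluator (assumption, not the library's code).
STATEMENTS = [
    # Statement quoted in the review thread: no "condition" key.
    {"action": ["download"], "principal": "authenticated", "effect": "allow"},
    # Hypothetical statement with an object-level condition, for contrast.
    {"action": ["destroy"], "principal": "authenticated", "effect": "allow",
     "condition": "is_owner"},
]

class DemoPolicy:
    """Evaluates statements for (request, view, action); the default is deny."""
    statements = STATEMENTS

    def is_owner(self, request, view):
        # Object-level check: the only place get_object() is needed.
        return view.get_object().owner == request.user.name

    def has_permission(self, request, view, action):
        allowed = False
        for st in self.statements:
            if action not in st["action"]:
                continue
            # Only "authenticated" is modelled; any other principal fails closed.
            if st["principal"] != "authenticated" or not request.user.is_authenticated:
                continue
            cond = st.get("condition")
            if cond and not getattr(self, cond)(request, view):
                continue
            if st["effect"] == "deny":
                return False  # a matching deny always wins
            allowed = True
        return allowed

class DemoView:
    """Hypothetical view that counts get_object() calls."""
    def __init__(self, obj=None):
        self.obj, self.calls = obj, 0

    def get_object(self):
        self.calls += 1
        if self.obj is None:
            raise LookupError("no object bound to this view")
        return self.obj

def make_request(name=None):
    # Constructed request: a user is authenticated only when a name is given.
    user = SimpleNamespace(name=name, is_authenticated=name is not None)
    return SimpleNamespace(user=user)
```

Once a condition is attached to an action, `get_object` has to return the object the condition is meant to inspect, otherwise the check runs against the wrong thing.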
@chouseknecht, @rochacbruno updated migration and signal.
Issue: AAH-923
ci erroring on
…RK__DEFAULT_AUTHENTICATION_CLASSES Issue: AAH-923
/retest
@@ -11,11 +11,13 @@ def permit(self, request): | |||
""" | |||
Authorize the specified request based on if the request is authenticated. | |||
""" | |||
if not (drequest := request.get("drf_request", None)): |
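Review bot: On the `if not (drequest := request.get("drf_request", None)):` line, the branch for a missing `drf_request` decides what happens to requests that never passed DRF authentication, and its body is not visible in this hunk; it should deny (fail closed) rather than fall through, and a test for a request without `drf_request` would pin that down. The explicit `None` default is redundant with `.get`, and the walrus operator requires Python 3.8 or later.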
@bmclaughlin can you provide a testing workflow for this PR? Here in comments, something like
I want to help with testing, but I checked out this PR and I don't know what to check during my manual testing.
@rochacbruno The manual testing that I've done for this PR started as:
That is working as expected. I attempted to download an uploaded collection, which now results in a 403 from the content-app. The content app is being re-enabled in #977, so I assume downloads should continue to work as they did prior to this PR.