Updated distribution creation policy.

closes #8244 https://pulp.plan.io/issues/8244
pulp · Jun 11, 2021 · b3d4fab · b3d4fab
1 parent 862e0e6
commit b3d4fab
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 1 deletion.
diff --git a/CHANGES/8244.bugfix b/CHANGES/8244.bugfix
@@ -0,0 +1 @@
+Updated distribution creation policy.
diff --git a/pulp_container/app/access_policy.py b/pulp_container/app/access_policy.py
@@ -30,6 +30,20 @@ def has_namespace_obj_perms(self, request, view, action, permission):
                     return True
         return False
 
+    def has_namespace_perms(self, request, view, action, permission):
+        """
+        Check if a user has a namespace-level perms
+        """
+        ns_perm = "container.namespace_{}".format(permission.split(".", 1)[1])
+        base_path = request.data.get("base_path")
+        namespace = base_path.split("/")[0]
+        try:
+            namespace = models.ContainerNamespace.objects.get(name=namespace)
+        except models.ContainerNamespace.DoesNotExist:
+            return False
+        else:
+            return request.user.has_perm(permission) or request.user.has_perm(ns_perm, namespace)
+
     def has_namespace_or_obj_perms(self, request, view, action, permission):
         """
         Check if a user has a namespace-level perms or object-level permission
@@ -54,6 +68,22 @@ def is_private(self, request, view, action):
         """
         return view.get_object().private
 
+    def namespace_is_username(self, request, view, action):
+        """
+        Check if the namespace in the request matches the username.
+        """
+        base_path = request.data.get("base_path")
+        namespace = base_path.split("/")[0]
+        return namespace == request.user.username
+
+    def has_namespace_model_perms(self, request, view, action):
+        """
+        Check ifthe user can create namespaces.
+        """
+        if request.user.has_perm("container.add_containernamespace"):
+            return True
+        return False
+
 
 class NamespacedAccessPolicyFromDB(AccessPolicyFromDB, NamespacedAccessPolicyMixin):
     """

diff --git a/pulp_container/app/viewsets.py b/pulp_container/app/viewsets.py
@@ -997,7 +997,19 @@ class ContainerDistributionViewSet(DistributionViewSet):
                 "action": ["create"],
                 "principal": "authenticated",
                 "effect": "allow",
-                "condition": "has_model_perms:container.add_containerdistribution",
+                "condition": "has_namespace_model_perms",
+            },
+            {
+                "action": ["create"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_namespace_perms:container.add_containerdistribution",
+            },
+            {
+                "action": ["create"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "namespace_is_username",
             },
             {
                 "action": ["retrieve"],

diff --git a/pulp_container/tests/functional/api/test_push_content.py b/pulp_container/tests/functional/api/test_push_content.py
@@ -285,6 +285,24 @@ def test_matching_username(self):
         with self.assertRaises(exceptions.CalledProcessError):
             self._push(image_path, invalid_local_url, self.user_helpless)
 
+        # test you can create distribution under the namespace that matches login
+        repo_name2 = f"{namespace_name}/matching2"
+        distribution = {"name": repo_name2, "base_path": repo_name2, "private": True}
+        distribution_response = self.user_helpless["distribution_api"].create(distribution)
+        created_resources = monitor_task(distribution_response.task).created_resources
+        distribution = self.user_helpless["distribution_api"].read(created_resources[0])
+
+        # cleanup, namespace removal also removes related distributions
+        namespace = self.namespace_api.list(name=namespace_name).results[0]
+        namespace_response = self.namespace_api.delete(namespace.pulp_href)
+        monitor_task(namespace_response.task)
+
+        # test you can create distribution if namespace does not exist but matches login
+        distribution = {"name": repo_name, "base_path": repo_name, "private": True}
+        distribution_response = self.user_helpless["distribution_api"].create(distribution)
+        created_resources = monitor_task(distribution_response.task).created_resources
+        distribution = self.user_helpless["distribution_api"].read(created_resources[0])
+
         # cleanup, namespace removal also removes related distributions
         namespace = self.namespace_api.list(name=namespace_name).results[0]
         self.addCleanup(self.namespace_api.delete, namespace.pulp_href)