Commit
f3c0b0d0
authored
2 years ago
by
Erwan Rouchet
Committed by
Bastien Abadie
2 years ago
Allow task auth on RetrieveSecret and UpdateWorkerActivity
parent
a2fbcd94
Changes
3
Showing
3 changed files
arkindex/ponos/api.py
+5
-3
5 additions, 3 deletions
arkindex/ponos/api.py
arkindex/ponos/permissions.py
+21
-8
21 additions, 8 deletions
arkindex/ponos/permissions.py
arkindex/process/api.py
+5
-4
5 additions, 4 deletions
arkindex/process/api.py
with
31 additions
and
15 deletions
arkindex/ponos/api.py
+
5
−
3
...
...
@@ -26,7 +26,7 @@ from arkindex.ponos.models import Agent, Artifact, Farm, Secret, State, Task, Wo
from
arkindex.ponos.permissions
import
(
IsAgent
,
IsAgentOrArtifactAdmin
,
IsAgentOr
Internal
,
IsAgentOr
Task
,
IsAgentOrTaskAdmin
,
IsAssignedAgentOrReadOnly
,
)
...
...
@@ -411,10 +411,12 @@ class TaskUpdate(UpdateAPIView):
)
class
SecretDetails
(
RetrieveAPIView
):
"""
Retrieve a Ponos secret content as cleartext
Retrieve a Ponos secret content as cleartext.
Requires authentication as an internal user, a Ponos agent or a Ponos task.
"""
permission_classes
=
(
IsAgentOr
Internal
,
)
permission_classes
=
(
IsAgentOr
Task
,
)
serializer_class
=
ClearTextSecretSerializer
def
get_object
(
self
):
...
...
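Review bot: `permission_classes = (IsAgentOrTask,)` on `SecretDetails` only establishes that the caller is some Ponos agent, Ponos task or internal user; nothing in the visible lines ties the secret being read to the task that authenticated. Because this endpoint returns the secret as cleartext, `get_object` (its body lies outside the hunk) should be checked to confirm that it limits the lookup to secrets the task in `request.auth` is entitled to, or an object-level check should be added. The same question applies to `UpdateWorkerActivity` in arkindex/process/api.py, which moves from `IsInternal` to `IsTask` in this commit. If the scoping does live in `get_object`, a comment above `permission_classes` such as `# Per-task scoping of the secret is enforced in get_object, not by IsAgentOrTask` would make that reviewable.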
arkindex/ponos/permissions.py
+
21
−
8
...
...
@@ -5,19 +5,28 @@ from arkindex.project.mixins import CorpusACLMixin
from
arkindex.project.permissions
import
IsAuthenticated
,
require_internal
def
require_agent
(
request
,
view
):
def
require_agent
_or_admin
(
request
,
view
):
return
getattr
(
request
.
user
,
'
is_admin
'
,
False
)
or
getattr
(
request
.
user
,
'
is_agent
'
,
False
)
def
require_agent_or_internal
(
request
,
view
):
return
require_internal
(
request
,
view
)
or
getattr
(
request
.
user
,
'
is_agent
'
,
False
)
def
require_task
(
request
,
view
):
# For backwards compatibility, internal users are considered to be authenticated as a Ponos task.
# TODO: Remove the internal check once APIs should be restricted to the new authentication
return
isinstance
(
request
.
auth
,
Task
)
or
require_internal
(
request
,
view
)
def
require_agent_or_task
(
request
,
view
):
return
(
getattr
(
request
.
user
,
'
is_agent
'
,
False
)
or
require_task
(
request
,
view
)
)
class
IsAgent
(
IsAuthenticated
):
"""
Only allow Ponos agents and admins.
"""
checks
=
IsAuthenticated
.
checks
+
(
require_agent
,
)
checks
=
IsAuthenticated
.
checks
+
(
require_agent
_or_admin
,
)
class
IsAgentOrReadOnly
(
IsAgent
):
...
...
@@ -59,7 +68,7 @@ class IsAgentOrTaskAdmin(CorpusACLMixin, IsAuthenticated):
self
.
request
=
request
return
(
require_agent
(
request
,
view
)
require_agent
_or_admin
(
request
,
view
)
or
require_internal
(
request
,
view
)
or
(
task
.
workflow
.
process
is
not
None
...
...
@@ -79,8 +88,12 @@ class IsAgentOrArtifactAdmin(IsAgentOrTaskAdmin):
return
super
().
has_object_permission
(
request
,
view
,
artifact
.
task
)
class
IsAgentOrInternal
(
IsAuthenticated
):
class
IsTask
(
IsAuthenticated
):
checks
=
(
require_task
,
)
class
IsAgentOrTask
(
IsAuthenticated
):
"""
Allow access to agents or
internal users, and not admin
s.
Allow access to
Ponos
agents or
task
s.
"""
checks
=
(
require_agent_or_
internal
,
)
checks
=
(
require_agent_or_
task
,
)
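Review bot: In the `@@ -79,8 +88,12 @@` hunk, `IsTask` and `IsAgentOrTask` assign `checks = (require_task,)` and `checks = (require_agent_or_task,)` outright, whereas `IsAgent` extends `IsAuthenticated.checks`, so whatever the base checks enforce is not applied to these two classes. If that is deliberate because a task-authenticated request is identified through `request.auth` rather than a regular user, state it in a comment on each class, e.g. `# Replaces the base checks on purpose: task auth is carried by request.auth`. `IsTask` has no docstring at all, and the `IsAgentOrTask` docstring omits that internal users still pass through the fallback in `require_task`; something like `Allow access to Ponos agents, Ponos tasks and, for backwards compatibility, internal users.` would match the code. The TODO in `require_task` would also be easier to follow up with a linked issue reference.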
arkindex/process/api.py
+
5
−
4
...
...
@@ -39,6 +39,7 @@ from rest_framework.views import APIView
from
arkindex.documents.models
import
Corpus
,
Element
from
arkindex.ponos.models
import
STATES_ORDERING
,
State
from
arkindex.ponos.permissions
import
IsTask
from
arkindex.process.models
import
(
ActivityState
,
DataFile
,
...
...
@@ -100,7 +101,7 @@ from arkindex.project.mixins import (
WorkerACLMixin
,
)
from
arkindex.project.pagination
import
CustomCursorPagination
from
arkindex.project.permissions
import
IsInternal
,
IsVerified
,
IsVerifiedOrReadOnly
from
arkindex.project.permissions
import
IsVerified
,
IsVerifiedOrReadOnly
from
arkindex.project.tools
import
PercentileCont
,
RTrimChr
from
arkindex.project.triggers
import
process_delete
from
arkindex.training.models
import
ModelVersionState
...
...
@@ -1475,10 +1476,10 @@ class ListProcessElements(CorpusACLMixin, ListAPIView):
class
UpdateWorkerActivity
(
GenericAPIView
):
"""
Makes a worker (
internal user
) able
to update
its activity on
an element
Allow a Ponos task or an
internal user to update an element
'
s state
Only allow defined evolutions of the element
'
s state
"""
permission_classes
=
(
Is
Internal
,
)
permission_classes
=
(
Is
Task
,
)
serializer_class
=
WorkerActivitySerializer
queryset
=
WorkerActivity
.
objects
.
none
()
...
...
@@ -1511,7 +1512,7 @@ class UpdateWorkerActivity(GenericAPIView):
operation_id
=
'
UpdateWorkerActivity
'
,
description
=
(
'
Updates the activity of a worker version on an element.
\n\n
'
'
The user must be **internal** to perform this request.
\n\n
'
'
The user must be **internal**
or a Ponos task
to perform this request.
\n\n
'
'
A **HTTP_409_CONFLICT** is returned in case the body is valid but the update failed.
'
),
)
...
...
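Review bot: The OpenAPI description in the `@@ -1511,7 +1512,7 @@` hunk still speaks of "the user" being a Ponos task, while the `SecretDetails` docstring changed in this same commit phrases the requirement as authentication; the two should read alike. Consider `'The request must be authenticated as an **internal** user or as a Ponos task.\n\n'`. The class docstring in the `@@ -1475,10 +1476,10 @@` hunk now says the endpoint updates "an element's state", whereas the description says it updates the activity of a worker version on an element; `Allow a Ponos task or an internal user to update a worker activity on an element.` would keep them aligned.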