• 
  
    
 
    
 
    

    



    
    
    
    
     
    




    
 
    

  
    



    
 

 

  

  

 

    


  
    





    
 
    



  

    
 
 
    
  
    Add policy enforcement through API tokens.
    
 
    

    



 
    
 
    

  Review Request #6091
  —
  Created July 10, 2014 and submitted 

 
    


    




    




    




 
    
  
    
   Information

  
    



    
 
 
    
  chipx86
 
    

    





    
 
 
    
  Review Board
 
    

    





    
 
 
    
  master
 
    

    





    
 
 
    
  
 
    

    





    
 
 
    
  
 
    

    





    
 
 
    
  66d8888...
 
    

    



 
    



 
    
  
    
   Reviewers

  
    



    
 
 
    
  reviewboard
 
    

    





    
 
 
    
  
 
    

    



 
    



    


    
 
    




  

    
 
 
    
  
    This allows API tokens to dictate what resources can be accessed and
    
with what HTTP methods.
    

    WebAPIToken.policy can now contain a set of rules that apply globally
    
and/or to individual resources, in order to restrict what a client can
    
access and what HTTP methods they can perform.
    

    Policies are in the following format:
    

    {
    "resources": {
        "*": {
            "allow": [<list of methods or "*">],
            "block": [<list of methods or "*">]
        },
        "<resource_policy_id>": {
            "*": {
                "allow": [<list of methods or "*">],
                "block": [<list of methods or "*">]
            },
            "<resource_id>": {
                "allow": [<list of methods or "*">],
                "block": [<list of methods or "*">]
            },
            ...
        },
        ...
    }
}

    

    Specific resource policy IDs take precedence over the global *.
    

    The * rule belonging to a resource covers all access across the list
    
and child resource IDs. The ID-specific entries take precedence over the
    
*.
    

    Each sub-policy in a resource can have allow and/or block. Each
    
contains a list of HTTP method names ("POST", "GET", etc.) or a
    
single item of *, which means "all methods."
    

    Any attempt to access a resource with an HTTP method that is denied by a
    
token's policy will result in a PERMISSION_DENIED error.
    

    If a policy is completely empty, the default is to be permissive.
    
 
    

    





  

    
 
 
    
  
    All new and existing unit tests pass.
    

    I created a couple tokens to play with. I tested global blocking of the API, per-resource blocking, per-ID blocking. I also tested blocking with per-resource and per-ID allow.
    
 
    

    




 
    

    





    
 
    









 





    
 
 
 
    
  
    
   
    
    
    
     
    
    
    
      
     
    • 
      
     
      • 
     
    • 
      
     
      • 
     
    • 
      
     
      • 
     
    • 
      
     
      • 
     
    • 
      
     
      • 
    
    
   
    
   
    
    
     
    
      Description
      From
      Last Updated
     
    
        
    



     
    
      
       
       
    Can't this just be resource_id = kwargs.get(self.uri_object_key) ?
    
          		
      
       daviddavid
      
      
       
      
     
    



     
    
      
       
       
    I think 'permission' is a better name than 'allowance'
    
          		
      
       daviddavid
      
      
       
      
     
    



     
    
      
       
       
    Maybe include an explicit return None at the end?
    
          		
      
       daviddavid
      
      
       
      
     
    

        
   
    
  
    
 
    

    




 
    

    



  
    
 
    

    


    


 













    
 





 
    
  
    
   
    



reviewbot




   
    
   
    



    
  
    
 
    


 
    
  
    

   
    
   
    
    
     
reviewbot


    
    
   
    

  
    
  
    
  
    


      




    1. 
 
      
  
      
   
      Tool: Pyflakes
Processed Files:
    reviewboard/webapi/base.py
    reviewboard/webapi/resources/review_screenshot_comment.py
    reviewboard/webapi/resources/draft_filediff.py
    reviewboard/webapi/resources/repository_info.py
    reviewboard/webapi/resources/filediff.py
    reviewboard/webapi/resources/root.py
    reviewboard/webapi/tests/test_api_policy.py
    reviewboard/webapi/resources/review_request_draft.py
    reviewboard/webapi/resources/review_request_last_update.py
    reviewboard/webapi/resources/review_reply_screenshot_comment.py
    reviewboard/webapi/resources/server_info.py
    reviewboard/webapi/resources/review_file_attachment_comment.py
    reviewboard/webapi/resources/review_group_user.py
    reviewboard/webapi/resources/review_reply_diff_comment.py
    reviewboard/webapi/resources/repository_commits.py
    reviewboard/webapi/resources/repository_branches.py
    reviewboard/webapi/resources/review_reply_draft.py
    reviewboard/webapi/resources/filediff_comment.py
    reviewboard/webapi/resources/review_diff_comment.py
    reviewboard/webapi/resources/review_reply.py
    reviewboard/webapi/resources/review_reply_file_attachment_comment.py



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/webapi/base.py
    reviewboard/webapi/resources/review_screenshot_comment.py
    reviewboard/webapi/resources/draft_filediff.py
    reviewboard/webapi/resources/repository_info.py
    reviewboard/webapi/resources/filediff.py
    reviewboard/webapi/resources/root.py
    reviewboard/webapi/tests/test_api_policy.py
    reviewboard/webapi/resources/review_request_draft.py
    reviewboard/webapi/resources/review_request_last_update.py
    reviewboard/webapi/resources/review_reply_screenshot_comment.py
    reviewboard/webapi/resources/server_info.py
    reviewboard/webapi/resources/review_file_attachment_comment.py
    reviewboard/webapi/resources/review_group_user.py
    reviewboard/webapi/resources/review_reply_diff_comment.py
    reviewboard/webapi/resources/repository_commits.py
    reviewboard/webapi/resources/repository_branches.py
    reviewboard/webapi/resources/review_reply_draft.py
    reviewboard/webapi/resources/filediff_comment.py
    reviewboard/webapi/resources/review_diff_comment.py
    reviewboard/webapi/resources/review_reply.py
    reviewboard/webapi/resources/review_reply_file_attachment_comment.py


      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      2. 















    2. 
 
      
  
      
   
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      3. 


    

  
    
 
    

    












    
 



 
    
  
    
   
    



chipx86




   
    
   
    
  
    
 
    


 

    












    
 





 
    
  
    
   
    



david




   
    
   
    





    
  
    
 
    


 
    
  
    

   
    
   
    
    
     
david


    
    
   
    

  
    
  
    
  
    


      




    1. 
 
      
  
      
   
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      2. 

















    2. 
 
      
  
  
      
  
 
      
  
      
   
      
    
     
      
      
       reviewboard/webapi/base.py
       


        (Diff revision 1)


       
      
     
      
          
    
     
       
      

     
       
      

     
       
      

     
       
      

     
       
      

          
   
      
  
      
 
      

   
      
    
    




      
 
      
  
  
  

  
  
   Show all issues
  
 
      

      



    
      Can't this just be resource_id = kwargs.get(self.uri_object_key) ?
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      3. 






    3. 
 
      
  
  
      
  
 
      
  
      
   
      
    
     
      
      
       reviewboard/webapi/base.py
       


        (Diff revision 1)


       
      
     
      
          
    
     
       
      

     
       
      

          
   
      
  
      
 
      

   
      
    
    




      
 
      
  
  
  

  
  
   Show all issues
  
 
      

      



    
      I think 'permission' is a better name than 'allowance'
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      4. 






    4. 
 
      
  
  
      
  
 
      
  
      
   
      
    
     
      
      
       reviewboard/webapi/base.py
       


        (Diff revision 1)


       
      
     
      
          
    
     
       
      

     
       
      

          
   
      
  
      
 
      

   
      
    
    




      
 
      
  
  
  

  
  
   Show all issues
  
 
      

      



    
      Maybe include an explicit return None at the end?
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      5. 




    5. 
 
      
  
      
   
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      6. 


    

  
    
 
    

    












    
 



 
    
  
    
   
    



chipx86




   
    
   
    
  
    
 
    


 

    












    
 





 
    
  
    
   
    



reviewbot




   
    
   
    



    
  
    
 
    


 
    
  
    

   
    
   
    
    
     
reviewbot


    
    
   
    

  
    
  
    
  
    


      




    1. 
 
      
  
      
   
      Tool: Pyflakes
Processed Files:
    reviewboard/webapi/base.py
    reviewboard/webapi/resources/review_screenshot_comment.py
    reviewboard/webapi/resources/draft_filediff.py
    reviewboard/webapi/resources/repository_info.py
    reviewboard/webapi/resources/filediff.py
    reviewboard/webapi/resources/root.py
    reviewboard/webapi/tests/test_api_policy.py
    reviewboard/webapi/resources/review_request_draft.py
    reviewboard/webapi/resources/review_request_last_update.py
    reviewboard/webapi/resources/review_reply_screenshot_comment.py
    reviewboard/webapi/resources/server_info.py
    reviewboard/webapi/resources/review_file_attachment_comment.py
    reviewboard/webapi/resources/review_group_user.py
    reviewboard/webapi/resources/review_reply_diff_comment.py
    reviewboard/webapi/resources/repository_commits.py
    reviewboard/webapi/resources/repository_branches.py
    reviewboard/webapi/resources/review_reply_draft.py
    reviewboard/webapi/resources/filediff_comment.py
    reviewboard/webapi/resources/review_diff_comment.py
    reviewboard/webapi/resources/review_reply.py
    reviewboard/webapi/resources/review_reply_file_attachment_comment.py



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/webapi/base.py
    reviewboard/webapi/resources/review_screenshot_comment.py
    reviewboard/webapi/resources/draft_filediff.py
    reviewboard/webapi/resources/repository_info.py
    reviewboard/webapi/resources/filediff.py
    reviewboard/webapi/resources/root.py
    reviewboard/webapi/tests/test_api_policy.py
    reviewboard/webapi/resources/review_request_draft.py
    reviewboard/webapi/resources/review_request_last_update.py
    reviewboard/webapi/resources/review_reply_screenshot_comment.py
    reviewboard/webapi/resources/server_info.py
    reviewboard/webapi/resources/review_file_attachment_comment.py
    reviewboard/webapi/resources/review_group_user.py
    reviewboard/webapi/resources/review_reply_diff_comment.py
    reviewboard/webapi/resources/repository_commits.py
    reviewboard/webapi/resources/repository_branches.py
    reviewboard/webapi/resources/review_reply_draft.py
    reviewboard/webapi/resources/filediff_comment.py
    reviewboard/webapi/resources/review_diff_comment.py
    reviewboard/webapi/resources/review_reply.py
    reviewboard/webapi/resources/review_reply_file_attachment_comment.py


      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      2. 















    2. 
 
      
  
      
   
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      3. 


    

  
    
 
    

    












    
 





 
    
  
    
   
    



david




   
    
   
    





    
  
    
 
    


 
    
  
    

   
    
   
    
    
     
david


    
    
   
    

  
    
  
    
  
    


      




    1. 
 
      
  
      
   
      Ship It!
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      2. 















    2. 
 
      
  
      
   
      
  
      
 
      

 
      
  


      
 
      
 
        

  

 
      


      

 
      

      3. 


    

  
    
 
    

    












    
 



 
    
  
    
   
    



chipx86




   
    
   
    
  
    
 
    


 
    
  
    

   
    
   
    
    
     Review request changed
    
    
   
    

  
    
  
    
  
    




    

  
    
   
    
    Status:
   
    
   
    

    Completed

   
    
  
    



  
    
   
    
    Change Summary:
   
    
   
    
    
    Pushed to master (058eb89)