Add policy enforcement through API tokens.
Review Request #6091 — Created July 10, 2014 and submitted
This allows API tokens to dictate what resources can be accessed and
with what HTTP methods.
WebAPIToken.policy
can now contain a set of rules that apply globally
and/or to individual resources, in order to restrict what a client can
access and what HTTP methods they can perform.Policies are in the following format:
{ "resources": { "*": { "allow": [<list of methods or "*">], "block": [<list of methods or "*">] }, "<resource_policy_id>": { "*": { "allow": [<list of methods or "*">], "block": [<list of methods or "*">] }, "<resource_id>": { "allow": [<list of methods or "*">], "block": [<list of methods or "*">] }, ... }, ... } }
Specific resource policy IDs take precedence over the global
*
.The
*
rule belonging to a resource covers all access across the list
and child resource IDs. The ID-specific entries take precedence over the
*
.Each sub-policy in a resource can have
allow
and/orblock
. Each
contains a list of HTTP method names ("POST", "GET", etc.) or a
single item of*
, which means "all methods."Any attempt to access a resource with an HTTP method that is denied by a
token's policy will result in aPERMISSION_DENIED
error.If a policy is completely empty, the default is to be permissive.
All new and existing unit tests pass.
I created a couple tokens to play with. I tested global blocking of the API, per-resource blocking, per-ID blocking. I also tested blocking with per-resource and per-ID allow.
Description: |
|
---|
-
-
reviewboard/webapi/base.py (Diff revision 1) Can't this just be
resource_id = kwargs.get(self.uri_object_key)
? -
-
Change Summary:
- Fixed a bone-headed bit of logic that could easily be condensed.
- Changed
allowance
topermission
. - Added an explicit return statement in
_check_resource_policy
.
Commit: |
|
||||
---|---|---|---|---|---|
Diff: |
Revision 2 (+458 -3) |
-
Tool: Pyflakes Processed Files: reviewboard/webapi/base.py reviewboard/webapi/resources/review_screenshot_comment.py reviewboard/webapi/resources/draft_filediff.py reviewboard/webapi/resources/repository_info.py reviewboard/webapi/resources/filediff.py reviewboard/webapi/resources/root.py reviewboard/webapi/tests/test_api_policy.py reviewboard/webapi/resources/review_request_draft.py reviewboard/webapi/resources/review_request_last_update.py reviewboard/webapi/resources/review_reply_screenshot_comment.py reviewboard/webapi/resources/server_info.py reviewboard/webapi/resources/review_file_attachment_comment.py reviewboard/webapi/resources/review_group_user.py reviewboard/webapi/resources/review_reply_diff_comment.py reviewboard/webapi/resources/repository_commits.py reviewboard/webapi/resources/repository_branches.py reviewboard/webapi/resources/review_reply_draft.py reviewboard/webapi/resources/filediff_comment.py reviewboard/webapi/resources/review_diff_comment.py reviewboard/webapi/resources/review_reply.py reviewboard/webapi/resources/review_reply_file_attachment_comment.py Tool: PEP8 Style Checker Processed Files: reviewboard/webapi/base.py reviewboard/webapi/resources/review_screenshot_comment.py reviewboard/webapi/resources/draft_filediff.py reviewboard/webapi/resources/repository_info.py reviewboard/webapi/resources/filediff.py reviewboard/webapi/resources/root.py reviewboard/webapi/tests/test_api_policy.py reviewboard/webapi/resources/review_request_draft.py reviewboard/webapi/resources/review_request_last_update.py reviewboard/webapi/resources/review_reply_screenshot_comment.py reviewboard/webapi/resources/server_info.py reviewboard/webapi/resources/review_file_attachment_comment.py reviewboard/webapi/resources/review_group_user.py reviewboard/webapi/resources/review_reply_diff_comment.py reviewboard/webapi/resources/repository_commits.py reviewboard/webapi/resources/repository_branches.py reviewboard/webapi/resources/review_reply_draft.py reviewboard/webapi/resources/filediff_comment.py reviewboard/webapi/resources/review_diff_comment.py reviewboard/webapi/resources/review_reply.py reviewboard/webapi/resources/review_reply_file_attachment_comment.py