Add Keys, Script and Signing Service to dev environment #1076

Closed
23 commits
d97aead
Add Keys, Script and Signing Service to dev environment
rochacbruno Dec 9, 2021
ff00444
Add SS on entrypoint
rochacbruno Dec 20, 2021
d2c619c
Add auto sign on approval workflow
rochacbruno Jan 6, 2022
cacdd46
Add URL to sign collections on-demand
rochacbruno Jan 7, 2022
e546f5a
Fixes on promotion tasks
rochacbruno Jan 14, 2022
f55066c
Add signing permissions to Collection policies
rochacbruno Jan 18, 2022
9cf2705
Surface signatures and sign_state on UI api
rochacbruno Jan 19, 2022
8688259
Add filter for sign_state on CollectionViewset
rochacbruno Jan 26, 2022
5a71776
enable collection signing for ephemeral and c.rh.c
drodowic Jan 27, 2022
bd5730e
fix missing whitespace
drodowic Jan 27, 2022
e6f7de1
fix syntax
drodowic Jan 27, 2022
766e16a
Only enable signing if envvar is set
drodowic Jan 28, 2022
b9af81f
use the same key location as dev
drodowic Jan 28, 2022
f2b5629
Add version_sign_state to version detail, expose signature data
rochacbruno Jan 27, 2022
453781b
Attempt to build appsre
rochacbruno Jan 31, 2022
0940e1f
Merge remote-tracking branch 'drodowic/clowder-deploy-signing' into A…
rochacbruno Feb 1, 2022
7bac421
Including drodowic PR changes for ephemeral env
rochacbruno Feb 1, 2022
2bd3030
set signing-script mode to executable
drodowic Feb 1, 2022
9f80164
add --homedir to signing script
drodowic Feb 1, 2022
32ef7fb
Merge remote-tracking branch 'drodowic/clowder-deploy-signing' into A…
rochacbruno Feb 1, 2022
01859b4
Move signatures when moving collections
rochacbruno Feb 1, 2022
8fe8a60
Add signed_only field
rochacbruno Feb 3, 2022
7e2e975
Merge branch 'master' into AAH-1181
rochacbruno Feb 3, 2022
3 changes: 3 additions & 0 deletions .compose.env.example
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,9 @@ LOCK_REQUIREMENTS=1
# where the script is executed in initContainers.
WAIT_FOR_MIGRATIONS=1

# Enable setup of signing service in dev environment. Defaults to `0` for other environments
ENABLE_SIGNING=1

#### PULP SETTINGS
## Variables prefixed with `PULP_` are added to the `django.conf.settings` for pulp
####
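Review bot: the comment on the new `ENABLE_SIGNING` line says other environments default to `0`, which matches the `docker/entrypoint.sh` default in this PR, but the dev `compose` wrapper in this same PR defaults the variable to `1` when it is unset; stating here that the wrapper, not this example file, is what turns signing on in dev would save a reader from wondering why signing runs with the line commented out.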
1 change: 0 additions & 1 deletion .dockerignore
Expand Up @@ -5,4 +5,3 @@ venv/
pip-wheel-metadata/
**/__pycache__/
.git/
dev/
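Review bot: dropping `dev/` from `.dockerignore` puts the whole dev tree, including the private key file `dev/common/ansible-sign.key` added in this PR, into the build context of every image built from the repository root, not only `dev/Dockerfile.base`, which is the one that needs it. Prefer a single negated entry (`!dev/common/ansible-sign.key`) under a retained `dev/` line, or keep `dev/` ignored and bind-mount the key at run time the way the compose file already mounts `collection_sign.sh`, so that production-oriented builds such as `Dockerfile.rhel8` never have the key in their context.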
11 changes: 11 additions & 0 deletions .github/workflows/scripts/post_before_script.sh
Expand Up @@ -4,6 +4,17 @@ set -mveuo pipefail
source .github/workflows/scripts/utils.sh
cmd_prefix bash -c "django-admin compilemessages"


cmd_stdin_prefix bash -c "cat > /var/lib/pulp/sign-metadata.sh" < "$GITHUB_WORKSPACE"/galaxy_ng/tests/assets/sign-metadata.sh

cmd_prefix bash -c "curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-pulp-qe | gpg --import"
cmd_prefix bash -c "curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-KEY-pulp-qe | cat > /tmp/GPG-KEY-pulp-qe"
cmd_prefix chmod a+x /var/lib/pulp/sign-metadata.sh

KEY_FINGERPRINT="6EDF301256480B9B801EBA3D05A5E6DA269D9D98"
TRUST_LEVEL="6"
echo "$KEY_FINGERPRINT:$TRUST_LEVEL:" | cmd_stdin_prefix gpg --import-ownertrust

echo "machine pulp
login admin
password password
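Review bot: both `curl -L ... | gpg --import` and `curl -L ... | cat > /tmp/GPG-KEY-pulp-qe` lack `--fail` (`-fsSL`), so a 404 or rate-limit HTML page from GitHub would be piped into `gpg --import` and written to `/tmp/GPG-KEY-pulp-qe` without failing the step: curl exits 0 on an HTTP error unless given `-f`, and the inner `bash -c` string runs in its own shell without the `pipefail` set at the top of this script. The hardcoded `KEY_FINGERPRINT` is then fed to `--import-ownertrust` at level 6 (ultimate) without checking that it is the fingerprint of the key just imported; comparing it against `gpg --fingerprint --with-colons` output before the trust import would make CI fail loudly if the fixture key ever changes instead of silently trusting nothing.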
1 change: 1 addition & 0 deletions CHANGES/1181.feature
@@ -0,0 +1 @@
Add keys, script and signing service to dev env
1 change: 1 addition & 0 deletions CHANGES/1247.misc
@@ -0,0 +1 @@
enable collection signing for ephemeral and other c.rh.c environments
1 change: 1 addition & 0 deletions Dockerfile.rhel8
Expand Up @@ -33,6 +33,7 @@ COPY . /app

RUN set -ex; \
pip install --no-deps --editable /app && \
pip install https://github.com/pulp/pulp_ansible/archive/main.zip && \
PULP_CONTENT_ORIGIN=x django-admin collectstatic && \
install -dm 0775 -o galaxy /var/lib/pulp/artifact \
/var/lib/pulp/tmp \
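Review bot: `pip install https://github.com/pulp/pulp_ansible/archive/main.zip` installs whatever is on pulp_ansible's `main` branch at build time, unpinned and after the `--no-deps` editable install of the app, so the RHEL8 image is not reproducible and may pull a pulp_ansible that disagrees with the version the requirements files lock. Pin to a tag or commit archive URL (or to the released version that carries the signing support this PR depends on) and, if the override is a stopgap until a release, leave a comment saying so next to the line.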
11 changes: 8 additions & 3 deletions Makefile
Expand Up @@ -7,13 +7,13 @@ DJ_MANAGER = $(shell if [ "$(RUNNING)" = "" ]; then echo manage; else echo djang

define exec_or_run
# Tries to run on existing container if it exists, otherwise starts a new one.
@echo $(1)$(2)$(3)$(4)$(5)
@echo $(1)$(2)$(3)$(4)$(5)$(6)
@if [ "$(RUNNING)" != "" ]; then \
echo "Running on existing container $(RUNNING)" 1>&2; \
./compose exec $(1) $(2) $(3) $(4) $(5); \
./compose exec $(1) $(2) $(3) $(4) $(5) $(6); \
else \
echo "Starting new container" 1>&2; \
./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5); \
./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5) $(6); \
fi
endef

Expand Down Expand Up @@ -96,6 +96,10 @@ docker/makemigrations: ## Run django migrations
docker/migrate: ## Run django migrations
$(call exec_or_run, api, $(DJ_MANAGER), migrate)

.PHONY: docker/add-signing-service
docker/add-signing-service: ## Add a Signing service using default GPG key
$(call exec_or_run, worker, $(DJ_MANAGER), add-signing-service, ansible-default, /var/lib/pulp/scripts/collection_sign.sh, [email protected])

.PHONY: docker/resetdb
docker/resetdb: ## Cleans database
# Databases must be stopped to be able to reset them.
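Review bot: the `docker/add-signing-service` target identifies the key by its e-mail identity (rendered here as `[email protected]`), while `docker/entrypoint.sh` in this same PR resolves the fingerprint from the key file and passes the 16-character key ID; using one identifier in both places avoids two `ansible-default` definitions that disagree on which key they reference, and the key-ID form is the one that stays unambiguous if a second key with the same user ID is ever imported into the worker's keyring.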
Expand All @@ -113,6 +117,7 @@ docker/all: ## Build, migrate, loaddata, transl
make docker/migrate
make docker/loaddata
make docker/translations
make docker/add-signing-service

# Application management and debugging

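Review bot: `make docker/add-signing-service` in `docker/all` runs unconditionally, but the worker's entrypoint in this PR already creates the `ansible-default` service on start-up whenever `ENABLE_SIGNING=1` (the compose default), so this step will normally hit an existing service; `add-signing-service` creates the row directly and the entrypoint's own existence check suggests the name is unique, which means `docker/all` would stop here on the second run. Either guard the target the same way the entrypoint does, or drop it from `docker/all` and keep it as a manual target for `ENABLE_SIGNING=0` setups.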
1 change: 1 addition & 0 deletions compose
Expand Up @@ -45,6 +45,7 @@ declare -xr DEV_SOURCE_PATH=${DEV_SOURCE_PATH:-galaxy_ng}
declare -xr COMPOSE_CONTEXT=".."
declare -xr LOCK_REQUIREMENTS="${LOCK_REQUIREMENTS:-1}"
declare -xr COMPOSE_PROFILE="${COMPOSE_PROFILE}"
declare -xr ENABLE_SIGNING="${ENABLE_SIGNING:-1}"
declare -xr DEV_IMAGE_SUFFIX="${DEV_IMAGE_SUFFIX:-}"
declare -xr DEV_VOLUME_SUFFIX="${DEV_VOLUME_SUFFIX:-${DEV_IMAGE_SUFFIX}}"
declare -xr COMPOSE_PROJECT_NAME="${COMPOSE_PROJECT_NAME:-galaxy_ng${DEV_IMAGE_SUFFIX:-}}"
8 changes: 7 additions & 1 deletion dev/Dockerfile.base
Expand Up @@ -38,6 +38,7 @@ RUN set -ex; \
python38-devel \
libpq \
libpq-devel \
pinentry \
&& dnf clean all \
&& rm -rf /var/cache/dnf/ \
&& rm -f /var/lib/rpm/__db.* \
Expand All @@ -54,6 +55,7 @@ ENV PATH="/venv/bin:${PATH}" \
VIRTUAL_ENV="/venv"

COPY ./requirements/requirements.common.txt /tmp/requirements.txt
COPY ./dev/common/ansible-sign.key /tmp/ansible-sign.key

RUN set -ex; \
pip install --no-cache-dir --upgrade pip \
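Review bot: `COPY ./dev/common/ansible-sign.key /tmp/ansible-sign.key` bakes the private key into an image layer; the `gpg --batch --import` further down in this file never removes it, and a later `rm` would not remove it from the layer that the COPY created, so the key ships in every image derived from `Dockerfile.base`. For a dev-only key this is tolerable, but say so in a comment next to the COPY (as this file already does for the symmetric key) and make sure the base image is never pushed to a shared registry; a run-time bind mount, as the compose file already does for `collection_sign.sh`, would avoid the copy altogether.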
Expand Down Expand Up @@ -83,9 +85,11 @@ RUN set -ex; \
&& mkdir --mode=2775 -p \
/var/lib/pulp/artifact \
/var/lib/pulp/tmp \
/var/lib/pulp/scripts \
/tmp/ansible \
&& chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/artifact \
&& chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/tmp \
&& chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/scripts \
&& chown ${USER_NAME}:${USER_GROUP} \
/tmp/ansible \
/etc/ansible \
Expand All @@ -98,7 +102,9 @@ RUN set -ex; \
&& chmod 0644 /var/log/galaxy_api_access.log \
&& chown galaxy:galaxy /var/log/galaxy_api_access.log \
&& mkdir -p /etc/pulp/certs/ \
&& echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key
&& echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key \
&& gpg --batch --import /tmp/ansible-sign.key &>/dev/null \
&& (echo trust &echo 5 &echo y &echo quit &echo save) | gpg --batch --command-fd 0 --edit-key galaxy3 &>/dev/null

# This symmetric.key is for dev only and should not be used in production
# DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=
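Review bot: in `(echo trust &echo 5 &echo y &echo quit &echo save) | gpg ...` the `&` runs each `echo` as a background job, so the five answers reach gpg's command fd in whatever order the jobs happen to be scheduled rather than as the intended `trust`, `5`, `y`, `quit`, `save` sequence; use `;` between them or a single `printf 'trust\n5\ny\nquit\nsave\n'`. Both gpg invocations also end in `&>/dev/null`, which discards the only evidence of a failed import or trust edit; with `set -ex` at the top of this RUN, keeping stderr (or at least not redirecting the second command) lets the build fail instead of producing an image whose key is imported but untrusted.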
Binary file added dev/common/ansible-sign-pub.gpg
41 changes: 41 additions & 0 deletions dev/common/ansible-sign-pub.txt
@@ -0,0 +1,41 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=PHJy
-----END PGP PUBLIC KEY BLOCK-----
Binary file added dev/common/ansible-sign.key
20 changes: 20 additions & 0 deletions dev/common/collection_sign.sh
@@ -0,0 +1,20 @@
#!/usr/bin/env bash

FILE_PATH=$1
SIGNATURE_PATH="$1.asc"

ADMIN_ID="[email protected]"
PASSWORD="Galaxy2022"

# Create a detached signature
gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
$PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
--armor --output $SIGNATURE_PATH $FILE_PATH

# Check the exit status
STATUS=$?
if [ $STATUS -eq 0 ]; then
echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
else
exit $STATUS
fi
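Review bot: the passphrase is passed as a command-line argument (`--passphrase $PASSWORD`), which makes it visible in `ps` and `/proc/*/cmdline` to every process in the worker container for the duration of each signing call; `--passphrase-fd 0` with the value on stdin, or `--passphrase-file` pointing at a root-readable file, keeps it off the command line even for a dev key. `$FILE_PATH`, `$SIGNATURE_PATH` and `$PASSWORD` are unquoted, so an artifact path containing whitespace breaks the signing call; quote them (and `"$1.asc"` on the `SIGNATURE_PATH` line is already quoted, so this is only the gpg invocation and the JSON `echo`). Since the script has no `set -e`, the explicit `STATUS=$?` branch is what pulpcore relies on, and a one-line comment that the JSON on stdout is the contract the signing service reads would help the next person who edits the `echo`.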
8 changes: 8 additions & 0 deletions dev/docker-compose.yml
Expand Up @@ -18,9 +18,11 @@ services:
- "LOCK_REQUIREMENTS=${LOCK_REQUIREMENTS}"
- "DEV_SOURCE_PATH=${DEV_SOURCE_PATH}"
- "COMPOSE_PROFILE=${COMPOSE_PROFILE}"
- "ENABLE_SIGNING=${ENABLE_SIGNING}"
entrypoint: "/bin/true"
tmpfs:
- "/var/lib/pulp/artifact"
- "/var/lib/pulp/scripts"
- "/var/lib/pulp/tmp"
- "/tmp/ansible"

Expand All @@ -40,10 +42,12 @@ services:
- "LOCK_REQUIREMENTS=${LOCK_REQUIREMENTS}"
- "DEV_SOURCE_PATH=${DEV_SOURCE_PATH}"
- "COMPOSE_PROFILE=${COMPOSE_PROFILE}"
- "ENABLE_SIGNING=${ENABLE_SIGNING}"
env_file:
- './common/galaxy_ng.env'
volumes:
- "./common/settings.py:/etc/pulp/settings.py:z"
- "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
- "${COMPOSE_CONTEXT}/..:/src:z"
- "pulp:/var/lib/pulp"
tmpfs:
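Review bot: the `collection_sign.sh` bind mount is read-write with only the `:z` relabel; the service only needs to execute the script, so `:ro,z` keeps a misbehaving or compromised process in the container from rewriting the script that produces signatures. The same applies to the identical mounts added to the other services below.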
Expand All @@ -61,10 +65,12 @@ services:
- "LOCK_REQUIREMENTS=${LOCK_REQUIREMENTS}"
- "DEV_SOURCE_PATH=${DEV_SOURCE_PATH}"
- "COMPOSE_PROFILE=${COMPOSE_PROFILE}"
- "ENABLE_SIGNING=${ENABLE_SIGNING}"
env_file:
- './common/galaxy_ng.env'
volumes:
- "./common/settings.py:/etc/pulp/settings.py:z"
- "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
- "${COMPOSE_CONTEXT}/..:/src:z"
- "pulp:/var/lib/pulp"
tmpfs:
Expand All @@ -84,10 +90,12 @@ services:
- "LOCK_REQUIREMENTS=${LOCK_REQUIREMENTS}"
- "DEV_SOURCE_PATH=${DEV_SOURCE_PATH}"
- "COMPOSE_PROFILE=${COMPOSE_PROFILE}"
- "ENABLE_SIGNING=${ENABLE_SIGNING}"
env_file:
- './common/galaxy_ng.env'
volumes:
- "./common/settings.py:/etc/pulp/settings.py:z"
- "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
- "${COMPOSE_CONTEXT}/..:/src:z"
- "pulp:/var/lib/pulp"
tmpfs:
2 changes: 2 additions & 0 deletions dev/standalone/galaxy_ng.env
Expand Up @@ -4,6 +4,8 @@ PULP_GALAXY_API_PATH_PREFIX=/api/automation-hub/
PULP_GALAXY_AUTHENTICATION_CLASSES=['rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.BasicAuthentication']
PULP_GALAXY_DEPLOYMENT_MODE=standalone
PULP_GALAXY_REQUIRE_CONTENT_APPROVAL=false
PULP_GALAXY_AUTO_SIGN_COLLECTIONS=true
PULP_GALAXY_COLLECTION_SIGNING_SERVICE=ansible-default
PULP_RH_ENTITLEMENT_REQUIRED=insights

PULP_ANSIBLE_API_HOSTNAME=http://localhost:5001
26 changes: 25 additions & 1 deletion docker/entrypoint.sh
Expand Up @@ -9,13 +9,13 @@ readonly WITH_DEV_INSTALL="${WITH_DEV_INSTALL:-0}"
readonly DEV_SOURCE_PATH="${DEV_SOURCE_PATH:-}"
readonly LOCK_REQUIREMENTS="${LOCK_REQUIREMENTS:-1}"
readonly WAIT_FOR_MIGRATIONS="${WAIT_FOR_MIGRATIONS:-0}"
readonly ENABLE_SIGNING="${ENABLE_SIGNING:-0}"


log_message() {
echo "$@" >&2
}


# TODO(cutwater): This function should be moved to entrypoint hooks.
install_local_deps() {
local src_path_list
Expand Down Expand Up @@ -89,6 +89,10 @@ run_service() {

process_init_files /entrypoints.d/*

if [[ "$ENABLE_SIGNING" -eq "1" ]]; then
setup_signing_service
fi

exec "${service_path}" "$@"
}

Expand All @@ -97,9 +101,29 @@ run_manage() {
if [[ "$WITH_DEV_INSTALL" -eq "1" ]]; then
install_local_deps
fi

if [[ "$ENABLE_SIGNING" -eq "1" ]]; then
setup_signing_service
fi

exec django-admin "$@"
}

setup_signing_service() {
log_message "Setting up signing service."
export KEY_FINGERPRINT=$(gpg --show-keys --with-colons --with-fingerprint /tmp/ansible-sign.key | awk -F: '$1 == "fpr" {print $10;}' | head -n1)
export KEY_ID=${KEY_FINGERPRINT: -16}
gpg --batch --import /tmp/ansible-sign.key &>/dev/null
echo "${KEY_FINGERPRINT}:6:" | gpg --import-ownertrust &>/dev/null

HAS_SIGNING=$(django-admin shell -c 'from pulpcore.app.models import SigningService;print(SigningService.objects.filter(name="ansible-default").count())' 2>/dev/null || true)
if [[ "$HAS_SIGNING" -eq "0" ]]; then
log_message "Creating signing service. using key ${KEY_ID}"
django-admin add-signing-service ansible-default /var/lib/pulp/scripts/collection_sign.sh ${KEY_ID} 2>/dev/null || true
else
log_message "Signing service already exists."
fi
}

redis_connection_hack() {
redis_host="${PULP_REDIS_HOST:-}"
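Review bot: `setup_signing_service` cannot fail visibly. `HAS_SIGNING=$(django-admin shell ... 2>/dev/null || true)` yields an empty string when the shell command errors (for example while the database is still coming up), `[[ "" -eq "0" ]]` is true in bash, and the subsequent `add-signing-service ... 2>/dev/null || true` then swallows its own error too, so a broken setup logs "Creating signing service" and carries on with no service. Treat an empty `HAS_SIGNING` as an error rather than as zero, and let at least the `add-signing-service` call surface stderr. The `gpg --import` and `--import-ownertrust` lines discard stderr the same way, so an unreadable `/tmp/ansible-sign.key` leaves `KEY_FINGERPRINT` and `KEY_ID` empty without a message; a check that `KEY_FINGERPRINT` is non-empty before the trust import would catch that. Minor: the log line "Creating signing service. using key" has a stray period.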
3 changes: 3 additions & 0 deletions docker/etc/settings.py
Expand Up @@ -15,6 +15,9 @@
GALAXY_PERMISSION_CLASSES = ['rest_framework.permissions.IsAuthenticated',
'galaxy_ng.app.auth.auth.RHEntitlementRequired']

GALAXY_AUTO_SIGN_COLLECTIONS = "true"
GALAXY_COLLECTION_SIGNING_SERVICE = "ansible-default"

X_PULP_CONTENT_HOST = "pulp-content-app"
X_PULP_CONTENT_PORT = 24816

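Review bot: `GALAXY_AUTO_SIGN_COLLECTIONS = "true"` assigns the string `"true"`, which is truthy in Python, and so would the string `"false"` be, so a later edit to `"false"` would not disable auto-signing unless every consumer compares against the literal string; use the boolean `True` here. The env-file form `PULP_GALAXY_AUTO_SIGN_COLLECTIONS=true` in `dev/standalone/galaxy_ng.env` is fine because environment values are parsed into booleans, but a Python settings file is taken literally.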
20 changes: 20 additions & 0 deletions galaxy_ng/app/access_control/access_policy.py
Expand Up @@ -87,6 +87,26 @@ def can_create_collection(self, request, view, permission):
raise NotFound(_('Namespace in filename not found.'))
return request.user.has_perm('galaxy.upload_to_namespace', namespace)

def can_sign_collections(self, request, view, permission):
# Repository is required on the CollectionSign payload
# Assumed that if user can modify repo they can sign everything in it
repository = view.get_repository(request)
can_modify_repo = request.user.has_perm('ansible.modify_ansible_repo_content', repository)

# Payload can optionally specify a namespace to filter its contents
# Assumed that if user has access to modify namespace they can sign its contents.
data = request.data
if namespace := data.get('namespace'):
try:
namespace = models.Namespace.objects.get(name=namespace)
except models.Namespace.DoesNotExist:
raise NotFound(_('Namespace not found.'))
return request.user.has_perm('galaxy.upload_to_namespace', namespace)

# the other filtering options are content_units and name/version
# and falls on the same permissions as modifying the main repo
return can_modify_repo

def unauthenticated_collection_download_enabled(self, request, view, permission):
return settings.GALAXY_ENABLE_UNAUTHENTICATED_COLLECTION_DOWNLOAD

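Review bot: when the payload carries a `namespace`, `can_sign_collections` returns the `galaxy.upload_to_namespace` check alone and discards `can_modify_repo`, so a user who may upload to a namespace but may not modify the target repository can still sign that namespace's content in it. The comment above says this is assumed to be acceptable; if the repository permission is meant to be required in every case (which the comment on `repository` being required suggests), the namespace branch should read `return can_modify_repo and request.user.has_perm('galaxy.upload_to_namespace', namespace)`, and if the bypass is intended, the comment should say explicitly that namespace permission overrides repository permission for signing. Minor: `namespace` is reused for the request string and then for the model instance, which makes the `NotFound` path harder to follow; a second name such as `namespace_name` would help.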
8 changes: 8 additions & 0 deletions galaxy_ng/app/access_control/statements/insights.py
Expand Up @@ -69,6 +69,14 @@
"has_model_perms:ansible.modify_ansible_repo_content",
"has_rh_entitlements"]
},
{
"action": "sign",
"principal": "authenticated",
"effect": "allow",
"condition": [
"can_sign_collections",
"has_rh_entitlements"]
},
{
"action": "curate",
"principal": "authenticated",
6 changes: 6 additions & 0 deletions galaxy_ng/app/access_control/statements/standalone.py
Expand Up @@ -76,6 +76,12 @@
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_perms:ansible.modify_ansible_repo_content"
},
{
"action": "sign",
"principal": "authenticated",
"effect": "allow",
"condition": "can_sign_collections"
}
],
'CollectionRemoteViewSet': [