mirror of https://github.com/quay/quay.git synced 2026-01-26 06:21:37 +03:00
Commit Graph

12 Commits

Author SHA1 Message Date
OpenShift Cherrypick Robot
1f99757b5e [redhat-3.16] fix: allow global readonly superusers to access all organization data without FULL_ACCESS (PROJQUAY-9798) (#4557) 2025-11-18 17:22:22 -05:00
OpenShift Cherrypick Robot
57895ec081 [redhat-3.16] fix(api): superuser panel access without SUPERUSERS_FULL_ACCESS (PROJQUAY-9693) (#4512)
* fix(api): fix superuser panel access and permission bypass behavior

Fixed multiple issues with superuser functionality related to FEATURE_SUPERUSERS_FULL_ACCESS:

1. **Superuser Panel Access**: Fixed bug where superuser panel endpoints returned 403
   when FEATURE_SUPERUSERS_FULL_ACCESS was disabled. Basic superuser panel operations
   (user list, logs, org list, messages) now work with just FEATURE_SUPER_USERS enabled.

2. **Permission Bypass Logic**: Updated decorators to properly differentiate between:
   - Basic superuser operations (don't require FULL_ACCESS)
   - Permission bypass operations (require FULL_ACCESS)
   - Read operations (allow global readonly superusers with FULL_ACCESS)
   - Write operations (only allow regular superusers with FULL_ACCESS)

3. **Global Readonly Superuser Support**: Fixed decorators to allow global readonly
   superusers read access when FULL_ACCESS is enabled, while blocking write operations.

4. **License Bypass**: Superusers with FULL_ACCESS now bypass license/quota limits
   when creating or modifying private repositories in any namespace.

Changes:
- endpoints/api/__init__.py: Fixed allow_if_superuser() and decorators
- endpoints/api/organization.py: Updated 4 GET endpoints to require FULL_ACCESS
- endpoints/api/namespacequota.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/team.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/prototype.py: Updated 1 GET endpoint to require FULL_ACCESS
- endpoints/api/repository.py: Added license bypass for superusers with FULL_ACCESS
- endpoints/api/logs.py: Fixed log access to require FULL_ACCESS for permission bypass
- endpoints/api/test/test_superuser_full_access.py: Added comprehensive test suite
- test/test_api_usage.py: Updated test expectations for license bypass behavior

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test(api): add plan limit test for regular users

Adds test_plan_limit_enforcement_for_regular_users to verify that
license limits still apply to non-superuser accounts. This restores
test coverage for plan limit enforcement that was changed when we
updated test_trychangevisibility to validate superuser bypass behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(api): correct superuser cross-namespace permission model

Fixes permission checks to properly implement the superuser access model:

- Global Readonly Superusers (auditors): Always have read access to all
  content, independent of FEATURE_SUPERUSERS_FULL_ACCESS setting
- Regular Superusers: Can access /v1/superuser endpoints and their own
  content. Require FEATURE_SUPERUSERS_FULL_ACCESS=true for cross-namespace
  read access
- Full Access Superusers: Regular superusers with FULL_ACCESS enabled,
  can perform CRUD on content they don't own
- Write operations: Only allowed for full access superusers (global
  readonly superusers never get write access)

Updated 18 permission checks across 7 files:
- endpoints/api/__init__.py: require_repo_permission decorator
- endpoints/api/organization.py: org view, teams, collaborators, proxy cache
- endpoints/api/namespacequota.py: quota listing and individual quota
- endpoints/api/policy.py: auto-prune policies for orgs and repos
- endpoints/api/robot.py: robot listing, details, permissions, federation
- endpoints/api/build.py: repository build logs
- endpoints/api/repository_models_pre_oci.py: repository visibility query

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(api): require FULL_ACCESS for regular superusers on /v1/superuser/apptokens

Updates the SuperUserAppTokens endpoint to properly enforce permission model:

- Regular superusers WITHOUT FULL_ACCESS: Get 403 Unauthorized
- Global readonly superusers: Always get 200 (auditor access, independent of FULL_ACCESS)
- Full access superusers (FULL_ACCESS=true): Get 200 with all tokens

This ensures regular superusers can only audit app tokens across the system
when they have full access privileges enabled, while global readonly superusers
(auditors) always maintain read access for auditing purposes.

Changes:
- endpoints/api/superuser.py: Update permission check in SuperUserAppTokens.get()
- endpoints/api/test/test_appspecifictoken.py: Update test mocking and add new test
  for 403 behavior

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Dave O'Connor <doconnor@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Dave O'Connor <1656866+HammerMeetNail@users.noreply.github.com>
2025-11-13 16:50:32 +00:00
Dave O'Connor
d83e2c8647 feat(api v1): global readonly superuser support and app token visibility (PROJQUAY-8279) (#4276)
Implements global read-only superuser permissions for v1 endpoints, adjusts superuser write checks, and updates app token listing and detail endpoints; includes comprehensive tests.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-10-21 15:00:59 -04:00
Brandon Caton
cad8326d4a api: adding permissions for global readonly superuser (PROJQUAY-7177) (#2993)
The global readonly superuser is missing read only permissions on certain GET APIs. This adds those permissions.
2024-07-09 13:17:26 -04:00
Brandon Caton
d1124350ba api: adding endpoints to FEATURE_SUPERUSERS_FULL_ACCESS (PROJQUAY-7045) (#2924)
Adding permissions to additional endpoints when FEATURE_SUPERUSERS_FULL_ACCESS is enabled
2024-06-07 14:10:50 -04:00
Kenny Lee Sin Cheong
5f63b3a7bb chore: drop deprecated tables and remove unused code (PROJQUAY-522) (#2089)
* chore: drop deprecated tables and remove unused code

* isort imports

* migration: check for table existence before drop
2023-08-25 12:17:24 -04:00
Kenny Lee Sin Cheong
64ec15605c superusers: grant superusers additional org permissions (PROJQUAY-4687) (#1613)
When FEATURE_SUPERUSERS_FULL_ACCESS is set, grant superusers org admin permissions:
- PROJQUAY-4687
- PROJQUAY-4690
- PROJQUAY-4693
- PROJQUAY-4697
- PROJQUAY-4701
2022-11-07 17:41:18 -05:00
Kurtis Mullins
bd7252c536 [PROJQUAY-1021] task: Update "Black" to version 20.8b1 2020-11-30 18:48:19 -05:00
Kurtis Mullins
38be6d05d0 Python 3 (#153)
* Convert all Python2 to Python3 syntax.

* Removes oauth2lib dependency

* Replace mockredis with fakeredis

* byte/str conversions

* Removes nonexisting __nonzero__ in Python3

* Python3 Dockerfile and related

* [PROJQUAY-98] Replace resumablehashlib with rehash

* PROJQUAY-123 - replace gpgme with python3-gpg

* [PROJQUAY-135] Fix unhashable class error

* Update external dependencies for Python 3

- Move github.com/app-registry/appr to github.com/quay/appr
- github.com/coderanger/supervisor-stdout
- github.com/DevTable/container-cloud-config
- Update to latest mockldap with changes applied from coreos/mockldap
- Update dependencies in requirements.txt and requirements-dev.txt

* Default FLOAT_REPR function to str in json encoder and removes keyword assignment

True, False, and str were not keywords in Python2...

* [PROJQUAY-165] Replace package `bencode` with `bencode.py`

- Bencode is not compatible with Python 3.x and is no longer
  maintained. Bencode.py appears to be a drop-in replacement/fork
  that is compatible with Python 3.

* Make sure monkey.patch is called before anything else (

* Removes anunidecode dependency and replaces it with text_unidecode

* Base64 encode/decode pickle dumps/loads when storing value in DB

Base64 encodes/decodes the serialized values when storing them in the
DB. Also make sure to return a Python3 string instead of a Bytes when
coercing for db, otherwise, Postgres' TEXT field will convert it into
a hex representation when storing the value.

* Implement __hash__ on Digest class

In Python 3, if a class defines __eq__() but not __hash__(), its
instances will not be usable as items in hashable collections (e.g. sets).

* Remove basestring check

* Fix expected message in credentials tests

* Fix usage of Cryptography.Fernet for Python3 (#219)

- Specifically, this addresses the issue where Byte<->String
  conversions weren't being applied correctly.

* Fix utils

- tar+stream layer format utils
- filelike util

* Fix storage tests

* Fix endpoint tests

* Fix workers tests

* Fix docker's empty layer bytes

* Fix registry tests

* Appr

* Enable CI for Python 3.6

* Skip buildman tests

Skip buildman tests while it's being rewritten to allow ci to pass.

* Install swig for CI

* Update expected exception type in redis validation test

* Fix gpg signing calls

Fix gpg calls for updated gpg wrapper, and add signing tests.

* Convert / to // for Python3 integer division

* WIP: Update buildman to use asyncio instead of trollius.

This dependency is considered deprecated/abandoned and was only
used as an implementation/backport of asyncio on Python 2.x
This is a work in progress, and is included in the PR just to get the
rest of the tests passing. The builder is actually being rewritten.

* Target Python 3.8

* Removes unused files

- Removes unused files that were added accidentally while rebasing
- Small fixes/cleanup
- TODO tasks comments

* Add TODO to verify rehash backward compat with resumablehashlib

* Revert "[PROJQUAY-135] Fix unhashable class error" and implements __hash__ instead.

This reverts commit 735e38e3c1d072bf50ea864bc7e119a55d3a8976.
Instead, defines __hash__ for encrypted fields class, using the parent
field's implementation.

* Remove some unused files and imports

Co-authored-by: Kenny Lee Sin Cheong <kenny.lee@redhat.com>
Co-authored-by: Tom McKay <thomasmckay@redhat.com>
2020-06-05 16:50:13 -04:00
alecmerdler
3dd5f045ff fix all the docstrings 2020-02-05 19:55:07 -08:00
Tom McKay
e6ae94db8b 'make black' results 2019-12-02 12:23:08 -05:00
Jimmy Zelinskie
9c0dd3b722 initial import for Open Source 🎉 2019-11-12 11:09:47 -05:00