From 21cb272d15cd1c4e191ae9a39eb5019eafdfc5cf Mon Sep 17 00:00:00 2001 From: Laura Barcziova Date: Wed, 10 May 2023 20:17:54 +0200 Subject: [PATCH] Update allowlisting script to be able to deny namespaces Related to #1964 --- files/scripts/README.md | 34 +++++++++++++++++++++++++++++----- files/scripts/allowlist.py | 28 ++++++++++++++++++++++++++-- 2 files changed, 55 insertions(+), 7 deletions(-) diff --git a/files/scripts/README.md b/files/scripts/README.md index bf91d641fd..42792852e8 100644 --- a/files/scripts/README.md +++ b/files/scripts/README.md @@ -1,17 +1,23 @@ -# Allowlisting an account +# Allowlisting/denylisting an account You need to login to our OpenShift cluster and list all pods. Use the `allowlist.py` script inside the worker pod to manipulate the allowlist. +## List pending namespaces + List all requests pending approval: ``` -$ oc exec packit-worker-0 allowlist.py waiting +$ oc exec packit-worker-short-running-0 allowlist.py waiting ``` -Use `oc exec -it ...` instead if you also want to approve a namespace from the waiting list and specify the number of namespace to approve. In order to add to the allowlist manually: +Use `oc exec -it ...` instead if you also want to approve a namespace from the waiting list and specify the number of namespace to approve. + +## Manual approval + +In order to add to the allowlist manually: ``` -$ oc exec -it packit-worker-0 allowlist.py approve +$ oc exec -it packit-worker-short-running-0 allowlist.py approve ``` The `` string should follow the same format which is used in the list of waiting requests, i.e. the domain should be included. 
@@ -19,10 +25,28 @@ For example, for an organization/user `packit` at Github, `github.com/packit` sh In order to add only a single repository to the allowlist, the `.git` suffix must explicitly be used, e.g. `github.com/packit/ogr.git`. After approving, close the corresponding issue at [packit-service/notifications](https://github.com/packit/notifications/issues). +## List denied namespaces + +List all denied namespaces: + +``` +$ oc exec packit-worker-short-running-0 allowlist.py denied +``` + +## Denying + +Denying a user: + +``` +$ oc exec -it packit-worker-short-running-0 allowlist.py deny +``` + +## Removal + Removing a user or from the allowlist: ``` -$ oc exec packit-worker-0 allowlist.py remove +$ oc exec -it packit-worker-short-running-0 allowlist.py remove ``` # Cleaning up the database diff --git a/files/scripts/allowlist.py b/files/scripts/allowlist.py index d923d881c9..e8896d5cf8 100644 --- a/files/scripts/allowlist.py +++ b/files/scripts/allowlist.py 
@@ -118,15 +118,30 @@ def approve(full_path: Optional[str]): if full_path is None: full_path = RepoUrl().convert(construct_path()) - is_approved_before = Allowlist.is_approved(full_path) + is_approved_before = Allowlist.is_namespace_or_parent_approved(full_path) Allowlist.approve_namespace(full_path) - if Allowlist.is_approved(full_path) != is_approved_before: + if Allowlist.is_namespace_or_parent_approved(full_path) != is_approved_before: click.secho(f"Namespace ‹{full_path}› has been approved.", fg="green") else: click.secho(f"Status of namespace ‹{full_path}› has not changed.", fg="yellow") +@cli.command(short_help="Deny namespace.", help=PATH_HELP.format("denied")) +@click.argument("full_path", type=RepoUrl(), required=False) +def deny(full_path: Optional[str]): + if full_path is None: + full_path = RepoUrl().convert(construct_path()) + + is_denied_before = Allowlist.is_denied(full_path) + if is_denied_before: + click.secho(f"Namespace ‹{full_path}› already denied.", fg="yellow") + return + + Allowlist.deny_namespace(full_path) + click.secho(f"Namespace ‹{full_path}› has been denied.", fg="green") + + @cli.command( short_help="Remove namespace from allowlist. Removes the entry.", help=PATH_HELP.format("removed"), @@ -156,5 +171,14 @@ def waiting(ctx): ctx.invoke(approve, full_path=prompt_variant(waiting_list[choice - 1])) +@cli.command(short_help="Show namespaces that are denied.") +def denied(): + click.echo("Denied namespaces:") + + waiting_list = Allowlist.denied_namespaces() + for i, namespace in enumerate(waiting_list, 1): + click.echo(f"{i}. {namespace}") + + if __name__ == "__main__": cli()
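Review bot: `deny` prints "has been denied" unconditionally after `Allowlist.deny_namespace(full_path)`, whereas `approve` just above re-reads the state and reports only an actual change. Since the denylist is the control that blocks a namespace, the green message should be backed by a read-back, for example `if not Allowlist.is_denied(full_path):` followed by `raise click.ClickException(f"Namespace ‹{full_path}› is still not denied.")`, so a failed write gives the operator a non-zero exit status. Separately, the pre-check uses `is_denied` on the exact path while `approve` now uses `is_namespace_or_parent_approved`. Whether `is_denied` also covers a denied parent, and whether `approve` refuses or overrides a denied entry, is decided in `Allowlist`, outside this hunk. A short comment on `deny` stating which of denied and approved takes precedence would save operators from guessing.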
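Review bot: In `denied`, the result of `Allowlist.denied_namespaces()` is bound to `waiting_list`, a name carried over from the `waiting` command that misdescribes the data when the two commands are read side by side. I would rename it, `denied_namespaces = Allowlist.denied_namespaces()`, and iterate over that. When nothing is denied the command prints only the "Denied namespaces:" header, so an explicit line for the empty case would let the operator tell an empty denylist from a failed query. The numbering mirrors `waiting`, but no prompt follows here, so the numbers cannot be used to select an entry.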