Skip to content

Commit

Permalink
Update allowlisting script to be able to deny namespaces
Browse files Browse the repository at this point in the history
Related to #1964
  • Loading branch information
lbarcziova committed May 10, 2023
1 parent 2e1fed7 commit 0c925d3
Show file tree
Hide file tree
Showing 2 changed files with 55 additions and 7 deletions.
34 changes: 29 additions & 5 deletions files/scripts/README.md
Original file line number Diff line number Diff line change
@@ -1,28 +1,52 @@
# Allowlisting an account
# Allowlisting/denylisting an account

You need to login to our OpenShift cluster and list all pods. Use the `allowlist.py` script inside the worker pod to manipulate the allowlist.

## List pending namespaces

List all requests pending approval:

```
$ oc exec packit-worker-0 allowlist.py waiting
$ oc exec packit-worker-short-running-0 allowlist.py waiting
```

Use `oc exec -it ...` instead if you also want to approve a namespace from the waiting list and specify the number of namespace to approve. In order to add to the allowlist manually:
Use `oc exec -it ...` instead if you also want to approve a namespace from the waiting list and specify the number of namespace to approve.

## Manual approval

In order to add to the allowlist manually:

```
$ oc exec -it packit-worker-0 allowlist.py approve <path_to_namespace>
$ oc exec -it packit-worker-short-running-0 allowlist.py approve <path_to_namespace>
```

The `<path_to_namespace>` string should follow the same format which is used in the list of waiting requests, i.e. the domain should be included.
For example, for an organization/user `packit` at Github, `github.com/packit` should be used for the allowlist.
In order to add only a single repository to the allowlist, the `.git` suffix must explicitly be used, e.g. `github.com/packit/ogr.git`.
After approving, close the corresponding issue at [packit-service/notifications](https://github.com/packit/notifications/issues).

## List denied namespaces

List all denied namespaces:

```
$ oc exec packit-worker-short-running-0 allowlist.py denied
```

## Denying

Denying a user:

```
$ oc exec -it packit-worker-short-running-0 allowlist.py deny <path_to_namespace>
```

## Removal

Removing a user or from the allowlist:

```
$ oc exec packit-worker-0 allowlist.py remove <path_to_namespace>
$ oc exec -it packit-worker-short-running-0 allowlist.py remove <path_to_namespace>
```

# Cleaning up the database
Expand Down
28 changes: 26 additions & 2 deletions files/scripts/allowlist.py
Original file line number Diff line number Diff line change
Expand Up @@ -118,15 +118,30 @@ def approve(full_path: Optional[str]):
if full_path is None:
full_path = RepoUrl().convert(construct_path())

is_approved_before = Allowlist.is_approved(full_path)
is_approved_before = Allowlist.is_namespace_or_parent_approved(full_path)

Allowlist.approve_namespace(full_path)
if Allowlist.is_approved(full_path) != is_approved_before:
if Allowlist.is_namespace_or_parent_approved(full_path) != is_approved_before:
click.secho(f"Namespace ‹{full_path}› has been approved.", fg="green")
else:
click.secho(f"Status of namespace ‹{full_path}› has not changed.", fg="yellow")


@cli.command(short_help="Deny namespace.", help=PATH_HELP.format("denied"))
@click.argument("full_path", type=RepoUrl(), required=False)
def deny(full_path: Optional[str]):
if full_path is None:
full_path = RepoUrl().convert(construct_path())

is_denied_before = Allowlist.is_denied(full_path)
if is_denied_before:
click.secho(f"Namespace ‹{full_path}› already denied.", fg="yellow")
return

Allowlist.deny_namespace(full_path)
click.secho(f"Namespace ‹{full_path}› has been denied.", fg="green")


@cli.command(
short_help="Remove namespace from allowlist. Removes the entry.",
help=PATH_HELP.format("removed"),
Expand Down Expand Up @@ -156,5 +171,14 @@ def waiting(ctx):
ctx.invoke(approve, full_path=prompt_variant(waiting_list[choice - 1]))


@cli.command(short_help="Show namespaces that are denied.")
def denied():
click.echo("Denied namespaces:")

waiting_list = Allowlist.denied_namespaces()
for i, namespace in enumerate(waiting_list, 1):
click.echo(f"{i}. {namespace}")


if __name__ == "__main__":
cli()

0 comments on commit 0c925d3

Please sign in to comment.