add get_owner and use for package upload

mamba-org · Jun 9, 2023 · dcbc366 · dcbc366
1 parent a189de8
commit dcbc366
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 7 deletions.
diff --git a/quetz/authorization.py b/quetz/authorization.py
@@ -39,6 +39,28 @@ def __init__(self, API_key: Optional[str], session: dict, db: Session):
         self.session = session
         self.db = db
 
+    def get_owner(self) -> Optional[bytes]:
+        owner_id = None
+
+        if self.API_key:
+            api_key = (
+                self.db.query(ApiKey)
+                .filter(ApiKey.key == self.API_key, ~ApiKey.deleted)
+                .filter(
+                    ApiKey.key == self.API_key,
+                    or_(ApiKey.expire_at >= date.today(), ApiKey.expire_at.is_(None)),
+                )
+                .one_or_none()
+            )
+            if api_key:
+                owner_id = api_key.owner_id
+        else:
+            user_id = self.session.get("user_id")
+            if user_id:
+                owner_id = uuid.UUID(user_id).bytes
+
+        return owner_id
+
     def get_user(self) -> Optional[bytes]:
         user_id = None
 

diff --git a/quetz/main.py b/quetz/main.py
@@ -913,6 +913,8 @@ def post_package(
     dao: Dao = Depends(get_dao),
 ):
     user_id = auth.assert_user()
+    owner_id = auth.get_owner()
+
     auth.assert_create_package(channel.name)
     pm.hook.validate_new_package(
         channel_name=channel.name,
@@ -927,7 +929,7 @@ def post_package(
             detail=f"Package {channel.name}/{new_package.name} exists",
         )
 
-    dao.create_package(channel.name, new_package, user_id, authorization.OWNER)
+    dao.create_package(channel.name, new_package, owner_id, authorization.OWNER)
 
 
 @api_router.get(
@@ -1382,14 +1384,18 @@ async def post_upload(
             status_code=status.HTTP_406_NOT_ACCEPTABLE, detail="Wrong SHA256 checksum"
         )
 
-    user_id = auth.assert_user()
+    _ = auth.assert_user()
+
     auth.assert_create_package(channel_name)
     condainfo = CondaInfo((body), filename)
     dest = os.path.join(condainfo.info["subdir"], filename)
 
     body.seek(0)
     await pkgstore.add_package_async(body, channel_name, dest)
 
+    # get the id of the owner, in case auth was done through an API key
+    owner_id = auth.get_owner()
+
     package_name = str(condainfo.info.get("name"))
     package_data = rest_models.Package(
         name=package_name,
@@ -1400,7 +1406,7 @@ async def post_upload(
         dao.create_package(
             channel_name,
             package_data,
-            user_id,
+            owner_id,
             authorization.OWNER,
         )
 
@@ -1419,7 +1425,7 @@ async def post_upload(
             size=condainfo.info["size"],
             filename=filename,
             info=json.dumps(condainfo.info),
-            uploader_id=user_id,
+            uploader_id=owner_id,
             upsert=force,
         )
     except IntegrityError:
@@ -1504,7 +1510,8 @@ def handle_package_files(
     package=None,
     is_mirror_op=False,
 ):
-    user_id = auth.assert_user()
+    _ = auth.assert_user()
+    owner_id = auth.get_owner()
 
     # quick fail if not allowed to upload
     # note: we're checking later that `parts[0] == conda_info.package_name`
@@ -1648,7 +1655,7 @@ def _delete_file(condainfo, filename):
             dao.create_package(
                 channel.name,
                 package_data,
-                user_id,
+                owner_id,
                 authorization.OWNER,
             )
 
@@ -1669,7 +1676,7 @@ def _delete_file(condainfo, filename):
                 size=condainfo.info["size"],
                 filename=file.filename,
                 info=json.dumps(condainfo.info),
-                uploader_id=user_id,
+                uploader_id=owner_id,
                 upsert=force,
             )
         except IntegrityError: