Cleanup runtime access token scope (#308)

* Cleanup runtime access token scope * minor * Fix helm
AzureCR · Apr 8, 2019 · f158bc2 · f158bc2
1 parent 2a4b8b6
commit f158bc2
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 13 deletions.
diff --git a/src/command_modules/azure-cli-acr/HISTORY.rst b/src/command_modules/azure-cli-acr/HISTORY.rst
@@ -2,10 +2,14 @@
 
 Release History
 ===============
+
+2.2.4
++++++
+* Support running an image contextlessly.
+
 2.2.3
 +++++
 * Minor fixes
-* Support running an image contextlessly.
 
 2.2.2
 +++++

diff --git a/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/_docker_utils.py b/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/_docker_utils.py
@@ -35,7 +35,7 @@
 
 EMPTY_GUID = '00000000-0000-0000-0000-000000000000'
 ALLOWED_HTTP_METHOD = ['get', 'patch', 'put', 'delete']
-ACCESS_TOKEN_PERMISSION = ['*', 'pull']
+ACCESS_TOKEN_PERMISSION = ['pull', 'push', 'delete', 'push,pull', 'delete,pull']
 
 AAD_TOKEN_BASE_ERROR_MESSAGE = "Unable to get AAD authorization tokens with message"
 ADMIN_USER_BASE_ERROR_MESSAGE = "Unable to get admin user credentials with message"
@@ -266,7 +266,7 @@ def get_access_credentials(cmd,
     :param str password: The password used to log into the container registry
     :param str repository: Repository for which the access token is requested
     :param str artifact_repository: Artifact repository for which the access token is requested
-    :param str permission: The requested permission on the repository, '*' or 'pull'
+    :param str permission: The requested permission on the repository
     """
     return _get_credentials(cmd,
                             registry_name,

diff --git a/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/helm.py b/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/helm.py
@@ -88,7 +88,7 @@ def acr_helm_delete(cmd,
         username=username,
         password=password,
         artifact_repository=repository,
-        permission='*')
+        permission='delete')
 
     return request_data_from_registry(
         http_method='delete',
@@ -119,7 +119,7 @@ def acr_helm_push(cmd,
         username=username,
         password=password,
         artifact_repository=repository,
-        permission='*')
+        permission='push,pull')
 
     path = _get_blobs_path(repository, basename(chart_package))
 

diff --git a/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/repository.py b/src/command_modules/azure-cli-acr/azure/cli/command_modules/acr/repository.py
@@ -297,7 +297,7 @@ def acr_repository_update(cmd,
         registry_name=registry_name,
         http_method='patch' if json_payload else 'get',
         json_payload=json_payload,
-        permission='*',
+        permission='push,pull' if json_payload else 'pull',
         repository=repository,
         image=image,
         tenant_suffix=tenant_suffix,
@@ -391,7 +391,7 @@ def acr_repository_untag(cmd,
         username=username,
         password=password,
         repository=repository,
-        permission='*')
+        permission='delete')
 
     try:
         return request_data_from_registry(
@@ -432,7 +432,7 @@ def acr_repository_delete(cmd,
         username=username,
         password=password,
         repository=repository,
-        permission='*')
+        permission='delete,pull')
 
     if tag or manifest:
         manifest = _delete_manifest_confirmation(

diff --git a/...odules/azure-cli-acr/azure/cli/command_modules/acr/tests/latest/test_acr_commands_mock.py b/...odules/azure-cli-acr/azure/cli/command_modules/acr/tests/latest/test_acr_commands_mock.py
@@ -375,12 +375,12 @@ def _core_token_scenarios(self, mock_get_raw_token, mock_requests_get, mock_requ
         self._validate_refresh_token_request(mock_requests_get, mock_requests_post, login_server)
 
         # Test get access token for container image repository
-        get_access_credentials(cmd, registry_name, tenant_suffix=tenant_suffix, repository=TEST_REPOSITORY, permission='*')
-        self._validate_access_token_request(mock_requests_get, mock_requests_post, login_server, 'repository:{}:*'.format(TEST_REPOSITORY))
+        get_access_credentials(cmd, registry_name, tenant_suffix=tenant_suffix, repository=TEST_REPOSITORY, permission='pull')
+        self._validate_access_token_request(mock_requests_get, mock_requests_post, login_server, 'repository:{}:pull'.format(TEST_REPOSITORY))
 
         # Test get access token for artifact image repository
-        get_access_credentials(cmd, registry_name, tenant_suffix=tenant_suffix, artifact_repository=TEST_REPOSITORY, permission='*')
-        self._validate_access_token_request(mock_requests_get, mock_requests_post, login_server, 'artifact-repository:{}:*'.format(TEST_REPOSITORY))
+        get_access_credentials(cmd, registry_name, tenant_suffix=tenant_suffix, artifact_repository=TEST_REPOSITORY, permission='pull')
+        self._validate_access_token_request(mock_requests_get, mock_requests_post, login_server, 'artifact-repository:{}:pull'.format(TEST_REPOSITORY))
 
     def _setup_mock_token_requests(self, mock_get_aad_token, mock_requests_get, mock_requests_post, login_server):
         # Set up AAD token with only access token

diff --git a/src/command_modules/azure-cli-acr/setup.py b/src/command_modules/azure-cli-acr/setup.py
@@ -14,7 +14,7 @@
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
     cmdclass = {}
 
-VERSION = "2.2.3"
+VERSION = "2.2.4"
 CLASSIFIERS = [
     'Development Status :: 4 - Beta',
     'Intended Audience :: Developers',