Teach CQ status app to check login status of users.

appengine/chromium_cq_status/shared/utils.py

Index: appengine/chromium_cq_status/shared/utils.py
diff --git a/appengine/chromium_cq_status/shared/utils.py b/appengine/chromium_cq_status/shared/utils.py
index 7312725d4f3dd54789d0a6b8fd58ca80630b23af..48fac3c4a1fea2e9f2c6c09017c2d7f566c17268 100644
--- a/appengine/chromium_cq_status/shared/utils.py
+++ b/appengine/chromium_cq_status/shared/utils.py
@@ -4,14 +4,17 @@
 
 import calendar
 from datetime import datetime
+import functools
 import hashlib
 import json
 import logging
+import os
 
 from google.appengine.api import memcache
 from google.appengine.api import users
+from google.appengine.api import app_identity
 
-from shared.config import VALID_EMAIL_RE
+from shared.config import HOST_ACLS
 
 compressed_separators = (',', ':')
 minutes_per_day = 24 * 60
@@ -24,6 +27,7 @@ def cronjob(cronjob_handler):
   return checked_cronjob_handler
 
 def cross_origin_json(handler):
+  @functools.wraps(handler)
   def headered_json_handler(self, *args):
     self.response.headers.add_header("Access-Control-Allow-Origin", "*")
     result = handler(self, *args)
@@ -35,11 +39,43 @@ def cross_origin_json(handler):
 def filter_dict(d, keys):
   return {key: d[key] for key in d if key in keys}
 
-def is_valid_user():
+
+def get_host_permissions(kind):
+  """Returns compiled regex of allowed user email or True if everyone is
+  allowed."""
+  assert kind in ('read', 'write')
+  if os.environ.get('SERVER_SOFTWARE', '').startswith('Development'):
+    host = 'Development'
+  else:
+    host = app_identity.get_default_version_hostname()
+  return HOST_ACLS[host][kind]
+
+def has_permission(kind):
   if users.is_current_user_admin():
+    logging.info('user is admin')
+    return True
+  email_pattern = get_host_permissions(kind)
+  if email_pattern is True:  # Everyone.

[Sergiy Byelozyorov, 2016/07/01 17:13:06]

I'd use 'everyone' rather than True. Then it's also clear in the config file.

[tandrii(chromium), 2016/07/01 18:56:55]

good idea.

     return True
   user = users.get_current_user()
-  return user and VALID_EMAIL_RE.match(user.email())
+  return user and bool(email_pattern.match(user.email()))
+
+
+def read_access(handler):
+  """Decorator ensuring current user has read access to this host."""
+  @functools.wraps(handler)
+  def ensure(self, *args, **kwargs):
+    if not has_permission('read'):
+      self.redirect(users.create_login_url(self.request.url))
+      return
+    return handler(self, *args, **kwargs)
+  return ensure
+
+
+def get_friendly_hostname():
+  host = app_identity.get_default_version_hostname()
+  return host.split('-')[0].capitalize()

[Sergiy Byelozyorov, 2016/07/01 17:13:06]

Not so friendly to developers trying to understand where the the resulting
string is coming from, but I like the approach anyway :-).

[tandrii(chromium), 2016/07/01 18:56:55]

added comment.

+
 
 def memcachize(cache_check):
   def decorator(f):