cipd: registerPackage method implementation.

appengine/chrome_infra_packages/cas/api.py

Index: appengine/chrome_infra_packages/cas/api.py
diff --git a/appengine/chrome_infra_packages/cas/api.py b/appengine/chrome_infra_packages/cas/api.py
index a383532a9c98b0a921db44ab06f4cf0772e5ce54..4c983e7f994f72642dfbd53d9419d1d16a2e15df 100644
--- a/appengine/chrome_infra_packages/cas/api.py
+++ b/appengine/chrome_infra_packages/cas/api.py
@@ -14,7 +14,6 @@ from components import auth
 
 from . import impl
 
-# TODO(vadimsh): Improve authorization scheme.
 
 # This is used by endpoints indirectly.
 package = 'cipd'
@@ -89,7 +88,7 @@ class CASServiceApi(remote.Service):
       path='upload/{hash_algo}/{file_hash}',
       http_method='POST',
       name='beginUpload')
-  @auth.require(lambda: not auth.get_current_identity().is_anonymous)
+  @auth.require(auth.is_admin)
   def begin_upload(self, request):
     """Initiates an upload operation if file is missing.
 
@@ -98,6 +97,11 @@ class CASServiceApi(remote.Service):
     with call to 'finishUpload'.
 
     If file is already in the store, returns ALREADY_UPLOADED status.
+
+    This method is not intended to be used directly by all clients (only by
+    admins in case some files has to be injected into CAS store directly). Use
+    PackageRepositoryApi.register_package instead to initiate an upload of some
+    package and get upload_url and upload_session_id.
     """
     if not impl.is_supported_hash_algo(request.hash_algo):
       raise endpoints.BadRequestException('Unsupported hash algo')
@@ -141,6 +145,8 @@ class CASServiceApi(remote.Service):
     is finalized and 'finishUpload' is called, the server starts hash
     verification. Uploading client will get 'VERIFYING' status response. It
     can continue polling on this method until server returns 'PUBLISHED' status.
+
+    upload_session_id implicitly authorizes the request.
     """
     service = impl.get_cas_service()
     if service is None: