diff --git a/.pylintrc b/.pylintrc
index bb63264..905b561 100644
--- a/.pylintrc
+++ b/.pylintrc
@@ -6,9 +6,6 @@ disable=cyclic-import,
duplicate-code,
fixme,
locally-disabled,
- locally-enabled,
- relative-import,
- star-args,
too-few-public-methods,
too-many-instance-attributes,
@@ -17,7 +14,6 @@ output-format=colorized
reports=no
[BASIC]
-bad-functions=
include-naming-hint=yes
[FORMAT]
diff --git a/README.md b/README.md
index e570765..0c92135 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,8 @@ We have chosen not to create a new Vault secrets engine, as we could deliver thi
| password | string | true | | Password to connect to Bitbucket
Server |
| pat_id | string | false | | The ID of the PAT
to revoke (only used if
`mode` is `revoke`) |
| pat_uri | string | false | `"rest/access-tokens/1.0/users"` | The REST endpoint for PAT
actions |
+| project_permissions | string | false | `"write"` | Project permissions: read, write or
admin |
+| repository_permissions | string | false | `"write"` | Repository permissions: read, write or
admin |
| seconds_between_attempts | string | false | `"30"` | Number of seconds to wait
before retrying to generate a
PAT |
| username | string | true | | Username to connect to Bitbucket
Server |
| valid_days | string | false | `"1"` | Days the PAT will be
valid |
@@ -97,11 +99,6 @@ We have chosen not to create a new Vault secrets engine, as we could deliver thi
-## 🚧 Limitations
-
-Currently the Action will only generate PATs with REPO_WRITE and PROJECT_WRITE permissions. Further contributions
-are required to support either read-only or admin PATs.
-
## 💕 Contributing
Please raise a pull request, but note the testing tools below
diff --git a/action.yaml b/action.yaml
index 0cf1c38..79cd339 100644
--- a/action.yaml
+++ b/action.yaml
@@ -58,6 +58,14 @@ inputs:
description: 'The REST endpoint for PAT actions'
required: false
default: 'rest/access-tokens/1.0/users'
+ project_permissions:
+ description: 'Project permissions: read, write or admin'
+ required: false
+ default: 'write'
+ repository_permissions:
+ description: 'Repository permissions: read, write or admin'
+ required: false
+ default: 'write'
outputs:
username:
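Review bot: The descriptions added for `project_permissions` and `repository_permissions` do not mention that a repository level below the project level is raised to match it (the rule that map_permissions in pat_helper.py encodes with its `# Can't be less than `project`` comments), so a workflow author reading only action.yaml may expect `repository_permissions: read` together with the default `project_permissions: write` to mint a read-only token. Suggest `description: 'Repository permissions: read, write or admin (raised to the project level if lower)'` and a matching sentence on the project input. The README table rows added in this commit have the same gap.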
@@ -77,6 +85,8 @@ runs:
args:
- ${{ inputs.mode }}
- --check-using-ldap-bind=${{ inputs.check_using_ldap_bind }}
+ - --project-permissions=${{ inputs.project_permissions }}
+ - --repository-permissions=${{ inputs.repository_permissions }}
entrypoint: '/app/entrypoint_main.sh'
post-entrypoint: '/app/entrypoint_post_cleanup.sh'
env:
diff --git a/pat_helper.py b/pat_helper.py
index 9a0c2b0..24f7d89 100644
--- a/pat_helper.py
+++ b/pat_helper.py
@@ -41,7 +41,9 @@
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument('mode', choices=['create', 'revoke'])
- parser.add_argument('--check-using-ldap-bind', choices=['true', 'false'], default='false')
+ parser.add_argument('-P', '--project-permissions', choices=['read', 'write', 'admin'], default='write')
+ parser.add_argument('-R', '--repository-permissions', choices=['read', 'write', 'admin'], default='write')
+ parser.add_argument('-L', '--check-using-ldap-bind', choices=['true', 'false'], default='false')
parsed = parser.parse_args()
return parsed
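Review bot: The two new options at `parser.add_argument('-P', ...)` and `parser.add_argument('-R', ...)` carry no `help=` text, so `--help` gives the operator no hint that the repository level is raised to the project level when it is lower (the rule the new map_permissions encodes). Suggest `help='Project permission level (read, write or admin)'` on `-P`, `help='Repository permission level; raised to the project level if lower'` on `-R`, and a short help string on the re-added `-L` option too. Restricting the values with `choices=` is the right call: it keeps any unexpected string out of the permission mapping before a token is requested.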
@@ -125,13 +127,41 @@ def token_name():
return name
-def create_pat():
+def map_permissions(project, repository):
+ permissions = []
+
+ if project == 'admin':
+ permissions.append("REPO_ADMIN") # Can't be less than `project`
+ permissions.append("PROJECT_ADMIN")
+ return permissions
+
+ if project == 'write':
+ if repository == 'admin':
+ permissions.append("REPO_ADMIN")
+ else:
+ permissions.append("REPO_WRITE") # Can't be less than `project`
+ permissions.append("PROJECT_WRITE")
+ return permissions
+
+ if project == 'read':
+ if repository == 'admin':
+ permissions.append("REPO_ADMIN")
+ elif repository == 'write':
+ permissions.append("REPO_WRITE")
+ else:
+ permissions.append("REPO_READ")
+ permissions.append("PROJECT_READ")
+ return permissions
+
+ if not permissions:
+ raise RuntimeError("No permissions mapped")
+ return permissions
+
+
+def create_pat(permissions):
data = {
"name": token_name(),
- "permissions": [
- "REPO_WRITE",
- "PROJECT_WRITE",
- ],
+ "permissions": permissions,
"expiryDays": PAT_VALID,
}
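Review bot: map_permissions grants more than the caller asked for without telling anyone: with project='admin' the repository argument is ignored and REPO_ADMIN is issued, and with project='write' a repository='read' request comes back as REPO_WRITE, the only record of that rule being the inline `# Can't be less than `project`` comments. If Bitbucket really requires the repository level to be at least the project level, the escalation should be surfaced in the job log (or the request rejected) rather than applied quietly, because the caller may believe a read-only token was minted. The closing `if not permissions: raise RuntimeError("No permissions mapped")` and the `return permissions` after it are also dead for any recognised level, since every branch returns, so the fallthrough can simply raise for an unrecognised value. The rewrite below produces the same list for all nine input combinations and prints a `::warning::` line (which reaches the job log assuming stdout is the action's log, as for a Docker action) whenever the effective repository level differs from the requested one. create_pat's body continues past the end of the hunk.
```python
_LEVELS = {'read': 0, 'write': 1, 'admin': 2}


def map_permissions(project, repository):
    """Return the Bitbucket PAT permission names for the requested levels.

    The repository level cannot be below the project level, so the
    effective repository level is the higher of the two.
    """
    if project not in _LEVELS or repository not in _LEVELS:
        raise RuntimeError(f"No permissions mapped for project={project!r}, repository={repository!r}")
    effective = max(project, repository, key=_LEVELS.get)
    if effective != repository:
        # Make the escalation visible in the job log instead of granting it silently.
        print(f"::warning::repository permission raised from '{repository}' to '{effective}' "
              f"to match project permission '{project}'")
    return [f"REPO_{effective.upper()}", f"PROJECT_{project.upper()}"]
```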
@@ -232,7 +262,8 @@ def print_outputs():
test_password(ldap_host)
if args.mode == 'create':
- create_pat()
+ perms = map_permissions(args.project_permissions, args.repository_permissions)
+ create_pat(perms)
else: # revoke
revoke_pat()