reecetech · ps-jay · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022 · Jun 15, 2022
diff --git a/.pylintrc b/.pylintrc
@@ -6,9 +6,6 @@ disable=cyclic-import,
         duplicate-code,
         fixme,
         locally-disabled,
-        locally-enabled,
-        relative-import,
-        star-args,
         too-few-public-methods,
         too-many-instance-attributes,
 
@@ -17,7 +14,6 @@ output-format=colorized
 reports=no
 
 [BASIC]
-bad-functions=
 include-naming-hint=yes
 
 [FORMAT]

diff --git a/README.md b/README.md
@@ -77,6 +77,8 @@ We have chosen not to create a new Vault secrets engine, as we could deliver thi
 | password                 | string | true     |                                  | Password to connect to Bitbucket<br>Server                                                                                                                                                                                                                                             |
 | pat_id                   | string | false    |                                  | The ID of the PAT<br>to revoke (only used if<br>`mode` is `revoke`)                                                                                                                                                                                                                    |
 | pat_uri                  | string | false    | `"rest/access-tokens/1.0/users"` | The REST endpoint for PAT<br>actions                                                                                                                                                                                                                                                   |
+| project_permissions      | string | false    | `"write"`                        | Project permissions: read, write or<br>admin                                                                                                                                                                                                                                           |
+| repository_permissions   | string | false    | `"write"`                        | Repository permissions: read, write or<br>admin                                                                                                                                                                                                                                        |
 | seconds_between_attempts | string | false    | `"30"`                           | Number of seconds to wait<br>before retrying to generate a<br>PAT                                                                                                                                                                                                                      |
 | username                 | string | true     |                                  | Username to connect to Bitbucket<br>Server                                                                                                                                                                                                                                             |
 | valid_days               | string | false    | `"1"`                            | Days the PAT will be<br>valid                                                                                                                                                                                                                                                          |
@@ -97,11 +99,6 @@ We have chosen not to create a new Vault secrets engine, as we could deliver thi
 
 <!-- AUTO-DOC-OUTPUT:END -->
 
-## 🚧 Limitations
-
-Currently the Action will only generate PATs with REPO_WRITE and PROJECT_WRITE permissions.  Further contributions
-are required to support either read-only or admin PATs.
-
 ## 💕 Contributing
 
 Please raise a pull request, but note the testing tools below

diff --git a/action.yaml b/action.yaml
@@ -58,6 +58,14 @@ inputs:
     description: 'The REST endpoint for PAT actions'
     required: false
     default: 'rest/access-tokens/1.0/users'
+  project_permissions:
+    description: 'Project permissions: read, write or admin'
+    required: false
+    default: 'write'
+  repository_permissions:
+    description: 'Repository permissions: read, write or admin'
+    required: false
+    default: 'write'
 
 outputs:
   username:
@@ -77,6 +85,8 @@ runs:
   args:
     - ${{ inputs.mode }}
     - --check-using-ldap-bind=${{ inputs.check_using_ldap_bind }}
+    - --project-permissions=${{ inputs.project_permissions }}
+    - --repository-permissions=${{ inputs.repository_permissions }}
   entrypoint: '/app/entrypoint_main.sh'
   post-entrypoint: '/app/entrypoint_post_cleanup.sh'
   env:

diff --git a/pat_helper.py b/pat_helper.py
@@ -41,7 +41,9 @@
 def parse_args():
     parser = argparse.ArgumentParser()
     parser.add_argument('mode', choices=['create', 'revoke'])
-    parser.add_argument('--check-using-ldap-bind', choices=['true', 'false'], default='false')
+    parser.add_argument('-P', '--project-permissions', choices=['read', 'write', 'admin'], default='write')
+    parser.add_argument('-R', '--repository-permissions', choices=['read', 'write', 'admin'], default='write')
+    parser.add_argument('-L', '--check-using-ldap-bind', choices=['true', 'false'], default='false')
     parsed = parser.parse_args()
     return parsed
 
@@ -125,13 +127,41 @@ def token_name():
     return name
 
 
-def create_pat():
+def map_permissions(project, repository):
+    permissions = []
+
+    if project == 'admin':
+        permissions.append("REPO_ADMIN")  # Can't be less than `project`
+        permissions.append("PROJECT_ADMIN")
+        return permissions
+
+    if project == 'write':
+        if repository == 'admin':
+            permissions.append("REPO_ADMIN")
+        else:
+            permissions.append("REPO_WRITE")  # Can't be less than `project`
+        permissions.append("PROJECT_WRITE")
+        return permissions
+
+    if project == 'read':
+        if repository == 'admin':
+            permissions.append("REPO_ADMIN")
+        elif repository == 'write':
+            permissions.append("REPO_WRITE")
+        else:
+            permissions.append("REPO_READ")
+        permissions.append("PROJECT_READ")
+        return permissions
+
+    if not permissions:
+        raise RuntimeError("No permissions mapped")
+    return permissions
+
+
+def create_pat(permissions):
     data = {
         "name": token_name(),
-        "permissions": [
-            "REPO_WRITE",
-            "PROJECT_WRITE",
-        ],
+        "permissions": permissions,
         "expiryDays": PAT_VALID,
     }
 
@@ -232,7 +262,8 @@ def print_outputs():
         test_password(ldap_host)
 
 if args.mode == 'create':
-    create_pat()
+    perms = map_permissions(args.project_permissions, args.repository_permissions)
+    create_pat(perms)
 else:  # revoke
     revoke_pat()