This also removes the outdated comments around authorship of each
file. If there is still interest in this information, one can just
look at the git history.

The `ImportModuleAPI` calls `auth.get_user()`, which auths the
user using Kerberos. The `ImportModuleAPI` later calls `SCMHandler`,
which in its `__init__` method calls `auth.get_user()` again.
This leads to a traceback in GSSAPI, because the user is already
authed.
This commit fixes this by caching the auth results in `flask.g`,
which is reset after each request based on the Note in
http://flask.pocoo.org/docs/1.0/appcontext/#storing-data.
This commit also marks mutual auth as OPTIONAL in `mbs-cli`,
because MBS server currently does not do mutual auth.
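
The per-request caching this commit message describes, as an added example that is not the project's own code. `kerberos_negotiate`, the token strings and the `cached_user` attribute are hypothetical, and the one-shot negotiation is a simplified stand-in for the GSSAPI step.

```python
from flask import Flask, g

app = Flask(__name__)
negotiations = []  # every simulated Kerberos negotiation, in order


def kerberos_negotiate(token):
    """Simplified stand-in for GSSAPI: a token can be accepted only once."""
    if token in negotiations:
        raise RuntimeError("security context already established")
    negotiations.append(token)
    # Constructed result: username taken from the token, fixed group set.
    return token.split(":", 1)[0], {"packager"}


def get_user(token):
    """Return (username, groups), authenticating at most once per request."""
    # flask.g lives for one application context, so the cached identity
    # cannot leak into a later request made by a different principal.
    if "cached_user" not in g:
        g.cached_user = kerberos_negotiate(token)
    return g.cached_user


def handle_import(token):
    """Mimics the double call: the API view, then a handler's __init__."""
    first = get_user(token)   # the view authenticates the caller
    second = get_user(token)  # the handler asks again, served from flask.g
    return first, second


def run_two_requests():
    """Two separate requests with constructed tokens for two principals."""
    results = []
    for token in ("alice:tok1", "bob:tok2"):
        with app.test_request_context("/import"):
            results.append(handle_import(token))
    return results


if __name__ == "__main__":
    for first, second in run_two_requests():
        print(first, second, first is second)
    print("negotiations:", negotiations)
```

A module-level cache would make the second call succeed as well, but it would hand the first caller's identity to every later request; scoping the cache to `flask.g` avoids that.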

This is required for monitoring use-cases, where we can have a Kerberos principal for a
service account but no associated account in LDAP to check group membership.

This removes our query to FAS and fixes #304.
It is more flexible too, where we can now configure production to only
allow in members of the `modularity-wg` group, and then later open it up
to all packagers after F26 is out (as was agreed with FESCo).
In the process of working on this, I discovered that #305 is not
necessary. We don't need our own scope; we can just use the `groups`
scope as done here.

Before this, we were consulting pkgdb to see if the given user was the
maintainer of any packages.
That mostly works... but technically, we want to consult FAS to see if
the user is in the packager group.
We found this when @mprahl was unable to submit builds to rida. I added
him to the packager group, but nothing changed! (As written, he had to
actually own a package).
This change fixes all that so that we query FAS instead of pkgdb.
Tests are added.