quay/auth/auth.py

import logging

from functools import wraps
from uuid import UUID
from datetime import datetime
from flask import request, session
from flask.ext.principal import identity_changed, Identity
from flask.ext.login import current_user
from base64 import b64decode

import scopes

from data import model
from data.model import oauth
from app import app, authentication
from permissions import QuayDeferredPermissionUser
from auth_context import (set_authenticated_user, set_validated_token,
                          set_authenticated_user_deferred, set_validated_oauth_token)
from util.http import abort


logger = logging.getLogger(__name__)


def _load_user_from_cookie():
  if not current_user.is_anonymous():
    try:
      # Attempt to parse the user uuid to make sure the cookie has the right value type
      UUID(current_user.get_id())
    except ValueError:
      return None

    logger.debug('Loading user from cookie: %s', current_user.get_id())
    set_authenticated_user_deferred(current_user.get_id())
    loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
    identity_changed.send(app, identity=loaded)
    return current_user.db_user()
  return None


def _validate_and_apply_oauth_token(token):
  validated = oauth.validate_access_token(token)
  if not validated:
    logger.warning('OAuth access token could not be validated: %s', token)
    authenticate_header = {
      'WWW-Authenticate': ('Bearer error="invalid_token", '
                           'error_description="The access token is invalid"'),
    }
    abort(401, message='OAuth access token could not be validated: %(token)s',
          issue='invalid-oauth-token', token=token, headers=authenticate_header)
  elif validated.expires_at <= datetime.utcnow():
    logger.info('OAuth access with an expired token: %s', token)
    authenticate_header = {
      'WWW-Authenticate': ('Bearer error="invalid_token", '
                           'error_description="The access token expired"'),
    }
    abort(401, message='OAuth access token has expired: %(token)s',
          issue='invalid-oauth-token', token=token, headers=authenticate_header)

  # We have a valid token
  scope_set = scopes.scopes_from_scope_string(validated.scope)
  logger.debug('Successfully validated oauth access token: %s with scope: %s', token,
               scope_set)

  set_authenticated_user(validated.authorized_user)
  set_validated_oauth_token(validated)

  new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)
  identity_changed.send(app, identity=new_identity)


def process_basic_auth(auth):
  normalized = [part.strip() for part in auth.split(' ') if part]
  if normalized[0].lower() != 'basic' or len(normalized) != 2:
    logger.debug('Invalid basic auth format.')
    return

  credentials = [part.decode('utf-8') for part in b64decode(normalized[1]).split(':', 1)]

  if len(credentials) != 2:
    logger.debug('Invalid basic auth credential format.')

  elif credentials[0] == '$token':
    # Use as token auth
    try:
      token = model.load_token_data(credentials[1])
      logger.debug('Successfully validated token: %s' % credentials[1])
      set_validated_token(token)

      identity_changed.send(app, identity=Identity(token.code, 'token'))
      return

    except model.DataModelException:
      logger.debug('Invalid token: %s' % credentials[1])

  elif credentials[0] == '$oauthtoken':
    oauth_token = credentials[1]
    _validate_and_apply_oauth_token(oauth_token)

  elif '+' in credentials[0]:
    logger.debug('Trying robot auth with credentials %s' % str(credentials))
    # Use as robot auth
    try:
      robot = model.verify_robot(credentials[0], credentials[1])
      logger.debug('Successfully validated robot: %s' % credentials[0])
      set_authenticated_user(robot)

      deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
      identity_changed.send(app, identity=deferred_robot)
      return
    except model.InvalidRobotException:
      logger.debug('Invalid robot or password for robot: %s' % credentials[0])

  else:
    authenticated = authentication.verify_user(credentials[0], credentials[1])

    if authenticated:
      logger.debug('Successfully validated user: %s' % authenticated.username)
      set_authenticated_user(authenticated)

      new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',
                                                {scopes.DIRECT_LOGIN})
      identity_changed.send(app, identity=new_identity)
      return

  # We weren't able to authenticate via basic auth.
  logger.debug('Basic auth present but could not be validated.')


def process_token(auth):
  normalized = [part.strip() for part in auth.split(' ') if part]
  if normalized[0].lower() != 'token' or len(normalized) != 2:
    logger.debug('Not an auth token: %s' % auth)
    return

  token_details = normalized[1].split(',')

  if len(token_details) != 1:
    logger.warning('Invalid token format: %s' % auth)
    abort(401, message='Invalid token format: %(auth)s', issue='invalid-auth-token', auth=auth)

  def safe_get(lst, index, default_value):
    try:
      return lst[index]
    except IndexError:
      return default_value

  token_vals = {val[0]: safe_get(val, 1, '') for val in
                (detail.split('=') for detail in token_details)}

  if 'signature' not in token_vals:
    logger.warning('Token does not contain signature: %s' % auth)
    abort(401, message='Token does not contain a valid signature: %(auth)s',
          issue='invalid-auth-token', auth=auth)

  try:
    token_data = model.load_token_data(token_vals['signature'])

  except model.InvalidTokenException:
    logger.warning('Token could not be validated: %s', token_vals['signature'])
    abort(401, message='Token could not be validated: %(auth)s', issue='invalid-auth-token',
          auth=auth)

  logger.debug('Successfully validated token: %s', token_data.code)
  set_validated_token(token_data)

  identity_changed.send(app, identity=Identity(token_data.code, 'token'))


def process_oauth(func):
  @wraps(func)
  def wrapper(*args, **kwargs):
    auth = request.headers.get('authorization', '')
    if auth:
      normalized = [part.strip() for part in auth.split(' ') if part]
      if normalized[0].lower() != 'bearer' or len(normalized) != 2:
        logger.debug('Invalid oauth bearer token format.')
        return

      token = normalized[1]
      _validate_and_apply_oauth_token(token)
    elif _load_user_from_cookie() is None:
      logger.debug('No auth header or login cookie.')
    return func(*args, **kwargs)
  return wrapper


def process_auth(func):
  @wraps(func)
  def wrapper(*args, **kwargs):
    auth = request.headers.get('authorization', '')

    if auth:
      logger.debug('Validating auth header: %s' % auth)
      process_token(auth)
      process_basic_auth(auth)
    else:
      logger.debug('No auth header.')

    return func(*args, **kwargs)
  return wrapper


def require_session_login(func):
  @wraps(func)
  def wrapper(*args, **kwargs):
    loaded = _load_user_from_cookie()
    if loaded is None or loaded.organization:
      abort(401, message='Method requires login and no valid login could be loaded.')
    return func(*args, **kwargs)
  return wrapper


def extract_namespace_repo_from_session(func):
  @wraps(func)
  def wrapper(*args, **kwargs):
    if 'namespace' not in session or 'repository' not in session:
      logger.error('Unable to load namespace or repository from session: %s' % session)
      abort(400, message='Missing namespace in request')

    return func(session['namespace'], session['repository'], *args, **kwargs)
  return wrapper
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`import logging`

			`from functools import wraps`
Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type. 2014-11-21 15:28:50 +00:00			`from uuid import UUID`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`from datetime import datetime`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`from flask import request, session`
Integrate flask-principal in order to provide RBAC. 2013-09-20 22:38:17 +00:00			`from flask.ext.principal import identity_changed, Identity`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`from flask.ext.login import current_user`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`from base64 import b64decode`

Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`import scopes`

Refactor the code into modules, it was getting unweildy. 2013-09-25 16:45:12 +00:00			`from data import model`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`from data.model import oauth`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`from app import app, authentication`
Remove unnecessary calls to the database for user and permission metadata. 2013-10-15 18:48:49 +00:00			`from permissions import QuayDeferredPermissionUser`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`from auth_context import (set_authenticated_user, set_validated_token,`
Add OAuth usage information the API logs, have it be displayed in the logs UI and start on the code to display application information when clicked. Note that this does not (yet) do anything with the information returned as we need to wait for the mainline merge of Angular 1.2.9 (which is in master) before I can continue on the display 2014-03-18 20:45:18 +00:00			`set_authenticated_user_deferred, set_validated_oauth_token)`
Make sure all aborts have message information 2014-02-25 19:15:12 +00:00			`from util.http import abort`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Integrate flask-principal in order to provide RBAC. 2013-09-20 22:38:17 +00:00
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`logger = logging.getLogger(__name__)`

Add some sort of oauth. 2014-03-12 16:37:06 +00:00
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`def _load_user_from_cookie():`
			`if not current_user.is_anonymous():`
Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type. 2014-11-21 15:28:50 +00:00			`try:`
			`# Attempt to parse the user uuid to make sure the cookie has the right value type`
			`UUID(current_user.get_id())`
			`except ValueError:`
			`return None`

Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`logger.debug('Loading user from cookie: %s', current_user.get_id())`
			`set_authenticated_user_deferred(current_user.get_id())`
Base sessions on UUIDs. Now that a backfill has been applied, sessions can now be based on UUIDs because all users will have one. 2014-11-20 23:44:36 +00:00			`loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})`
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`identity_changed.send(app, identity=loaded)`
			`return current_user.db_user()`
			`return None`


			`def _validate_and_apply_oauth_token(token):`
Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 16:09:25 +00:00			`validated = oauth.validate_access_token(token)`
			`if not validated:`
			`logger.warning('OAuth access token could not be validated: %s', token)`
			`authenticate_header = {`
			`'WWW-Authenticate': ('Bearer error="invalid_token", '`
			`'error_description="The access token is invalid"'),`
			`}`
			`abort(401, message='OAuth access token could not be validated: %(token)s',`
Fix typo 2014-03-25 20:50:39 +00:00			`issue='invalid-oauth-token', token=token, headers=authenticate_header)`
Fix the metrics so they are usable for scaling the workers down and up. Switch all datetimes which touch the database from now to utcnow. Fix the worker Dockerfile. 2014-05-23 18:16:26 +00:00			`elif validated.expires_at <= datetime.utcnow():`
Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 16:09:25 +00:00			`logger.info('OAuth access with an expired token: %s', token)`
			`authenticate_header = {`
			`'WWW-Authenticate': ('Bearer error="invalid_token", '`
			`'error_description="The access token expired"'),`
			`}`
			`abort(401, message='OAuth access token has expired: %(token)s',`
			`issue='invalid-oauth-token', token=token, headers=authenticate_header)`

			`# We have a valid token`
			`scope_set = scopes.scopes_from_scope_string(validated.scope)`
			`logger.debug('Successfully validated oauth access token: %s with scope: %s', token,`
			`scope_set)`

			`set_authenticated_user(validated.authorized_user)`
			`set_validated_oauth_token(validated)`

Base sessions on UUIDs. Now that a backfill has been applied, sessions can now be based on UUIDs because all users will have one. 2014-11-20 23:44:36 +00:00			`new_identity = QuayDeferredPermissionUser(validated.authorized_user.uuid, 'user_uuid', scope_set)`
Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 16:09:25 +00:00			`identity_changed.send(app, identity=new_identity)`


Handle the case where there is no auth at all. 2013-10-01 04:37:28 +00:00			`def process_basic_auth(auth):`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`normalized = [part.strip() for part in auth.split(' ') if part]`
			`if normalized[0].lower() != 'basic' or len(normalized) != 2:`
			`logger.debug('Invalid basic auth format.')`
Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db. 2013-09-26 19:58:11 +00:00			`return`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`credentials = [part.decode('utf-8') for part in b64decode(normalized[1]).split(':', 1)]`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
			`if len(credentials) != 2:`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`logger.debug('Invalid basic auth credential format.')`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Allow a request with invalid basic auth to still be considered anonymous, rather than throwing a 401. 2013-12-19 20:18:14 +00:00			`elif credentials[0] == '$token':`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`# Use as token auth`
			`try:`
			`token = model.load_token_data(credentials[1])`
			`logger.debug('Successfully validated token: %s' % credentials[1])`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`set_validated_token(token)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`identity_changed.send(app, identity=Identity(token.code, 'token'))`
			`return`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`except model.DataModelException:`
			`logger.debug('Invalid token: %s' % credentials[1])`

Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 16:09:25 +00:00			`elif credentials[0] == '$oauthtoken':`
			`oauth_token = credentials[1]`
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`_validate_and_apply_oauth_token(oauth_token)`
Add the ability to use an oauth token to interact with the index and registry. 2014-03-20 16:09:25 +00:00
Add the ability to login with a robot, use the wrench icon for robots all over the place. 2013-11-21 00:43:19 +00:00			`elif '+' in credentials[0]:`
			`logger.debug('Trying robot auth with credentials %s' % str(credentials))`
			`# Use as robot auth`
			`try:`
			`robot = model.verify_robot(credentials[0], credentials[1])`
			`logger.debug('Successfully validated robot: %s' % credentials[0])`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`set_authenticated_user(robot)`
Add UUID to User model and use in cookie. 2014-11-11 22:22:37 +00:00
Base sessions on UUIDs. Now that a backfill has been applied, sessions can now be based on UUIDs because all users will have one. 2014-11-20 23:44:36 +00:00			`deferred_robot = QuayDeferredPermissionUser(robot.uuid, 'user_uuid', {scopes.DIRECT_LOGIN})`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`identity_changed.send(app, identity=deferred_robot)`
Add the ability to login with a robot, use the wrench icon for robots all over the place. 2013-11-21 00:43:19 +00:00			`return`
			`except model.InvalidRobotException:`
			`logger.debug('Invalid robot or password for robot: %s' % credentials[0])`

First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`else:`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`authenticated = authentication.verify_user(credentials[0], credentials[1])`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00
			`if authenticated:`
			`logger.debug('Successfully validated user: %s' % authenticated.username)`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`set_authenticated_user(authenticated)`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00
Base sessions on UUIDs. Now that a backfill has been applied, sessions can now be based on UUIDs because all users will have one. 2014-11-20 23:44:36 +00:00			`new_identity = QuayDeferredPermissionUser(authenticated.uuid, 'user_uuid',`
Fix some permissions problems still around due to some usage of scopes as strings. 2014-03-19 22:21:58 +00:00			`{scopes.DIRECT_LOGIN})`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`identity_changed.send(app, identity=new_identity)`
			`return`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
			`# We weren't able to authenticate via basic auth.`
Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db. 2013-09-26 19:58:11 +00:00			`logger.debug('Basic auth present but could not be validated.')`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00

Handle the case where there is no auth at all. 2013-10-01 04:37:28 +00:00			`def process_token(auth):`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`normalized = [part.strip() for part in auth.split(' ') if part]`
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00			`if normalized[0].lower() != 'token' or len(normalized) != 2:`
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`logger.debug('Not an auth token: %s' % auth)`
Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db. 2013-09-26 19:58:11 +00:00			`return`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00			`token_details = normalized[1].split(',')`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`if len(token_details) != 1:`
			`logger.warning('Invalid token format: %s' % auth)`
Fix the formats for some errors. 2014-03-17 18:38:50 +00:00			`abort(401, message='Invalid token format: %(auth)s', issue='invalid-auth-token', auth=auth)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Lots of small NPE and other exception fixes 2014-09-15 15:27:33 +00:00			`def safe_get(lst, index, default_value):`
			`try:`
			`return lst[index]`
			`except IndexError:`
			`return default_value`

			`token_vals = {val[0]: safe_get(val, 1, '') for val in`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`(detail.split('=') for detail in token_details)}`
Lots of small NPE and other exception fixes 2014-09-15 15:27:33 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`if 'signature' not in token_vals:`
			`logger.warning('Token does not contain signature: %s' % auth)`
Fix the formats for some errors. 2014-03-17 18:38:50 +00:00			`abort(401, message='Token does not contain a valid signature: %(auth)s',`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`issue='invalid-auth-token', auth=auth)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`try:`
			`token_data = model.load_token_data(token_vals['signature'])`
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`except model.InvalidTokenException:`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`logger.warning('Token could not be validated: %s', token_vals['signature'])`
Fix the formats for some errors. 2014-03-17 18:38:50 +00:00			`abort(401, message='Token could not be validated: %(auth)s', issue='invalid-auth-token',`
Add some sort of oauth. 2014-03-12 16:37:06 +00:00			`auth=auth)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`logger.debug('Successfully validated token: %s', token_data.code)`
Fix cookie auth to work with oauth token auth. Make sure user loading is truly deferred to save DB connections. 2014-03-17 16:01:13 +00:00			`set_validated_token(token_data)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00
First stab at token auth. The UI could use a little bit of polishing. 2013-10-16 18:24:10 +00:00			`identity_changed.send(app, identity=Identity(token_data.code, 'token'))`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00

Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`def process_oauth(func):`
			`@wraps(func)`
Port a few more repository methods to the new API interface. 2014-03-13 00:33:57 +00:00			`def wrapper(args, *kwargs):`
			`auth = request.headers.get('authorization', '')`
			`if auth:`
			`normalized = [part.strip() for part in auth.split(' ') if part]`
			`if normalized[0].lower() != 'bearer' or len(normalized) != 2:`
			`logger.debug('Invalid oauth bearer token format.')`
			`return`

			`token = normalized[1]`
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`_validate_and_apply_oauth_token(token)`
			`elif _load_user_from_cookie() is None:`
Fix the formats for some errors. 2014-03-17 18:38:50 +00:00			`logger.debug('No auth header or login cookie.')`
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`return func(args, *kwargs)`
Port a few more repository methods to the new API interface. 2014-03-13 00:33:57 +00:00			`return wrapper`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00

Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`def process_auth(func):`
			`@wraps(func)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`def wrapper(args, *kwargs):`
Handle the case where there is no auth at all. 2013-10-01 04:37:28 +00:00			`auth = request.headers.get('authorization', '')`

			`if auth:`
			`logger.debug('Validating auth header: %s' % auth)`
			`process_token(auth)`
			`process_basic_auth(auth)`
			`else:`
			`logger.debug('No auth header.')`

Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`return func(args, *kwargs)`
			`return wrapper`


			`def require_session_login(func):`
			`@wraps(func)`
			`def wrapper(args, *kwargs):`
			`loaded = _load_user_from_cookie()`
			`if loaded is None or loaded.organization:`
			`abort(401, message='Method requires login and no valid login could be loaded.')`
			`return func(args, *kwargs)`
Index that kinda works and is backed by a database. Still lots to do. 2013-09-20 15:55:44 +00:00			`return wrapper`
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00

Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`def extract_namespace_repo_from_session(func):`
			`@wraps(func)`
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00			`def wrapper(args, *kwargs):`
			`if 'namespace' not in session or 'repository' not in session:`
Add scope ordinality and translations. Process oauth tokens and limit scopes accordingly. 2014-03-12 20:31:37 +00:00			`logger.error('Unable to load namespace or repository from session: %s' % session)`
Fix the formats for some errors. 2014-03-17 18:38:50 +00:00			`abort(400, message='Missing namespace in request')`
Namespace the storage in the registry to prevent leaking images if one acquires the image id. 2013-09-26 00:00:22 +00:00
Fix the problem with login on new triggers. 2014-03-26 19:52:24 +00:00			`return func(session['namespace'], session['repository'], args, *kwargs)`
Load flask principal permissions even for web and api endpoints. 2013-09-26 20:32:09 +00:00			`return wrapper`