2015-06-22 21:37:13 +00:00
|
|
|
import logging
|
|
|
|
import re
|
|
|
|
|
2016-07-26 22:41:51 +00:00
|
|
|
from cachetools import lru_cache
|
2015-06-22 21:37:13 +00:00
|
|
|
from flask import request, jsonify, abort
|
|
|
|
|
2016-05-31 20:48:19 +00:00
|
|
|
from app import app, userevents, instance_keys
|
2015-12-09 21:10:39 +00:00
|
|
|
from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
|
2015-06-22 21:37:13 +00:00
|
|
|
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
|
|
|
|
CreateRepositoryPermission)
|
2016-09-29 19:24:57 +00:00
|
|
|
from auth.process import process_auth
|
2015-06-22 21:37:13 +00:00
|
|
|
from endpoints.v2 import v2_bp
|
2016-05-04 21:40:09 +00:00
|
|
|
from endpoints.decorators import anon_protect
|
2016-09-23 21:50:09 +00:00
|
|
|
from data.interfaces.v2 import pre_oci_model as model
|
2015-06-22 21:37:13 +00:00
|
|
|
from util.cache import no_cache
|
2015-10-05 18:19:52 +00:00
|
|
|
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
|
2016-05-31 20:48:19 +00:00
|
|
|
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
|
2016-05-04 21:40:09 +00:00
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
2015-09-10 16:24:33 +00:00
|
|
|
TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour
|
2016-08-02 00:59:39 +00:00
|
|
|
SCOPE_REGEX_TEMPLATE = r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)?[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2016-05-23 20:36:48 +00:00
|
|
|
|
|
|
|
@lru_cache(maxsize=1)
|
|
|
|
def get_scope_regex():
|
|
|
|
hostname = re.escape(app.config['SERVER_HOSTNAME'])
|
|
|
|
scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
|
|
|
|
return re.compile(scope_regex_string)
|
|
|
|
|
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
@v2_bp.route('/auth')
|
|
|
|
@process_auth
|
|
|
|
@no_cache
|
2015-08-27 18:55:33 +00:00
|
|
|
@anon_protect
|
2015-06-22 21:37:13 +00:00
|
|
|
def generate_registry_jwt():
|
2016-08-02 00:59:39 +00:00
|
|
|
"""
|
|
|
|
This endpoint will generate a JWT conforming to the Docker Registry v2 Auth Spec:
|
|
|
|
https://docs.docker.com/registry/spec/auth/token/
|
2015-07-16 19:49:06 +00:00
|
|
|
"""
|
2015-06-22 21:37:13 +00:00
|
|
|
audience_param = request.args.get('service')
|
|
|
|
logger.debug('Request audience: %s', audience_param)
|
|
|
|
|
2015-12-09 20:07:37 +00:00
|
|
|
scope_param = request.args.get('scope') or ''
|
2015-06-22 21:37:13 +00:00
|
|
|
logger.debug('Scope request: %s', scope_param)
|
|
|
|
|
|
|
|
user = get_authenticated_user()
|
2015-11-19 00:04:40 +00:00
|
|
|
logger.debug('Authenticated user: %s', user)
|
|
|
|
|
|
|
|
token = get_validated_token()
|
|
|
|
logger.debug('Authenticated token: %s', token)
|
2015-12-09 21:10:39 +00:00
|
|
|
|
|
|
|
oauthtoken = get_validated_oauth_token()
|
|
|
|
logger.debug('Authenticated OAuth token: %s', oauthtoken)
|
|
|
|
|
2016-01-22 21:49:32 +00:00
|
|
|
auth_credentials_sent = bool(request.headers.get('authorization', ''))
|
|
|
|
if auth_credentials_sent and not user and not token:
|
|
|
|
# The auth credentials sent for the user are invalid.
|
|
|
|
logger.debug('Invalid auth credentials')
|
|
|
|
abort(401)
|
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
access = []
|
2016-01-19 19:01:43 +00:00
|
|
|
user_event_data = {
|
|
|
|
'action': 'login',
|
|
|
|
}
|
2015-12-09 20:07:37 +00:00
|
|
|
|
|
|
|
if len(scope_param) > 0:
|
2016-05-23 20:36:48 +00:00
|
|
|
match = get_scope_regex().match(scope_param)
|
2015-08-27 18:55:33 +00:00
|
|
|
if match is None:
|
2015-06-22 21:37:13 +00:00
|
|
|
logger.debug('Match: %s', match)
|
|
|
|
logger.debug('len: %s', len(scope_param))
|
|
|
|
logger.warning('Unable to decode repository and actions: %s', scope_param)
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
logger.debug('Match: %s', match.groups())
|
|
|
|
|
2016-05-23 20:36:48 +00:00
|
|
|
registry_and_repo = match.group(1)
|
|
|
|
namespace_and_repo = match.group(2)
|
2016-01-21 20:40:51 +00:00
|
|
|
actions = match.group(3).split(',')
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2016-01-21 20:40:51 +00:00
|
|
|
lib_namespace = app.config['LIBRARY_NAMESPACE']
|
|
|
|
namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
|
2015-10-05 18:19:52 +00:00
|
|
|
|
|
|
|
# Ensure that we are never creating an invalid repository.
|
|
|
|
if not REPOSITORY_NAME_REGEX.match(reponame):
|
2016-01-22 21:49:32 +00:00
|
|
|
logger.debug('Found invalid repository name in auth flow: %s', reponame)
|
2015-10-05 18:19:52 +00:00
|
|
|
abort(400)
|
|
|
|
|
2015-11-24 04:46:05 +00:00
|
|
|
final_actions = []
|
|
|
|
|
|
|
|
if 'push' in actions:
|
|
|
|
# If there is no valid user or token, then the repository cannot be
|
|
|
|
# accessed.
|
2016-01-22 21:49:32 +00:00
|
|
|
if user is not None or token is not None:
|
|
|
|
# Lookup the repository. If it exists, make sure the entity has modify
|
|
|
|
# permission. Otherwise, make sure the entity has create permission.
|
2016-08-30 19:05:15 +00:00
|
|
|
repo = model.get_repository(namespace, reponame)
|
2016-01-22 21:49:32 +00:00
|
|
|
if repo:
|
|
|
|
if ModifyRepositoryPermission(namespace, reponame).can():
|
|
|
|
final_actions.append('push')
|
|
|
|
else:
|
|
|
|
logger.debug('No permission to modify repository %s/%s', namespace, reponame)
|
|
|
|
else:
|
|
|
|
if CreateRepositoryPermission(namespace).can() and user is not None:
|
|
|
|
logger.debug('Creating repository: %s/%s', namespace, reponame)
|
2016-08-30 19:05:15 +00:00
|
|
|
model.create_repository(namespace, reponame, user)
|
2016-01-22 21:49:32 +00:00
|
|
|
final_actions.append('push')
|
|
|
|
else:
|
|
|
|
logger.debug('No permission to create repository %s/%s', namespace, reponame)
|
2015-11-24 04:46:05 +00:00
|
|
|
|
|
|
|
if 'pull' in actions:
|
2016-01-22 21:49:32 +00:00
|
|
|
# Grant pull if the user can read the repo or it is public.
|
2015-11-24 04:46:05 +00:00
|
|
|
if (ReadRepositoryPermission(namespace, reponame).can() or
|
2016-08-30 19:05:15 +00:00
|
|
|
model.repository_is_public(namespace, reponame)):
|
2015-11-24 04:46:05 +00:00
|
|
|
final_actions.append('pull')
|
|
|
|
else:
|
2016-01-22 21:49:32 +00:00
|
|
|
logger.debug('No permission to pull repository %s/%s', namespace, reponame)
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2016-01-19 19:01:43 +00:00
|
|
|
# Add the access for the JWT.
|
2015-06-22 21:37:13 +00:00
|
|
|
access.append({
|
|
|
|
'type': 'repository',
|
2016-05-23 20:36:48 +00:00
|
|
|
'name': registry_and_repo,
|
2015-11-24 04:46:05 +00:00
|
|
|
'actions': final_actions,
|
2015-06-22 21:37:13 +00:00
|
|
|
})
|
|
|
|
|
2016-01-19 19:01:43 +00:00
|
|
|
# Set the user event data for the auth.
|
|
|
|
if 'push' in final_actions:
|
|
|
|
user_action = 'push_start'
|
|
|
|
elif 'pull' in final_actions:
|
|
|
|
user_action = 'pull_start'
|
2016-01-22 21:49:32 +00:00
|
|
|
else:
|
|
|
|
user_action = 'login'
|
2016-01-19 19:01:43 +00:00
|
|
|
|
|
|
|
user_event_data = {
|
|
|
|
'action': user_action,
|
|
|
|
'repository': reponame,
|
|
|
|
'namespace': namespace,
|
|
|
|
}
|
|
|
|
|
2015-11-20 23:35:02 +00:00
|
|
|
elif user is None and token is None:
|
|
|
|
# In this case, we are doing an auth flow, and it's not an anonymous pull
|
2016-01-20 23:06:46 +00:00
|
|
|
logger.debug('No user and no token sent for empty scope list')
|
|
|
|
abort(401)
|
2015-11-20 23:35:02 +00:00
|
|
|
|
2016-01-19 19:01:43 +00:00
|
|
|
# Send the user event.
|
|
|
|
if user is not None:
|
|
|
|
event = userevents.get_event(user.username)
|
|
|
|
event.publish_event_data('docker-cli', user_event_data)
|
|
|
|
|
|
|
|
# Build the signed JWT.
|
2015-12-09 21:10:39 +00:00
|
|
|
context, subject = build_context_and_subject(user, token, oauthtoken)
|
2016-05-31 20:48:19 +00:00
|
|
|
token = generate_bearer_token(audience_param, subject, context, access,
|
|
|
|
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
|
|
|
|
return jsonify({'token': token})
|