2015-07-16 19:49:06 +00:00
|
|
|
# XXX This code is not yet ready to be run in production, and should remain disabled until such
|
|
|
|
# XXX time as this notice is removed.
|
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
import logging
|
|
|
|
import re
|
|
|
|
import time
|
|
|
|
import jwt
|
|
|
|
|
|
|
|
from flask import request, jsonify, abort
|
2015-07-16 19:49:06 +00:00
|
|
|
from cachetools import lru_cache
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
from app import app
|
2015-06-22 21:37:13 +00:00
|
|
|
from data import model
|
|
|
|
from auth.auth import process_auth
|
|
|
|
from auth.auth_context import get_authenticated_user
|
|
|
|
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
|
|
|
|
CreateRepositoryPermission)
|
|
|
|
from endpoints.v2 import v2_bp
|
|
|
|
from util.cache import no_cache
|
|
|
|
from util.names import parse_namespace_repository
|
2015-08-27 18:55:33 +00:00
|
|
|
from endpoints.decorators import anon_protect
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
2015-09-10 16:24:33 +00:00
|
|
|
TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour
|
2015-06-22 21:37:13 +00:00
|
|
|
SCOPE_REGEX = re.compile(
|
2015-08-27 18:55:33 +00:00
|
|
|
r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
|
2015-06-22 21:37:13 +00:00
|
|
|
)
|
2015-09-10 16:24:33 +00:00
|
|
|
ANONYMOUS_SUB = '(anonymous)'
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
@lru_cache(maxsize=1)
|
|
|
|
def load_certificate_bytes(certificate_file_path):
|
|
|
|
with open(certificate_file_path) as cert_file:
|
|
|
|
return ''.join(cert_file.readlines()[1:-1]).rstrip('\n')
|
|
|
|
|
|
|
|
|
|
|
|
@lru_cache(maxsize=1)
|
|
|
|
def load_private_key(private_key_file_path):
|
|
|
|
with open(private_key_file_path) as private_key_file:
|
|
|
|
return private_key_file.read()
|
|
|
|
|
|
|
|
|
2015-06-22 21:37:13 +00:00
|
|
|
@v2_bp.route('/auth')
|
|
|
|
@process_auth
|
|
|
|
@no_cache
|
2015-08-27 18:55:33 +00:00
|
|
|
@anon_protect
|
2015-06-22 21:37:13 +00:00
|
|
|
def generate_registry_jwt():
|
2015-07-16 19:49:06 +00:00
|
|
|
""" This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:
|
|
|
|
https://docs.docker.com/registry/spec/auth/token/
|
|
|
|
"""
|
2015-06-22 21:37:13 +00:00
|
|
|
audience_param = request.args.get('service')
|
|
|
|
logger.debug('Request audience: %s', audience_param)
|
|
|
|
|
|
|
|
scope_param = request.args.get('scope')
|
|
|
|
logger.debug('Scope request: %s', scope_param)
|
|
|
|
|
|
|
|
user = get_authenticated_user()
|
|
|
|
access = []
|
|
|
|
if scope_param is not None:
|
|
|
|
match = SCOPE_REGEX.match(scope_param)
|
2015-08-27 18:55:33 +00:00
|
|
|
if match is None:
|
2015-06-22 21:37:13 +00:00
|
|
|
logger.debug('Match: %s', match)
|
|
|
|
logger.debug('len: %s', len(scope_param))
|
|
|
|
logger.warning('Unable to decode repository and actions: %s', scope_param)
|
|
|
|
abort(400)
|
|
|
|
|
|
|
|
logger.debug('Match: %s', match.groups())
|
|
|
|
|
|
|
|
namespace_and_repo = match.group(1)
|
|
|
|
actions = match.group(2).split(',')
|
|
|
|
|
|
|
|
namespace, reponame = parse_namespace_repository(namespace_and_repo)
|
|
|
|
if 'pull' in actions and 'push' in actions:
|
2015-08-27 18:55:33 +00:00
|
|
|
if user is None:
|
|
|
|
abort(401)
|
|
|
|
|
2015-07-15 21:25:41 +00:00
|
|
|
repo = model.repository.get_repository(namespace, reponame)
|
2015-06-22 21:37:13 +00:00
|
|
|
if repo:
|
2015-08-27 18:55:33 +00:00
|
|
|
if not ModifyRepositoryPermission(namespace, reponame).can():
|
2015-06-22 21:37:13 +00:00
|
|
|
abort(403)
|
|
|
|
else:
|
2015-08-27 18:55:33 +00:00
|
|
|
if not CreateRepositoryPermission(namespace).can():
|
2015-06-22 21:37:13 +00:00
|
|
|
abort(403)
|
|
|
|
logger.debug('Creating repository: %s/%s', namespace, reponame)
|
2015-07-15 21:25:41 +00:00
|
|
|
model.repository.create_repository(namespace, reponame, user)
|
2015-06-22 21:37:13 +00:00
|
|
|
elif 'pull' in actions:
|
2015-08-27 18:55:33 +00:00
|
|
|
if (not ReadRepositoryPermission(namespace, reponame).can() and
|
|
|
|
not model.repository.repository_is_public(namespace, reponame)):
|
2015-06-22 21:37:13 +00:00
|
|
|
abort(403)
|
|
|
|
|
|
|
|
access.append({
|
|
|
|
'type': 'repository',
|
|
|
|
'name': namespace_and_repo,
|
|
|
|
'actions': actions,
|
|
|
|
})
|
|
|
|
|
|
|
|
token_data = {
|
2015-09-10 16:24:33 +00:00
|
|
|
'iss': app.config['JWT_AUTH_TOKEN_ISSUER'],
|
2015-06-22 21:37:13 +00:00
|
|
|
'aud': audience_param,
|
|
|
|
'nbf': int(time.time()),
|
2015-09-10 16:24:33 +00:00
|
|
|
'iat': int(time.time()),
|
|
|
|
'exp': int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
|
|
|
|
'sub': user.username if user else ANONYMOUS_SUB,
|
2015-06-22 21:37:13 +00:00
|
|
|
'access': access,
|
|
|
|
}
|
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
certificate = load_certificate_bytes(app.config['JWT_AUTH_CERTIFICATE_PATH'])
|
2015-06-22 21:37:13 +00:00
|
|
|
|
|
|
|
token_headers = {
|
|
|
|
'x5c': [certificate],
|
|
|
|
}
|
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
private_key = load_private_key(app.config['JWT_AUTH_PRIVATE_KEY_PATH'])
|
2015-06-22 21:37:13 +00:00
|
|
|
|
2015-07-16 19:49:06 +00:00
|
|
|
return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})
|