quay/auth/registry_jwt_auth.py

import logging

from functools import wraps

from jsonschema import validate, ValidationError
from flask import request, url_for
from flask_principal import identity_changed, Identity

from app import app, get_app_url, instance_keys
from auth.auth_context import (set_grant_context, get_grant_context)
from auth.permissions import repository_read_grant, repository_write_grant, repository_admin_grant
from util.http import abort
from util.names import parse_namespace_repository
from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,
                                        InvalidBearerTokenException)
from data import model


logger = logging.getLogger(__name__)


CONTEXT_KINDS = ['user', 'token', 'oauth', 'app_specific_token']


ACCESS_SCHEMA = {
  'type': 'array',
  'description': 'List of access granted to the subject',
  'items': {
    'type': 'object',
    'required': [
      'type',
      'name',
      'actions',
    ],
    'properties': {
      'type': {
        'type': 'string',
        'description': 'We only allow repository permissions',
        'enum': [
          'repository',
        ],
      },
      'name': {
        'type': 'string',
        'description': 'The name of the repository for which we are receiving access'
      },
      'actions': {
        'type': 'array',
        'description': 'List of specific verbs which can be performed against repository',
        'items': {
          'type': 'string',
          'enum': [
            'push',
            'pull',
            '*',
          ],
        },
      },
    },
  },
}


class InvalidJWTException(Exception):
  pass


class GrantedEntity(object):
  def __init__(self, user=None, token=None, oauth=None, app_specific_token=None):
    self.user = user
    self.token = token
    self.oauth = oauth
    self.app_specific_token = app_specific_token


def get_granted_entity():
  """ Returns the entity granted in the current context, if any. Returns the GrantedEntity or None
      if none.
  """
  context = get_grant_context()
  if not context:
    return None

  kind = context.get('kind', 'anonymous')

  if not kind in CONTEXT_KINDS:
    return None

  if kind == 'app_specific_token':
    app_specific_token = model.appspecifictoken.get_token_by_uuid(context.get('ast', ''))
    if app_specific_token is None:
      return None
    
    return GrantedEntity(app_specific_token=app_specific_token, user=app_specific_token.user)

  if kind == 'user':
    user = model.user.get_user(context.get('user', ''))
    if not user:
      return None

    return GrantedEntity(user=user)

  if kind == 'token':
    token = model.token.load_token_data(context.get('token'))
    if not token:
      return None

    return GrantedEntity(token=token)

  if kind == 'oauth':
    user = model.user.get_user(context.get('user', ''))
    if not user:
      return None

    oauthtoken = model.oauth.lookup_access_token_for_user(user, context.get('oauth', ''))
    if not oauthtoken:
      return None

    return GrantedEntity(oauth=oauthtoken, user=user)

  return None


def get_granted_username():
  """ Returns the username inside the grant, if any. """
  granted = get_granted_entity()
  if not granted or not granted.user:
    return None

  return granted.user.username


def get_auth_headers(repository=None, scopes=None):
  """ Returns a dictionary of headers for auth responses. """
  headers = {}
  realm_auth_path = url_for('v2.generate_registry_jwt')
  authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(get_app_url(),
                                                              realm_auth_path,
                                                              app.config['SERVER_HOSTNAME'])
  if repository:
    scopes_string = "repository:{0}".format(repository)
    if scopes:
      scopes_string += ':' + ','.join(scopes)

    authenticate += ',scope="{0}"'.format(scopes_string)

  headers['WWW-Authenticate'] = authenticate
  headers['Docker-Distribution-API-Version'] = 'registry/2.0'
  return headers


def identity_from_bearer_token(bearer_header):
  """ Process a bearer header and return the loaded identity, or raise InvalidJWTException if an
      identity could not be loaded. Expects tokens and grants in the format of the Docker registry
      v2 auth spec: https://docs.docker.com/registry/spec/auth/token/
  """
  logger.debug('Validating auth header: %s', bearer_header)

  try:
    payload = decode_bearer_header(bearer_header, instance_keys, app.config)
  except InvalidBearerTokenException as bte:
    logger.exception('Invalid bearer token: %s', bte)
    raise InvalidJWTException(bte)

  loaded_identity = Identity(payload['sub'], 'signed_jwt')

  # Process the grants from the payload
  if 'access' in payload:
    try:
      validate(payload['access'], ACCESS_SCHEMA)
    except ValidationError:
      logger.exception('We should not be minting invalid credentials')
      raise InvalidJWTException('Token contained invalid or malformed access grants')

    lib_namespace = app.config['LIBRARY_NAMESPACE']
    for grant in payload['access']:
      namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace)

      if '*' in grant['actions']:
        loaded_identity.provides.add(repository_admin_grant(namespace, repo_name))
      elif 'push' in grant['actions']:
        loaded_identity.provides.add(repository_write_grant(namespace, repo_name))
      elif 'pull' in grant['actions']:
        loaded_identity.provides.add(repository_read_grant(namespace, repo_name))

  default_context = {
    'kind': 'anonymous'
  }

  if payload['sub'] != ANONYMOUS_SUB:
    default_context = {
      'kind': 'user',
      'user': payload['sub'],
    }

  return loaded_identity, payload.get('context', default_context)


def process_registry_jwt_auth(scopes=None):
  def inner(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
      logger.debug('Called with params: %s, %s', args, kwargs)
      auth = request.headers.get('authorization', '').strip()
      if auth:
        try:
          extracted_identity, context = identity_from_bearer_token(auth)
          identity_changed.send(app, identity=extracted_identity)
          set_grant_context(context)
          logger.debug('Identity changed to %s', extracted_identity.id)
        except InvalidJWTException as ije:
          repository = None
          if 'namespace_name' in kwargs and 'repo_name' in kwargs:
            repository = kwargs['namespace_name'] + '/' + kwargs['repo_name']

          abort(401, message=ije.message, headers=get_auth_headers(repository=repository,
                                                                   scopes=scopes))
      else:
        logger.debug('No auth header.')

      return func(*args, **kwargs)
    return wrapper
  return inner
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`import logging`

			`from functools import wraps`
use kwargs for parse_repository_name 2016-03-09 21:20:28 +00:00
			`from jsonschema import validate, ValidationError`
Handle empty scopes and always send the WWW-Authenticate header, as per spec Fixes #1045 2015-12-09 20:07:37 +00:00			`from flask import request, url_for`
*: fix legacy imports This change reorganizes imports and renames the legacy flask extensions. 2016-09-29 00:17:14 +00:00			`from flask_principal import identity_changed, Identity`
Start of a v2 API. 2015-06-22 21:37:13 +00:00
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`from app import app, get_app_url, instance_keys`
auth: remove relative imports 2017-05-16 00:41:43 +00:00			`from auth.auth_context import (set_grant_context, get_grant_context)`
			`from auth.permissions import repository_read_grant, repository_write_grant, repository_admin_grant`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`from util.http import abort`
auth: remove relative imports 2017-05-16 00:41:43 +00:00			`from util.names import parse_namespace_repository`
Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 16:55:33 +00:00			`from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`InvalidBearerTokenException)`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`from data import model`
Start of a v2 API. 2015-06-22 21:37:13 +00:00

			`logger = logging.getLogger(__name__)`

auth: remove relative imports 2017-05-16 00:41:43 +00:00
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`CONTEXT_KINDS = ['user', 'token', 'oauth', 'app_specific_token']`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00
auth: remove relative imports 2017-05-16 00:41:43 +00:00
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`ACCESS_SCHEMA = {`
			`'type': 'array',`
			`'description': 'List of access granted to the subject',`
			`'items': {`
			`'type': 'object',`
			`'required': [`
			`'type',`
			`'name',`
			`'actions',`
			`],`
			`'properties': {`
			`'type': {`
			`'type': 'string',`
			`'description': 'We only allow repository permissions',`
			`'enum': [`
			`'repository',`
			`],`
			`},`
			`'name': {`
			`'type': 'string',`
			`'description': 'The name of the repository for which we are receiving access'`
			`},`
			`'actions': {`
			`'type': 'array',`
			`'description': 'List of specific verbs which can be performed against repository',`
			`'items': {`
			`'type': 'string',`
			`'enum': [`
			`'push',`
			`'pull',`
registry auth tests: test more access types 2016-11-28 15:43:38 +00:00			`'*',`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`],`
			`},`
			`},`
			`},`
			`},`
			`}`
Start of a v2 API. 2015-06-22 21:37:13 +00:00

Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`class InvalidJWTException(Exception):`
			`pass`


Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`class GrantedEntity(object):`
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`def __init__(self, user=None, token=None, oauth=None, app_specific_token=None):`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`self.user = user`
			`self.token = token`
			`self.oauth = oauth`
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`self.app_specific_token = app_specific_token`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00

			`def get_granted_entity():`
			`""" Returns the entity granted in the current context, if any. Returns the GrantedEntity or None`
			`if none.`
			`"""`
			`context = get_grant_context()`
			`if not context:`
			`return None`

			`kind = context.get('kind', 'anonymous')`

			`if not kind in CONTEXT_KINDS:`
			`return None`

Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`if kind == 'app_specific_token':`
			`app_specific_token = model.appspecifictoken.get_token_by_uuid(context.get('ast', ''))`
			`if app_specific_token is None:`
			`return None`

			`return GrantedEntity(app_specific_token=app_specific_token, user=app_specific_token.user)`

Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`if kind == 'user':`
			`user = model.user.get_user(context.get('user', ''))`
			`if not user:`
			`return None`

			`return GrantedEntity(user=user)`

			`if kind == 'token':`
Fix handling of tokens in the new context block of the JWT 2015-12-15 21:52:22 +00:00			`token = model.token.load_token_data(context.get('token'))`
			`if not token:`
			`return None`

			`return GrantedEntity(token=token)`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00
			`if kind == 'oauth':`
			`user = model.user.get_user(context.get('user', ''))`
			`if not user:`
			`return None`

			`oauthtoken = model.oauth.lookup_access_token_for_user(user, context.get('oauth', ''))`
			`if not oauthtoken:`
			`return None`

			`return GrantedEntity(oauth=oauthtoken, user=user)`

			`return None`


			`def get_granted_username():`
			`""" Returns the username inside the grant, if any. """`
			`granted = get_granted_entity()`
			`if not granted or not granted.user:`
			`return None`

			`return granted.user.username`


v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00			`def get_auth_headers(repository=None, scopes=None):`
Handle empty scopes and always send the WWW-Authenticate header, as per spec Fixes #1045 2015-12-09 20:07:37 +00:00			`""" Returns a dictionary of headers for auth responses. """`
			`headers = {}`
			`realm_auth_path = url_for('v2.generate_registry_jwt')`
			`authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(get_app_url(),`
			`realm_auth_path,`
			`app.config['SERVER_HOSTNAME'])`
v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00			`if repository:`
Fix quoting of scopes in WWW-Authenticate header Fixes part of #2002 2016-10-17 18:32:43 +00:00			`scopes_string = "repository:{0}".format(repository)`
v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00			`if scopes:`
Fix quoting of scopes in WWW-Authenticate header Fixes part of #2002 2016-10-17 18:32:43 +00:00			`scopes_string += ':' + ','.join(scopes)`

			`authenticate += ',scope="{0}"'.format(scopes_string)`
v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00
Handle empty scopes and always send the WWW-Authenticate header, as per spec Fixes #1045 2015-12-09 20:07:37 +00:00			`headers['WWW-Authenticate'] = authenticate`
			`headers['Docker-Distribution-API-Version'] = 'registry/2.0'`
			`return headers`


Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 16:55:33 +00:00			`def identity_from_bearer_token(bearer_header):`
			`""" Process a bearer header and return the loaded identity, or raise InvalidJWTException if an`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`identity could not be loaded. Expects tokens and grants in the format of the Docker registry`
			`v2 auth spec: https://docs.docker.com/registry/spec/auth/token/`
			`"""`
Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 16:55:33 +00:00			`logger.debug('Validating auth header: %s', bearer_header)`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00
			`try:`
Add explicit config parameter to the JWT auth methods 2016-09-19 20:19:29 +00:00			`payload = decode_bearer_header(bearer_header, instance_keys, app.config)`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`except InvalidBearerTokenException as bte:`
			`logger.exception('Invalid bearer token: %s', bte)`
			`raise InvalidJWTException(bte)`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`loaded_identity = Identity(payload['sub'], 'signed_jwt')`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00
			`# Process the grants from the payload`
			`if 'access' in payload:`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`try:`
			`validate(payload['access'], ACCESS_SCHEMA)`
			`except ValidationError:`
			`logger.exception('We should not be minting invalid credentials')`
			`raise InvalidJWTException('Token contained invalid or malformed access grants')`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00
Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories. This support is placed behind a feature flag. 2016-01-21 20:40:51 +00:00			`lib_namespace = app.config['LIBRARY_NAMESPACE']`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`for grant in payload['access']:`
Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories. This support is placed behind a feature flag. 2016-01-21 20:40:51 +00:00			`namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace)`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00
registry auth tests: test more access types 2016-11-28 15:43:38 +00:00			`if '*' in grant['actions']:`
			`loaded_identity.provides.add(repository_admin_grant(namespace, repo_name))`
			`elif 'push' in grant['actions']:`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`loaded_identity.provides.add(repository_write_grant(namespace, repo_name))`
			`elif 'pull' in grant['actions']:`
			`loaded_identity.provides.add(repository_read_grant(namespace, repo_name))`

Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`default_context = {`
			`'kind': 'anonymous'`
			`}`

			`if payload['sub'] != ANONYMOUS_SUB:`
			`default_context = {`
			`'kind': 'user',`
			`'user': payload['sub'],`
			`}`

			`return loaded_identity, payload.get('context', default_context)`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00

v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00			`def process_registry_jwt_auth(scopes=None):`
			`def inner(func):`
			`@wraps(func)`
			`def wrapper(args, *kwargs):`
			`logger.debug('Called with params: %s, %s', args, kwargs)`
			`auth = request.headers.get('authorization', '').strip()`
			`if auth:`
			`try:`
Use the instance service key for registry JWT signing 2016-05-31 20:48:19 +00:00			`extracted_identity, context = identity_from_bearer_token(auth)`
v2: send proper scopes for authorization failures Fixes #1278. 2016-03-09 23:09:20 +00:00			`identity_changed.send(app, identity=extracted_identity)`
			`set_grant_context(context)`
			`logger.debug('Identity changed to %s', extracted_identity.id)`
			`except InvalidJWTException as ije:`
			`repository = None`
			`if 'namespace_name' in kwargs and 'repo_name' in kwargs:`
			`repository = kwargs['namespace_name'] + '/' + kwargs['repo_name']`

			`abort(401, message=ije.message, headers=get_auth_headers(repository=repository,`
			`scopes=scopes))`
			`else:`
			`logger.debug('No auth header.')`

			`return func(args, *kwargs)`
			`return wrapper`
			`return inner`