quay/endpoints/v2/v2auth.py

import logging
import re
import time
import jwt

from flask import request, jsonify, abort

from data import model
from auth.auth import process_auth
from auth.auth_context import get_authenticated_user
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
                              CreateRepositoryPermission)
from endpoints.v2 import v2_bp
from util.cache import no_cache
from util.names import parse_namespace_repository


logger = logging.getLogger(__name__)


SCOPE_REGEX = re.compile(
    r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))'
)


@v2_bp.route('/auth')
@process_auth
@no_cache
def generate_registry_jwt():
  audience_param = request.args.get('service')
  logger.debug('Request audience: %s', audience_param)

  scope_param = request.args.get('scope')
  logger.debug('Scope request: %s', scope_param)

  user = get_authenticated_user()

  access = []
  if scope_param is not None:
    match = SCOPE_REGEX.match(scope_param)
    if match is None or match.end() != len(scope_param):
      logger.debug('Match: %s', match)
      logger.debug('End: %s', match.end())
      logger.debug('len: %s', len(scope_param))
      logger.warning('Unable to decode repository and actions: %s', scope_param)
      abort(400)

    logger.debug('Match: %s', match.groups())

    namespace_and_repo = match.group(1)
    actions = match.group(2).split(',')

    namespace, reponame = parse_namespace_repository(namespace_and_repo)
    if 'pull' in actions and 'push' in actions:
      repo = model.get_repository(namespace, reponame)
      if repo:
        if not ModifyRepositoryPermission(namespace, reponame):
          abort(403)
      else:
        if not CreateRepositoryPermission(namespace):
          abort(403)
        logger.debug('Creating repository: %s/%s', namespace, reponame)
        model.create_repository(namespace, reponame, user)
    elif 'pull' in actions:
      if not ReadRepositoryPermission(namespace, reponame):
        abort(403)


    access.append({
      'type': 'repository',
      'name': namespace_and_repo,
      'actions': actions,
    })

  token_data = {
    'iss': 'token-issuer',
    'aud': audience_param,
    'nbf': int(time.time()),
    'exp': int(time.time() + 60),
    'sub': user.username,
    'access': access,
  }

  with open('/Users/jake/Projects/registry-v2/ca/quay.host.crt') as cert_file:
    certificate = ''.join(cert_file.readlines()[1:-1]).rstrip('\n')

  token_headers = {
    'x5c': [certificate],
  }

  with open('/Users/jake/Projects/registry-v2/ca/quay.host.key.insecure') as private_key_file:
    private_key = private_key_file.read()

  return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`import logging`
			`import re`
			`import time`
			`import jwt`

			`from flask import request, jsonify, abort`

			`from data import model`
			`from auth.auth import process_auth`
			`from auth.auth_context import get_authenticated_user`
			`from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,`
			`CreateRepositoryPermission)`
			`from endpoints.v2 import v2_bp`
			`from util.cache import no_cache`
			`from util.names import parse_namespace_repository`


			`logger = logging.getLogger(__name__)`


			`SCOPE_REGEX = re.compile(`
			`r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push\|pull\|\),)(push\|pull\|\*))'`
			`)`


			`@v2_bp.route('/auth')`
			`@process_auth`
			`@no_cache`
			`def generate_registry_jwt():`
			`audience_param = request.args.get('service')`
			`logger.debug('Request audience: %s', audience_param)`

			`scope_param = request.args.get('scope')`
			`logger.debug('Scope request: %s', scope_param)`

			`user = get_authenticated_user()`

			`access = []`
			`if scope_param is not None:`
			`match = SCOPE_REGEX.match(scope_param)`
			`if match is None or match.end() != len(scope_param):`
			`logger.debug('Match: %s', match)`
			`logger.debug('End: %s', match.end())`
			`logger.debug('len: %s', len(scope_param))`
			`logger.warning('Unable to decode repository and actions: %s', scope_param)`
			`abort(400)`

			`logger.debug('Match: %s', match.groups())`

			`namespace_and_repo = match.group(1)`
			`actions = match.group(2).split(',')`

			`namespace, reponame = parse_namespace_repository(namespace_and_repo)`
			`if 'pull' in actions and 'push' in actions:`
			`repo = model.get_repository(namespace, reponame)`
			`if repo:`
			`if not ModifyRepositoryPermission(namespace, reponame):`
			`abort(403)`
			`else:`
			`if not CreateRepositoryPermission(namespace):`
			`abort(403)`
			`logger.debug('Creating repository: %s/%s', namespace, reponame)`
			`model.create_repository(namespace, reponame, user)`
			`elif 'pull' in actions:`
			`if not ReadRepositoryPermission(namespace, reponame):`
			`abort(403)`


			`access.append({`
			`'type': 'repository',`
			`'name': namespace_and_repo,`
			`'actions': actions,`
			`})`

			`token_data = {`
			`'iss': 'token-issuer',`
			`'aud': audience_param,`
			`'nbf': int(time.time()),`
			`'exp': int(time.time() + 60),`
			`'sub': user.username,`
			`'access': access,`
			`}`

			`with open('/Users/jake/Projects/registry-v2/ca/quay.host.crt') as cert_file:`
			`certificate = ''.join(cert_file.readlines()[1:-1]).rstrip('\n')`

			`token_headers = {`
			`'x5c': [certificate],`
			`}`

			`with open('/Users/jake/Projects/registry-v2/ca/quay.host.key.insecure') as private_key_file:`
			`private_key = private_key_file.read()`

			`return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})`