This repository has been archived on 2020-03-24. You can view files and clone it, but cannot push or open issues or pull requests.
quay/endpoints/v2/v2auth.py

218 lines
8.2 KiB
Python
Raw Normal View History

2015-06-22 21:37:13 +00:00
import logging
import re
from collections import namedtuple
2016-07-26 22:41:51 +00:00
from cachetools import lru_cache
from flask import request, jsonify
2015-06-22 21:37:13 +00:00
import features
from app import app, userevents, instance_keys
from auth.auth_context import get_authenticated_context, get_authenticated_user
from auth.decorators import process_basic_auth
2015-06-22 21:37:13 +00:00
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
CreateRepositoryPermission, AdministerRepositoryPermission)
from endpoints.decorators import anon_protect
from endpoints.v2 import v2_bp
from endpoints.v2.errors import InvalidLogin, NameInvalid, InvalidRequest, Unsupported, Unauthorized
from endpoints.v2.models_pre_oci import data_model as model
2015-06-22 21:37:13 +00:00
from util.cache import no_cache
2015-10-05 18:19:52 +00:00
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
2017-06-26 22:16:15 +00:00
from util.security.registry_jwt import (generate_bearer_token, build_context_and_subject,
QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT)
2015-06-22 21:37:13 +00:00
logger = logging.getLogger(__name__)
TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour
SCOPE_REGEX_TEMPLATE = r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)*[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
scopeResult = namedtuple('scopeResult', ['actions', 'namespace', 'repository', 'registry_and_repo',
'tuf_root'])
2015-06-22 21:37:13 +00:00
@v2_bp.route('/auth')
@process_basic_auth
2015-06-22 21:37:13 +00:00
@no_cache
2015-08-27 18:55:33 +00:00
@anon_protect
def generate_registry_jwt(auth_result):
2016-08-02 00:59:39 +00:00
"""
This endpoint will generate a JWT conforming to the Docker Registry v2 Auth Spec:
https://docs.docker.com/registry/spec/auth/token/
"""
2015-06-22 21:37:13 +00:00
audience_param = request.args.get('service')
logger.debug('Request audience: %s', audience_param)
scope_params = request.args.getlist('scope') or []
logger.debug('Scope request: %s', scope_params)
2015-06-22 21:37:13 +00:00
auth_header = request.headers.get('authorization', '')
auth_credentials_sent = bool(auth_header)
# Load the auth context and verify thatg we've directly received credentials.
has_valid_auth_context = False
if get_authenticated_context():
has_valid_auth_context = not get_authenticated_context().is_anonymous
if auth_credentials_sent and not has_valid_auth_context:
# The auth credentials sent for the user are invalid.
raise InvalidLogin(auth_result.error_message)
if not has_valid_auth_context and len(scope_params) == 0:
# In this case, we are doing an auth flow, and it's not an anonymous pull.
logger.debug('No user and no token sent for empty scope list')
raise Unauthorized()
# Build the access list for the authenticated context.
access = []
scope_results = []
for scope_param in scope_params:
scope_result = _authorize_or_downscope_request(scope_param, has_valid_auth_context)
if scope_result is None:
continue
scope_results.append(scope_result)
2015-06-22 21:37:13 +00:00
access.append({
'type': 'repository',
'name': scope_result.registry_and_repo,
'actions': scope_result.actions,
})
2015-06-22 21:37:13 +00:00
# Issue user events.
user_event_data = {
'action': 'login',
}
# Set the user event data for when authed.
if len(scope_results) > 0:
if 'push' in scope_results[0].actions:
user_action = 'push_start'
elif 'pull' in scope_results[0].actions:
user_action = 'pull_start'
else:
user_action = 'login'
user_event_data = {
'action': user_action,
'namespace': scope_results[0].namespace,
'repository': scope_results[0].repository,
}
# Send the user event.
if get_authenticated_user() is not None:
event = userevents.get_event(get_authenticated_user().username)
event.publish_event_data('docker-cli', user_event_data)
# Build the signed JWT.
tuf_roots = {'%s/%s' % (scope_result.namespace, scope_result.repository): scope_result.tuf_root
for scope_result in scope_results}
context, subject = build_context_and_subject(get_authenticated_context(), tuf_roots=tuf_roots)
token = generate_bearer_token(audience_param, subject, context, access,
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
return jsonify({'token': token})
@lru_cache(maxsize=1)
def _get_scope_regex():
hostname = re.escape(app.config['SERVER_HOSTNAME'])
scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
return re.compile(scope_regex_string)
def _get_tuf_root(repo, namespace, reponame):
if not features.SIGNING or repo is None or not repo.trust_enabled:
return DISABLED_TUF_ROOT
# Users with write access to a repo will see signer-rooted TUF metadata
if ModifyRepositoryPermission(namespace, reponame).can():
2017-03-22 20:14:56 +00:00
return SIGNER_TUF_ROOT
return QUAY_TUF_ROOT
def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
if len(scope_param) == 0:
if not has_valid_auth_context:
# In this case, we are doing an auth flow, and it's not an anonymous pull.
logger.debug('No user and no token sent for empty scope list')
raise Unauthorized()
return None
match = _get_scope_regex().match(scope_param)
if match is None:
logger.debug('Match: %s', match)
logger.debug('len: %s', len(scope_param))
logger.warning('Unable to decode repository and actions: %s', scope_param)
raise InvalidRequest('Unable to decode repository and actions: %s' % scope_param)
logger.debug('Match: %s', match.groups())
registry_and_repo = match.group(1)
namespace_and_repo = match.group(2)
actions = match.group(3).split(',')
lib_namespace = app.config['LIBRARY_NAMESPACE']
namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
# Ensure that we are never creating an invalid repository.
if not REPOSITORY_NAME_REGEX.match(reponame):
logger.debug('Found invalid repository name in auth flow: %s', reponame)
if len(namespace_and_repo.split('/')) > 1:
msg = 'Nested repositories are not supported. Found: %s' % namespace_and_repo
raise NameInvalid(message=msg)
raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
final_actions = []
repo = model.get_repository(namespace, reponame)
repo_is_public = repo is not None and repo.is_public
invalid_repo_message = ''
if repo is not None and repo.kind != 'image':
invalid_repo_message = ((
'This repository is for managing %s resources ' + 'and not container images.') % repo.kind)
if 'push' in actions:
# Check if there is a valid user or token, as otherwise the repository cannot be
# accessed.
if has_valid_auth_context:
# Lookup the repository. If it exists, make sure the entity has modify
# permission. Otherwise, make sure the entity has create permission.
if repo:
if ModifyRepositoryPermission(namespace, reponame).can():
if repo.kind != 'image':
raise Unsupported(message=invalid_repo_message)
final_actions.append('push')
else:
logger.debug('No permission to modify repository %s/%s', namespace, reponame)
else:
user = get_authenticated_user()
if CreateRepositoryPermission(namespace).can() and user is not None:
logger.debug('Creating repository: %s/%s', namespace, reponame)
model.create_repository(namespace, reponame, user)
final_actions.append('push')
else:
logger.debug('No permission to create repository %s/%s', namespace, reponame)
if 'pull' in actions:
# Grant pull if the user can read the repo or it is public.
if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
if repo is not None and repo.kind != 'image':
raise Unsupported(message=invalid_repo_message)
final_actions.append('pull')
else:
logger.debug('No permission to pull repository %s/%s', namespace, reponame)
if '*' in actions:
# Grant * user is admin
if AdministerRepositoryPermission(namespace, reponame).can():
if repo is not None and repo.kind != 'image':
raise Unsupported(message=invalid_repo_message)
final_actions.append('*')
else:
logger.debug("No permission to administer repository %s/%s", namespace, reponame)
return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
registry_and_repo=registry_and_repo,
tuf_root=_get_tuf_root(repo, namespace, reponame))