quay/endpoints/v2/v2auth.py

import logging
import re
import time
import jwt

from flask import request, jsonify, abort
from cachetools import lru_cache

from app import app
from data import model
from auth.auth import process_auth
from auth.jwt_auth import build_context_and_subject
from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
                              CreateRepositoryPermission)
from endpoints.v2 import v2_bp
from util.cache import no_cache
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
from endpoints.decorators import anon_protect

logger = logging.getLogger(__name__)


TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
SCOPE_REGEX = re.compile(
    r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
)

@lru_cache(maxsize=1)
def load_certificate_bytes(certificate_file_path):
  with open(certificate_file_path) as cert_file:
    return ''.join(cert_file.readlines()[1:-1]).rstrip('\n')


@lru_cache(maxsize=1)
def load_private_key(private_key_file_path):
  with open(private_key_file_path) as private_key_file:
    return private_key_file.read()


@v2_bp.route('/auth')
@process_auth
@no_cache
@anon_protect
def generate_registry_jwt():
  """ This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:
      https://docs.docker.com/registry/spec/auth/token/
  """
  audience_param = request.args.get('service')
  logger.debug('Request audience: %s', audience_param)

  scope_param = request.args.get('scope')
  logger.debug('Scope request: %s', scope_param)

  user = get_authenticated_user()
  logger.debug('Authenticated user: %s', user)

  token = get_validated_token()
  logger.debug('Authenticated token: %s', token)

  oauthtoken = get_validated_oauth_token()
  logger.debug('Authenticated OAuth token: %s', oauthtoken)

  access = []
  if scope_param is not None:
    match = SCOPE_REGEX.match(scope_param)
    if match is None:
      logger.debug('Match: %s', match)
      logger.debug('len: %s', len(scope_param))
      logger.warning('Unable to decode repository and actions: %s', scope_param)
      abort(400)

    logger.debug('Match: %s', match.groups())

    namespace_and_repo = match.group(1)
    actions = match.group(2).split(',')

    namespace, reponame = parse_namespace_repository(namespace_and_repo)

    # Ensure that we are never creating an invalid repository.
    if not REPOSITORY_NAME_REGEX.match(reponame):
      abort(400)

    final_actions = []

    if 'push' in actions:
      # If there is no valid user or token, then the repository cannot be
      # accessed.
      if user is None and token is None:
        abort(401)

      # Lookup the repository. If it exists, make sure the entity has modify
      # permission. Otherwise, make sure the entity has create permission.
      repo = model.repository.get_repository(namespace, reponame)
      if repo:
        if not ModifyRepositoryPermission(namespace, reponame).can():
          abort(403)
      else:
        if not CreateRepositoryPermission(namespace).can() or user is None:
          abort(403)

        logger.debug('Creating repository: %s/%s', namespace, reponame)
        model.repository.create_repository(namespace, reponame, user)

      final_actions.append('push')

    if 'pull' in actions:
      # Grant pull if the user can read the repo or it is public. We also
      # grant it if the user already has push, as they can clearly change
      # the repository.
      if (ReadRepositoryPermission(namespace, reponame).can() or
          model.repository.repository_is_public(namespace, reponame) or
          'push' in final_actions):
        final_actions.append('pull')
      else:
        abort(403)


    access.append({
      'type': 'repository',
      'name': namespace_and_repo,
      'actions': final_actions,
    })

  elif user is None and token is None:
    # In this case, we are doing an auth flow, and it's not an anonymous pull
    return abort(401)

  context, subject = build_context_and_subject(user, token, oauthtoken)
  token_data = {
    'iss': app.config['JWT_AUTH_TOKEN_ISSUER'],
    'aud': audience_param,
    'nbf': int(time.time()),
    'iat': int(time.time()),
    'exp': int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
    'sub': subject,
    'access': access,
    'context': context,
  }

  certificate = load_certificate_bytes(app.config['JWT_AUTH_CERTIFICATE_PATH'])

  token_headers = {
    'x5c': [certificate],
  }

  private_key = load_private_key(app.config['JWT_AUTH_PRIVATE_KEY_PATH'])

  return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`import logging`
			`import re`
			`import time`
			`import jwt`

			`from flask import request, jsonify, abort`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`from cachetools import lru_cache`
Start of a v2 API. 2015-06-22 21:37:13 +00:00
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`from app import app`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`from data import model`
			`from auth.auth import process_auth`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`from auth.jwt_auth import build_context_and_subject`
			`from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,`
			`CreateRepositoryPermission)`
			`from endpoints.v2 import v2_bp`
			`from util.cache import no_cache`
Add repo name check to V2 Fixes #592 2015-10-05 18:19:52 +00:00			`from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX`
Fix auth and add V2 tests! 2015-08-27 18:55:33 +00:00			`from endpoints.decorators import anon_protect`
Start of a v2 API. 2015-06-22 21:37:13 +00:00
			`logger = logging.getLogger(__name__)`


Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`SCOPE_REGEX = re.compile(`
Fix auth and add V2 tests! 2015-08-27 18:55:33 +00:00			`r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push\|pull\|\),)(push\|pull\|\*))$'`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`)`

Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`@lru_cache(maxsize=1)`
			`def load_certificate_bytes(certificate_file_path):`
			`with open(certificate_file_path) as cert_file:`
			`return ''.join(cert_file.readlines()[1:-1]).rstrip('\n')`


			`@lru_cache(maxsize=1)`
			`def load_private_key(private_key_file_path):`
			`with open(private_key_file_path) as private_key_file:`
			`return private_key_file.read()`


Start of a v2 API. 2015-06-22 21:37:13 +00:00			`@v2_bp.route('/auth')`
			`@process_auth`
			`@no_cache`
Fix auth and add V2 tests! 2015-08-27 18:55:33 +00:00			`@anon_protect`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`def generate_registry_jwt():`
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`""" This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:`
			`https://docs.docker.com/registry/spec/auth/token/`
			`"""`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`audience_param = request.args.get('service')`
			`logger.debug('Request audience: %s', audience_param)`

			`scope_param = request.args.get('scope')`
			`logger.debug('Scope request: %s', scope_param)`

			`user = get_authenticated_user()`
Fix token pushes for v2 auth, tokens have no user 2015-11-19 00:04:40 +00:00			`logger.debug('Authenticated user: %s', user)`

			`token = get_validated_token()`
			`logger.debug('Authenticated token: %s', token)`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00
			`oauthtoken = get_validated_oauth_token()`
			`logger.debug('Authenticated OAuth token: %s', oauthtoken)`

Start of a v2 API. 2015-06-22 21:37:13 +00:00			`access = []`
			`if scope_param is not None:`
			`match = SCOPE_REGEX.match(scope_param)`
Fix auth and add V2 tests! 2015-08-27 18:55:33 +00:00			`if match is None:`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`logger.debug('Match: %s', match)`
			`logger.debug('len: %s', len(scope_param))`
			`logger.warning('Unable to decode repository and actions: %s', scope_param)`
			`abort(400)`

			`logger.debug('Match: %s', match.groups())`

			`namespace_and_repo = match.group(1)`
			`actions = match.group(2).split(',')`

			`namespace, reponame = parse_namespace_repository(namespace_and_repo)`
Add repo name check to V2 Fixes #592 2015-10-05 18:19:52 +00:00
			`# Ensure that we are never creating an invalid repository.`
			`if not REPOSITORY_NAME_REGEX.match(reponame):`
			`abort(400)`

Add login tests and fix scope security issue 2015-11-24 04:46:05 +00:00			`final_actions = []`

			`if 'push' in actions:`
			`# If there is no valid user or token, then the repository cannot be`
			`# accessed.`
Fix anonymous repository pulls 2015-11-19 01:11:06 +00:00			`if user is None and token is None:`
			`abort(401)`

Add login tests and fix scope security issue 2015-11-24 04:46:05 +00:00			`# Lookup the repository. If it exists, make sure the entity has modify`
			`# permission. Otherwise, make sure the entity has create permission.`
Accidental refactor, split out legacy.py into separate sumodules and update all call sites. 2015-07-15 21:25:41 +00:00			`repo = model.repository.get_repository(namespace, reponame)`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`if repo:`
Fix auth and add V2 tests! 2015-08-27 18:55:33 +00:00			`if not ModifyRepositoryPermission(namespace, reponame).can():`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`abort(403)`
			`else:`
Fix token pushes for v2 auth, tokens have no user 2015-11-19 00:04:40 +00:00			`if not CreateRepositoryPermission(namespace).can() or user is None:`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`abort(403)`
Fix token pushes for v2 auth, tokens have no user 2015-11-19 00:04:40 +00:00
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`logger.debug('Creating repository: %s/%s', namespace, reponame)`
Accidental refactor, split out legacy.py into separate sumodules and update all call sites. 2015-07-15 21:25:41 +00:00			`model.repository.create_repository(namespace, reponame, user)`
Add login tests and fix scope security issue 2015-11-24 04:46:05 +00:00
			`final_actions.append('push')`

			`if 'pull' in actions:`
			`# Grant pull if the user can read the repo or it is public. We also`
			`# grant it if the user already has push, as they can clearly change`
			`# the repository.`
			`if (ReadRepositoryPermission(namespace, reponame).can() or`
			`model.repository.repository_is_public(namespace, reponame) or`
			`'push' in final_actions):`
			`final_actions.append('pull')`
			`else:`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`abort(403)`

Add login tests and fix scope security issue 2015-11-24 04:46:05 +00:00
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`access.append({`
			`'type': 'repository',`
			`'name': namespace_and_repo,`
Add login tests and fix scope security issue 2015-11-24 04:46:05 +00:00			`'actions': final_actions,`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`})`

Return a 401 when doing a login with bad credentials 2015-11-20 23:35:02 +00:00			`elif user is None and token is None:`
			`# In this case, we are doing an auth flow, and it's not an anonymous pull`
			`return abort(401)`

Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`context, subject = build_context_and_subject(user, token, oauthtoken)`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`token_data = {`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`'iss': app.config['JWT_AUTH_TOKEN_ISSUER'],`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`'aud': audience_param,`
			`'nbf': int(time.time()),`
Some fixes and tests for v2 auth Fixes #395 2015-09-10 16:24:33 +00:00			`'iat': int(time.time()),`
			`'exp': int(time.time() + TOKEN_VALIDITY_LIFETIME_S),`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`'sub': subject,`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`'access': access,`
Make our JWT subjects better and log using the info Fixes #1039 2015-12-09 21:10:39 +00:00			`'context': context,`
Start of a v2 API. 2015-06-22 21:37:13 +00:00			`}`

Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`certificate = load_certificate_bytes(app.config['JWT_AUTH_CERTIFICATE_PATH'])`
Start of a v2 API. 2015-06-22 21:37:13 +00:00
			`token_headers = {`
			`'x5c': [certificate],`
			`}`

Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`private_key = load_private_key(app.config['JWT_AUTH_PRIVATE_KEY_PATH'])`
Start of a v2 API. 2015-06-22 21:37:13 +00:00
Fix and templatize the logic for external JWT AuthN and registry v2 Auth. Make it explicit that the registry-v2 stuff is not ready for prime time. 2015-07-16 19:49:06 +00:00			`return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})`