Change to always granting a signed token if there is a valid user OR if there is valid permissions on a repository

This fixes the issue whereby attempting to pull a public repository as an authenticated user with anonymous access disabled caused an unexpected 401. This change also adds tests for a few other use cases to verify we haven't broken anything.
2015-06-02 15:16:22 -04:00 · 2015-06-02 15:16:22 -04:00 · 075c75d031
commit 075c75d031
parent 3602b59465
2 changed files with 41 additions and 13 deletions
--- a/endpoints/index.py
+++ b/endpoints/index.py
@ -43,6 +43,7 @@ def generate_headers(scope=GrantType.READ_REPOSITORY):
      # Setting session namespace and repository
      session['namespace'] = namespace
      session['repository'] = repository
+
      # We run our index and registry on the same hosts for now
      registry_server = urlparse.urlparse(request.url).netloc
      response.headers['X-Docker-Endpoints'] = registry_server
@ -50,24 +51,22 @@ def generate_headers(scope=GrantType.READ_REPOSITORY):
      has_token_request = request.headers.get('X-Docker-Token', '')

      if has_token_request:
-        permission = AlwaysFailPermission()
        grants = []
-        if scope == GrantType.READ_REPOSITORY:
-          permission = ReadRepositoryPermission(namespace, repository)
-          grants.append(repository_read_grant(namespace, repository))
-        elif scope == GrantType.WRITE_REPOSITORY:
-          permission = ModifyRepositoryPermission(namespace, repository)
-          grants.append(repository_write_grant(namespace, repository))

-        if permission.can():
-          # Generate a signed grant which expires here
+        if scope == GrantType.READ_REPOSITORY:
+          if ReadRepositoryPermission(namespace, repository).can():
+            grants.append(repository_read_grant(namespace, repository))
+        elif scope == GrantType.WRITE_REPOSITORY:
+          if ModifyRepositoryPermission(namespace, repository).can():
+            grants.append(repository_write_grant(namespace, repository))
+
+        # Generate a signed token for the user (if any) and the grants (if any)
+        if grants or get_authenticated_user():
          user_context = get_authenticated_user() and get_authenticated_user().username
          signature = generate_signed_token(grants, user_context)
          response.headers['WWW-Authenticate'] = signature
          response.headers['X-Docker-Token'] = signature
-        else:
-          logger.warning('Registry request with invalid credentials on repository: %s/%s',
-                         namespace, repository)
+
      return response
    return wrapper
  return decorator_method