Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db.
This commit is contained in:
yackob03
parent
5caa54ffb3
commit
23cbcb2979
6 changed files with 79 additions and 67 deletions
19
auth/auth.py
19
auth/auth.py
|
|
@ -27,7 +27,7 @@ def process_basic_auth():
|
||||||
normalized = [part.strip() for part in auth.split(' ') if part]
|
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||||
if normalized[0].lower() != 'basic' or len(normalized) != 2:
|
if normalized[0].lower() != 'basic' or len(normalized) != 2:
|
||||||
logger.debug('Invalid basic auth format.')
|
logger.debug('Invalid basic auth format.')
|
||||||
return False
|
return
|
||||||
|
|
||||||
credentials = b64decode(normalized[1]).split(':')
|
credentials = b64decode(normalized[1]).split(':')
|
||||||
|
|
||||||
|
|
@ -43,10 +43,11 @@ def process_basic_auth():
|
||||||
|
|
||||||
identity_changed.send(app, identity=Identity(authenticated.username))
|
identity_changed.send(app, identity=Identity(authenticated.username))
|
||||||
|
|
||||||
return True
|
return
|
||||||
|
|
||||||
# We weren't able to authenticate via basic auth.
|
# We weren't able to authenticate via basic auth.
|
||||||
return False
|
logger.debug('Basic auth present but could not be validated.')
|
||||||
|
abort(401)
|
||||||
|
|
||||||
|
|
||||||
def process_token():
|
def process_token():
|
||||||
|
|
@ -56,19 +57,19 @@ def process_token():
|
||||||
normalized = [part.strip() for part in auth.split(' ') if part]
|
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||||
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
||||||
logger.debug('Invalid token format.')
|
logger.debug('Invalid token format.')
|
||||||
return False
|
return
|
||||||
|
|
||||||
token_details = normalized[1].split(',')
|
token_details = normalized[1].split(',')
|
||||||
|
|
||||||
if len(token_details) != 2:
|
if len(token_details) != 2:
|
||||||
logger.debug('Invalid token format.')
|
logger.debug('Invalid token format.')
|
||||||
return False
|
return
|
||||||
|
|
||||||
token_vals = {val[0]: val[1] for val in
|
token_vals = {val[0]: val[1] for val in
|
||||||
(detail.split('=') for detail in token_details)}
|
(detail.split('=') for detail in token_details)}
|
||||||
if ('signature' not in token_vals or 'repository' not in token_vals):
|
if ('signature' not in token_vals or 'repository' not in token_vals):
|
||||||
logger.debug('Invalid token components.')
|
logger.debug('Invalid token components.')
|
||||||
return False
|
return
|
||||||
|
|
||||||
unquoted = token_vals['repository'][1:-1]
|
unquoted = token_vals['repository'][1:-1]
|
||||||
namespace, repository = parse_namespace_repository(unquoted)
|
namespace, repository = parse_namespace_repository(unquoted)
|
||||||
|
|
@ -86,11 +87,11 @@ def process_token():
|
||||||
|
|
||||||
identity_changed.send(app, identity=Identity(validated.code))
|
identity_changed.send(app, identity=Identity(validated.code))
|
||||||
|
|
||||||
return True
|
return
|
||||||
|
|
||||||
# WE weren't able to authenticate the token
|
# WE weren't able to authenticate the token
|
||||||
logger.debug('Token could not be validated.')
|
logger.debug('Token present but could not be validated.')
|
||||||
return False
|
abort(401)
|
||||||
|
|
||||||
|
|
||||||
def process_auth(f):
|
def process_auth(f):
|
||||||
|
|
|
||||||
|
|
@ -31,6 +31,7 @@ class Repository(BaseModel):
|
||||||
namespace = CharField()
|
namespace = CharField()
|
||||||
name = CharField()
|
name = CharField()
|
||||||
visibility = ForeignKeyField(Visibility)
|
visibility = ForeignKeyField(Visibility)
|
||||||
|
description = CharField(null=True)
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
database = db
|
database = db
|
||||||
|
|
@ -66,8 +67,22 @@ class AccessToken(BaseModel):
|
||||||
|
|
||||||
|
|
||||||
class Image(BaseModel):
|
class Image(BaseModel):
|
||||||
image_id = CharField(unique=True)
|
# This class is intentionally denormalized. Even though images are supposed
|
||||||
|
# to be globally unique we can't treat them as such for permissions and
|
||||||
|
# security reasons. So rather than Repository <-> Image being many to many
|
||||||
|
# each image now belongs to exactly one repository.
|
||||||
|
image_id = CharField()
|
||||||
checksum = CharField(null=True)
|
checksum = CharField(null=True)
|
||||||
|
created = DateTimeField(null=True)
|
||||||
|
comment = CharField(null=True)
|
||||||
|
repository = ForeignKeyField(Repository)
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
database = db
|
||||||
|
indexes = (
|
||||||
|
# we don't really want duplicates
|
||||||
|
(('repository', 'image_id'), True),
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class RepositoryTag(BaseModel):
|
class RepositoryTag(BaseModel):
|
||||||
|
|
@ -76,22 +91,9 @@ class RepositoryTag(BaseModel):
|
||||||
repository = ForeignKeyField(Repository)
|
repository = ForeignKeyField(Repository)
|
||||||
|
|
||||||
|
|
||||||
class RepositoryImage(BaseModel):
|
|
||||||
repository = ForeignKeyField(Repository)
|
|
||||||
image = ForeignKeyField(Image)
|
|
||||||
tag = CharField()
|
|
||||||
|
|
||||||
class Meta:
|
|
||||||
database = db
|
|
||||||
indexes = (
|
|
||||||
# we don't really want duplicates
|
|
||||||
(('repository', 'image', 'tag'), True),
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def initialize_db():
|
def initialize_db():
|
||||||
create_model_tables([User, Repository, Image, RepositoryImage, AccessToken,
|
create_model_tables([User, Repository, Image, AccessToken, Role,
|
||||||
Role, RepositoryPermission, Visibility, RepositoryTag])
|
RepositoryPermission, Visibility, RepositoryTag])
|
||||||
Role.create(name='admin')
|
Role.create(name='admin')
|
||||||
Role.create(name='write')
|
Role.create(name='write')
|
||||||
Role.create(name='read')
|
Role.create(name='read')
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
import bcrypt
|
import bcrypt
|
||||||
import logging
|
import logging
|
||||||
|
import dateutil.parser
|
||||||
|
|
||||||
from database import *
|
from database import *
|
||||||
|
|
||||||
|
|
@ -34,10 +35,15 @@ def verify_user(username, password):
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
|
def create_access_token(user, repository):
|
||||||
|
new_token = AccessToken.create(user=user, repository=repository)
|
||||||
|
return new_token
|
||||||
|
|
||||||
|
|
||||||
def verify_token(code, namespace_name, repository_name):
|
def verify_token(code, namespace_name, repository_name):
|
||||||
joined = AccessToken.select(AccessToken, Repository).join(Repository)
|
joined = AccessToken.select(AccessToken, Repository).join(Repository)
|
||||||
tokens = list(joined.where(AccessToken.code == code and
|
tokens = list(joined.where(AccessToken.code == code,
|
||||||
Repository.namespace == namespace_name and
|
Repository.namespace == namespace_name,
|
||||||
Repository.name == repository_name))
|
Repository.name == repository_name))
|
||||||
if tokens:
|
if tokens:
|
||||||
return tokens[0]
|
return tokens[0]
|
||||||
|
|
@ -64,7 +70,7 @@ def get_all_repo_permissions(user):
|
||||||
|
|
||||||
def get_repository(namespace, name):
|
def get_repository(namespace, name):
|
||||||
try:
|
try:
|
||||||
return Repository.get(Repository.name == name and
|
return Repository.get(Repository.name == name,
|
||||||
Repository.namespace == namespace)
|
Repository.namespace == namespace)
|
||||||
except Repository.DoesNotExist:
|
except Repository.DoesNotExist:
|
||||||
return None
|
return None
|
||||||
|
|
@ -88,28 +94,39 @@ def create_repository(namespace, name, owner):
|
||||||
return repo
|
return repo
|
||||||
|
|
||||||
|
|
||||||
def create_image(image_id):
|
def create_image(image_id, repository):
|
||||||
new_image = Image.create(image_id=image_id)
|
new_image = Image.create(image_id=image_id, repository=repository)
|
||||||
return new_image
|
return new_image
|
||||||
|
|
||||||
|
|
||||||
def set_image_checksum(image_id, checksum):
|
def set_image_checksum(image_id, repository, checksum):
|
||||||
fetched = Image.get(Image.image_id == image_id)
|
fetched = Image.get(Image.image_id == image_id,
|
||||||
|
Image.repository == repository)
|
||||||
fetched.checksum = checksum
|
fetched.checksum = checksum
|
||||||
fetched.save()
|
fetched.save()
|
||||||
return fetched
|
return fetched
|
||||||
|
|
||||||
|
|
||||||
def assign_image_repository(repository, image, tag):
|
def set_image_metadata(image_id, namespace_name, repository_name,
|
||||||
repo_image = RepositoryImage.create(repository=repository, image=image,
|
created_date_str, comment):
|
||||||
tag=tag)
|
joined = Image.select().join(Repository)
|
||||||
return repo_image
|
image_list = list(joined.where(Repository.name == repository_name,
|
||||||
|
Repository.namespace == namespace_name,
|
||||||
|
Image.image_id == image_id))
|
||||||
|
|
||||||
|
if not image_list:
|
||||||
|
raise RuntimeError('No image with specified id and repository')
|
||||||
|
|
||||||
|
fetched = image_list[0]
|
||||||
|
fetched.created = dateutil.parser.parse(created_date_str)
|
||||||
|
fetched.comment = comment
|
||||||
|
fetched.save()
|
||||||
|
return fetched
|
||||||
|
|
||||||
|
|
||||||
def get_repository_images(namespace_name, repository_name):
|
def get_repository_images(namespace_name, repository_name):
|
||||||
select = Image.select(Image, RepositoryImage)
|
joined = Image.select().join(Repository)
|
||||||
joined = select.join(RepositoryImage).join(Repository)
|
return joined.where(Repository.name == repository_name,
|
||||||
return joined.where(Repository.name == repository_name and
|
|
||||||
Repository.namespace == namespace_name)
|
Repository.namespace == namespace_name)
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -117,25 +134,25 @@ def list_repository_tags(namespace_name, repository_name):
|
||||||
select = RepositoryTag.select(RepositoryTag, Image)
|
select = RepositoryTag.select(RepositoryTag, Image)
|
||||||
with_repo = select.join(Repository)
|
with_repo = select.join(Repository)
|
||||||
with_image = with_repo.switch(RepositoryTag).join(Image)
|
with_image = with_repo.switch(RepositoryTag).join(Image)
|
||||||
return with_image.where(Repository.name == repository_name and
|
return with_image.where(Repository.name == repository_name,
|
||||||
Repository.namespace == namespace_name)
|
Repository.namespace == namespace_name)
|
||||||
|
|
||||||
|
|
||||||
def get_tag_image(namespace_name, repository_name, tag_name):
|
def get_tag_image(namespace_name, repository_name, tag_name):
|
||||||
joined = Image.select().join(RepositoryTag).join(Repository)
|
joined = Image.select().join(RepositoryTag).join(Repository)
|
||||||
return joined.where(Repository.name == repository_name and
|
return joined.where(Repository.name == repository_name,
|
||||||
Repository.namespace == namespace_name and
|
Repository.namespace == namespace_name,
|
||||||
RepositoryTag.name == tag_name)
|
RepositoryTag.name == tag_name)
|
||||||
|
|
||||||
|
|
||||||
def create_or_update_tag(namespace_name, repository_name, tag_name,
|
def create_or_update_tag(namespace_name, repository_name, tag_name,
|
||||||
tag_image_id):
|
tag_image_id):
|
||||||
repo = Repository.get(Repository.name == repository_name and
|
repo = Repository.get(Repository.name == repository_name,
|
||||||
Repository.namespace == namespace_name)
|
Repository.namespace == namespace_name)
|
||||||
image = Image.get(Image.image_id == tag_image_id)
|
image = Image.get(Image.image_id == tag_image_id)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
tag = RepositoryTag.get(RepositoryTag.repository == repo and
|
tag = RepositoryTag.get(RepositoryTag.repository == repo,
|
||||||
RepositoryTag.name == tag_name)
|
RepositoryTag.name == tag_name)
|
||||||
tag.image = image
|
tag.image = image
|
||||||
tag.save()
|
tag.save()
|
||||||
|
|
@ -146,25 +163,20 @@ def create_or_update_tag(namespace_name, repository_name, tag_name,
|
||||||
|
|
||||||
|
|
||||||
def delete_tag(namespace_name, repository_name, tag_name):
|
def delete_tag(namespace_name, repository_name, tag_name):
|
||||||
repo = Repository.get(Repository.name == repository_name and
|
repo = Repository.get(Repository.name == repository_name,
|
||||||
Repository.namespace == namespace_name)
|
Repository.namespace == namespace_name)
|
||||||
tag = RepositoryTag.get(RepositoryTag.repository == repo and
|
tag = RepositoryTag.get(RepositoryTag.repository == repo,
|
||||||
RepositoryTag.name == tag_name)
|
RepositoryTag.name == tag_name)
|
||||||
tag.delete_instance()
|
tag.delete_instance()
|
||||||
|
|
||||||
|
|
||||||
def delete_all_repository_tags(namespace_name, repository_name):
|
def delete_all_repository_tags(namespace_name, repository_name):
|
||||||
repo = Repository.get(Repository.name == repository_name and
|
repo = Repository.get(Repository.name == repository_name,
|
||||||
Repository.namespace == namespace_name)
|
Repository.namespace == namespace_name)
|
||||||
RepositoryTag.delete().where(RepositoryTag.repository == repo)
|
RepositoryTag.delete().where(RepositoryTag.repository == repo)
|
||||||
|
|
||||||
|
|
||||||
def create_access_token(repository, user):
|
|
||||||
new_token = AccessToken.create(user=user, repository=repository)
|
|
||||||
return new_token
|
|
||||||
|
|
||||||
|
|
||||||
def get_user_repo_permissions(user, repository):
|
def get_user_repo_permissions(user, repository):
|
||||||
select = RepositoryPermission.select()
|
select = RepositoryPermission.select()
|
||||||
return select.where(RepositoryPermission.user == user and
|
return select.where(RepositoryPermission.user == user,
|
||||||
RepositoryPermission.repository == repository)
|
RepositoryPermission.repository == repository)
|
||||||
|
|
|
||||||
|
|
@ -55,9 +55,6 @@ def create_user():
|
||||||
@app.route('/v1/users/', methods=['GET'])
|
@app.route('/v1/users/', methods=['GET'])
|
||||||
@process_auth
|
@process_auth
|
||||||
def get_user():
|
def get_user():
|
||||||
if not get_authenticated_user():
|
|
||||||
abort(401)
|
|
||||||
|
|
||||||
return jsonify({
|
return jsonify({
|
||||||
'username': get_authenticated_user().username,
|
'username': get_authenticated_user().username,
|
||||||
'email': get_authenticated_user().email,
|
'email': get_authenticated_user().email,
|
||||||
|
|
@ -101,14 +98,9 @@ def create_repository(namespace, repository):
|
||||||
if repo:
|
if repo:
|
||||||
permission = ModifyRepositoryPermission(namespace, repository)
|
permission = ModifyRepositoryPermission(namespace, repository)
|
||||||
if not permission.can():
|
if not permission.can():
|
||||||
if get_validated_token() or get_authenticated_user():
|
|
||||||
abort(403)
|
abort(403)
|
||||||
else:
|
|
||||||
abort(401)
|
|
||||||
else:
|
|
||||||
if not get_authenticated_user():
|
|
||||||
abort(401)
|
|
||||||
|
|
||||||
|
else:
|
||||||
if get_authenticated_user().username != namespace:
|
if get_authenticated_user().username != namespace:
|
||||||
abort(403)
|
abort(403)
|
||||||
|
|
||||||
|
|
@ -126,8 +118,7 @@ def create_repository(namespace, repository):
|
||||||
existing.repositoryimage.delete()
|
existing.repositoryimage.delete()
|
||||||
|
|
||||||
for image_description in added_images.values():
|
for image_description in added_images.values():
|
||||||
image = model.create_image(image_description['id'])
|
image = model.create_image(image_description['id'], repo)
|
||||||
model.assign_image_repository(repo, image, image_description['Tag'])
|
|
||||||
|
|
||||||
response = make_response('Created', 201)
|
response = make_response('Created', 201)
|
||||||
return response
|
return response
|
||||||
|
|
@ -141,10 +132,13 @@ def update_images(namespace, repository):
|
||||||
permission = ModifyRepositoryPermission(namespace, repository)
|
permission = ModifyRepositoryPermission(namespace, repository)
|
||||||
|
|
||||||
if permission.can():
|
if permission.can():
|
||||||
|
repository = model.get_repository(namespace, repository)
|
||||||
image_with_checksums = json.loads(request.data)
|
image_with_checksums = json.loads(request.data)
|
||||||
|
|
||||||
for image in image_with_checksums:
|
for image in image_with_checksums:
|
||||||
model.set_image_checksum(image['id'], image['checksum'])
|
logger.debug('Setting checksum for image id: %s to %s' %
|
||||||
|
(image['id'], image['checksum']))
|
||||||
|
model.set_image_checksum(image['id'], repository, image['checksum'])
|
||||||
|
|
||||||
return make_response('Updated', 204)
|
return make_response('Updated', 204)
|
||||||
|
|
||||||
|
|
@ -165,7 +159,6 @@ def get_repository_images(namespace, repository):
|
||||||
for image in model.get_repository_images(namespace, repository):
|
for image in model.get_repository_images(namespace, repository):
|
||||||
new_image_view = {
|
new_image_view = {
|
||||||
'id': image.image_id,
|
'id': image.image_id,
|
||||||
'tag': image.repositoryimage.tag,
|
|
||||||
'checksum': image.checksum,
|
'checksum': image.checksum,
|
||||||
}
|
}
|
||||||
all_images.append(new_image_view)
|
all_images.append(new_image_view)
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,7 @@ from auth.auth import process_auth, extract_namespace_repo_from_session
|
||||||
from util import checksums
|
from util import checksums
|
||||||
from auth.permissions import (ReadRepositoryPermission,
|
from auth.permissions import (ReadRepositoryPermission,
|
||||||
ModifyRepositoryPermission)
|
ModifyRepositoryPermission)
|
||||||
|
from data import model
|
||||||
|
|
||||||
|
|
||||||
store = storage.load()
|
store = storage.load()
|
||||||
|
|
@ -286,6 +287,9 @@ def put_image_json(namespace, repository, image_id):
|
||||||
abort(409) #'Image already exists', 409)
|
abort(409) #'Image already exists', 409)
|
||||||
# If we reach that point, it means that this is a new image or a retry
|
# If we reach that point, it means that this is a new image or a retry
|
||||||
# on a failed push
|
# on a failed push
|
||||||
|
# save the metadata
|
||||||
|
model.set_image_metadata(image_id, namespace, repository,
|
||||||
|
data.get('created'), data.get('comment'))
|
||||||
store.put_content(mark_path, 'true')
|
store.put_content(mark_path, 'true')
|
||||||
store.put_content(json_path, request.data)
|
store.put_content(json_path, request.data)
|
||||||
generate_ancestry(namespace, repository, image_id, parent_id)
|
generate_ancestry(namespace, repository, image_id, parent_id)
|
||||||
|
|
|
||||||
BIN
test.db
BIN
test.db
Binary file not shown.
Reference in a new issue