Make images belong to one repository only. Add a description field to the repository. Fix a bug with access tokens. Fix an embarrasing bug with multiple select criteria in peewee. Update the test db.
This commit is contained in:
yackob03
parent
5caa54ffb3
commit
23cbcb2979
6 changed files with 79 additions and 67 deletions
19
auth/auth.py
19
auth/auth.py
|
|
@ -27,7 +27,7 @@ def process_basic_auth():
|
|||
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||
if normalized[0].lower() != 'basic' or len(normalized) != 2:
|
||||
logger.debug('Invalid basic auth format.')
|
||||
return False
|
||||
return
|
||||
|
||||
credentials = b64decode(normalized[1]).split(':')
|
||||
|
||||
|
|
@ -43,10 +43,11 @@ def process_basic_auth():
|
|||
|
||||
identity_changed.send(app, identity=Identity(authenticated.username))
|
||||
|
||||
return True
|
||||
return
|
||||
|
||||
# We weren't able to authenticate via basic auth.
|
||||
return False
|
||||
logger.debug('Basic auth present but could not be validated.')
|
||||
abort(401)
|
||||
|
||||
|
||||
def process_token():
|
||||
|
|
@ -56,19 +57,19 @@ def process_token():
|
|||
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
||||
logger.debug('Invalid token format.')
|
||||
return False
|
||||
return
|
||||
|
||||
token_details = normalized[1].split(',')
|
||||
|
||||
if len(token_details) != 2:
|
||||
logger.debug('Invalid token format.')
|
||||
return False
|
||||
return
|
||||
|
||||
token_vals = {val[0]: val[1] for val in
|
||||
(detail.split('=') for detail in token_details)}
|
||||
if ('signature' not in token_vals or 'repository' not in token_vals):
|
||||
logger.debug('Invalid token components.')
|
||||
return False
|
||||
return
|
||||
|
||||
unquoted = token_vals['repository'][1:-1]
|
||||
namespace, repository = parse_namespace_repository(unquoted)
|
||||
|
|
@ -86,11 +87,11 @@ def process_token():
|
|||
|
||||
identity_changed.send(app, identity=Identity(validated.code))
|
||||
|
||||
return True
|
||||
return
|
||||
|
||||
# WE weren't able to authenticate the token
|
||||
logger.debug('Token could not be validated.')
|
||||
return False
|
||||
logger.debug('Token present but could not be validated.')
|
||||
abort(401)
|
||||
|
||||
|
||||
def process_auth(f):
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ class Repository(BaseModel):
|
|||
namespace = CharField()
|
||||
name = CharField()
|
||||
visibility = ForeignKeyField(Visibility)
|
||||
description = CharField(null=True)
|
||||
|
||||
class Meta:
|
||||
database = db
|
||||
|
|
@ -66,8 +67,22 @@ class AccessToken(BaseModel):
|
|||
|
||||
|
||||
class Image(BaseModel):
|
||||
image_id = CharField(unique=True)
|
||||
# This class is intentionally denormalized. Even though images are supposed
|
||||
# to be globally unique we can't treat them as such for permissions and
|
||||
# security reasons. So rather than Repository <-> Image being many to many
|
||||
# each image now belongs to exactly one repository.
|
||||
image_id = CharField()
|
||||
checksum = CharField(null=True)
|
||||
created = DateTimeField(null=True)
|
||||
comment = CharField(null=True)
|
||||
repository = ForeignKeyField(Repository)
|
||||
|
||||
class Meta:
|
||||
database = db
|
||||
indexes = (
|
||||
# we don't really want duplicates
|
||||
(('repository', 'image_id'), True),
|
||||
)
|
||||
|
||||
|
||||
class RepositoryTag(BaseModel):
|
||||
|
|
@ -76,22 +91,9 @@ class RepositoryTag(BaseModel):
|
|||
repository = ForeignKeyField(Repository)
|
||||
|
||||
|
||||
class RepositoryImage(BaseModel):
|
||||
repository = ForeignKeyField(Repository)
|
||||
image = ForeignKeyField(Image)
|
||||
tag = CharField()
|
||||
|
||||
class Meta:
|
||||
database = db
|
||||
indexes = (
|
||||
# we don't really want duplicates
|
||||
(('repository', 'image', 'tag'), True),
|
||||
)
|
||||
|
||||
|
||||
def initialize_db():
|
||||
create_model_tables([User, Repository, Image, RepositoryImage, AccessToken,
|
||||
Role, RepositoryPermission, Visibility, RepositoryTag])
|
||||
create_model_tables([User, Repository, Image, AccessToken, Role,
|
||||
RepositoryPermission, Visibility, RepositoryTag])
|
||||
Role.create(name='admin')
|
||||
Role.create(name='write')
|
||||
Role.create(name='read')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
import bcrypt
|
||||
import logging
|
||||
import dateutil.parser
|
||||
|
||||
from database import *
|
||||
|
||||
|
|
@ -34,10 +35,15 @@ def verify_user(username, password):
|
|||
return None
|
||||
|
||||
|
||||
def create_access_token(user, repository):
|
||||
new_token = AccessToken.create(user=user, repository=repository)
|
||||
return new_token
|
||||
|
||||
|
||||
def verify_token(code, namespace_name, repository_name):
|
||||
joined = AccessToken.select(AccessToken, Repository).join(Repository)
|
||||
tokens = list(joined.where(AccessToken.code == code and
|
||||
Repository.namespace == namespace_name and
|
||||
tokens = list(joined.where(AccessToken.code == code,
|
||||
Repository.namespace == namespace_name,
|
||||
Repository.name == repository_name))
|
||||
if tokens:
|
||||
return tokens[0]
|
||||
|
|
@ -64,7 +70,7 @@ def get_all_repo_permissions(user):
|
|||
|
||||
def get_repository(namespace, name):
|
||||
try:
|
||||
return Repository.get(Repository.name == name and
|
||||
return Repository.get(Repository.name == name,
|
||||
Repository.namespace == namespace)
|
||||
except Repository.DoesNotExist:
|
||||
return None
|
||||
|
|
@ -88,28 +94,39 @@ def create_repository(namespace, name, owner):
|
|||
return repo
|
||||
|
||||
|
||||
def create_image(image_id):
|
||||
new_image = Image.create(image_id=image_id)
|
||||
def create_image(image_id, repository):
|
||||
new_image = Image.create(image_id=image_id, repository=repository)
|
||||
return new_image
|
||||
|
||||
|
||||
def set_image_checksum(image_id, checksum):
|
||||
fetched = Image.get(Image.image_id == image_id)
|
||||
def set_image_checksum(image_id, repository, checksum):
|
||||
fetched = Image.get(Image.image_id == image_id,
|
||||
Image.repository == repository)
|
||||
fetched.checksum = checksum
|
||||
fetched.save()
|
||||
return fetched
|
||||
|
||||
|
||||
def assign_image_repository(repository, image, tag):
|
||||
repo_image = RepositoryImage.create(repository=repository, image=image,
|
||||
tag=tag)
|
||||
return repo_image
|
||||
def set_image_metadata(image_id, namespace_name, repository_name,
|
||||
created_date_str, comment):
|
||||
joined = Image.select().join(Repository)
|
||||
image_list = list(joined.where(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name,
|
||||
Image.image_id == image_id))
|
||||
|
||||
if not image_list:
|
||||
raise RuntimeError('No image with specified id and repository')
|
||||
|
||||
fetched = image_list[0]
|
||||
fetched.created = dateutil.parser.parse(created_date_str)
|
||||
fetched.comment = comment
|
||||
fetched.save()
|
||||
return fetched
|
||||
|
||||
|
||||
def get_repository_images(namespace_name, repository_name):
|
||||
select = Image.select(Image, RepositoryImage)
|
||||
joined = select.join(RepositoryImage).join(Repository)
|
||||
return joined.where(Repository.name == repository_name and
|
||||
joined = Image.select().join(Repository)
|
||||
return joined.where(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name)
|
||||
|
||||
|
||||
|
|
@ -117,25 +134,25 @@ def list_repository_tags(namespace_name, repository_name):
|
|||
select = RepositoryTag.select(RepositoryTag, Image)
|
||||
with_repo = select.join(Repository)
|
||||
with_image = with_repo.switch(RepositoryTag).join(Image)
|
||||
return with_image.where(Repository.name == repository_name and
|
||||
return with_image.where(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name)
|
||||
|
||||
|
||||
def get_tag_image(namespace_name, repository_name, tag_name):
|
||||
joined = Image.select().join(RepositoryTag).join(Repository)
|
||||
return joined.where(Repository.name == repository_name and
|
||||
Repository.namespace == namespace_name and
|
||||
return joined.where(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name,
|
||||
RepositoryTag.name == tag_name)
|
||||
|
||||
|
||||
def create_or_update_tag(namespace_name, repository_name, tag_name,
|
||||
tag_image_id):
|
||||
repo = Repository.get(Repository.name == repository_name and
|
||||
repo = Repository.get(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name)
|
||||
image = Image.get(Image.image_id == tag_image_id)
|
||||
|
||||
try:
|
||||
tag = RepositoryTag.get(RepositoryTag.repository == repo and
|
||||
tag = RepositoryTag.get(RepositoryTag.repository == repo,
|
||||
RepositoryTag.name == tag_name)
|
||||
tag.image = image
|
||||
tag.save()
|
||||
|
|
@ -146,25 +163,20 @@ def create_or_update_tag(namespace_name, repository_name, tag_name,
|
|||
|
||||
|
||||
def delete_tag(namespace_name, repository_name, tag_name):
|
||||
repo = Repository.get(Repository.name == repository_name and
|
||||
repo = Repository.get(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name)
|
||||
tag = RepositoryTag.get(RepositoryTag.repository == repo and
|
||||
tag = RepositoryTag.get(RepositoryTag.repository == repo,
|
||||
RepositoryTag.name == tag_name)
|
||||
tag.delete_instance()
|
||||
|
||||
|
||||
def delete_all_repository_tags(namespace_name, repository_name):
|
||||
repo = Repository.get(Repository.name == repository_name and
|
||||
repo = Repository.get(Repository.name == repository_name,
|
||||
Repository.namespace == namespace_name)
|
||||
RepositoryTag.delete().where(RepositoryTag.repository == repo)
|
||||
|
||||
|
||||
def create_access_token(repository, user):
|
||||
new_token = AccessToken.create(user=user, repository=repository)
|
||||
return new_token
|
||||
|
||||
|
||||
def get_user_repo_permissions(user, repository):
|
||||
select = RepositoryPermission.select()
|
||||
return select.where(RepositoryPermission.user == user and
|
||||
return select.where(RepositoryPermission.user == user,
|
||||
RepositoryPermission.repository == repository)
|
||||
|
|
|
|||
|
|
@ -55,9 +55,6 @@ def create_user():
|
|||
@app.route('/v1/users/', methods=['GET'])
|
||||
@process_auth
|
||||
def get_user():
|
||||
if not get_authenticated_user():
|
||||
abort(401)
|
||||
|
||||
return jsonify({
|
||||
'username': get_authenticated_user().username,
|
||||
'email': get_authenticated_user().email,
|
||||
|
|
@ -101,14 +98,9 @@ def create_repository(namespace, repository):
|
|||
if repo:
|
||||
permission = ModifyRepositoryPermission(namespace, repository)
|
||||
if not permission.can():
|
||||
if get_validated_token() or get_authenticated_user():
|
||||
abort(403)
|
||||
else:
|
||||
abort(401)
|
||||
else:
|
||||
if not get_authenticated_user():
|
||||
abort(401)
|
||||
|
||||
else:
|
||||
if get_authenticated_user().username != namespace:
|
||||
abort(403)
|
||||
|
||||
|
|
@ -126,8 +118,7 @@ def create_repository(namespace, repository):
|
|||
existing.repositoryimage.delete()
|
||||
|
||||
for image_description in added_images.values():
|
||||
image = model.create_image(image_description['id'])
|
||||
model.assign_image_repository(repo, image, image_description['Tag'])
|
||||
image = model.create_image(image_description['id'], repo)
|
||||
|
||||
response = make_response('Created', 201)
|
||||
return response
|
||||
|
|
@ -141,10 +132,13 @@ def update_images(namespace, repository):
|
|||
permission = ModifyRepositoryPermission(namespace, repository)
|
||||
|
||||
if permission.can():
|
||||
repository = model.get_repository(namespace, repository)
|
||||
image_with_checksums = json.loads(request.data)
|
||||
|
||||
for image in image_with_checksums:
|
||||
model.set_image_checksum(image['id'], image['checksum'])
|
||||
logger.debug('Setting checksum for image id: %s to %s' %
|
||||
(image['id'], image['checksum']))
|
||||
model.set_image_checksum(image['id'], repository, image['checksum'])
|
||||
|
||||
return make_response('Updated', 204)
|
||||
|
||||
|
|
@ -165,7 +159,6 @@ def get_repository_images(namespace, repository):
|
|||
for image in model.get_repository_images(namespace, repository):
|
||||
new_image_view = {
|
||||
'id': image.image_id,
|
||||
'tag': image.repositoryimage.tag,
|
||||
'checksum': image.checksum,
|
||||
}
|
||||
all_images.append(new_image_view)
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ from auth.auth import process_auth, extract_namespace_repo_from_session
|
|||
from util import checksums
|
||||
from auth.permissions import (ReadRepositoryPermission,
|
||||
ModifyRepositoryPermission)
|
||||
from data import model
|
||||
|
||||
|
||||
store = storage.load()
|
||||
|
|
@ -286,6 +287,9 @@ def put_image_json(namespace, repository, image_id):
|
|||
abort(409) #'Image already exists', 409)
|
||||
# If we reach that point, it means that this is a new image or a retry
|
||||
# on a failed push
|
||||
# save the metadata
|
||||
model.set_image_metadata(image_id, namespace, repository,
|
||||
data.get('created'), data.get('comment'))
|
||||
store.put_content(mark_path, 'true')
|
||||
store.put_content(json_path, request.data)
|
||||
generate_ancestry(namespace, repository, image_id, parent_id)
|
||||
|
|
|
|||
BIN
test.db
BIN
test.db
Binary file not shown.
Reference in a new issue