First stab at token auth. The UI could use a little bit of polishing.
This commit is contained in:
yackob03
parent
f1746417b1
commit
283f9b81ae
9 changed files with 360 additions and 91 deletions
|
|
@ -456,6 +456,92 @@ def delete_permissions(namespace, repository, username):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
def token_view(token_obj):
|
||||
return {
|
||||
'friendlyName': token_obj.friendly_name,
|
||||
'code': token_obj.code,
|
||||
'role': token_obj.role.name,
|
||||
}
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/tokens/', methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_tokens(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
tokens = model.get_repository_delegate_tokens(namespace, repository)
|
||||
|
||||
return jsonify({
|
||||
'tokens': {token.code: token_view(token) for token in tokens}
|
||||
})
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/tokens/<code>', methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def get_tokens(namespace, repository, code):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_repo_delegate_token(namespace, repository, code)
|
||||
return jsonify(token_view(perm))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/tokens/', methods=['POST'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def create_token(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
token_params = request.get_json()
|
||||
|
||||
token = model.create_delegate_token(namespace, repository,
|
||||
token_params['friendlyName'])
|
||||
|
||||
resp = jsonify(token_view(token))
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/tokens/<code>', methods=['PUT'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def change_token(namespace, repository, code):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
new_permission = request.get_json()
|
||||
|
||||
logger.debug('Setting permission to: %s for code %s' %
|
||||
(new_permission['role'], code))
|
||||
|
||||
token = model.set_repo_delegate_token_role(namespace, repository, code,
|
||||
new_permission['role'])
|
||||
|
||||
resp = jsonify(token_view(token))
|
||||
return resp
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/tokens/<code>',
|
||||
methods=['DELETE'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def delete_token(namespace, repository, code):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
model.delete_delegate_token(namespace, repository, code)
|
||||
return make_response('Deleted', 204)
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
def subscription_view(stripe_subscription, used_repos):
|
||||
return {
|
||||
'currentPeriodStart': stripe_subscription.current_period_start,
|
||||
|
|
|
|||
|
|
@ -19,25 +19,26 @@ from auth.permissions import (ModifyRepositoryPermission,
|
|||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def generate_headers(f):
|
||||
@wraps(f)
|
||||
def wrapper(namespace, repository, *args, **kwargs):
|
||||
response = f(namespace, repository, *args, **kwargs)
|
||||
def generate_headers(role='read'):
|
||||
def decorator_method(f):
|
||||
@wraps(f)
|
||||
def wrapper(namespace, repository, *args, **kwargs):
|
||||
response = f(namespace, repository, *args, **kwargs)
|
||||
|
||||
response.headers['X-Docker-Endpoints'] = app.config['REGISTRY_SERVER']
|
||||
response.headers['X-Docker-Endpoints'] = app.config['REGISTRY_SERVER']
|
||||
|
||||
has_token_request = request.headers.get('X-Docker-Token', '')
|
||||
has_token_request = request.headers.get('X-Docker-Token', '')
|
||||
|
||||
if has_token_request:
|
||||
repo = model.get_repository(namespace, repository)
|
||||
token = model.create_access_token(get_authenticated_user(), repo)
|
||||
token_str = 'signature=%s,repository="%s/%s"' % (token.code, namespace,
|
||||
repository)
|
||||
response.headers['WWW-Authenticate'] = token_str
|
||||
response.headers['X-Docker-Token'] = token_str
|
||||
if has_token_request:
|
||||
repo = model.get_repository(namespace, repository)
|
||||
token = model.create_access_token(repo, role)
|
||||
token_str = 'signature=%s' % token.code
|
||||
response.headers['WWW-Authenticate'] = token_str
|
||||
response.headers['X-Docker-Token'] = token_str
|
||||
|
||||
return response
|
||||
return wrapper
|
||||
return response
|
||||
return wrapper
|
||||
return decorator_method
|
||||
|
||||
|
||||
@app.route('/v1/users', methods=['POST'])
|
||||
|
|
@ -47,6 +48,13 @@ def create_user():
|
|||
username = user_data['username']
|
||||
password = user_data['password']
|
||||
|
||||
if username == '$token':
|
||||
try:
|
||||
token = model.load_token_data(password)
|
||||
return make_response('Verified', 201)
|
||||
except model.InvalidTokenException:
|
||||
abort(401)
|
||||
|
||||
existing_user = model.get_user(username)
|
||||
if existing_user:
|
||||
verified = model.verify_user(username, password)
|
||||
|
|
@ -100,13 +108,17 @@ def update_user(username):
|
|||
@app.route('/v1/repositories/<path:repository>', methods=['PUT'])
|
||||
@process_auth
|
||||
@parse_repository_name
|
||||
@generate_headers
|
||||
@generate_headers(role='write')
|
||||
def create_repository(namespace, repository):
|
||||
image_descriptions = json.loads(request.data)
|
||||
|
||||
repo = model.get_repository(namespace, repository)
|
||||
|
||||
if repo:
|
||||
if not repo and get_authenticated_user() is None:
|
||||
logger.debug('Attempt to create new repository with token auth.')
|
||||
abort(400)
|
||||
|
||||
elif repo:
|
||||
permission = ModifyRepositoryPermission(namespace, repository)
|
||||
if not permission.can():
|
||||
abort(403)
|
||||
|
|
@ -135,7 +147,10 @@ def create_repository(namespace, repository):
|
|||
|
||||
response = make_response('Created', 201)
|
||||
|
||||
mixpanel.track(get_authenticated_user().username, 'push_repo')
|
||||
if get_authenticated_user():
|
||||
mixpanel.track(get_authenticated_user().username, 'push_repo')
|
||||
else:
|
||||
mixpanel.track(get_validated_token().code, 'push_repo')
|
||||
|
||||
return response
|
||||
|
||||
|
|
@ -143,7 +158,7 @@ def create_repository(namespace, repository):
|
|||
@app.route('/v1/repositories/<path:repository>/images', methods=['PUT'])
|
||||
@process_auth
|
||||
@parse_repository_name
|
||||
@generate_headers
|
||||
@generate_headers(role='write')
|
||||
def update_images(namespace, repository):
|
||||
permission = ModifyRepositoryPermission(namespace, repository)
|
||||
|
||||
|
|
@ -164,7 +179,7 @@ def update_images(namespace, repository):
|
|||
@app.route('/v1/repositories/<path:repository>/images', methods=['GET'])
|
||||
@process_auth
|
||||
@parse_repository_name
|
||||
@generate_headers
|
||||
@generate_headers(role='read')
|
||||
def get_repository_images(namespace, repository):
|
||||
permission = ReadRepositoryPermission(namespace, repository)
|
||||
|
||||
|
|
@ -196,7 +211,7 @@ def get_repository_images(namespace, repository):
|
|||
@app.route('/v1/repositories/<path:repository>/images', methods=['DELETE'])
|
||||
@process_auth
|
||||
@parse_repository_name
|
||||
@generate_headers
|
||||
@generate_headers(role='write')
|
||||
def delete_repository_images(namespace, repository):
|
||||
pass
|
||||
|
||||
|
|
|
|||
Reference in a new issue