Fix auth and add V2 tests!

endpoints/v2/blob.py

@@ -59,7 +59,7 @@ def _base_blob_fetch(namespace, repo_name, digest):
 
   # Add the Accept-Ranges header if the storage engine supports resumable
   # downloads.
-  if storage.get_supports_resumable_downloads(found.storage.locations):
+  if storage.get_supports_resumable_downloads(found.locations):
     logger.debug('Storage supports resumable downloads')
     headers['Accept-Ranges'] = 'bytes'
 

endpoints/v2/manifest.py

@@ -63,8 +63,10 @@ class SignedManifest(object):
 
   def __init__(self, manifest_bytes):
     self._bytes = manifest_bytes
-    self._parsed = yaml.safe_load(manifest_bytes)
 
+    # TODO(jakedt): If the manifest_bytes doesn't parse as valid YAML, safe_load returns the
+    # same string again. We should throw some sort of exception.
+    self._parsed = yaml.safe_load(manifest_bytes)
     self._signatures = self._parsed[_SIGNATURES_KEY]
     self._namespace, self._repo_name = self._parsed[_REPO_NAME_KEY].split('/')
     self._tag = self._parsed[_REPO_TAG_KEY]
@@ -107,8 +109,10 @@ class SignedManifest(object):
                                                   self._parsed[_HISTORY_KEY])):
       image_digest = digest_tools.Digest.parse_digest(blob_sum_obj[_BLOB_SUM_KEY])
       metadata_string = history_obj[_V1_COMPAT_KEY]
-      v1_metadata = yaml.safe_load(metadata_string)
 
+      # TODO(jakedt): If the metadata_string doesn't parse as valid YAML, safe_load returns the
+      # same string again. We should throw some sort of exception.
+      v1_metadata = yaml.safe_load(metadata_string)
       command_list = v1_metadata.get('container_config', {}).get('Cmd', None)
       command = json.dumps(command_list) if command_list else None
 

endpoints/v2/v2auth.py

@@ -18,13 +18,14 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
 from endpoints.v2 import v2_bp
 from util.cache import no_cache
 from util.names import parse_namespace_repository
+from endpoints.decorators import anon_protect
 
 
 logger = logging.getLogger(__name__)
 
 
 SCOPE_REGEX = re.compile(
-    r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))'
+    r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
 )
 
 
@@ -43,6 +44,7 @@ def load_private_key(private_key_file_path):
 @v2_bp.route('/auth')
 @process_auth
 @no_cache
+@anon_protect
 def generate_registry_jwt():
   """ This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:
       https://docs.docker.com/registry/spec/auth/token/
@@ -54,15 +56,11 @@ def generate_registry_jwt():
   logger.debug('Scope request: %s', scope_param)
 
   user = get_authenticated_user()
-  if user is None:
-    abort(404)
-
   access = []
   if scope_param is not None:
     match = SCOPE_REGEX.match(scope_param)
-    if match is None or match.end() != len(scope_param):
+    if match is None:
       logger.debug('Match: %s', match)
-      logger.debug('End: %s', match.end())
       logger.debug('len: %s', len(scope_param))
       logger.warning('Unable to decode repository and actions: %s', scope_param)
       abort(400)
@@ -74,17 +72,21 @@ def generate_registry_jwt():
 
     namespace, reponame = parse_namespace_repository(namespace_and_repo)
     if 'pull' in actions and 'push' in actions:
+      if user is None:
+        abort(401)
+
       repo = model.repository.get_repository(namespace, reponame)
       if repo:
-        if not ModifyRepositoryPermission(namespace, reponame):
+        if not ModifyRepositoryPermission(namespace, reponame).can():
           abort(403)
       else:
-        if not CreateRepositoryPermission(namespace):
+        if not CreateRepositoryPermission(namespace).can():
           abort(403)
         logger.debug('Creating repository: %s/%s', namespace, reponame)
         model.repository.create_repository(namespace, reponame, user)
     elif 'pull' in actions:
-      if not ReadRepositoryPermission(namespace, reponame):
+      if (not ReadRepositoryPermission(namespace, reponame).can() and
+          not model.repository.repository_is_public(namespace, reponame)):
         abort(403)
 
 
@@ -99,7 +101,7 @@ def generate_registry_jwt():
     'aud': audience_param,
     'nbf': int(time.time()),
     'exp': int(time.time() + 60),
-    'sub': user.username,
+    'sub': user.username if user else '(anonymous)',
     'access': access,
   }