Fix auth and add V2 tests!
This commit is contained in:
Joseph Schorr
parent
afdd687192
commit
42dba8655c
5 changed files with 180 additions and 51 deletions
|
|
@ -18,13 +18,14 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
|
|||
from endpoints.v2 import v2_bp
|
||||
from util.cache import no_cache
|
||||
from util.names import parse_namespace_repository
|
||||
from endpoints.decorators import anon_protect
|
||||
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
SCOPE_REGEX = re.compile(
|
||||
r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))'
|
||||
r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
|
||||
)
|
||||
|
||||
|
||||
|
|
@ -43,6 +44,7 @@ def load_private_key(private_key_file_path):
|
|||
@v2_bp.route('/auth')
|
||||
@process_auth
|
||||
@no_cache
|
||||
@anon_protect
|
||||
def generate_registry_jwt():
|
||||
""" This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:
|
||||
https://docs.docker.com/registry/spec/auth/token/
|
||||
|
|
@ -54,15 +56,11 @@ def generate_registry_jwt():
|
|||
logger.debug('Scope request: %s', scope_param)
|
||||
|
||||
user = get_authenticated_user()
|
||||
if user is None:
|
||||
abort(404)
|
||||
|
||||
access = []
|
||||
if scope_param is not None:
|
||||
match = SCOPE_REGEX.match(scope_param)
|
||||
if match is None or match.end() != len(scope_param):
|
||||
if match is None:
|
||||
logger.debug('Match: %s', match)
|
||||
logger.debug('End: %s', match.end())
|
||||
logger.debug('len: %s', len(scope_param))
|
||||
logger.warning('Unable to decode repository and actions: %s', scope_param)
|
||||
abort(400)
|
||||
|
|
@ -74,17 +72,21 @@ def generate_registry_jwt():
|
|||
|
||||
namespace, reponame = parse_namespace_repository(namespace_and_repo)
|
||||
if 'pull' in actions and 'push' in actions:
|
||||
if user is None:
|
||||
abort(401)
|
||||
|
||||
repo = model.repository.get_repository(namespace, reponame)
|
||||
if repo:
|
||||
if not ModifyRepositoryPermission(namespace, reponame):
|
||||
if not ModifyRepositoryPermission(namespace, reponame).can():
|
||||
abort(403)
|
||||
else:
|
||||
if not CreateRepositoryPermission(namespace):
|
||||
if not CreateRepositoryPermission(namespace).can():
|
||||
abort(403)
|
||||
logger.debug('Creating repository: %s/%s', namespace, reponame)
|
||||
model.repository.create_repository(namespace, reponame, user)
|
||||
elif 'pull' in actions:
|
||||
if not ReadRepositoryPermission(namespace, reponame):
|
||||
if (not ReadRepositoryPermission(namespace, reponame).can() and
|
||||
not model.repository.repository_is_public(namespace, reponame)):
|
||||
abort(403)
|
||||
|
||||
|
||||
|
|
@ -99,7 +101,7 @@ def generate_registry_jwt():
|
|||
'aud': audience_param,
|
||||
'nbf': int(time.time()),
|
||||
'exp': int(time.time() + 60),
|
||||
'sub': user.username,
|
||||
'sub': user.username if user else '(anonymous)',
|
||||
'access': access,
|
||||
}
|
||||
|
||||
|
|
|
|||
Reference in a new issue