Determine which TUF root to show based on actual access, not requested
access
This commit is contained in:
parent
7b411b2c25
commit
43dd974dca
5 changed files with 61 additions and 38 deletions
@ -17,8 +17,6 @@ from util.cache import no_cache
|
|||
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
|
||||
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
|
||||
|
||||
CLAIM_APOSTILLE_ROOT = 'com.apostille.root'
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
@ -67,6 +65,7 @@ def generate_registry_jwt(auth_result):
|
|||
user_event_data = {
|
||||
'action': 'login',
|
||||
}
|
||||
tuf_root = 'quay'
|
||||
|
||||
if len(scope_param) > 0:
|
||||
match = get_scope_regex().match(scope_param)
|
||||
|
@ -162,6 +161,8 @@ def generate_registry_jwt(auth_result):
|
|||
'repository': reponame,
|
||||
'namespace': namespace,
|
||||
}
|
||||
|
||||
tuf_root = get_tuf_root(namespace, reponame)
|
||||
|
||||
elif user is None and token is None:
|
||||
# In this case, we are doing an auth flow, and it's not an anonymous pull
|
||||
|
@ -174,28 +175,14 @@ def generate_registry_jwt(auth_result):
|
|||
event.publish_event_data('docker-cli', user_event_data)
|
||||
|
||||
# Build the signed JWT.
|
||||
context, subject = build_context_and_subject(user, token, oauthtoken)
|
||||
context = attach_metadata_root_name(context, access)
|
||||
context, subject = build_context_and_subject(user, token, oauthtoken, tuf_root)
|
||||
token = generate_bearer_token(audience_param, subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
|
||||
return jsonify({'token': token})
|
||||
|
||||
|
||||
def attach_metadata_root_name(context, access):
|
||||
"""
|
||||
Adds in metadata_root_name into JWT context when appropriate
|
||||
"""
|
||||
try:
|
||||
actions = access[0]["actions"]
|
||||
except(TypeError, IndexError, KeyError):
|
||||
return context
|
||||
|
||||
if not actions:
|
||||
return context
|
||||
|
||||
if "push" in actions:
|
||||
context[CLAIM_APOSTILLE_ROOT] = 'signer'
|
||||
else:
|
||||
context[CLAIM_APOSTILLE_ROOT] = 'quay'
|
||||
|
||||
return context
|
||||
def get_tuf_root(namespace, reponame):
|
||||
# Users with write access to a repo will see signer-rooted TUF metadata
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
return 'signer'
|
||||
return 'quay'
|
||||
|
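Review bot: `get_tuf_root` in the last hunk decides the root from `ModifyRepositoryPermission(namespace, reponame).can()`, i.e. from the identity's repository permission, not from the `access` actually granted in the token, so an identity with write permission that requested a pull-only scope still receives the `'signer'` root; if that is the intended meaning of "actual access" it should be stated in the function, e.g. a docstring `"""Return the TUF root ('signer' or 'quay') for namespace/reponame based on the caller's repository permission, independent of the scope requested in the token."""` replacing the leading `#` comment. The literal `'quay'` now appears both as the default `tuf_root = 'quay'` in the second hunk and as the fallback return in `get_tuf_root`, and `'signer'` as the other return; a module-level constant for each would keep them in step with whatever `build_context_and_subject` writes into the claim, which presumably now owns the removed `CLAIM_APOSTILLE_ROOT` key (not visible here). `generate_registry_jwt`, which the second and third hunks modify, begins outside every hunk shown.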