Determine which TUF root to show based on actual access, not requested

access

util/security/registry_jwt.py

@@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)
 
 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'
+CLAIM_TUF_ROOT = 'com.apostille.root'
 
 # The number of allowed seconds of clock skew for a JWT. The iat, nbf and exp are adjusted with this
 # count.
@@ -99,14 +100,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
   return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
 
 
-def build_context_and_subject(user, token, oauthtoken):
+def build_context_and_subject(user, token, oauthtoken, tuf_root):
   """ Builds the custom context field for the JWT signed token and returns it,
       along with the subject for the JWT signed token. """
+  
+  # Serve quay root if not explicitly granted permission to see signer root
+  if not tuf_root:
+    tuf_root = 'quay'
+    
   if oauthtoken:
     context = {
       'kind': 'oauth',
       'user': user.username,
       'oauth': oauthtoken.uuid,
+      CLAIM_TUF_ROOT: tuf_root,
     }
 
     return (context, user.username)
@@ -115,6 +122,7 @@ def build_context_and_subject(user, token, oauthtoken):
     context = {
       'kind': 'user',
       'user': user.username,
+      CLAIM_TUF_ROOT: tuf_root,
     }
     return (context, user.username)
 
@@ -122,11 +130,13 @@ def build_context_and_subject(user, token, oauthtoken):
     context = {
       'kind': 'token',
       'token': token.code,
+      CLAIM_TUF_ROOT: tuf_root,
     }
     return (context, None)
 
   context = {
     'kind': 'anonymous',
+    CLAIM_TUF_ROOT: tuf_root,
   }
   return (context, ANONYMOUS_SUB)