Namespace the storage in the registry to prevent leaking images if one acquires the image id.
parent
deee70d53b
commit
44255421df
5 changed files with 116 additions and 93 deletions
28
auth/auth.py
28
auth/auth.py
|
@ -1,7 +1,7 @@
|
|||
import logging
|
||||
|
||||
from functools import wraps
|
||||
from flask import request, make_response, _request_ctx_stack, abort
|
||||
from flask import request, make_response, _request_ctx_stack, abort, session
|
||||
from flask.ext.principal import identity_changed, Identity
|
||||
from base64 import b64decode
|
||||
|
||||
|
@ -54,29 +54,32 @@ def process_token():
|
|||
logger.debug('Validating auth token: %s' % auth)
|
||||
|
||||
normalized = [part.strip() for part in auth.split(' ') if part]
|
||||
if normalized[0].lower() != 'token' or len(normalized) != 3:
|
||||
if normalized[0].lower() != 'token' or len(normalized) != 2:
|
||||
logger.debug('Invalid token format.')
|
||||
return False
|
||||
|
||||
token_details = normalized[2].split(',')
|
||||
token_details = normalized[1].split(',')
|
||||
|
||||
if len(token_details) != 3:
|
||||
if len(token_details) != 2:
|
||||
logger.debug('Invalid token format.')
|
||||
return False
|
||||
|
||||
token_vals = {val[0]: val[1] for val in
|
||||
(detail.split('=') for detail in token_details)}
|
||||
if ('signature' not in token_vals or 'access' not in token_vals or
|
||||
'repository' not in token_vals):
|
||||
if ('signature' not in token_vals or 'repository' not in token_vals):
|
||||
logger.debug('Invalid token components.')
|
||||
return False
|
||||
|
||||
unquoted = token_vals['repository'][1:-1]
|
||||
namespace, repository = parse_namespace_repository(unquoted)
|
||||
logger.debug('Validing signature: %s' % token_vals['signature'])
|
||||
validated = model.verify_token(token_vals['signature'])
|
||||
validated = model.verify_token(token_vals['signature'], namespace,
|
||||
repository)
|
||||
|
||||
if validated:
|
||||
session['repository'] = repository
|
||||
session['namespace'] = namespace
|
||||
|
||||
logger.debug('Successfully validated token: %s' % validated.code)
|
||||
ctx = _request_ctx_stack.top
|
||||
ctx.validated_token = validated
|
||||
|
@ -97,3 +100,14 @@ def process_auth(f):
|
|||
process_basic_auth()
|
||||
return f(*args, **kwargs)
|
||||
return wrapper
|
||||
|
||||
|
||||
def extract_namespace_repo_from_session(f):
|
||||
@wraps(f)
|
||||
def wrapper(*args, **kwargs):
|
||||
if 'namespace' not in session or 'repository' not in session:
|
||||
logger.debug('Unable to load namespace or repository from session.')
|
||||
abort(400)
|
||||
|
||||
return f(session['namespace'], session['repository'], *args, **kwargs)
|
||||
return wrapper
|
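Review bot: `unquoted = token_vals['repository'][1:-1]` assumes the repository value arrives wrapped in quotes and strips one character from each end without checking, so an unquoted value silently loses its first and last characters and a one-character value becomes `''` before `parse_namespace_repository` ever sees it; guard it first, e.g. `rep = token_vals['repository']` / `if len(rep) < 2 or rep[0] != '"' or rep[-1] != '"': return False` and then slice. Separately, `session['repository']` and `session['namespace']` are written only when the token validates and are never cleared on the `return False` paths, so a later request on the same session whose token fails may still carry the previous request's values into `extract_namespace_repo_from_session`, which checks only that the keys exist; whether that is reachable depends on how `process_auth` handles a False return, which is outside this hunk, but popping both keys on the failure paths would remove the question. `process_token` begins before this hunk.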