Namespace the storage in the registry to prevent leaking images if one acquires the image id.

2013-09-25 20:00:22 -04:00 · 2013-09-25 20:00:22 -04:00 · 44255421df
commit 44255421df
parent deee70d53b
5 changed files with 116 additions and 93 deletions
--- a/endpoints/index.py
+++ b/endpoints/index.py
@ -21,27 +21,25 @@ logger = logging.getLogger(__name__)
 REGISTRY_SERVER = 'localhost:5003'


-def generate_headers(access):
-  def add_headers(f):
-    @wraps(f)
-    def wrapper(namespace, repository, *args, **kwargs):
-      response = f(namespace, repository, *args, **kwargs)
+def generate_headers(f):
+  @wraps(f)
+  def wrapper(namespace, repository, *args, **kwargs):
+    response = f(namespace, repository, *args, **kwargs)

-      response.headers['X-Docker-Endpoints'] = REGISTRY_SERVER
+    response.headers['X-Docker-Endpoints'] = REGISTRY_SERVER

-      has_token_request = request.headers.get('X-Docker-Token', '')
+    has_token_request = request.headers.get('X-Docker-Token', '')

-      if has_token_request and get_authenticated_user():
-        repo = model.get_repository(namespace, repository)
-        token = model.create_access_token(get_authenticated_user(), repo)
-        token_str = ('Token signature=%s,repository="%s/%s",access=%s' %
-                     (token.code, namespace, repository, access))
-        response.headers['WWW-Authenticate'] = token_str
-        response.headers['X-Docker-Token'] = token_str
+    if has_token_request and get_authenticated_user():
+      repo = model.get_repository(namespace, repository)
+      token = model.create_access_token(get_authenticated_user(), repo)
+      token_str = 'signature=%s,repository="%s/%s"' % (token.code, namespace,
+                                                     repository)
+      response.headers['WWW-Authenticate'] = token_str
+      response.headers['X-Docker-Token'] = token_str

-      return response
-    return wrapper
-  return add_headers
+    return response
+  return wrapper


@app.route('/v1/users', methods=['POST'])
@ -94,7 +92,7 @@ def update_user(username):
@app.route('/v1/repositories/<path:repository>', methods=['PUT'])
@process_auth
@parse_repository_name
-@generate_headers(access='write')
+@generate_headers
 def create_repository(namespace, repository):
  image_descriptions = json.loads(request.data)

@ -138,7 +136,7 @@ def create_repository(namespace, repository):
@app.route('/v1/repositories/<path:repository>/images', methods=['PUT'])
@process_auth
@parse_repository_name
-@generate_headers(access='write')
+@generate_headers
 def update_images(namespace, repository):
  permission = ModifyRepositoryPermission(namespace, repository)

@ -156,7 +154,7 @@ def update_images(namespace, repository):
@app.route('/v1/repositories/<path:repository>/images', methods=['GET'])
@process_auth
@parse_repository_name
-@generate_headers(access='read')
+@generate_headers
 def get_repository_images(namespace, repository):
  permission = ReadRepositoryPermission(namespace, repository)

@ -183,7 +181,7 @@ def get_repository_images(namespace, repository):
@app.route('/v1/repositories/<path:repository>/images', methods=['DELETE'])
@process_auth
@parse_repository_name
-@generate_headers(access='delete')
+@generate_headers
 def delete_repository_images(namespace, repository):
  pass