Propagate the grant user context to the signed grant to fix image sharing.

endpoints/index.py

@@ -60,7 +60,8 @@ def generate_headers(scope=GrantType.READ_REPOSITORY):
 
         if permission.can():
           # Generate a signed grant which expires here
-          signature = generate_signed_token(grants)
+          user_context = get_authenticated_user() and get_authenticated_user().username
+          signature = generate_signed_token(grants, user_context)
           response.headers['WWW-Authenticate'] = signature
           response.headers['X-Docker-Token'] = signature
         else:

endpoints/registry.py

@@ -9,7 +9,7 @@ from time import time
 
 from app import storage as store, image_diff_queue, app
 from auth.auth import process_auth, extract_namespace_repo_from_session
-from auth.auth_context import get_authenticated_user
+from auth.auth_context import get_authenticated_user, get_grant_user_context
 from util import checksums, changes
 from util.http import abort, exact_abort
 from auth.permissions import (ReadRepositoryPermission,
@@ -463,8 +463,9 @@ def put_image_json(namespace, repository, image_id):
 
   repo_image = model.get_repo_image_extended(namespace, repository, image_id)
   if not repo_image:
-    logger.debug('Image not found, creating image')
-    username = get_authenticated_user() and get_authenticated_user().username
+    username = (get_authenticated_user() and get_authenticated_user().username or
+                get_grant_user_context())
+    logger.debug('Image not found, creating image with initiating user context: %s', username)
     repo_image = model.find_create_or_link_image(image_id, repo, username, {},
                                                  store.preferred_locations[0])