Make our JWT subjects better and log using the info

Fixes #1039

endpoints/v2/v2auth.py

@@ -9,7 +9,8 @@ from cachetools import lru_cache
 from app import app
 from data import model
 from auth.auth import process_auth
-from auth.auth_context import get_authenticated_user, get_validated_token
+from auth.jwt_auth import build_context_and_subject
+from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
 from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
                               CreateRepositoryPermission)
 from endpoints.v2 import v2_bp
@@ -24,8 +25,6 @@ TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 SCOPE_REGEX = re.compile(
     r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
 )
-ANONYMOUS_SUB = '(anonymous)'
-
 
 @lru_cache(maxsize=1)
 def load_certificate_bytes(certificate_file_path):
@@ -58,6 +57,10 @@ def generate_registry_jwt():
 
   token = get_validated_token()
   logger.debug('Authenticated token: %s', token)
+
+  oauthtoken = get_validated_oauth_token()
+  logger.debug('Authenticated OAuth token: %s', oauthtoken)
+
   access = []
   if scope_param is not None:
     match = SCOPE_REGEX.match(scope_param)
@@ -123,14 +126,16 @@ def generate_registry_jwt():
     # In this case, we are doing an auth flow, and it's not an anonymous pull
     return abort(401)
 
+  context, subject = build_context_and_subject(user, token, oauthtoken)
   token_data = {
     'iss': app.config['JWT_AUTH_TOKEN_ISSUER'],
     'aud': audience_param,
     'nbf': int(time.time()),
     'iat': int(time.time()),
     'exp': int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
-    'sub': user.username if user else ANONYMOUS_SUB,
+    'sub': subject,
     'access': access,
+    'context': context,
   }
 
   certificate = load_certificate_bytes(app.config['JWT_AUTH_CERTIFICATE_PATH'])