diff --git a/app.py b/app.py index 7d551189c..006084bda 100644 --- a/app.py +++ b/app.py @@ -50,15 +50,6 @@ DOCKER_V2_SIGNINGKEY_FILENAME = 'docker_v2.pem' app = Flask(__name__) logger = logging.getLogger(__name__) - -class RegexConverter(BaseConverter): - def __init__(self, url_map, *items): - super(RegexConverter, self).__init__(url_map) - self.regex = items[0] - - -app.url_map.converters['regex'] = RegexConverter - # Instantiate the configuration. is_testing = 'TEST' in os.environ is_kubernetes = 'KUBERNETES_SERVICE_HOST' in os.environ @@ -126,6 +117,41 @@ if app.config['SECRET_KEY'] is None: features.import_features(app.config) +# Register custom converters. +class RegexConverter(BaseConverter): + """ Converter for handling custom regular expression patterns in paths. """ + def __init__(self, url_map, *items): + super(RegexConverter, self).__init__(url_map) + self.regex = items[0] + +class RepositoryPathConverter(BaseConverter): + """ Converter for handling repository paths. Handles both library and non-library paths (if + configured). + """ + def __init__(self, url_map, *items): + super(RepositoryPathConverter, self).__init__(url_map) + self.weight = 200 + + if features.LIBRARY_SUPPORT: + # Allow names without namespaces. + self.regex = r'[^/]+(/[^/]+)?' + else: + self.regex = r'([^/]+/[^/]+)' + + +class APIRepositoryPathConverter(BaseConverter): + """ Converter for handling repository paths. Does not handle library paths. + """ + def __init__(self, url_map, *items): + super(APIRepositoryPathConverter, self).__init__(url_map) + self.weight = 200 + self.regex = r'([^/]+/[^/]+)' + + +app.url_map.converters['regex'] = RegexConverter +app.url_map.converters['repopath'] = RepositoryPathConverter +app.url_map.converters['apirepopath'] = APIRepositoryPathConverter + Principal(app, use_sessions=False) avatar = Avatar(app) diff --git a/auth/registry_jwt_auth.py b/auth/registry_jwt_auth.py index 9145dc1c0..42ca5329b 100644 --- a/auth/registry_jwt_auth.py +++ b/auth/registry_jwt_auth.py @@ -207,8 +207,9 @@ def identity_from_bearer_token(bearer_token, max_signed_s, public_key): logger.exception('We should not be minting invalid credentials') raise InvalidJWTException('Token contained invalid or malformed access grants') + lib_namespace = app.config['LIBRARY_NAMESPACE'] for grant in payload['access']: - namespace, repo_name = parse_namespace_repository(grant['name']) + namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace) if 'push' in grant['actions']: loaded_identity.provides.add(repository_write_grant(namespace, repo_name)) diff --git a/config.py b/config.py index 49ecdd50e..ac0d6ff95 100644 --- a/config.py +++ b/config.py @@ -199,6 +199,16 @@ class DefaultConfig(object): # Feature Flag: Whether or not to rotate old action logs to storage. FEATURE_ACTION_LOG_ROTATION = False + # Feature Flag: Whether to allow for "namespace-less" repositories when pulling and pushing from + # Docker. + FEATURE_LIBRARY_SUPPORT = True + + # The namespace to use for library repositories. + # Note: This must remain 'library' until Docker removes their hard-coded namespace for libraries. + # See: https://github.com/docker/docker/blob/master/registry/session.go#L320 + LIBRARY_NAMESPACE = 'library' + + BUILD_MANAGER = ('enterprise', {}) DISTRIBUTED_STORAGE_CONFIG = { diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index a83a7ac58..018b5277d 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -227,7 +227,7 @@ def parse_args(func): def parse_repository_name(func): @wraps(func) def wrapper(repository, *args, **kwargs): - (namespace, repository) = parse_namespace_repository(repository) + (namespace, repository) = parse_namespace_repository(repository, app.config['LIBRARY_NAMESPACE']) return func(namespace, repository, *args, **kwargs) return wrapper diff --git a/endpoints/api/build.py b/endpoints/api/build.py index c517e1f35..97857638f 100644 --- a/endpoints/api/build.py +++ b/endpoints/api/build.py @@ -145,7 +145,7 @@ def build_status_view(build_obj): return resp -@resource('/v1/repository//build/') +@resource('/v1/repository//build/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryBuildList(RepositoryParamResource): """ Resource related to creating and listing repository builds. """ @@ -288,7 +288,7 @@ class RepositoryBuildList(RepositoryParamResource): -@resource('/v1/repository//build/') +@resource('/v1/repository//build/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('build_uuid', 'The UUID of the build') class RepositoryBuildResource(RepositoryParamResource): @@ -322,7 +322,7 @@ class RepositoryBuildResource(RepositoryParamResource): raise InvalidRequest('Build is currently running or has finished') -@resource('/v1/repository//build//status') +@resource('/v1/repository//build//status') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('build_uuid', 'The UUID of the build') class RepositoryBuildStatus(RepositoryParamResource): @@ -339,7 +339,7 @@ class RepositoryBuildStatus(RepositoryParamResource): return build_status_view(build) -@resource('/v1/repository//build//logs') +@resource('/v1/repository//build//logs') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('build_uuid', 'The UUID of the build') class RepositoryBuildLogs(RepositoryParamResource): diff --git a/endpoints/api/image.py b/endpoints/api/image.py index 55c8da0a2..53e38409d 100644 --- a/endpoints/api/image.py +++ b/endpoints/api/image.py @@ -43,7 +43,7 @@ def historical_image_view(image, image_map): return normal_view -@resource('/v1/repository//image/') +@resource('/v1/repository//image/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryImageList(RepositoryParamResource): """ Resource for listing repository images. """ @@ -82,7 +82,7 @@ class RepositoryImageList(RepositoryParamResource): } -@resource('/v1/repository//image/') +@resource('/v1/repository//image/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('image_id', 'The Docker image ID') class RepositoryImage(RepositoryParamResource): diff --git a/endpoints/api/logs.py b/endpoints/api/logs.py index 4610dfb91..b3e910401 100644 --- a/endpoints/api/logs.py +++ b/endpoints/api/logs.py @@ -106,7 +106,7 @@ def get_aggregate_logs(start_time, end_time, performer_name=None, repository=Non } -@resource('/v1/repository//logs') +@resource('/v1/repository//logs') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryLogs(RepositoryParamResource): """ Resource for fetching logs for the specific repository. """ @@ -175,7 +175,7 @@ class OrgLogs(ApiResource): raise Unauthorized() -@resource('/v1/repository//aggregatelogs') +@resource('/v1/repository//aggregatelogs') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryAggregateLogs(RepositoryParamResource): """ Resource for fetching aggregated logs for the specific repository. """ diff --git a/endpoints/api/permission.py b/endpoints/api/permission.py index 81150abb2..3039346ea 100644 --- a/endpoints/api/permission.py +++ b/endpoints/api/permission.py @@ -38,7 +38,7 @@ def wrap_role_view_team(role_json, team): return role_json -@resource('/v1/repository//permissions/team/') +@resource('/v1/repository//permissions/team/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryTeamPermissionList(RepositoryParamResource): """ Resource for repository team permissions. """ @@ -57,7 +57,7 @@ class RepositoryTeamPermissionList(RepositoryParamResource): } -@resource('/v1/repository//permissions/user/') +@resource('/v1/repository//permissions/user/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryUserPermissionList(RepositoryParamResource): """ Resource for repository user permissions. """ @@ -97,7 +97,7 @@ class RepositoryUserPermissionList(RepositoryParamResource): } -@resource('/v1/repository//permissions/user//transitive') +@resource('/v1/repository//permissions/user//transitive') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('username', 'The username of the user to which the permissions apply') class RepositoryUserTransitivePermission(RepositoryParamResource): @@ -121,7 +121,7 @@ class RepositoryUserTransitivePermission(RepositoryParamResource): } -@resource('/v1/repository//permissions/user/') +@resource('/v1/repository//permissions/user/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('username', 'The username of the user to which the permission applies') class RepositoryUserPermission(RepositoryParamResource): @@ -215,7 +215,7 @@ class RepositoryUserPermission(RepositoryParamResource): return 'Deleted', 204 -@resource('/v1/repository//permissions/team/') +@resource('/v1/repository//permissions/team/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('teamname', 'The name of the team to which the permission applies') class RepositoryTeamPermission(RepositoryParamResource): diff --git a/endpoints/api/repoemail.py b/endpoints/api/repoemail.py index 8f01480fa..ce3d61294 100644 --- a/endpoints/api/repoemail.py +++ b/endpoints/api/repoemail.py @@ -30,7 +30,7 @@ def record_view(record): @internal_only @show_if(features.MAILING) -@resource('/v1/repository//authorizedemail/') +@resource('/v1/repository//authorizedemail/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('email', 'The e-mail address') class RepositoryAuthorizedEmail(RepositoryParamResource): diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index d89475dca..18f4fc432 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -225,7 +225,7 @@ class RepositoryList(ApiResource): } -@resource('/v1/repository/') +@resource('/v1/repository/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class Repository(RepositoryParamResource): """Operations for managing a specific repository.""" @@ -339,7 +339,7 @@ class Repository(RepositoryParamResource): return 'Deleted', 204 -@resource('/v1/repository//changevisibility') +@resource('/v1/repository//changevisibility') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryVisibility(RepositoryParamResource): """ Custom verb for changing the visibility of the repository. """ diff --git a/endpoints/api/repositorynotification.py b/endpoints/api/repositorynotification.py index f1b9e013a..2441ca451 100644 --- a/endpoints/api/repositorynotification.py +++ b/endpoints/api/repositorynotification.py @@ -38,7 +38,7 @@ def notification_view(note): } -@resource('/v1/repository//notification/') +@resource('/v1/repository//notification/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryNotificationList(RepositoryParamResource): """ Resource for dealing with listing and creating notifications on a repository. """ @@ -116,7 +116,7 @@ class RepositoryNotificationList(RepositoryParamResource): } -@resource('/v1/repository//notification/') +@resource('/v1/repository//notification/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('uuid', 'The UUID of the notification') class RepositoryNotification(RepositoryParamResource): @@ -149,7 +149,7 @@ class RepositoryNotification(RepositoryParamResource): return 'No Content', 204 -@resource('/v1/repository//notification//test') +@resource('/v1/repository//notification//test') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('uuid', 'The UUID of the notification') class TestRepositoryNotification(RepositoryParamResource): diff --git a/endpoints/api/repotoken.py b/endpoints/api/repotoken.py index 46208c5ec..57aefc9a5 100644 --- a/endpoints/api/repotoken.py +++ b/endpoints/api/repotoken.py @@ -20,7 +20,7 @@ def token_view(token_obj): } -@resource('/v1/repository//tokens/') +@resource('/v1/repository//tokens/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class RepositoryTokenList(RepositoryParamResource): """ Resource for creating and listing repository tokens. """ @@ -66,7 +66,7 @@ class RepositoryTokenList(RepositoryParamResource): return token_view(token), 201 -@resource('/v1/repository//tokens/') +@resource('/v1/repository//tokens/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('code', 'The token code') class RepositoryToken(RepositoryParamResource): diff --git a/endpoints/api/secscan.py b/endpoints/api/secscan.py index b4b3681fc..272437bc4 100644 --- a/endpoints/api/secscan.py +++ b/endpoints/api/secscan.py @@ -54,7 +54,7 @@ def _get_status(repo_image): @show_if(features.SECURITY_SCANNER) -@resource('/v1/repository//image//vulnerabilities') +@resource('/v1/repository//image//vulnerabilities') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('imageid', 'The image ID') class RepositoryImageVulnerabilities(RepositoryParamResource): @@ -89,7 +89,7 @@ class RepositoryImageVulnerabilities(RepositoryParamResource): @show_if(features.SECURITY_SCANNER) -@resource('/v1/repository//image//packages') +@resource('/v1/repository//image//packages') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('imageid', 'The image ID') class RepositoryImagePackages(RepositoryParamResource): diff --git a/endpoints/api/tag.py b/endpoints/api/tag.py index 416d3e3f3..2de6b90ee 100644 --- a/endpoints/api/tag.py +++ b/endpoints/api/tag.py @@ -11,7 +11,7 @@ from auth.auth_context import get_authenticated_user from util.names import TAG_ERROR, TAG_REGEX -@resource('/v1/repository//tag/') +@resource('/v1/repository//tag/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class ListRepositoryTags(RepositoryParamResource): """ Resource for listing full repository tag history, alive *and dead*. """ @@ -60,7 +60,7 @@ class ListRepositoryTags(RepositoryParamResource): } -@resource('/v1/repository//tag/') +@resource('/v1/repository//tag/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('tag', 'The name of the tag') class RepositoryTag(RepositoryParamResource): @@ -128,7 +128,7 @@ class RepositoryTag(RepositoryParamResource): return 'Deleted', 204 -@resource('/v1/repository//tag//images') +@resource('/v1/repository//tag//images') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('tag', 'The name of the tag') class RepositoryTagImages(RepositoryParamResource): @@ -179,7 +179,7 @@ class RepositoryTagImages(RepositoryParamResource): -@resource('/v1/repository//tag//revert') +@resource('/v1/repository//tag//revert') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('tag', 'The name of the tag') class RevertTag(RepositoryParamResource): diff --git a/endpoints/api/trigger.py b/endpoints/api/trigger.py index b1f37f727..66ca30a76 100644 --- a/endpoints/api/trigger.py +++ b/endpoints/api/trigger.py @@ -33,7 +33,7 @@ def _prepare_webhook_url(scheme, username, password, hostname, path): return urlunparse((scheme, auth_hostname, path, '', '', '')) -@resource('/v1/repository//trigger/') +@resource('/v1/repository//trigger/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class BuildTriggerList(RepositoryParamResource): """ Resource for listing repository build triggers. """ @@ -48,7 +48,7 @@ class BuildTriggerList(RepositoryParamResource): } -@resource('/v1/repository//trigger/') +@resource('/v1/repository//trigger/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') class BuildTrigger(RepositoryParamResource): @@ -95,7 +95,7 @@ class BuildTrigger(RepositoryParamResource): return 'No Content', 204 -@resource('/v1/repository//trigger//subdir') +@resource('/v1/repository//trigger//subdir') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') @internal_only @@ -143,7 +143,7 @@ class BuildTriggerSubdirs(RepositoryParamResource): raise Unauthorized() -@resource('/v1/repository//trigger//activate') +@resource('/v1/repository//trigger//activate') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') class BuildTriggerActivate(RepositoryParamResource): @@ -245,7 +245,7 @@ class BuildTriggerActivate(RepositoryParamResource): raise Unauthorized() -@resource('/v1/repository//trigger//analyze') +@resource('/v1/repository//trigger//analyze') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') @internal_only @@ -384,7 +384,7 @@ class BuildTriggerAnalyze(RepositoryParamResource): raise NotFound() -@resource('/v1/repository//trigger//start') +@resource('/v1/repository//trigger//start') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') class ActivateBuildTrigger(RepositoryParamResource): @@ -444,7 +444,7 @@ class ActivateBuildTrigger(RepositoryParamResource): return resp, 201, headers -@resource('/v1/repository//trigger//builds') +@resource('/v1/repository//trigger//builds') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') class TriggerBuildList(RepositoryParamResource): @@ -464,7 +464,7 @@ class TriggerBuildList(RepositoryParamResource): FIELD_VALUE_LIMIT = 30 -@resource('/v1/repository//trigger//fields/') +@resource('/v1/repository//trigger//fields/') @internal_only class BuildTriggerFieldValues(RepositoryParamResource): """ Custom verb to fetch a values list for a particular field name. """ @@ -493,7 +493,7 @@ class BuildTriggerFieldValues(RepositoryParamResource): raise Unauthorized() -@resource('/v1/repository//trigger//sources') +@resource('/v1/repository//trigger//sources') @path_param('repository', 'The full path of the repository. e.g. namespace/name') @path_param('trigger_uuid', 'The UUID of the build trigger') @internal_only diff --git a/endpoints/api/user.py b/endpoints/api/user.py index b97040c32..0c4868b39 100644 --- a/endpoints/api/user.py +++ b/endpoints/api/user.py @@ -876,7 +876,7 @@ class StarredRepositoryList(ApiResource): }, 201 -@resource('/v1/user/starred/') +@resource('/v1/user/starred/') @path_param('repository', 'The full path of the repository. e.g. namespace/name') class StarredRepository(RepositoryParamResource): """ Operations for managing a specific starred repository. """ diff --git a/endpoints/bitbuckettrigger.py b/endpoints/bitbuckettrigger.py index 7045200f9..b3a9ca63a 100644 --- a/endpoints/bitbuckettrigger.py +++ b/endpoints/bitbuckettrigger.py @@ -8,7 +8,6 @@ from buildtrigger.bitbuckethandler import BitbucketBuildTrigger from endpoints.common import route_show_if from app import app from data import model -from util.names import parse_repository_name from util.http import abort from auth.auth import require_session_login diff --git a/endpoints/common.py b/endpoints/common.py index 371c66384..5d5a8258e 100644 --- a/endpoints/common.py +++ b/endpoints/common.py @@ -23,6 +23,7 @@ from functools import wraps from config import frontend_visible_config from external_libraries import get_external_javascript, get_external_css from util.secscan.api import PRIORITY_LEVELS +from util.names import parse_namespace_repository import features @@ -47,11 +48,24 @@ def get_cache_busters(): return CACHE_BUSTERS -class RepoPathConverter(BaseConverter): - regex = '[\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+' - weight = 200 +def parse_repository_name(f): + @wraps(f) + def wrapper(repository, *args, **kwargs): + lib_namespace = app.config['LIBRARY_NAMESPACE'] + (namespace, repository) = parse_namespace_repository(repository, lib_namespace) + return f(namespace, repository, *args, **kwargs) + return wrapper + + +def parse_repository_name_and_tag(f): + @wraps(f) + def wrapper(repository, *args, **kwargs): + lib_namespace = app.config['LIBRARY_NAMESPACE'] + namespace, repository, tag = parse_namespace_repository(repository, lib_namespace, + include_tag=True) + return f(namespace, repository, tag, *args, **kwargs) + return wrapper -app.url_map.converters['repopath'] = RepoPathConverter def route_show_if(value): def decorator(f): diff --git a/endpoints/githubtrigger.py b/endpoints/githubtrigger.py index 40b00ae04..5e2553d22 100644 --- a/endpoints/githubtrigger.py +++ b/endpoints/githubtrigger.py @@ -3,10 +3,9 @@ import logging from flask import request, redirect, url_for, Blueprint from flask.ext.login import current_user -from endpoints.common import route_show_if +from endpoints.common import route_show_if, parse_repository_name from app import app, github_trigger from data import model -from util.names import parse_repository_name from util.http import abort from auth.permissions import AdministerRepositoryPermission from auth.auth import require_session_login @@ -17,7 +16,7 @@ logger = logging.getLogger(__name__) client = app.config['HTTPCLIENT'] githubtrigger = Blueprint('callback', __name__) -@githubtrigger.route('/github/callback/trigger/', methods=['GET']) +@githubtrigger.route('/github/callback/trigger/', methods=['GET']) @route_show_if(features.GITHUB_BUILD) @require_session_login @parse_repository_name diff --git a/endpoints/oauthlogin.py b/endpoints/oauthlogin.py index 3ca75574b..9c99836b6 100644 --- a/endpoints/oauthlogin.py +++ b/endpoints/oauthlogin.py @@ -4,11 +4,10 @@ import requests from flask import request, redirect, url_for, Blueprint from flask.ext.login import current_user -from endpoints.common import common_login, route_show_if +from endpoints.common import common_login, route_show_if, parse_repository_name from endpoints.web import render_page_template_with_routedata from app import app, analytics, get_app_url, github_login, google_login, dex_login from data import model -from util.names import parse_repository_name from util.validation import generate_valid_usernames from util.http import abort from auth.auth import require_session_login diff --git a/endpoints/v1/index.py b/endpoints/v1/index.py index 1d4ad2365..13a2c4ed9 100644 --- a/endpoints/v1/index.py +++ b/endpoints/v1/index.py @@ -9,12 +9,13 @@ from data import model from app import app, authentication, userevents, storage from auth.auth import process_auth, generate_signed_token from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token -from util.names import parse_repository_name, REPOSITORY_NAME_REGEX +from util.names import REPOSITORY_NAME_REGEX from auth.permissions import (ModifyRepositoryPermission, UserAdminPermission, ReadRepositoryPermission, CreateRepositoryPermission, repository_read_grant, repository_write_grant) from util.http import abort +from endpoints.common import parse_repository_name from endpoints.v1 import v1_bp from endpoints.trackhelper import track_and_log from endpoints.notificationhelper import spawn_notification @@ -167,7 +168,7 @@ def update_user(username): abort(403) -@v1_bp.route('/repositories/', methods=['PUT']) +@v1_bp.route('/repositories/', methods=['PUT']) @process_auth @parse_repository_name @generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201) @@ -221,7 +222,7 @@ def create_repository(namespace, repository): return make_response('Created', 201) -@v1_bp.route('/repositories//images', methods=['PUT']) +@v1_bp.route('/repositories//images', methods=['PUT']) @process_auth @parse_repository_name @generate_headers(scope=GrantType.WRITE_REPOSITORY) @@ -251,7 +252,7 @@ def update_images(namespace, repository): abort(403) -@v1_bp.route('/repositories//images', methods=['GET']) +@v1_bp.route('/repositories//images', methods=['GET']) @process_auth @parse_repository_name @generate_headers(scope=GrantType.READ_REPOSITORY) @@ -277,7 +278,7 @@ def get_repository_images(namespace, repository): abort(403) -@v1_bp.route('/repositories//images', methods=['DELETE']) +@v1_bp.route('/repositories//images', methods=['DELETE']) @process_auth @parse_repository_name @generate_headers(scope=GrantType.WRITE_REPOSITORY) @@ -286,7 +287,7 @@ def delete_repository_images(namespace, repository): abort(501, 'Not Implemented', issue='not-implemented') -@v1_bp.route('/repositories//auth', methods=['PUT']) +@v1_bp.route('/repositories//auth', methods=['PUT']) @parse_repository_name @anon_allowed def put_repository_auth(namespace, repository): diff --git a/endpoints/v1/tag.py b/endpoints/v1/tag.py index 644431d2f..d9fd509e5 100644 --- a/endpoints/v1/tag.py +++ b/endpoints/v1/tag.py @@ -5,11 +5,12 @@ import json from flask import abort, request, jsonify, make_response, session from app import app -from util.names import TAG_ERROR, TAG_REGEX, parse_repository_name +from util.names import TAG_ERROR, TAG_REGEX from auth.auth import process_auth from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission) from data import model +from endpoints.common import parse_repository_name from endpoints.decorators import anon_protect from endpoints.v1 import v1_bp from endpoints.trackhelper import track_and_log @@ -18,7 +19,7 @@ from endpoints.trackhelper import track_and_log logger = logging.getLogger(__name__) -@v1_bp.route('/repositories//tags', methods=['GET']) +@v1_bp.route('/repositories//tags', methods=['GET']) @process_auth @anon_protect @parse_repository_name @@ -33,7 +34,7 @@ def get_tags(namespace, repository): abort(403) -@v1_bp.route('/repositories//tags/', methods=['GET']) +@v1_bp.route('/repositories//tags/', methods=['GET']) @process_auth @anon_protect @parse_repository_name @@ -53,7 +54,7 @@ def get_tag(namespace, repository, tag): abort(403) -@v1_bp.route('/repositories//tags/', methods=['PUT']) +@v1_bp.route('/repositories//tags/', methods=['PUT']) @process_auth @anon_protect @parse_repository_name @@ -78,7 +79,7 @@ def put_tag(namespace, repository, tag): abort(403) -@v1_bp.route('/repositories//tags/', methods=['DELETE']) +@v1_bp.route('/repositories//tags/', methods=['DELETE']) @process_auth @anon_protect @parse_repository_name diff --git a/endpoints/v2/blob.py b/endpoints/v2/blob.py index 745adf79a..9883ee74a 100644 --- a/endpoints/v2/blob.py +++ b/endpoints/v2/blob.py @@ -17,13 +17,14 @@ from util.cache import cache_control from util.registry.filelike import wrap_with_handler, StreamSlice from util.registry.gzipstream import calculate_size_handler from util.registry.torrent import PieceHasher +from endpoints.common import parse_repository_name from storage.basestorage import InvalidChunkException logger = logging.getLogger(__name__) -BASE_BLOB_ROUTE = '///blobs/' +BASE_BLOB_ROUTE = '//blobs/' BLOB_DIGEST_ROUTE = BASE_BLOB_ROUTE.format(digest_tools.DIGEST_PATTERN) RANGE_HEADER_REGEX = re.compile(r'^bytes=([0-9]+)-([0-9]+)$') BLOB_CONTENT_TYPE = 'application/octet-stream' @@ -57,6 +58,7 @@ def _base_blob_fetch(namespace, repo_name, digest): @v2_bp.route(BLOB_DIGEST_ROUTE, methods=['HEAD']) @process_registry_jwt_auth +@parse_repository_name @require_repo_read @anon_protect @cache_control(max_age=31436000) @@ -72,6 +74,7 @@ def check_blob_exists(namespace, repo_name, digest): @v2_bp.route(BLOB_DIGEST_ROUTE, methods=['GET']) @process_registry_jwt_auth +@parse_repository_name @require_repo_read @anon_protect @cache_control(max_age=31536000) @@ -103,8 +106,9 @@ def _render_range(num_uploaded_bytes, with_bytes_prefix=True): return '{0}0-{1}'.format('bytes=' if with_bytes_prefix else '', num_uploaded_bytes - 1) -@v2_bp.route('///blobs/uploads/', methods=['POST']) +@v2_bp.route('//blobs/uploads/', methods=['POST']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def start_blob_upload(namespace, repo_name): @@ -121,8 +125,10 @@ def start_blob_upload(namespace, repo_name): if digest is None: # The user will send the blob data in another request accepted = make_response('', 202) - accepted.headers['Location'] = url_for('v2.upload_chunk', namespace=namespace, - repo_name=repo_name, upload_uuid=new_upload_uuid) + accepted.headers['Location'] = url_for('v2.upload_chunk', + repository='%s/%s' % (namespace, repo_name), + upload_uuid=new_upload_uuid) + accepted.headers['Range'] = _render_range(0) accepted.headers['Docker-Upload-UUID'] = new_upload_uuid return accepted @@ -136,8 +142,9 @@ def start_blob_upload(namespace, repo_name): return _finish_upload(namespace, repo_name, uploaded, digest) -@v2_bp.route('///blobs/uploads/', methods=['GET']) +@v2_bp.route('//blobs/uploads/', methods=['GET']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def fetch_existing_upload(namespace, repo_name, upload_uuid): @@ -311,13 +318,15 @@ def _finish_upload(namespace, repo_name, upload_obj, expected_digest): response = make_response('', 201) response.headers['Docker-Content-Digest'] = expected_digest - response.headers['Location'] = url_for('v2.download_blob', namespace=namespace, - repo_name=repo_name, digest=expected_digest) + response.headers['Location'] = url_for('v2.download_blob', + repository='%s/%s' % (namespace, repo_name), + digest=expected_digest) return response -@v2_bp.route('///blobs/uploads/', methods=['PATCH']) +@v2_bp.route('//blobs/uploads/', methods=['PATCH']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def upload_chunk(namespace, repo_name, upload_uuid): @@ -334,8 +343,9 @@ def upload_chunk(namespace, repo_name, upload_uuid): return accepted -@v2_bp.route('///blobs/uploads/', methods=['PUT']) +@v2_bp.route('//blobs/uploads/', methods=['PUT']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def monolithic_upload_or_last_chunk(namespace, repo_name, upload_uuid): @@ -352,8 +362,9 @@ def monolithic_upload_or_last_chunk(namespace, repo_name, upload_uuid): return _finish_upload(namespace, repo_name, found, digest) -@v2_bp.route('///blobs/uploads/', methods=['DELETE']) +@v2_bp.route('//blobs/uploads/', methods=['DELETE']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def cancel_upload(namespace, repo_name, upload_uuid): @@ -371,8 +382,9 @@ def cancel_upload(namespace, repo_name, upload_uuid): -@v2_bp.route('///blobs/', methods=['DELETE']) +@v2_bp.route('//blobs/', methods=['DELETE']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def delete_digest(namespace, repo_name, upload_uuid): diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py index 6a6d5cb13..f09f365d5 100644 --- a/endpoints/v2/manifest.py +++ b/endpoints/v2/manifest.py @@ -1,6 +1,7 @@ import logging import jwt.utils import json +import features from peewee import IntegrityError from flask import make_response, request, url_for @@ -8,25 +9,25 @@ from collections import namedtuple, OrderedDict from jwkest.jws import SIGNER_ALGS, keyrep from datetime import datetime -from app import docker_v2_signing_key +from app import docker_v2_signing_key, app from auth.registry_jwt_auth import process_registry_jwt_auth from endpoints.decorators import anon_protect from endpoints.v2 import v2_bp, require_repo_read, require_repo_write -from endpoints.v2.errors import (BlobUnknown, ManifestInvalid, ManifestUnverified, - ManifestUnknown, TagInvalid, NameInvalid) +from endpoints.v2.errors import (BlobUnknown, ManifestInvalid, ManifestUnknown, TagInvalid, + NameInvalid) from endpoints.trackhelper import track_and_log from endpoints.notificationhelper import spawn_notification from digest import digest_tools from data import model from data.database import RepositoryTag - +from endpoints.common import parse_repository_name logger = logging.getLogger(__name__) VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}' -BASE_MANIFEST_ROUTE = '///manifests/' +BASE_MANIFEST_ROUTE = '//manifests/' MANIFEST_DIGEST_ROUTE = BASE_MANIFEST_ROUTE.format(digest_tools.DIGEST_PATTERN) MANIFEST_TAGNAME_ROUTE = BASE_MANIFEST_ROUTE.format(VALID_TAG_PATTERN) @@ -61,9 +62,17 @@ class SignedManifest(object): self._parsed = json.loads(manifest_bytes) self._signatures = self._parsed[_SIGNATURES_KEY] - self._namespace, self._repo_name = self._parsed[_REPO_NAME_KEY].split('/') self._tag = self._parsed[_REPO_TAG_KEY] + repo_name_tuple = self._parsed[_REPO_NAME_KEY].split('/') + if len(repo_name_tuple) > 1: + self._namespace, self._repo_name = repo_name_tuple + elif len(repo_name_tuple) == 1: + self._namespace = '' + self._repo_name = repo_name_tuple[0] + else: + raise ValueError('repo_name has too many or too few pieces') + self._validate() def _validate(self): @@ -144,9 +153,13 @@ class SignedManifestBuilder(object): """ Class which represents a manifest which is currently being built. """ def __init__(self, namespace, repo_name, tag, architecture='amd64', schema_ver=1): + repo_name_key = '{0}/{1}'.format(namespace, repo_name) + if namespace == '': + repo_name_key = repo_name + self._base_payload = { _REPO_TAG_KEY: tag, - _REPO_NAME_KEY: '{0}/{1}'.format(namespace, repo_name), + _REPO_NAME_KEY: repo_name_key, _ARCH_KEY: architecture, _SCHEMA_VER: schema_ver, } @@ -213,6 +226,7 @@ class SignedManifestBuilder(object): @v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET']) @process_registry_jwt_auth +@parse_repository_name @require_repo_read @anon_protect def fetch_manifest_by_tagname(namespace, repo_name, manifest_ref): @@ -242,6 +256,7 @@ def fetch_manifest_by_tagname(namespace, repo_name, manifest_ref): @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET']) @process_registry_jwt_auth +@parse_repository_name @require_repo_read @anon_protect def fetch_manifest_by_digest(namespace, repo_name, manifest_ref): @@ -262,12 +277,13 @@ def fetch_manifest_by_digest(namespace, repo_name, manifest_ref): @v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def write_manifest_by_tagname(namespace, repo_name, manifest_ref): try: manifest = SignedManifest(request.data) - except ValueError: + except ValueError as ve: raise ManifestInvalid() if manifest.tag != manifest_ref: @@ -278,6 +294,7 @@ def write_manifest_by_tagname(namespace, repo_name, manifest_ref): @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def write_manifest_by_digest(namespace, repo_name, manifest_ref): @@ -293,8 +310,16 @@ def write_manifest_by_digest(namespace, repo_name, manifest_ref): def _write_manifest(namespace, repo_name, manifest): - # Ensure that the manifest is for this repository. - if manifest.namespace != namespace or manifest.repo_name != repo_name: + # Ensure that the manifest is for this repository. If the manifest's namespace is empty, then + # it is for the library namespace and we need an extra check. + if (manifest.namespace == '' and features.LIBRARY_SUPPORT and + namespace == app.config['LIBRARY_NAMESPACE']): + # This is a library manifest. All good. + pass + elif manifest.namespace != namespace: + raise NameInvalid() + + if manifest.repo_name != repo_name: raise NameInvalid() # Ensure that the repository exists. @@ -369,13 +394,15 @@ def _write_manifest(namespace, repo_name, manifest): response = make_response('OK', 202) response.headers['Docker-Content-Digest'] = manifest_digest - response.headers['Location'] = url_for('v2.fetch_manifest_by_digest', namespace=namespace, - repo_name=repo_name, manifest_ref=manifest_digest) + response.headers['Location'] = url_for('v2.fetch_manifest_by_digest', + repository='%s/%s' % (namespace, repo_name), + manifest_ref=manifest_digest) return response @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE']) @process_registry_jwt_auth +@parse_repository_name @require_repo_write @anon_protect def delete_manifest_by_digest(namespace, repo_name, manifest_ref): @@ -406,8 +433,14 @@ def _generate_and_store_manifest(namespace, repo_name, tag_name): image = model.tag.get_tag_image(namespace, repo_name, tag_name) parents = model.image.get_parent_images(namespace, repo_name, image) + # If the manifest is being generated under the library namespace, then we make its namespace + # empty. + manifest_namespace = namespace + if features.LIBRARY_SUPPORT and namespace == app.config['LIBRARY_NAMESPACE']: + manifest_namespace = '' + # Create and populate the manifest builder - builder = SignedManifestBuilder(namespace, repo_name, tag_name) + builder = SignedManifestBuilder(manifest_namespace, repo_name, tag_name) # Add the leaf layer builder.add_layer(image.storage.content_checksum, image.v1_json_metadata) diff --git a/endpoints/v2/tag.py b/endpoints/v2/tag.py index a1811b063..03aa51198 100644 --- a/endpoints/v2/tag.py +++ b/endpoints/v2/tag.py @@ -6,9 +6,11 @@ from endpoints.v2.errors import NameUnknown from endpoints.v2.v2util import add_pagination from endpoints.decorators import anon_protect from data import model +from endpoints.common import parse_repository_name -@v2_bp.route('///tags/list', methods=['GET']) +@v2_bp.route('//tags/list', methods=['GET']) @process_registry_jwt_auth +@parse_repository_name @require_repo_read @anon_protect def list_all_tags(namespace, repo_name): @@ -17,8 +19,7 @@ def list_all_tags(namespace, repo_name): raise NameUnknown() query = model.tag.list_repository_tags(namespace, repo_name) - - url = url_for('v2.list_all_tags', namespace=namespace, repo_name=repo_name) + url = url_for('v2.list_all_tags', repository='%s/%s' % (namespace, repo_name)) link, query = add_pagination(query, url) response = jsonify({ diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py index 974a9dafc..576ca41dd 100644 --- a/endpoints/v2/v2auth.py +++ b/endpoints/v2/v2auth.py @@ -23,7 +23,7 @@ logger = logging.getLogger(__name__) TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour SCOPE_REGEX = re.compile( - r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$' + r'^repository:(([\.a-zA-Z0-9_\-]+/)?[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$' ) @lru_cache(maxsize=1) @@ -77,9 +77,10 @@ def generate_registry_jwt(): logger.debug('Match: %s', match.groups()) namespace_and_repo = match.group(1) - actions = match.group(2).split(',') + actions = match.group(3).split(',') - namespace, reponame = parse_namespace_repository(namespace_and_repo) + lib_namespace = app.config['LIBRARY_NAMESPACE'] + namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace) # Ensure that we are never creating an invalid repository. if not REPOSITORY_NAME_REGEX.match(reponame): diff --git a/endpoints/verbs.py b/endpoints/verbs.py index 568a469a9..79253002b 100644 --- a/endpoints/verbs.py +++ b/endpoints/verbs.py @@ -22,7 +22,7 @@ from formats.squashed import SquashedDockerImage from formats.aci import ACIImage from storage import Storage from endpoints.v2.blob import BLOB_DIGEST_ROUTE -from endpoints.common import route_show_if +from endpoints.common import route_show_if, parse_repository_name verbs = Blueprint('verbs', __name__) @@ -376,6 +376,7 @@ def get_squashed_tag(namespace, repository, tag): @anon_protect @verbs.route('/torrent{0}'.format(BLOB_DIGEST_ROUTE), methods=['GET']) @process_auth +@parse_repository_name def get_tag_torrent(namespace, repo_name, digest): permission = ReadRepositoryPermission(namespace, repo_name) public_repo = model.repository.repository_is_public(namespace, repo_name) diff --git a/endpoints/web.py b/endpoints/web.py index c3a1136d9..bad2a75ef 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -25,14 +25,14 @@ from buildtrigger.triggerutil import TriggerProviderException from data import model from data.database import db from endpoints.api.discovery import swagger_route_data -from endpoints.common import common_login, render_page_template, route_show_if, param_required +from endpoints.common import (common_login, render_page_template, route_show_if, param_required, + parse_repository_name, parse_repository_name_and_tag) from endpoints.csrf import csrf_protect, generate_csrf_token, verify_csrf from endpoints.decorators import anon_protect, anon_allowed from health.healthcheck import get_healthchecker from util.cache import no_cache, cache_control from util.headers import parse_basic_auth from util.invoice import renderInvoiceToPdf -from util.names import parse_repository_name, parse_repository_name_and_tag from util.seo import render_snapshot from util.systemlogs import build_logs_archive from util.useremails import send_email_changed @@ -409,7 +409,7 @@ def confirm_recovery(): abort(403) -@web.route('/repository//status', methods=['GET']) +@web.route('/repository//status', methods=['GET']) @parse_repository_name @anon_protect def build_status_badge(namespace, repository): @@ -597,7 +597,7 @@ def download_logs_archive(): abort(403) -@web.route('/bitbucket/setup/', methods=['GET']) +@web.route('/bitbucket/setup/', methods=['GET']) @require_session_login @parse_repository_name @route_show_if(features.BITBUCKET_BUILD) @@ -630,7 +630,7 @@ def attach_bitbucket_trigger(namespace, repository_name): abort(403) -@web.route('/customtrigger/setup/', methods=['GET']) +@web.route('/customtrigger/setup/', methods=['GET']) @require_session_login @parse_repository_name def attach_custom_build_trigger(namespace, repository_name): @@ -653,7 +653,7 @@ def attach_custom_build_trigger(namespace, repository_name): abort(403) -@web.route('/') +@web.route('/') @no_cache @process_oauth @parse_repository_name_and_tag diff --git a/endpoints/webhooks.py b/endpoints/webhooks.py index cb13f9fd9..abe43280c 100644 --- a/endpoints/webhooks.py +++ b/endpoints/webhooks.py @@ -67,7 +67,7 @@ def stripe_webhook(): return make_response('Okay') -@webhooks.route('/push//trigger/', methods=['POST']) +@webhooks.route('/push//trigger/', methods=['POST']) @webhooks.route('/push/trigger/', methods=['POST'], defaults={'repository': ''}) @process_auth def build_trigger_webhook(trigger_uuid, **kwargs): diff --git a/initdb.py b/initdb.py index 776ca165a..0e79a4d37 100644 --- a/initdb.py +++ b/initdb.py @@ -537,6 +537,9 @@ def populate_database(minimal=False): org.stripe_id = TEST_STRIPE_ID org.save() + liborg = model.organization.create_organization('library', 'quay+library@devtable.com', new_user_1) + liborg.save() + model.user.create_robot('coolrobot', org) oauth_app_1 = model.oauth.create_application(org, 'Some Test App', 'http://localhost:8000', diff --git a/test/data/test.db b/test/data/test.db index 4a72f1686..c65ad6987 100644 Binary files a/test/data/test.db and b/test/data/test.db differ diff --git a/test/registry_tests.py b/test/registry_tests.py index 69759e444..842b75297 100644 --- a/test/registry_tests.py +++ b/test/registry_tests.py @@ -138,7 +138,14 @@ _CLEAN_DATABASE_PATH = None _JWK = RSAKey(key=RSA.generate(2048)) -def get_full_contents(image_data): +def _get_repo_name(namespace, name): + if namespace == '': + return name + + return '%s/%s' % (namespace, name) + + +def _get_full_contents(image_data): if 'chunks' in image_data: # Data is just for chunking; no need for a real TAR. return image_data['contents'] @@ -213,7 +220,8 @@ class RegistryTestCaseMixin(LiveServerTestCase): self.csrf_token = self.conduct('GET', '/__test/csrf').text def do_tag(self, namespace, repository, tag, image_id, expected_code=200): - self.conduct('PUT', '/v1/repositories/%s/%s/tags/%s' % (namespace, repository, tag), + repo_name = _get_repo_name(namespace, repository) + self.conduct('PUT', '/v1/repositories/%s/tags/%s' % (repo_name, tag), data='"%s"' % image_id, expected_code=expected_code, auth='sig') def conduct_api_login(self, username, password): @@ -221,8 +229,9 @@ class RegistryTestCaseMixin(LiveServerTestCase): data=json.dumps(dict(username=username, password=password)), headers={'Content-Type': 'application/json'}) - def change_repo_visibility(self, repository, namespace, visibility): - self.conduct('POST', '/api/v1/repository/%s/%s/changevisibility' % (repository, namespace), + def change_repo_visibility(self, namespace, repository, visibility): + repo_name = _get_repo_name(namespace, repository) + self.conduct('POST', '/api/v1/repository/%s/changevisibility' % repo_name, data=json.dumps(dict(visibility=visibility)), headers={'Content-Type': 'application/json'}) @@ -284,12 +293,13 @@ class V1RegistryPushMixin(V1RegistryMixin): def do_push(self, namespace, repository, username, password, images=None, expected_code=201): images = images or self._get_default_images() auth = (username, password) + repo_name = _get_repo_name(namespace, repository) # Ping! self.v1_ping() # PUT /v1/repositories/{namespace}/{repository}/ - self.conduct('PUT', '/v1/repositories/%s/%s' % (namespace, repository), + self.conduct('PUT', '/v1/repositories/%s' % repo_name, data=json.dumps(images), auth=auth, expected_code=expected_code) @@ -310,7 +320,7 @@ class V1RegistryPushMixin(V1RegistryMixin): data=json.dumps(image_json_data), auth='sig') # PUT /v1/images/{imageID}/layer - layer_bytes = get_full_contents(image_data) + layer_bytes = _get_full_contents(image_data) self.conduct('PUT', '/v1/images/%s/layer' % image_id, data=StringIO(layer_bytes), auth='sig') @@ -325,7 +335,7 @@ class V1RegistryPushMixin(V1RegistryMixin): self.do_tag(namespace, repository, 'latest', images[0]['id']) # PUT /v1/repositories/{namespace}/{repository}/images - self.conduct('PUT', '/v1/repositories/%s/%s/images' % (namespace, repository), + self.conduct('PUT', '/v1/repositories/%s/images' % repo_name, expected_code=204, auth='sig') @@ -334,6 +344,7 @@ class V1RegistryPullMixin(V1RegistryMixin): def do_pull(self, namespace, repository, username=None, password='password', expected_code=200, images=None): images = images or self._get_default_images() + repo_name = _get_repo_name(namespace, repository) auth = None if username: @@ -342,7 +353,7 @@ class V1RegistryPullMixin(V1RegistryMixin): # Ping! self.v1_ping() - prefix = '/v1/repositories/%s/%s/' % (namespace, repository) + prefix = '/v1/repositories/%s/' % repo_name # GET /v1/repositories/{namespace}/{repository}/ self.conduct('GET', prefix + 'images', auth=auth, expected_code=expected_code) @@ -417,9 +428,11 @@ class V2RegistryMixin(BaseRegistryMixin): def do_auth(self, username, password, namespace, repository, expected_code=200, scopes=[]): auth = (username, password) + repo_name = _get_repo_name(namespace, repository) + params = { 'account': username, - 'scope': 'repository:%s/%s:%s' % (namespace, repository, ','.join(scopes)), + 'scope': 'repository:%s:%s' % (repo_name, ','.join(scopes)), 'service': app.config['SERVER_HOSTNAME'], } @@ -439,6 +452,7 @@ class V2RegistryPushMixin(V2RegistryMixin): cancel=False, invalid=False, expected_manifest_code=202, expected_auth_code=200, scopes=None): images = images or self._get_default_images() + repo_name = _get_repo_name(namespace, repository) # Ping! self.v2_ping() @@ -456,7 +470,7 @@ class V2RegistryPushMixin(V2RegistryMixin): full_contents = {} for image_data in images: - full_contents[image_data['id']] = get_full_contents(image_data) + full_contents[image_data['id']] = _get_full_contents(image_data) checksum = 'sha256:' + hashlib.sha256(full_contents[image_data['id']]).hexdigest() if invalid: @@ -476,11 +490,11 @@ class V2RegistryPushMixin(V2RegistryMixin): # Layer data should not yet exist. checksum = 'sha256:' + hashlib.sha256(layer_bytes).hexdigest() - self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum), + self.conduct('HEAD', '/v2/%s/blobs/%s' % (repo_name, checksum), expected_code=404, auth='jwt') # Start a new upload of the layer data. - response = self.conduct('POST', '/v2/%s/%s/blobs/uploads/' % (namespace, repository), + response = self.conduct('POST', '/v2/%s/blobs/uploads/' % repo_name, expected_code=202, auth='jwt') upload_uuid = response.headers['Docker-Upload-UUID'] @@ -505,7 +519,7 @@ class V2RegistryPushMixin(V2RegistryMixin): return # Retrieve the upload status at each point. - status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid) + status_url = '/v2/%s/blobs/uploads/%s' % (repo_name, upload_uuid) response = self.conduct('GET', status_url, expected_code=204, auth='jwt', headers=dict(host=self.get_server_url())) self.assertEquals(response.headers['Docker-Upload-UUID'], upload_uuid) @@ -516,7 +530,7 @@ class V2RegistryPushMixin(V2RegistryMixin): auth='jwt') # Ensure the upload was canceled. - status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid) + status_url = '/v2/%s/blobs/uploads/%s' % (repo_name, upload_uuid) self.conduct('GET', status_url, expected_code=404, auth='jwt', headers=dict(host=self.get_server_url())) return @@ -529,14 +543,14 @@ class V2RegistryPushMixin(V2RegistryMixin): checksums[image_id] = checksum # Ensure the layer exists now. - response = self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum), + response = self.conduct('HEAD', '/v2/%s/blobs/%s' % (repo_name, checksum), expected_code=200, auth='jwt') self.assertEquals(response.headers['Docker-Content-Digest'], checksum) self.assertEquals(response.headers['Content-Length'], str(len(layer_bytes))) # Write the manifest. put_code = 404 if invalid else expected_manifest_code - self.conduct('PUT', '/v2/%s/%s/manifests/%s' % (namespace, repository, tag_name), + self.conduct('PUT', '/v2/%s/manifests/%s' % (repo_name, tag_name), data=manifest.bytes, expected_code=put_code, headers={'Content-Type': 'application/json'}, auth='jwt') @@ -547,6 +561,7 @@ class V2RegistryPullMixin(V2RegistryMixin): def do_pull(self, namespace, repository, username=None, password='password', expected_code=200, manifest_id=None, expected_manifest_code=200, images=None): images = images or self._get_default_images() + repo_name = _get_repo_name(namespace, repository) # Ping! self.v2_ping() @@ -559,7 +574,7 @@ class V2RegistryPullMixin(V2RegistryMixin): # Retrieve the manifest for the tag or digest. manifest_id = manifest_id or 'latest' - response = self.conduct('GET', '/v2/%s/%s/manifests/%s' % (namespace, repository, manifest_id), + response = self.conduct('GET', '/v2/%s/manifests/%s' % (repo_name, manifest_id), auth='jwt', expected_code=expected_manifest_code) if expected_manifest_code != 200: return @@ -573,7 +588,7 @@ class V2RegistryPullMixin(V2RegistryMixin): blobs = {} for layer in manifest_data['fsLayers']: blob_id = layer['blobSum'] - result = self.conduct('GET', '/v2/%s/%s/blobs/%s' % (namespace, repository, blob_id), + result = self.conduct('GET', '/v2/%s/blobs/%s' % (repo_name, blob_id), expected_code=200, auth='jwt') blobs[blob_id] = result.content @@ -863,6 +878,17 @@ class RegistryTestsMixin(object): self.do_pull('buynlarge', 'newrepo', 'devtable', 'password') + def test_library_repo(self): + self.do_push('', 'newrepo', 'devtable', 'password') + self.do_pull('', 'newrepo', 'devtable', 'password') + self.do_pull('library', 'newrepo', 'devtable', 'password') + + def test_library_disabled(self): + with TestFeature(self, 'LIBRARY_SUPPORT', False): + self.do_push('library', 'newrepo', 'devtable', 'password') + self.do_pull('library', 'newrepo', 'devtable', 'password') + + class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMixin, RegistryTestCaseMixin, LiveServerTestCase): """ Tests for V1 registry. """ @@ -872,7 +898,7 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix 'id': 'onlyimagehere', 'contents': 'somecontents', }] - self.do_push('public', 'newrepo/somesubrepo', 'public', 'password', images, expected_code=400) + self.do_push('public', 'newrepo/somesubrepo', 'public', 'password', images, expected_code=404) def test_push_unicode_metadata(self): self.conduct_api_login('devtable', 'password') @@ -896,7 +922,7 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix self.do_push('public', 'newrepo', 'public', 'password', images) self.do_tag('public', 'newrepo', '1', image_id) self.do_tag('public', 'newrepo', 'x' * 128, image_id) - self.do_tag('public', 'newrepo', '', image_id, expected_code=400) + self.do_tag('public', 'newrepo', '', image_id, expected_code=404) self.do_tag('public', 'newrepo', 'x' * 129, image_id, expected_code=400) self.do_tag('public', 'newrepo', '.fail', image_id, expected_code=400) self.do_tag('public', 'newrepo', '-fail', image_id, expected_code=400) @@ -1440,6 +1466,16 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base def test_nouser_push_publicrepo(self): self.do_login('', '', expected_code=401, scope='repository:public/publicrepo:push') + def test_library_invaliduser(self): + self.do_login('invaliduser', 'password', expected_code=401, scope='repository:librepo:pull,push') + + def test_library_noaccess(self): + self.do_login('freshuser', 'password', expected_code=403, scope='repository:librepo:pull,push') + + def test_library_access(self): + self.do_login('devtable', 'password', expect_success=200, scope='repository:librepo:pull,push') + + if __name__ == '__main__': unittest.main() diff --git a/test/specs.py b/test/specs.py index 4552f5eac..a113d3368 100644 --- a/test/specs.py +++ b/test/specs.py @@ -276,8 +276,7 @@ class IndexV2TestSpec(object): return self def get_url(self): - namespace, repo_name = parse_namespace_repository(self.repo_name) - return url_for(self.index_name, namespace=namespace, repo_name=repo_name, **self.kwargs) + return url_for(self.index_name, repository=self.repo_name, **self.kwargs) def gen_basic_auth(self, username, password): encoded = b64encode('%s:%s' % (username, password)) diff --git a/test/test_api_usage.py b/test/test_api_usage.py index f815784ad..7fd804dc3 100644 --- a/test/test_api_usage.py +++ b/test/test_api_usage.py @@ -644,7 +644,7 @@ class TestConductSearch(ApiTestCase): json = self.getJsonResponse(ConductSearch, params=dict(query='owners')) - self.assertEquals(1, len(json['results'])) + self.assertEquals(2, len(json['results'])) self.assertEquals(json['results'][0]['kind'], 'team') self.assertEquals(json['results'][0]['name'], 'owners') diff --git a/test/test_v1_endpoint_security.py b/test/test_v1_endpoint_security.py index fe88f6d5b..6de09d721 100644 --- a/test/test_v1_endpoint_security.py +++ b/test/test_v1_endpoint_security.py @@ -63,7 +63,7 @@ class _SpecTestBuilder(type): session_vars = [] if test_spec.sess_repo: - ns, repo = parse_namespace_repository(test_spec.sess_repo) + ns, repo = parse_namespace_repository(test_spec.sess_repo, 'library') session_vars.append(('namespace', ns)) session_vars.append(('repository', repo)) diff --git a/test/test_v2_endpoint_security.py b/test/test_v2_endpoint_security.py index 06d1f025f..1cc99fcb6 100644 --- a/test/test_v2_endpoint_security.py +++ b/test/test_v2_endpoint_security.py @@ -3,7 +3,6 @@ import endpoints.decorated import json from app import app -from util.names import parse_namespace_repository from initdb import setup_database_for_testing, finished_database_for_testing from specs import build_v2_index_specs from endpoints.v2 import v2_bp diff --git a/util/names.py b/util/names.py index 4bb460c6a..c943bfc52 100644 --- a/util/names.py +++ b/util/names.py @@ -10,10 +10,11 @@ TAG_REGEX = re.compile(r'^[\w][\w\.-]{0,127}$') TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", ' 'and can contain 1-128 characters') -def parse_namespace_repository(repository, include_tag=False): + +def parse_namespace_repository(repository, library_namespace, include_tag=False): parts = repository.rstrip('/').split('/', 1) if len(parts) < 2: - namespace = 'library' + namespace = library_namespace repository = parts[0] else: (namespace, repository) = parts @@ -30,20 +31,6 @@ def parse_namespace_repository(repository, include_tag=False): return (namespace, repository, tag) return (namespace, repository) -def parse_repository_name(f): - @wraps(f) - def wrapper(repository, *args, **kwargs): - (namespace, repository) = parse_namespace_repository(repository) - return f(namespace, repository, *args, **kwargs) - return wrapper - -def parse_repository_name_and_tag(f): - @wraps(f) - def wrapper(repository, *args, **kwargs): - namespace, repository, tag = parse_namespace_repository(repository, include_tag=True) - return f(namespace, repository, tag, *args, **kwargs) - return wrapper - def format_robot_username(parent_username, robot_shortname): return '%s+%s' % (parent_username, robot_shortname)