Merge pull request #2376 from charltonaustin/quay_jwts_indicate_which_root_a_user_should_see_137968801

Adding in what metadata_root_name to JWT

endpoints/v2/test/test_v2auth.py

@@ -0,0 +1,18 @@
+import pytest
+
+from endpoints.v2.v2auth import attach_metadata_root_name, CLAIM_APOSTILLE_ROOT
+
+
+@pytest.mark.parametrize('context,access,expected', [
+  ({}, None, {}),
+  ({}, [], {}),
+  ({}, [{}], {}),
+  ({}, [{"actions": None}], {}),
+  ({}, [{"actions": []}], {}),
+  ({}, [{"actions": ["pull"]}], {CLAIM_APOSTILLE_ROOT: 'quay'}),
+  ({}, [{"actions": ["push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}),
+  ({}, [{"actions": ["pull", "push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}),
+])
+def test_attach_metadata_root_name(context, access, expected):
+  actual = attach_metadata_root_name(context, access)
+  assert actual == expected, "should be %s, but was %s" % (expected, actual)

endpoints/v2/v2auth.py

@@ -16,6 +16,7 @@ from util.cache import no_cache
 from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
 from util.security.registry_jwt import generate_bearer_token, build_context_and_subject
 
+CLAIM_APOSTILLE_ROOT = 'com.apostille.root'
 
 logger = logging.getLogger(__name__)
 
@@ -158,6 +159,27 @@ def generate_registry_jwt():
 
   # Build the signed JWT.
   context, subject = build_context_and_subject(user, token, oauthtoken)
+  context = attach_metadata_root_name(context, access)
   token = generate_bearer_token(audience_param, subject, context, access,
                                 TOKEN_VALIDITY_LIFETIME_S, instance_keys)
   return jsonify({'token': token})
+
+
+def attach_metadata_root_name(context, access):
+  """
+  Adds in metadata_root_name into JWT context when appropriate
+  """
+  try:
+    actions = access[0]["actions"]
+  except(TypeError, IndexError, KeyError):
+    return context
+
+  if not actions:
+    return context
+
+  if "push" in actions:
+    context[CLAIM_APOSTILLE_ROOT] = 'signer'
+  else:
+    context[CLAIM_APOSTILLE_ROOT] = 'quay'
+
+  return context