Fix a bug with pulls and repeate pushes, add permissions checks to all repository endpoints.

2013-09-26 13:42:24 -04:00 · 2013-09-26 13:42:24 -04:00 · 5caa54ffb3
commit 5caa54ffb3
parent 44255421df
1 changed files with 27 additions and 1 deletions
--- a/endpoints/registry.py
+++ b/endpoints/registry.py
@ -12,6 +12,8 @@ import storage
 from app import app
 from auth.auth import process_auth, extract_namespace_repo_from_session
 from util import checksums
+from auth.permissions import (ReadRepositoryPermission,
+                              ModifyRepositoryPermission)


 store = storage.load()
@ -76,6 +78,10 @@ def set_cache_headers(f):
@require_completion
@set_cache_headers
 def get_image_layer(namespace, repository, image_id, headers):
+  permission = ReadRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  try:
    return Response(store.stream_read(store.image_layer_path(
      namespace, repository, image_id)), headers=headers)
@ -87,6 +93,10 @@ def get_image_layer(namespace, repository, image_id, headers):
@process_auth
@extract_namespace_repo_from_session
 def put_image_layer(namespace, repository, image_id):
+  permission = ModifyRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  try:
    json_data = store.get_content(store.image_json_path(namespace, repository,
                                                        image_id))
@ -139,6 +149,10 @@ def put_image_layer(namespace, repository, image_id):
@process_auth
@extract_namespace_repo_from_session
 def put_image_checksum(namespace, repository, image_id):
+  permission = ModifyRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  checksum = request.headers.get('X-Docker-Checksum')
  if not checksum:
    abort(400)  #'Missing Image\'s checksum')
@ -166,6 +180,10 @@ def put_image_checksum(namespace, repository, image_id):
@require_completion
@set_cache_headers
 def get_image_json(namespace, repository, image_id, headers):
+  permission = ReadRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  try:
    data = store.get_content(store.image_json_path(namespace, repository,
                                                   image_id))
@ -177,7 +195,7 @@ def get_image_json(namespace, repository, image_id, headers):
    headers['X-Docker-Size'] = str(size)
  except OSError:
    pass
-  checksum_path = store.image_checksum_path(image_id)
+  checksum_path = store.image_checksum_path(namespace, repository, image_id)
  if store.exists(checksum_path):
    headers['X-Docker-Checksum'] = store.get_content(checksum_path)
  response = make_response(data, 200)
@ -191,6 +209,10 @@ def get_image_json(namespace, repository, image_id, headers):
@require_completion
@set_cache_headers
 def get_image_ancestry(namespace, repository, image_id, headers):
+  permission = ReadRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  try:
    data = store.get_content(store.image_ancestry_path(namespace, repository,
                                                       image_id))
@ -229,6 +251,10 @@ def store_checksum(namespace, repository, image_id, checksum):
@process_auth
@extract_namespace_repo_from_session
 def put_image_json(namespace, repository, image_id):
+  permission = ModifyRepositoryPermission(namespace, repository)
+  if not permission.can():
+    abort(403)
+
  try:
    data = json.loads(request.data)
  except json.JSONDecodeError: