Fix a bug with pulls and repeate pushes, add permissions checks to all repository endpoints.
parent
44255421df
commit
5caa54ffb3
1 changed files with 27 additions and 1 deletions
|
@ -12,6 +12,8 @@ import storage
|
||||||
from app import app
|
from app import app
|
||||||
from auth.auth import process_auth, extract_namespace_repo_from_session
|
from auth.auth import process_auth, extract_namespace_repo_from_session
|
||||||
from util import checksums
|
from util import checksums
|
||||||
|
from auth.permissions import (ReadRepositoryPermission,
|
||||||
|
ModifyRepositoryPermission)
|
||||||
|
|
||||||
|
|
||||||
store = storage.load()
|
store = storage.load()
|
||||||
|
@ -76,6 +78,10 @@ def set_cache_headers(f):
|
||||||
@require_completion
|
@require_completion
|
||||||
@set_cache_headers
|
@set_cache_headers
|
||||||
def get_image_layer(namespace, repository, image_id, headers):
|
def get_image_layer(namespace, repository, image_id, headers):
|
||||||
|
permission = ReadRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
return Response(store.stream_read(store.image_layer_path(
|
return Response(store.stream_read(store.image_layer_path(
|
||||||
namespace, repository, image_id)), headers=headers)
|
namespace, repository, image_id)), headers=headers)
|
||||||
|
@ -87,6 +93,10 @@ def get_image_layer(namespace, repository, image_id, headers):
|
||||||
@process_auth
|
@process_auth
|
||||||
@extract_namespace_repo_from_session
|
@extract_namespace_repo_from_session
|
||||||
def put_image_layer(namespace, repository, image_id):
|
def put_image_layer(namespace, repository, image_id):
|
||||||
|
permission = ModifyRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
json_data = store.get_content(store.image_json_path(namespace, repository,
|
json_data = store.get_content(store.image_json_path(namespace, repository,
|
||||||
image_id))
|
image_id))
|
||||||
|
@ -139,6 +149,10 @@ def put_image_layer(namespace, repository, image_id):
|
||||||
@process_auth
|
@process_auth
|
||||||
@extract_namespace_repo_from_session
|
@extract_namespace_repo_from_session
|
||||||
def put_image_checksum(namespace, repository, image_id):
|
def put_image_checksum(namespace, repository, image_id):
|
||||||
|
permission = ModifyRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
checksum = request.headers.get('X-Docker-Checksum')
|
checksum = request.headers.get('X-Docker-Checksum')
|
||||||
if not checksum:
|
if not checksum:
|
||||||
abort(400) #'Missing Image\'s checksum')
|
abort(400) #'Missing Image\'s checksum')
|
||||||
|
@ -166,6 +180,10 @@ def put_image_checksum(namespace, repository, image_id):
|
||||||
@require_completion
|
@require_completion
|
||||||
@set_cache_headers
|
@set_cache_headers
|
||||||
def get_image_json(namespace, repository, image_id, headers):
|
def get_image_json(namespace, repository, image_id, headers):
|
||||||
|
permission = ReadRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
data = store.get_content(store.image_json_path(namespace, repository,
|
data = store.get_content(store.image_json_path(namespace, repository,
|
||||||
image_id))
|
image_id))
|
||||||
|
@ -177,7 +195,7 @@ def get_image_json(namespace, repository, image_id, headers):
|
||||||
headers['X-Docker-Size'] = str(size)
|
headers['X-Docker-Size'] = str(size)
|
||||||
except OSError:
|
except OSError:
|
||||||
pass
|
pass
|
||||||
checksum_path = store.image_checksum_path(image_id)
|
checksum_path = store.image_checksum_path(namespace, repository, image_id)
|
||||||
if store.exists(checksum_path):
|
if store.exists(checksum_path):
|
||||||
headers['X-Docker-Checksum'] = store.get_content(checksum_path)
|
headers['X-Docker-Checksum'] = store.get_content(checksum_path)
|
||||||
response = make_response(data, 200)
|
response = make_response(data, 200)
|
||||||
|
@ -191,6 +209,10 @@ def get_image_json(namespace, repository, image_id, headers):
|
||||||
@require_completion
|
@require_completion
|
||||||
@set_cache_headers
|
@set_cache_headers
|
||||||
def get_image_ancestry(namespace, repository, image_id, headers):
|
def get_image_ancestry(namespace, repository, image_id, headers):
|
||||||
|
permission = ReadRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
data = store.get_content(store.image_ancestry_path(namespace, repository,
|
data = store.get_content(store.image_ancestry_path(namespace, repository,
|
||||||
image_id))
|
image_id))
|
||||||
|
@ -229,6 +251,10 @@ def store_checksum(namespace, repository, image_id, checksum):
|
||||||
@process_auth
|
@process_auth
|
||||||
@extract_namespace_repo_from_session
|
@extract_namespace_repo_from_session
|
||||||
def put_image_json(namespace, repository, image_id):
|
def put_image_json(namespace, repository, image_id):
|
||||||
|
permission = ModifyRepositoryPermission(namespace, repository)
|
||||||
|
if not permission.can():
|
||||||
|
abort(403)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
data = json.loads(request.data)
|
data = json.loads(request.data)
|
||||||
except json.JSONDecodeError:
|
except json.JSONDecodeError:
|
||||||
|
|
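Review bot: In the three read handlers (`get_image_layer`, `get_image_json`, `get_image_ancestry`) the new `ReadRepositoryPermission(...).can()` check sits inside the function body, so it runs only after the `@require_completion` and `@set_cache_headers` wrappers. Those wrappers' bodies are not shown in this diff, but any early response they produce would be returned without an authorization decision, which could reveal the state of an image in a repository the caller cannot read. The same four-line check is also pasted into six handlers, so a future endpoint can easily be added without it. Consider a single decorator that performs the check, placed above the completion/caching decorators and below whatever establishes the caller's identity; the sketch below assumes `functools` is available in this module and that `namespace` and `repository` reach the wrapper as keyword arguments, which needs confirming for the `@extract_namespace_repo_from_session` handlers. All six handler bodies continue outside their hunks.

```python
def require_repo_permission(permission_class):
    """Answer 403 unless the caller holds permission_class on the repository."""
    def decorator(f):
        @functools.wraps(f)
        def wrapper(*args, **kwargs):
            # Assumes the view arguments arrive as keywords; the call shape
            # is passed through untouched for the inner decorators.
            permission = permission_class(kwargs['namespace'],
                                          kwargs['repository'])
            if not permission.can():
                abort(403)
            return f(*args, **kwargs)
        return wrapper
    return decorator


# ... unchanged: route and authentication decorators above ...
@require_repo_permission(ReadRepositoryPermission)
@require_completion
@set_cache_headers
def get_image_layer(namespace, repository, image_id, headers):
    # ... unchanged: stream the layer from storage ...
```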