Merge pull request #1761 from coreos-inc/nginx-direct-download

Add feature flag to force all direct download URLs to be proxied

auth/registry_jwt_auth.py

@@ -11,7 +11,7 @@ from .auth_context import set_grant_context, get_grant_context
 from .permissions import repository_read_grant, repository_write_grant
 from util.names import parse_namespace_repository
 from util.http import abort
-from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_token,
+from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,
                                         InvalidBearerTokenException)
 from data import model
 
@@ -136,15 +136,15 @@ def get_auth_headers(repository=None, scopes=None):
   return headers
 
 
-def identity_from_bearer_token(bearer_token):
-  """ Process a bearer token and return the loaded identity, or raise InvalidJWTException if an
+def identity_from_bearer_token(bearer_header):
+  """ Process a bearer header and return the loaded identity, or raise InvalidJWTException if an
       identity could not be loaded. Expects tokens and grants in the format of the Docker registry
       v2 auth spec: https://docs.docker.com/registry/spec/auth/token/
   """
-  logger.debug('Validating auth header: %s', bearer_token)
+  logger.debug('Validating auth header: %s', bearer_header)
 
   try:
-    payload = decode_bearer_token(bearer_token, instance_keys)
+    payload = decode_bearer_header(bearer_header, instance_keys, app.config)
   except InvalidBearerTokenException as bte:
     logger.exception('Invalid bearer token: %s', bte)
     raise InvalidJWTException(bte)