Add login tests and fix scope security issue

2015-11-23 23:46:05 -05:00 · 2015-11-23 23:46:05 -05:00 · 75a91f0f92
commit 75a91f0f92
parent c9b1a02e9c
2 changed files with 156 additions and 10 deletions
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -78,10 +78,16 @@ def generate_registry_jwt():
    if not REPOSITORY_NAME_REGEX.match(reponame):
      abort(400)

-    if 'pull' in actions and 'push' in actions:
+    final_actions = []
+
+    if 'push' in actions:
+      # If there is no valid user or token, then the repository cannot be
+      # accessed.
      if user is None and token is None:
        abort(401)

+      # Lookup the repository. If it exists, make sure the entity has modify
+      # permission. Otherwise, make sure the entity has create permission.
      repo = model.repository.get_repository(namespace, reponame)
      if repo:
        if not ModifyRepositoryPermission(namespace, reponame).can():
@ -92,15 +98,25 @@ def generate_registry_jwt():

        logger.debug('Creating repository: %s/%s', namespace, reponame)
        model.repository.create_repository(namespace, reponame, user)
-    elif 'pull' in actions:
-      if (not ReadRepositoryPermission(namespace, reponame).can() and
-          not model.repository.repository_is_public(namespace, reponame)):
+
+      final_actions.append('push')
+
+    if 'pull' in actions:
+      # Grant pull if the user can read the repo or it is public. We also
+      # grant it if the user already has push, as they can clearly change
+      # the repository.
+      if (ReadRepositoryPermission(namespace, reponame).can() or
+          model.repository.repository_is_public(namespace, reponame) or
+          'push' in final_actions):
+        final_actions.append('pull')
+      else:
        abort(403)

+
    access.append({
      'type': 'repository',
      'name': namespace_and_repo,
-      'actions': actions,
+      'actions': final_actions,
    })

  elif user is None and token is None: