Extend registry auth to support notary JWTs.

endpoints/v2/v2auth.py

@@ -9,6 +9,7 @@ from auth.auth import process_auth
 from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
 from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
                               CreateRepositoryPermission)
+from cachetools import lru_cache
 from endpoints.v2 import v2_bp
 from endpoints.decorators import anon_protect
 from util.cache import no_cache
@@ -20,10 +21,18 @@ logger = logging.getLogger(__name__)
 
 
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
-SCOPE_REGEX = re.compile(
-    r'^repository:(([\.a-zA-Z0-9_\-]+/)?[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
+SCOPE_REGEX_TEMPLATE = (
+    r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)?[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
 )
 
+
+@lru_cache(maxsize=1)
+def get_scope_regex():
+  hostname = re.escape(app.config['SERVER_HOSTNAME'])
+  scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
+  return re.compile(scope_regex_string)
+
+
 @v2_bp.route('/auth')
 @process_auth
 @no_cache
@@ -59,7 +68,7 @@ def generate_registry_jwt():
   }
 
   if len(scope_param) > 0:
-    match = SCOPE_REGEX.match(scope_param)
+    match = get_scope_regex().match(scope_param)
     if match is None:
       logger.debug('Match: %s', match)
       logger.debug('len: %s', len(scope_param))
@@ -68,7 +77,8 @@ def generate_registry_jwt():
 
     logger.debug('Match: %s', match.groups())
 
-    namespace_and_repo = match.group(1)
+    registry_and_repo = match.group(1)
+    namespace_and_repo = match.group(2)
     actions = match.group(3).split(',')
 
     lib_namespace = app.config['LIBRARY_NAMESPACE']
@@ -112,7 +122,7 @@ def generate_registry_jwt():
     # Add the access for the JWT.
     access.append({
       'type': 'repository',
-      'name': namespace_and_repo,
+      'name': registry_and_repo,
       'actions': final_actions,
     })