Some fixes and tests for v2 auth

Fixes #395
2015-09-10 12:24:33 -04:00 · 2015-09-10 12:24:33 -04:00 · 9c3ddf846f
commit 9c3ddf846f
parent 5029ab62f6
7 changed files with 290 additions and 35 deletions
--- a/endpoints/v2/init.py
+++ b/endpoints/v2/init.py
@ -6,6 +6,7 @@ import logging
 from flask import Blueprint, make_response, url_for, request, jsonify
 from functools import wraps
 from urlparse import urlparse
+from util import get_app_url

 from app import metric_queue
 from endpoints.decorators import anon_protect, anon_allowed
@ -69,12 +70,11 @@ def v2_support_enabled():

  if get_grant_user_context() is None:
    response = make_response('true', 401)
-    realm_hostname = urlparse(request.url).netloc
    realm_auth_path = url_for('v2.generate_registry_jwt')
-    scheme = app.config['PREFERRED_URL_SCHEME']

-    authenticate = 'Bearer realm="{0}://{1}{2}",service="quay"'.format(scheme, realm_hostname,
-                                                                       realm_auth_path)
+    authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(get_app_url(app.config),
+                                                                realm_auth_path,
+                                                                app.config['SERVER_HOSTNAME'])
    response.headers['WWW-Authenticate'] = authenticate

  response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -24,9 +24,11 @@ from endpoints.decorators import anon_protect
 logger = logging.getLogger(__name__)


+TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 SCOPE_REGEX = re.compile(
    r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
 )
+ANONYMOUS_SUB = '(anonymous)'


@lru_cache(maxsize=1)
@ -89,7 +91,6 @@ def generate_registry_jwt():
          not model.repository.repository_is_public(namespace, reponame)):
        abort(403)

-
    access.append({
      'type': 'repository',
      'name': namespace_and_repo,
@ -97,11 +98,12 @@ def generate_registry_jwt():
    })

  token_data = {
-    'iss': 'token-issuer',
+    'iss': app.config['JWT_AUTH_TOKEN_ISSUER'],
    'aud': audience_param,
    'nbf': int(time.time()),
-    'exp': int(time.time() + 60),
-    'sub': user.username if user else '(anonymous)',
+    'iat': int(time.time()),
+    'exp': int(time.time() + TOKEN_VALIDITY_LIFETIME_S),
+    'sub': user.username if user else ANONYMOUS_SUB,
    'access': access,
  }