Add support for multiple scope parameters on V2 auth requests

Fixes https://jira.coreos.com/browse/QUAY-892
2018-03-23 17:47:55 -04:00 · 2018-03-23 17:47:55 -04:00 · a59c951aa3
commit a59c951aa3
parent 86aa93aab5
5 changed files with 164 additions and 119 deletions
--- a/endpoints/v2/test/test_v2_tuf.py
+++ b/endpoints/v2/test/test_v2_tuf.py
@ -5,7 +5,7 @@ from flask_principal import Identity, Principal
 from mock import Mock

 from auth import permissions
-from endpoints.v2.v2auth import get_tuf_root
+from endpoints.v2.v2auth import _get_tuf_root
 from test import testconfig
 from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT

@ -52,7 +52,7 @@ def test_get_tuf_root(identity, expected):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(identity)
-    actual = get_tuf_root(Mock(), "namespace", "repo")
+    actual = _get_tuf_root(Mock(), "namespace", "repo")
    assert actual == expected, "should be %s, but was %s" % (expected, actual)


@ -64,5 +64,5 @@ def test_trust_disabled(trust_enabled,tuf_root):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(read_identity("namespace", "repo"))
-    actual = get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
+    actual = _get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
    assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
--- a/endpoints/v2/test/test_v2auth.py
+++ b/endpoints/v2/test/test_v2auth.py
@ -4,7 +4,7 @@ from flask import url_for

 from app import instance_keys, app as original_app
 from endpoints.test.shared import conduct_call
-from util.security.registry_jwt import decode_bearer_token
+from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS

 from test.fixtures import *

@ -34,6 +34,8 @@ from test.fixtures import *
  ('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
   ['buynlarge/orgrepo:push,pull,*']),

+  ('', 'devtable', 'password', 200, []),
+
  # No credentials, non-public repo.
  ('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),

@ -51,6 +53,20 @@ from test.fixtures import *
  # Unknown repository in another namespace.
  ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
   ['somenamespace/unknownrepo:']),
+
+  # Multiple scopes.
+  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'devtable/complex:pull']),
+
+  # Multiple scopes with restricted behavior.
+  (['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull', 'public/publicrepo:pull']),
+
+  (['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
+    'devtable', 'password', 200,
+   ['devtable/simple:push,pull,*', 'public/publicrepo:pull']),
 ])
 def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
                               app, client):
@ -86,3 +102,4 @@ def test_generate_registry_jwt(scope, username, password, expected_code, expecte
    })

  assert decoded['access'] == expected_access
+  assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -1,6 +1,7 @@
 import logging
 import re

+from collections import namedtuple
 from cachetools import lru_cache
 from flask import request, jsonify

@ -24,13 +25,8 @@ logger = logging.getLogger(__name__)
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 SCOPE_REGEX_TEMPLATE = r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)*[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'

-
-@lru_cache(maxsize=1)
-def get_scope_regex():
-  hostname = re.escape(app.config['SERVER_HOSTNAME'])
-  scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
-  return re.compile(scope_regex_string)
-
+scopeResult = namedtuple('scopeResult', ['actions', 'namespace', 'repository', 'registry_and_repo',
+                                         'tuf_root'])

@v2_bp.route('/auth')
@process_basic_auth
@ -44,12 +40,13 @@ def generate_registry_jwt(auth_result):
  audience_param = request.args.get('service')
  logger.debug('Request audience: %s', audience_param)

-  scope_param = request.args.get('scope') or ''
-  logger.debug('Scope request: %s', scope_param)
+  scope_params = request.args.getlist('scope') or []
+  logger.debug('Scope request: %s', scope_params)

  auth_header = request.headers.get('authorization', '')
  auth_credentials_sent = bool(auth_header)

+  # Load the auth context and verify thatg we've directly received credentials.
  has_valid_auth_context = False
  if get_authenticated_context():
    has_valid_auth_context = not get_authenticated_context().is_anonymous
@ -58,117 +55,45 @@ def generate_registry_jwt(auth_result):
    # The auth credentials sent for the user are invalid.
    raise InvalidLogin(auth_result.error_message)

+  if not has_valid_auth_context and len(scope_params) == 0:
+    # In this case, we are doing an auth flow, and it's not an anonymous pull.
+    logger.debug('No user and no token sent for empty scope list')
+    raise Unauthorized()
+
+  # Build the access list for the authenticated context.
  access = []
+  scope_results = []
+  for scope_param in scope_params:
+    scope_result = _authorize_or_downscope_request(scope_param, has_valid_auth_context)
+    if scope_result is None:
+      continue
+
+    scope_results.append(scope_result)
+    access.append({
+      'type': 'repository',
+      'name': scope_result.registry_and_repo,
+      'actions': scope_result.actions,
+    })
+
+  # Issue user events.
  user_event_data = {
    'action': 'login',
  }
-  tuf_root = DISABLED_TUF_ROOT

-  if len(scope_param) > 0:
-    match = get_scope_regex().match(scope_param)
-    if match is None:
-      logger.debug('Match: %s', match)
-      logger.debug('len: %s', len(scope_param))
-      logger.warning('Unable to decode repository and actions: %s', scope_param)
-      raise InvalidRequest('Unable to decode repository and actions: %s' % scope_param)
-
-    logger.debug('Match: %s', match.groups())
-
-    registry_and_repo = match.group(1)
-    namespace_and_repo = match.group(2)
-    actions = match.group(3).split(',')
-
-    lib_namespace = app.config['LIBRARY_NAMESPACE']
-    namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
-
-    # Ensure that we are never creating an invalid repository.
-    if not REPOSITORY_NAME_REGEX.match(reponame):
-      logger.debug('Found invalid repository name in auth flow: %s', reponame)
-      if len(namespace_and_repo.split('/')) > 1:
-        msg = 'Nested repositories are not supported. Found: %s' % namespace_and_repo
-        raise NameInvalid(message=msg)
-
-      raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
-
-    final_actions = []
-
-    repo = model.get_repository(namespace, reponame)
-
-    repo_is_public = repo is not None and repo.is_public
-    invalid_repo_message = ''
-    if repo is not None and repo.kind != 'image':
-      invalid_repo_message = ((
-        'This repository is for managing %s resources ' + 'and not container images.') % repo.kind)
-
-    if 'push' in actions:
-      # Check if there is a valid user or token, as otherwise the repository cannot be
-      # accessed.
-      if has_valid_auth_context:
-        # Lookup the repository. If it exists, make sure the entity has modify
-        # permission. Otherwise, make sure the entity has create permission.
-        if repo:
-          if ModifyRepositoryPermission(namespace, reponame).can():
-            if repo.kind != 'image':
-              raise Unsupported(message=invalid_repo_message)
-
-            final_actions.append('push')
-          else:
-            logger.debug('No permission to modify repository %s/%s', namespace, reponame)
-        else:
-          user = get_authenticated_user()
-          if CreateRepositoryPermission(namespace).can() and user is not None:
-            logger.debug('Creating repository: %s/%s', namespace, reponame)
-            model.create_repository(namespace, reponame, user)
-            final_actions.append('push')
-          else:
-            logger.debug('No permission to create repository %s/%s', namespace, reponame)
-
-    if 'pull' in actions:
-      # Grant pull if the user can read the repo or it is public.
-      if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
-        if repo is not None and repo.kind != 'image':
-          raise Unsupported(message=invalid_repo_message)
-
-        final_actions.append('pull')
-      else:
-        logger.debug('No permission to pull repository %s/%s', namespace, reponame)
-
-    if '*' in actions:
-      # Grant * user is admin
-      if AdministerRepositoryPermission(namespace, reponame).can():
-        if repo is not None and repo.kind != 'image':
-          raise Unsupported(message=invalid_repo_message)
-
-        final_actions.append('*')
-      else:
-        logger.debug("No permission to administer repository %s/%s", namespace, reponame)
-
-    # Add the access for the JWT.
-    access.append({
-      'type': 'repository',
-      'name': registry_and_repo,
-      'actions': final_actions,
-    })
-
-    # Set the user event data for the auth.
-    if 'push' in final_actions:
+  # Set the user event data for when authed.
+  if len(scope_results) > 0:
+    if 'push' in scope_results[0].actions:
      user_action = 'push_start'
-    elif 'pull' in final_actions:
+    elif 'pull' in scope_results[0].actions:
      user_action = 'pull_start'
    else:
      user_action = 'login'

    user_event_data = {
      'action': user_action,
-      'repository': reponame,
-      'namespace': namespace,
+      'namespace': scope_results[0].namespace,
+      'repository': scope_results[0].repository,
    }
-    tuf_root = get_tuf_root(repo, namespace, reponame)
-
-  elif not has_valid_auth_context:
-    # In this case, we are doing an auth flow, and it's not an anonymous pull
-    logger.debug('No user and no token sent for empty scope list')
-    raise Unauthorized()

  # Send the user event.
  if get_authenticated_user() is not None:
@ -176,13 +101,22 @@ def generate_registry_jwt(auth_result):
    event.publish_event_data('docker-cli', user_event_data)

  # Build the signed JWT.
-  context, subject = build_context_and_subject(get_authenticated_context(), tuf_root=tuf_root)
+  tuf_roots = {'%s/%s' % (scope_result.namespace, scope_result.repository): scope_result.tuf_root
+               for scope_result in scope_results}
+  context, subject = build_context_and_subject(get_authenticated_context(), tuf_roots=tuf_roots)
  token = generate_bearer_token(audience_param, subject, context, access,
                                TOKEN_VALIDITY_LIFETIME_S, instance_keys)
  return jsonify({'token': token})


-def get_tuf_root(repo, namespace, reponame):
+@lru_cache(maxsize=1)
+def _get_scope_regex():
+  hostname = re.escape(app.config['SERVER_HOSTNAME'])
+  scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
+  return re.compile(scope_regex_string)
+
+
+def _get_tuf_root(repo, namespace, reponame):
  if not features.SIGNING or repo is None or not repo.trust_enabled:
    return DISABLED_TUF_ROOT

@ -190,3 +124,94 @@ def get_tuf_root(repo, namespace, reponame):
  if ModifyRepositoryPermission(namespace, reponame).can():
    return SIGNER_TUF_ROOT
  return QUAY_TUF_ROOT
+
+
+def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
+  if len(scope_param) == 0:
+    if not has_valid_auth_context:
+      # In this case, we are doing an auth flow, and it's not an anonymous pull.
+      logger.debug('No user and no token sent for empty scope list')
+      raise Unauthorized()
+
+    return None
+
+  match = _get_scope_regex().match(scope_param)
+  if match is None:
+    logger.debug('Match: %s', match)
+    logger.debug('len: %s', len(scope_param))
+    logger.warning('Unable to decode repository and actions: %s', scope_param)
+    raise InvalidRequest('Unable to decode repository and actions: %s' % scope_param)
+
+  logger.debug('Match: %s', match.groups())
+
+  registry_and_repo = match.group(1)
+  namespace_and_repo = match.group(2)
+  actions = match.group(3).split(',')
+
+  lib_namespace = app.config['LIBRARY_NAMESPACE']
+  namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
+
+  # Ensure that we are never creating an invalid repository.
+  if not REPOSITORY_NAME_REGEX.match(reponame):
+    logger.debug('Found invalid repository name in auth flow: %s', reponame)
+    if len(namespace_and_repo.split('/')) > 1:
+      msg = 'Nested repositories are not supported. Found: %s' % namespace_and_repo
+      raise NameInvalid(message=msg)
+
+    raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
+
+  final_actions = []
+
+  repo = model.get_repository(namespace, reponame)
+  repo_is_public = repo is not None and repo.is_public
+  invalid_repo_message = ''
+  if repo is not None and repo.kind != 'image':
+    invalid_repo_message = ((
+      'This repository is for managing %s resources ' + 'and not container images.') % repo.kind)
+
+  if 'push' in actions:
+    # Check if there is a valid user or token, as otherwise the repository cannot be
+    # accessed.
+    if has_valid_auth_context:
+      # Lookup the repository. If it exists, make sure the entity has modify
+      # permission. Otherwise, make sure the entity has create permission.
+      if repo:
+        if ModifyRepositoryPermission(namespace, reponame).can():
+          if repo.kind != 'image':
+            raise Unsupported(message=invalid_repo_message)
+
+          final_actions.append('push')
+        else:
+          logger.debug('No permission to modify repository %s/%s', namespace, reponame)
+      else:
+        user = get_authenticated_user()
+        if CreateRepositoryPermission(namespace).can() and user is not None:
+          logger.debug('Creating repository: %s/%s', namespace, reponame)
+          model.create_repository(namespace, reponame, user)
+          final_actions.append('push')
+        else:
+          logger.debug('No permission to create repository %s/%s', namespace, reponame)
+
+  if 'pull' in actions:
+    # Grant pull if the user can read the repo or it is public.
+    if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
+      if repo is not None and repo.kind != 'image':
+        raise Unsupported(message=invalid_repo_message)
+
+      final_actions.append('pull')
+    else:
+      logger.debug('No permission to pull repository %s/%s', namespace, reponame)
+
+  if '*' in actions:
+    # Grant * user is admin
+    if AdministerRepositoryPermission(namespace, reponame).can():
+      if repo is not None and repo.kind != 'image':
+        raise Unsupported(message=invalid_repo_message)
+
+      final_actions.append('*')
+    else:
+      logger.debug("No permission to administer repository %s/%s", namespace, reponame)
+
+  return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
+                     registry_and_repo=registry_and_repo,
+                     tuf_root=_get_tuf_root(repo, namespace, reponame))
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)

 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'
+CLAIM_TUF_ROOTS = 'com.apostille.roots'
 CLAIM_TUF_ROOT = 'com.apostille.root'
 QUAY_TUF_ROOT = 'quay'
 SIGNER_TUF_ROOT = 'signer'
@ -106,18 +107,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
  return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)


-def build_context_and_subject(auth_context=None, tuf_root=None):
+def build_context_and_subject(auth_context=None, tuf_roots=None):
  """ Builds the custom context field for the JWT signed token and returns it,
      along with the subject for the JWT signed token. """
  # Serialize to a dictionary.
  context = auth_context.to_signed_dict() if auth_context else {}

-  # Default to quay root if not explicitly granted permission to see signer root
-  if not tuf_root:
-    tuf_root = QUAY_TUF_ROOT
+  # TODO: remove once Apostille has been upgraded to not use the single root.
+  single_root = (tuf_roots.values()[0]
+                 if tuf_roots is not None and len(tuf_roots) == 1
+                 else DISABLED_TUF_ROOT)

  context.update({
-    CLAIM_TUF_ROOT: tuf_root
+    CLAIM_TUF_ROOTS: tuf_roots,
+    CLAIM_TUF_ROOT: single_root,
  })

  if not auth_context or auth_context.is_anonymous:
--- a/util/tufmetadata/api.py
+++ b/util/tufmetadata/api.py
@ -242,7 +242,7 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
      'name': gun,
      'actions': actions,
    }]
-    context, subject = build_context_and_subject(auth_context=None, tuf_root=SIGNER_TUF_ROOT)
+    context, subject = build_context_and_subject(auth_context=None, tuf_roots={gun: SIGNER_TUF_ROOT})
    token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
                                  TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
    return {'Authorization': 'Bearer %s' % token}