Add support for multiple scope parameters on V2 auth requests

Fixes https://jira.coreos.com/browse/QUAY-892
2018-03-23 17:47:55 -04:00 · 2018-03-23 17:47:55 -04:00 · a59c951aa3
commit a59c951aa3
parent 86aa93aab5
5 changed files with 164 additions and 119 deletions
--- a/util/security/registry_jwt.py
+++ b/util/security/registry_jwt.py
@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)

 ANONYMOUS_SUB = '(anonymous)'
 ALGORITHM = 'RS256'
+CLAIM_TUF_ROOTS = 'com.apostille.roots'
 CLAIM_TUF_ROOT = 'com.apostille.root'
 QUAY_TUF_ROOT = 'quay'
 SIGNER_TUF_ROOT = 'signer'
@ -106,18 +107,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
  return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)


-def build_context_and_subject(auth_context=None, tuf_root=None):
+def build_context_and_subject(auth_context=None, tuf_roots=None):
  """ Builds the custom context field for the JWT signed token and returns it,
      along with the subject for the JWT signed token. """
  # Serialize to a dictionary.
  context = auth_context.to_signed_dict() if auth_context else {}

-  # Default to quay root if not explicitly granted permission to see signer root
-  if not tuf_root:
-    tuf_root = QUAY_TUF_ROOT
+  # TODO: remove once Apostille has been upgraded to not use the single root.
+  single_root = (tuf_roots.values()[0]
+                 if tuf_roots is not None and len(tuf_roots) == 1
+                 else DISABLED_TUF_ROOT)

  context.update({
-    CLAIM_TUF_ROOT: tuf_root
+    CLAIM_TUF_ROOTS: tuf_roots,
+    CLAIM_TUF_ROOT: single_root,
  })

  if not auth_context or auth_context.is_anonymous:
--- a/util/tufmetadata/api.py
+++ b/util/tufmetadata/api.py
@ -242,7 +242,7 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
      'name': gun,
      'actions': actions,
    }]
-    context, subject = build_context_and_subject(auth_context=None, tuf_root=SIGNER_TUF_ROOT)
+    context, subject = build_context_and_subject(auth_context=None, tuf_roots={gun: SIGNER_TUF_ROOT})
    token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
                                  TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
    return {'Authorization': 'Bearer %s' % token}