Add support for multiple scope parameters on V2 auth requests
Fixes https://jira.coreos.com/browse/QUAY-892
This commit is contained in:
parent
86aa93aab5
commit
a59c951aa3
5 changed files with 164 additions and 119 deletions
|
@ -5,7 +5,7 @@ from flask_principal import Identity, Principal
|
|||
from mock import Mock
|
||||
|
||||
from auth import permissions
|
||||
from endpoints.v2.v2auth import get_tuf_root
|
||||
from endpoints.v2.v2auth import _get_tuf_root
|
||||
from test import testconfig
|
||||
from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT
|
||||
|
||||
|
@ -52,7 +52,7 @@ def test_get_tuf_root(identity, expected):
|
|||
app, principal = app_with_principal()
|
||||
with app.test_request_context('/'):
|
||||
principal.set_identity(identity)
|
||||
actual = get_tuf_root(Mock(), "namespace", "repo")
|
||||
actual = _get_tuf_root(Mock(), "namespace", "repo")
|
||||
assert actual == expected, "should be %s, but was %s" % (expected, actual)
|
||||
|
||||
|
||||
|
@ -64,5 +64,5 @@ def test_trust_disabled(trust_enabled,tuf_root):
|
|||
app, principal = app_with_principal()
|
||||
with app.test_request_context('/'):
|
||||
principal.set_identity(read_identity("namespace", "repo"))
|
||||
actual = get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
|
||||
actual = _get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
|
||||
assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
|
||||
|
|
|
@ -4,7 +4,7 @@ from flask import url_for
|
|||
|
||||
from app import instance_keys, app as original_app
|
||||
from endpoints.test.shared import conduct_call
|
||||
from util.security.registry_jwt import decode_bearer_token
|
||||
from util.security.registry_jwt import decode_bearer_token, CLAIM_TUF_ROOTS
|
||||
|
||||
from test.fixtures import *
|
||||
|
||||
|
@ -34,6 +34,8 @@ from test.fixtures import *
|
|||
('repository:buynlarge/orgrepo:pull,push,*', 'devtable', 'password', 200,
|
||||
['buynlarge/orgrepo:push,pull,*']),
|
||||
|
||||
('', 'devtable', 'password', 200, []),
|
||||
|
||||
# No credentials, non-public repo.
|
||||
('repository:devtable/simple:pull', None, None, 200, ['devtable/simple:']),
|
||||
|
||||
|
@ -51,6 +53,20 @@ from test.fixtures import *
|
|||
# Unknown repository in another namespace.
|
||||
('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
|
||||
['somenamespace/unknownrepo:']),
|
||||
|
||||
# Multiple scopes.
|
||||
(['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
|
||||
'devtable', 'password', 200,
|
||||
['devtable/simple:push,pull', 'devtable/complex:pull']),
|
||||
|
||||
# Multiple scopes with restricted behavior.
|
||||
(['repository:devtable/simple:pull,push', 'repository:public/publicrepo:pull,push'],
|
||||
'devtable', 'password', 200,
|
||||
['devtable/simple:push,pull', 'public/publicrepo:pull']),
|
||||
|
||||
(['repository:devtable/simple:pull,push,*', 'repository:public/publicrepo:pull,push,*'],
|
||||
'devtable', 'password', 200,
|
||||
['devtable/simple:push,pull,*', 'public/publicrepo:pull']),
|
||||
])
|
||||
def test_generate_registry_jwt(scope, username, password, expected_code, expected_scopes,
|
||||
app, client):
|
||||
|
@ -86,3 +102,4 @@ def test_generate_registry_jwt(scope, username, password, expected_code, expecte
|
|||
})
|
||||
|
||||
assert decoded['access'] == expected_access
|
||||
assert len(decoded['context'][CLAIM_TUF_ROOTS]) == len(expected_scopes)
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
import logging
|
||||
import re
|
||||
|
||||
from collections import namedtuple
|
||||
from cachetools import lru_cache
|
||||
from flask import request, jsonify
|
||||
|
||||
|
@ -24,13 +25,8 @@ logger = logging.getLogger(__name__)
|
|||
TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour
|
||||
SCOPE_REGEX_TEMPLATE = r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)*[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
|
||||
|
||||
|
||||
@lru_cache(maxsize=1)
|
||||
def get_scope_regex():
|
||||
hostname = re.escape(app.config['SERVER_HOSTNAME'])
|
||||
scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
|
||||
return re.compile(scope_regex_string)
|
||||
|
||||
scopeResult = namedtuple('scopeResult', ['actions', 'namespace', 'repository', 'registry_and_repo',
|
||||
'tuf_root'])
|
||||
|
||||
@v2_bp.route('/auth')
|
||||
@process_basic_auth
|
||||
|
@ -44,12 +40,13 @@ def generate_registry_jwt(auth_result):
|
|||
audience_param = request.args.get('service')
|
||||
logger.debug('Request audience: %s', audience_param)
|
||||
|
||||
scope_param = request.args.get('scope') or ''
|
||||
logger.debug('Scope request: %s', scope_param)
|
||||
scope_params = request.args.getlist('scope') or []
|
||||
logger.debug('Scope request: %s', scope_params)
|
||||
|
||||
auth_header = request.headers.get('authorization', '')
|
||||
auth_credentials_sent = bool(auth_header)
|
||||
|
||||
# Load the auth context and verify thatg we've directly received credentials.
|
||||
has_valid_auth_context = False
|
||||
if get_authenticated_context():
|
||||
has_valid_auth_context = not get_authenticated_context().is_anonymous
|
||||
|
@ -58,14 +55,87 @@ def generate_registry_jwt(auth_result):
|
|||
# The auth credentials sent for the user are invalid.
|
||||
raise InvalidLogin(auth_result.error_message)
|
||||
|
||||
if not has_valid_auth_context and len(scope_params) == 0:
|
||||
# In this case, we are doing an auth flow, and it's not an anonymous pull.
|
||||
logger.debug('No user and no token sent for empty scope list')
|
||||
raise Unauthorized()
|
||||
|
||||
# Build the access list for the authenticated context.
|
||||
access = []
|
||||
scope_results = []
|
||||
for scope_param in scope_params:
|
||||
scope_result = _authorize_or_downscope_request(scope_param, has_valid_auth_context)
|
||||
if scope_result is None:
|
||||
continue
|
||||
|
||||
scope_results.append(scope_result)
|
||||
access.append({
|
||||
'type': 'repository',
|
||||
'name': scope_result.registry_and_repo,
|
||||
'actions': scope_result.actions,
|
||||
})
|
||||
|
||||
# Issue user events.
|
||||
user_event_data = {
|
||||
'action': 'login',
|
||||
}
|
||||
tuf_root = DISABLED_TUF_ROOT
|
||||
|
||||
if len(scope_param) > 0:
|
||||
match = get_scope_regex().match(scope_param)
|
||||
# Set the user event data for when authed.
|
||||
if len(scope_results) > 0:
|
||||
if 'push' in scope_results[0].actions:
|
||||
user_action = 'push_start'
|
||||
elif 'pull' in scope_results[0].actions:
|
||||
user_action = 'pull_start'
|
||||
else:
|
||||
user_action = 'login'
|
||||
|
||||
user_event_data = {
|
||||
'action': user_action,
|
||||
'namespace': scope_results[0].namespace,
|
||||
'repository': scope_results[0].repository,
|
||||
}
|
||||
|
||||
# Send the user event.
|
||||
if get_authenticated_user() is not None:
|
||||
event = userevents.get_event(get_authenticated_user().username)
|
||||
event.publish_event_data('docker-cli', user_event_data)
|
||||
|
||||
# Build the signed JWT.
|
||||
tuf_roots = {'%s/%s' % (scope_result.namespace, scope_result.repository): scope_result.tuf_root
|
||||
for scope_result in scope_results}
|
||||
context, subject = build_context_and_subject(get_authenticated_context(), tuf_roots=tuf_roots)
|
||||
token = generate_bearer_token(audience_param, subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
|
||||
return jsonify({'token': token})
|
||||
|
||||
|
||||
@lru_cache(maxsize=1)
|
||||
def _get_scope_regex():
|
||||
hostname = re.escape(app.config['SERVER_HOSTNAME'])
|
||||
scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
|
||||
return re.compile(scope_regex_string)
|
||||
|
||||
|
||||
def _get_tuf_root(repo, namespace, reponame):
|
||||
if not features.SIGNING or repo is None or not repo.trust_enabled:
|
||||
return DISABLED_TUF_ROOT
|
||||
|
||||
# Users with write access to a repo will see signer-rooted TUF metadata
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
return SIGNER_TUF_ROOT
|
||||
return QUAY_TUF_ROOT
|
||||
|
||||
|
||||
def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
||||
if len(scope_param) == 0:
|
||||
if not has_valid_auth_context:
|
||||
# In this case, we are doing an auth flow, and it's not an anonymous pull.
|
||||
logger.debug('No user and no token sent for empty scope list')
|
||||
raise Unauthorized()
|
||||
|
||||
return None
|
||||
|
||||
match = _get_scope_regex().match(scope_param)
|
||||
if match is None:
|
||||
logger.debug('Match: %s', match)
|
||||
logger.debug('len: %s', len(scope_param))
|
||||
|
@ -93,7 +163,6 @@ def generate_registry_jwt(auth_result):
|
|||
final_actions = []
|
||||
|
||||
repo = model.get_repository(namespace, reponame)
|
||||
|
||||
repo_is_public = repo is not None and repo.is_public
|
||||
invalid_repo_message = ''
|
||||
if repo is not None and repo.kind != 'image':
|
||||
|
@ -143,50 +212,6 @@ def generate_registry_jwt(auth_result):
|
|||
else:
|
||||
logger.debug("No permission to administer repository %s/%s", namespace, reponame)
|
||||
|
||||
# Add the access for the JWT.
|
||||
access.append({
|
||||
'type': 'repository',
|
||||
'name': registry_and_repo,
|
||||
'actions': final_actions,
|
||||
})
|
||||
|
||||
# Set the user event data for the auth.
|
||||
if 'push' in final_actions:
|
||||
user_action = 'push_start'
|
||||
elif 'pull' in final_actions:
|
||||
user_action = 'pull_start'
|
||||
else:
|
||||
user_action = 'login'
|
||||
|
||||
user_event_data = {
|
||||
'action': user_action,
|
||||
'repository': reponame,
|
||||
'namespace': namespace,
|
||||
}
|
||||
tuf_root = get_tuf_root(repo, namespace, reponame)
|
||||
|
||||
elif not has_valid_auth_context:
|
||||
# In this case, we are doing an auth flow, and it's not an anonymous pull
|
||||
logger.debug('No user and no token sent for empty scope list')
|
||||
raise Unauthorized()
|
||||
|
||||
# Send the user event.
|
||||
if get_authenticated_user() is not None:
|
||||
event = userevents.get_event(get_authenticated_user().username)
|
||||
event.publish_event_data('docker-cli', user_event_data)
|
||||
|
||||
# Build the signed JWT.
|
||||
context, subject = build_context_and_subject(get_authenticated_context(), tuf_root=tuf_root)
|
||||
token = generate_bearer_token(audience_param, subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, instance_keys)
|
||||
return jsonify({'token': token})
|
||||
|
||||
|
||||
def get_tuf_root(repo, namespace, reponame):
|
||||
if not features.SIGNING or repo is None or not repo.trust_enabled:
|
||||
return DISABLED_TUF_ROOT
|
||||
|
||||
# Users with write access to a repo will see signer-rooted TUF metadata
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
return SIGNER_TUF_ROOT
|
||||
return QUAY_TUF_ROOT
|
||||
return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
|
||||
registry_and_repo=registry_and_repo,
|
||||
tuf_root=_get_tuf_root(repo, namespace, reponame))
|
||||
|
|
|
@ -8,6 +8,7 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
ANONYMOUS_SUB = '(anonymous)'
|
||||
ALGORITHM = 'RS256'
|
||||
CLAIM_TUF_ROOTS = 'com.apostille.roots'
|
||||
CLAIM_TUF_ROOT = 'com.apostille.root'
|
||||
QUAY_TUF_ROOT = 'quay'
|
||||
SIGNER_TUF_ROOT = 'signer'
|
||||
|
@ -106,18 +107,20 @@ def _generate_jwt_object(audience, subject, context, access, lifetime_s, issuer,
|
|||
return jwt.encode(token_data, private_key, ALGORITHM, headers=token_headers)
|
||||
|
||||
|
||||
def build_context_and_subject(auth_context=None, tuf_root=None):
|
||||
def build_context_and_subject(auth_context=None, tuf_roots=None):
|
||||
""" Builds the custom context field for the JWT signed token and returns it,
|
||||
along with the subject for the JWT signed token. """
|
||||
# Serialize to a dictionary.
|
||||
context = auth_context.to_signed_dict() if auth_context else {}
|
||||
|
||||
# Default to quay root if not explicitly granted permission to see signer root
|
||||
if not tuf_root:
|
||||
tuf_root = QUAY_TUF_ROOT
|
||||
# TODO: remove once Apostille has been upgraded to not use the single root.
|
||||
single_root = (tuf_roots.values()[0]
|
||||
if tuf_roots is not None and len(tuf_roots) == 1
|
||||
else DISABLED_TUF_ROOT)
|
||||
|
||||
context.update({
|
||||
CLAIM_TUF_ROOT: tuf_root
|
||||
CLAIM_TUF_ROOTS: tuf_roots,
|
||||
CLAIM_TUF_ROOT: single_root,
|
||||
})
|
||||
|
||||
if not auth_context or auth_context.is_anonymous:
|
||||
|
|
|
@ -242,7 +242,7 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface):
|
|||
'name': gun,
|
||||
'actions': actions,
|
||||
}]
|
||||
context, subject = build_context_and_subject(auth_context=None, tuf_root=SIGNER_TUF_ROOT)
|
||||
context, subject = build_context_and_subject(auth_context=None, tuf_roots={gun: SIGNER_TUF_ROOT})
|
||||
token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
|
||||
TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
|
||||
return {'Authorization': 'Bearer %s' % token}
|
||||
|
|
Reference in a new issue