Merge pull request #118 from coreos-inc/createfix

Fix creation of repositories when having a creator permission
2015-06-10 16:18:56 -04:00 · 2015-06-10 16:18:56 -04:00 · a99414b222
commit a99414b222
parent 038e0972ac 44f49a43dd
3 changed files with 72 additions and 12 deletions
--- a/endpoints/index.py
+++ b/endpoints/index.py
@ -34,7 +34,7 @@ class GrantType(object):
  WRITE_REPOSITORY = 'write'


-def generate_headers(scope=GrantType.READ_REPOSITORY):
+def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
  def decorator_method(f):
    @wraps(f)
    def wrapper(namespace, repository, *args, **kwargs):
@ -49,15 +49,16 @@ def generate_headers(scope=GrantType.READ_REPOSITORY):
      response.headers['X-Docker-Endpoints'] = registry_server

      has_token_request = request.headers.get('X-Docker-Token', '')
+      force_grant = (add_grant_for_status == response.status_code)

-      if has_token_request:
+      if has_token_request or force_grant:
        grants = []

        if scope == GrantType.READ_REPOSITORY:
-          if ReadRepositoryPermission(namespace, repository).can():
+          if ReadRepositoryPermission(namespace, repository).can() or force_grant:
            grants.append(repository_read_grant(namespace, repository))
        elif scope == GrantType.WRITE_REPOSITORY:
-          if ModifyRepositoryPermission(namespace, repository).can():
+          if ModifyRepositoryPermission(namespace, repository).can() or force_grant:
            grants.append(repository_write_grant(namespace, repository))

        # Generate a signed token for the user (if any) and the grants (if any)
@ -196,18 +197,18 @@ def update_user(username):
@index.route('/repositories/<path:repository>', methods=['PUT'])
@process_auth
@parse_repository_name
-@generate_headers(scope=GrantType.WRITE_REPOSITORY)
+@generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201)
@anon_allowed
 def create_repository(namespace, repository):
-  logger.debug('Parsing image descriptions')
+  logger.debug('Parsing image descriptions for repository %s/%s', namespace, repository)
  image_descriptions = json.loads(request.data.decode('utf8'))

-  logger.debug('Looking up repository')
+  logger.debug('Looking up repository %s/%s', namespace, repository)
  repo = model.get_repository(namespace, repository)

-  logger.debug('Repository looked up')
+  logger.debug('Found repository %s/%s', namespace, repository)
  if not repo and get_authenticated_user() is None:
-    logger.debug('Attempt to create new repository without user auth.')
+    logger.debug('Attempt to create repository %s/%s without user auth', namespace, repository)
    abort(401,
          message='Cannot create a repository as a guest. Please login via "docker login" first.',
          issue='no-login')
@ -219,17 +220,19 @@ def create_repository(namespace, repository):
            message='You do not have permission to modify repository %(namespace)s/%(repository)s',
            issue='no-repo-write-permission',
            namespace=namespace, repository=repository)
-
  else:
    permission = CreateRepositoryPermission(namespace)
    if not permission.can():
-      logger.info('Attempt to create a new repo with insufficient perms.')
+      logger.info('Attempt to create a new repo %s/%s with insufficient perms', namespace, repository)
      abort(403,
            message='You do not have permission to create repositories in namespace "%(namespace)s"',
            issue='no-create-permission',
            namespace=namespace)

-    logger.debug('Creaing repository with owner: %s', get_authenticated_user().username)
+    # Attempt to create the new repository.
+    logger.debug('Creating repository %s/%s with owner: %s', namespace, repository,
+                 get_authenticated_user().username)
+
    repo = model.create_repository(namespace, repository,
                                   get_authenticated_user())

--- a/initdb.py
+++ b/initdb.py
@ -354,6 +354,10 @@ def populate_database():
  reader.verified = True
  reader.save()

+  creatoruser = model.create_user('creator', 'password', 'noc@thanks.com')
+  creatoruser.verified = True
+  creatoruser.save()
+
  outside_org = model.create_user('outsideorg', 'password', 'no2@thanks.com')
  outside_org.verified = True
  outside_org.save()
@ -490,6 +494,9 @@ def populate_database():

  model.create_robot('neworgrobot', org)

+  ownerbot = model.create_robot('ownerbot', org)[0]
+  creatorbot = model.create_robot('creatorbot', org)[0]
+
  owners = model.get_organization_team('buynlarge', 'owners')
  owners.description = 'Owners have unfetterd access across the entire org.'
  owners.save()
@ -504,12 +511,19 @@ def populate_database():
                                    [],
                                    (4, [], ['latest', 'prod']))

+  creators = model.create_team('creators', org, 'creator',
+                               'Creators of orgrepo.')
+
  reader_team = model.create_team('readers', org, 'member',
                                  'Readers of orgrepo.')
  model.set_team_repo_permission(reader_team.name, org_repo.namespace_user.username, org_repo.name,
                                 'read')
+
  model.add_user_to_team(new_user_2, reader_team)
  model.add_user_to_team(reader, reader_team)
+  model.add_user_to_team(ownerbot, owners)
+  model.add_user_to_team(creatorbot, creators)
+  model.add_user_to_team(creatoruser, creators)

  __generate_repository(new_user_1, 'superwide', None, False, [],
                        [(10, [], 'latest2'),
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@ -346,5 +346,48 @@ class RegistryTests(RegistryTestCase):
      # Pull the repository as devtable, which should succeed because the repository is public.
      self.do_pull('public', 'newrepo', 'devtable', 'password')

+
+  def test_create_repo_creator_user(self):
+    images = [{
+      'id': 'onlyimagehere'
+    }]
+    self.do_push('buynlarge', 'newrepo', 'creator', 'password', images)
+
+    # Pull the repository as devtable, which should succeed because the repository is owned by the
+    # org.
+    self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
+
+
+  def test_create_repo_robot_owner(self):
+    # Lookup the robot's password.
+    self.conduct_api_login('devtable', 'password')
+    resp = self.conduct('GET', '/api/v1/organization/buynlarge/robots/ownerbot')
+    robot_token = json.loads(resp.text)['token']
+
+    images = [{
+      'id': 'onlyimagehere'
+    }]
+    self.do_push('buynlarge', 'newrepo', 'buynlarge+ownerbot', robot_token, images)
+
+    # Pull the repository as devtable, which should succeed because the repository is owned by the
+    # org.
+    self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
+
+
+  def test_create_repo_robot_creator(self):
+    # Lookup the robot's password.
+    self.conduct_api_login('devtable', 'password')
+    resp = self.conduct('GET', '/api/v1/organization/buynlarge/robots/creatorbot')
+    robot_token = json.loads(resp.text)['token']
+
+    images = [{
+      'id': 'onlyimagehere'
+    }]
+    self.do_push('buynlarge', 'newrepo', 'buynlarge+creatorbot', robot_token, images)
+
+    # Pull the repository as devtable, which should succeed because the repository is owned by the
+    # org.
+    self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
+
 if __name__ == '__main__':
  unittest.main()