Start of a v2 API.

2015-06-22 17:37:13 -04:00 · 2015-06-22 17:37:13 -04:00 · acbcc2e206
commit acbcc2e206
parent 3bfa2a6509
16 changed files with 508 additions and 55 deletions
--- a/endpoints/v2/init.py
+++ b/endpoints/v2/init.py
@ -0,0 +1,62 @@
+import logging
+
+from flask import Blueprint, make_response
+from functools import wraps
+
+from endpoints.decorators import anon_protect, anon_allowed
+from auth.jwt_auth import process_jwt_auth
+from auth.auth_context import get_grant_user_context
+from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
+                              AdministerRepositoryPermission)
+from data import model
+from util.http import abort
+
+
+
+logger = logging.getLogger(__name__)
+v2_bp = Blueprint('v2', __name__)
+
+
+def _require_repo_permission(permission_class, allow_public=False):
+  def wrapper(func):
+    @wraps(func)
+    def wrapped(namespace, repo_name, *args, **kwargs):
+      logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace, repo_name)
+      permission = permission_class(namespace, repo_name)
+      if (permission.can() or
+          (allow_public and
+           model.repository_is_public(namespace, repo_name))):
+        return func(namespace, repo_name, *args, **kwargs)
+      raise abort(401)
+    return wrapped
+  return wrapper
+
+
+require_repo_read = _require_repo_permission(ReadRepositoryPermission, True)
+require_repo_write = _require_repo_permission(ModifyRepositoryPermission)
+require_repo_admin = _require_repo_permission(AdministerRepositoryPermission)
+
+
+def get_input_stream(flask_request):
+  if flask_request.headers.get('transfer-encoding') == 'chunked':
+    return flask_request.environ['wsgi.input']
+  return flask_request.stream
+
+
+@v2_bp.route('/')
+@process_jwt_auth
+@anon_allowed
+def v2_support_enabled():
+  response = make_response('true', 200)
+
+  if get_grant_user_context() is None:
+    response = make_response('true', 401)
+    response.headers['WWW-Authenticate'] = 'Bearer realm="192.168.59.3:5000/v2/auth",service="quay"'
+
+  response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
+  return response
+
+
+from endpoints.v2 import v2auth
+from endpoints.v2 import manifest
+from endpoints.v2 import blobs
--- a/endpoints/v2/blobs.py
+++ b/endpoints/v2/blobs.py
@ -0,0 +1,20 @@
+import logging
+
+from flask import make_response
+
+from endpoints.v2 import v2_bp, require_repo_read, require_repo_write, require_repo_admin
+from auth.jwt_auth import process_jwt_auth
+from auth.permissions import ReadRepositoryPermission
+from endpoints.decorators import anon_protect
+
+
+logger = logging.getLogger(__name__)
+
+
+@v2_bp.route('/<namespace>/<repo_name>/blobs/<tarsum>', methods=['HEAD'])
+@process_jwt_auth
+@require_repo_read
+@anon_protect
+def check_blob_existence(namespace, repo_name, tarsum):
+  logger.debug('Fetching blob with tarsum: %s', tarsum)
+  return make_response('Blob {0}'.format(tarsum))
--- a/endpoints/v2/digest_tools.py
+++ b/endpoints/v2/digest_tools.py
@ -0,0 +1,46 @@
+import re
+import os.path
+import hashlib
+
+from collections import namedtuple
+
+
+Digest = namedtuple('Digest', ['is_tarsum', 'tarsum_version', 'hash_alg', 'hash_bytes'])
+
+
+DIGEST_PATTERN = r'(tarsum\.(v[\w]+)\+)?([\w]+):([0-9a-f]+)'
+DIGEST_REGEX = re.compile(DIGEST_PATTERN)
+
+
+class InvalidDigestException(RuntimeError):
+  pass
+
+
+def parse_digest(digest):
+  """ Returns the digest parsed out to its components. """
+  match = DIGEST_REGEX.match(digest)
+  if match is None or match.end() != len(digest):
+    raise InvalidDigestException('Not a valid digest: %s', digest)
+
+  is_tarsum = match.group(1) is not None
+  return Digest(is_tarsum, match.group(2), match.group(3), match.group(4))
+
+
+def content_path(digest):
+  """ Returns a relative path to the parsed digest. """
+  parsed = parse_digest(digest)
+  components = []
+
+  if parsed.is_tarsum:
+    components.extend(['tarsum', parsed.tarsum_version])
+
+  prefix = parsed.hash_bytes[0:2].zfill(2)
+  components.extend([parsed.hash_alg, prefix, parsed.hash_bytes])
+
+  return os.path.join(*components)
+
+
+def sha256_digest(content):
+  """ Returns a sha256 hash of the content bytes in digest form. """
+  digest = hashlib.sha256(content)
+  return 'sha256:{0}'.format(digest.hexdigest())
--- a/endpoints/v2/manifest.py
+++ b/endpoints/v2/manifest.py
@ -0,0 +1,63 @@
+import logging
+import re
+import hashlib
+
+from flask import make_response, request
+
+from app import storage
+from auth.jwt_auth import process_jwt_auth
+from auth.permissions import ReadRepositoryPermission
+from endpoints.decorators import anon_protect
+from endpoints.v2 import (v2_bp, require_repo_read, require_repo_write, require_repo_admin,
+                          get_input_stream)
+from endpoints.v2 import digest_tools
+
+
+logger = logging.getLogger(__name__)
+
+
+VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}'
+VALID_TAG_REGEX = re.compile(VALID_TAG_PATTERN)
+
+
+def is_tag_name(reference):
+  match = VALID_TAG_REGEX.match(reference)
+  return match is not None and match.end() == len(reference)
+
+
+@v2_bp.route('/<namespace>/<repo_name>/manifests/<regex("' + VALID_TAG_PATTERN + '"):tag_name>',
+             methods=['GET'])
+@process_jwt_auth
+@require_repo_read
+@anon_protect
+def fetch_manifest_by_tagname(namespace, repo_name, tag_name):
+  logger.debug('Fetching tag manifest with name: %s', tag_name)
+  return make_response('Manifest {0}'.format(tag_name))
+
+
+@v2_bp.route('/<namespace>/<repo_name>/manifests/<regex("' + VALID_TAG_PATTERN + '"):tag_name>',
+             methods=['PUT'])
+@process_jwt_auth
+@require_repo_write
+@anon_protect
+def write_manifest_by_tagname(namespace, repo_name, tag_name):
+  manifest_data = request.data
+  logger.debug('Manifest data: %s', manifest_data)
+  response = make_response('OK', 202)
+  response.headers['Docker-Content-Digest'] = digest_tools.sha256_digest(manifest_data)
+  response.headers['Location'] = 'https://fun.com'
+  return response
+
+
+@v2_bp.route('/<namespace>/<repo_name>/manifests/<regex("' + digest_tools.DIGEST_PATTERN + '"):tag_digest>',
+             methods=['PUT'])
+@process_jwt_auth
+@require_repo_write
+@anon_protect
+def write_manifest(namespace, repo_name, tag_digest):
+  logger.debug('Writing tag manifest with name: %s', tag_digest)
+
+  manifest_path = digest_tools.content_path(tag_digest)
+  storage.stream_write('local_us', manifest_path, get_input_stream(request))
+
+  return make_response('Manifest {0}'.format(tag_digest))
--- a/endpoints/v2/registry.py
+++ b/endpoints/v2/registry.py
@ -0,0 +1,12 @@
+import logging
+
+from endpoints.v2 import v2_bp
+
+
+logging.getLogger(__name__)
+
+
+@v2_bp.route()
+
+@process_auth
+@anon_protect
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -0,0 +1,94 @@
+import logging
+import re
+import time
+import jwt
+
+from flask import request, jsonify, abort
+
+from data import model
+from auth.auth import process_auth
+from auth.auth_context import get_authenticated_user
+from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
+                              CreateRepositoryPermission)
+from endpoints.v2 import v2_bp
+from util.cache import no_cache
+from util.names import parse_namespace_repository
+
+
+logger = logging.getLogger(__name__)
+
+
+SCOPE_REGEX = re.compile(
+    r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))'
+)
+
+
+@v2_bp.route('/auth')
+@process_auth
+@no_cache
+def generate_registry_jwt():
+  audience_param = request.args.get('service')
+  logger.debug('Request audience: %s', audience_param)
+
+  scope_param = request.args.get('scope')
+  logger.debug('Scope request: %s', scope_param)
+
+  user = get_authenticated_user()
+
+  access = []
+  if scope_param is not None:
+    match = SCOPE_REGEX.match(scope_param)
+    if match is None or match.end() != len(scope_param):
+      logger.debug('Match: %s', match)
+      logger.debug('End: %s', match.end())
+      logger.debug('len: %s', len(scope_param))
+      logger.warning('Unable to decode repository and actions: %s', scope_param)
+      abort(400)
+
+    logger.debug('Match: %s', match.groups())
+
+    namespace_and_repo = match.group(1)
+    actions = match.group(2).split(',')
+
+    namespace, reponame = parse_namespace_repository(namespace_and_repo)
+    if 'pull' in actions and 'push' in actions:
+      repo = model.get_repository(namespace, reponame)
+      if repo:
+        if not ModifyRepositoryPermission(namespace, reponame):
+          abort(403)
+      else:
+        if not CreateRepositoryPermission(namespace):
+          abort(403)
+        logger.debug('Creating repository: %s/%s', namespace, reponame)
+        model.create_repository(namespace, reponame, user)
+    elif 'pull' in actions:
+      if not ReadRepositoryPermission(namespace, reponame):
+        abort(403)
+
+
+    access.append({
+      'type': 'repository',
+      'name': namespace_and_repo,
+      'actions': actions,
+    })
+
+  token_data = {
+    'iss': 'token-issuer',
+    'aud': audience_param,
+    'nbf': int(time.time()),
+    'exp': int(time.time() + 60),
+    'sub': user.username,
+    'access': access,
+  }
+
+  with open('/Users/jake/Projects/registry-v2/ca/quay.host.crt') as cert_file:
+    certificate = ''.join(cert_file.readlines()[1:-1]).rstrip('\n')
+
+  token_headers = {
+    'x5c': [certificate],
+  }
+
+  with open('/Users/jake/Projects/registry-v2/ca/quay.host.key.insecure') as private_key_file:
+    private_key = private_key_file.read()
+
+  return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})