Start of a v2 API.

2015-06-22 17:37:13 -04:00 · 2015-06-22 17:37:13 -04:00 · acbcc2e206
commit acbcc2e206
parent 3bfa2a6509
16 changed files with 508 additions and 55 deletions
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -0,0 +1,94 @@
+import logging
+import re
+import time
+import jwt
+
+from flask import request, jsonify, abort
+
+from data import model
+from auth.auth import process_auth
+from auth.auth_context import get_authenticated_user
+from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
+                              CreateRepositoryPermission)
+from endpoints.v2 import v2_bp
+from util.cache import no_cache
+from util.names import parse_namespace_repository
+
+
+logger = logging.getLogger(__name__)
+
+
+SCOPE_REGEX = re.compile(
+    r'repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))'
+)
+
+
+@v2_bp.route('/auth')
+@process_auth
+@no_cache
+def generate_registry_jwt():
+  audience_param = request.args.get('service')
+  logger.debug('Request audience: %s', audience_param)
+
+  scope_param = request.args.get('scope')
+  logger.debug('Scope request: %s', scope_param)
+
+  user = get_authenticated_user()
+
+  access = []
+  if scope_param is not None:
+    match = SCOPE_REGEX.match(scope_param)
+    if match is None or match.end() != len(scope_param):
+      logger.debug('Match: %s', match)
+      logger.debug('End: %s', match.end())
+      logger.debug('len: %s', len(scope_param))
+      logger.warning('Unable to decode repository and actions: %s', scope_param)
+      abort(400)
+
+    logger.debug('Match: %s', match.groups())
+
+    namespace_and_repo = match.group(1)
+    actions = match.group(2).split(',')
+
+    namespace, reponame = parse_namespace_repository(namespace_and_repo)
+    if 'pull' in actions and 'push' in actions:
+      repo = model.get_repository(namespace, reponame)
+      if repo:
+        if not ModifyRepositoryPermission(namespace, reponame):
+          abort(403)
+      else:
+        if not CreateRepositoryPermission(namespace):
+          abort(403)
+        logger.debug('Creating repository: %s/%s', namespace, reponame)
+        model.create_repository(namespace, reponame, user)
+    elif 'pull' in actions:
+      if not ReadRepositoryPermission(namespace, reponame):
+        abort(403)
+
+
+    access.append({
+      'type': 'repository',
+      'name': namespace_and_repo,
+      'actions': actions,
+    })
+
+  token_data = {
+    'iss': 'token-issuer',
+    'aud': audience_param,
+    'nbf': int(time.time()),
+    'exp': int(time.time() + 60),
+    'sub': user.username,
+    'access': access,
+  }
+
+  with open('/Users/jake/Projects/registry-v2/ca/quay.host.crt') as cert_file:
+    certificate = ''.join(cert_file.readlines()[1:-1]).rstrip('\n')
+
+  token_headers = {
+    'x5c': [certificate],
+  }
+
+  with open('/Users/jake/Projects/registry-v2/ca/quay.host.key.insecure') as private_key_file:
+    private_key = private_key_file.read()
+
+  return jsonify({'token':jwt.encode(token_data, private_key, 'RS256', headers=token_headers)})