Add signing to the ACI converter

2015-02-04 15:29:24 -05:00 · 2015-02-04 15:29:24 -05:00 · bfb0784abc
commit bfb0784abc
parent 81b5b8d1dc
14 changed files with 311 additions and 90 deletions
--- a/endpoints/verbs.py
+++ b/endpoints/verbs.py
@ -2,9 +2,9 @@ import logging
 import json
 import hashlib

-from flask import redirect, Blueprint, abort, send_file
+from flask import redirect, Blueprint, abort, send_file, make_response

-from app import app
+from app import app, signer
 from auth.auth import process_auth
 from auth.permissions import ReadRepositoryPermission
 from data import model
@ -53,6 +53,26 @@ def _open_stream(formatter, namespace, repository, tag, synthetic_image_id, imag
  return stream.read


+def _sign_sythentic_image(verb, linked_storage_uuid, queue_file):
+  signature = None
+  try:
+    signature = signer.detached_sign(queue_file)
+  except:
+    logger.exception('Exception when signing %s image %s', verb, linked_storage_uuid)
+    return
+
+  with database.UseThenDisconnect(app.config):
+    try:
+      derived = model.get_storage_by_uuid(linked_storage_uuid)
+    except model.InvalidImageException:
+      return
+
+    signature_entry = model.find_or_create_storage_signature(derived, signer.name)
+    signature_entry.signature = signature
+    signature_entry.uploading = False
+    signature_entry.save()
+
+
 def _write_synthetic_image_to_storage(verb, linked_storage_uuid, linked_locations, queue_file):
  store = Storage(app)

@ -76,101 +96,145 @@ def _write_synthetic_image_to_storage(verb, linked_storage_uuid, linked_location


 # pylint: disable=too-many-locals
-def _repo_verb(namespace, repository, tag, verb, formatter, checker=None, **kwargs):
+def _verify_repo_verb(store, namespace, repository, tag, verb, checker=None):
  permission = ReadRepositoryPermission(namespace, repository)
+
  # pylint: disable=no-member
-  if permission.can() or model.repository_is_public(namespace, repository):
-    # Lookup the requested tag.
-    try:
-      tag_image = model.get_tag_image(namespace, repository, tag)
-    except model.DataModelException:
+  if not permission.can() and not model.repository_is_public(namespace, repository):
+    abort(403)
+
+  # Lookup the requested tag.
+  try:
+    tag_image = model.get_tag_image(namespace, repository, tag)
+  except model.DataModelException:
+    abort(404)
+
+  # Lookup the tag's image and storage.
+  repo_image = model.get_repo_image_extended(namespace, repository, tag_image.docker_image_id)
+  if not repo_image:
+    abort(404)
+
+  # If there is a data checker, call it first.
+  uuid = repo_image.storage.uuid
+  image_json = None
+
+  if checker is not None:
+    image_json_data = store.get_content(repo_image.storage.locations, store.image_json_path(uuid))
+    image_json = json.loads(image_json_data)
+
+    if not checker(image_json):
+      logger.debug('Check mismatch on %s/%s:%s, verb %s', namespace, repository, tag, verb)
      abort(404)

-    # Lookup the tag's image and storage.
-    repo_image = model.get_repo_image_extended(namespace, repository, tag_image.docker_image_id)
-    if not repo_image:
-      abort(404)
+  return (repo_image, tag_image, image_json)

-    # If there is a data checker, call it first.
-    store = Storage(app)
-    uuid = repo_image.storage.uuid
-    image_json = None

-    if checker is not None:
-      image_json_data = store.get_content(repo_image.storage.locations, store.image_json_path(uuid))
-      image_json = json.loads(image_json_data)
+# pylint: disable=too-many-locals
+def _repo_verb_signature(namespace, repository, tag, verb, checker=None, **kwargs):
+  # Verify that the image exists and that we have access to it.
+  store = Storage(app)
+  result = _verify_repo_verb(store, namespace, repository, tag, verb, checker)
+  (repo_image, tag_image, image_json) = result

-      if not checker(image_json):
-        logger.debug('Check mismatch on %s/%s:%s, verb %s', namespace, repository, tag, verb)
-        abort(404)
+  # Lookup the derived image storage for the verb.
+  derived = model.find_derived_storage(repo_image.storage, verb)
+  if derived is None or derived.uploading:
+    abort(404)

-    # Log the action.
-    track_and_log('repo_verb', repo_image.repository, tag=tag, verb=verb, **kwargs)
+  # Check if we have a valid signer configured.
+  if not signer.name:
+    abort(404)

-    derived = model.find_or_create_derived_storage(repo_image.storage, verb,
-                                                   store.preferred_locations[0])
+  # Lookup the signature for the verb.
+  signature_entry = model.lookup_storage_signature(derived, signer.name)
+  if signature_entry is None:
+    abort(404)

-    if not derived.uploading:
-      logger.debug('Derived %s image %s exists in storage', verb, derived.uuid)
-      derived_layer_path = store.image_layer_path(derived.uuid)
-      download_url = store.get_direct_download_url(derived.locations, derived_layer_path)
-      if download_url:
-        logger.debug('Redirecting to download URL for derived %s image %s', verb, derived.uuid)
-        return redirect(download_url)
+  # Return the signature.
+  return make_response(signature_entry.signature)

-      # Close the database handle here for this process before we send the long download.
-      database.close_db_filter(None)

-      logger.debug('Sending cached derived %s image %s', verb, derived.uuid)
-      return send_file(store.stream_read_file(derived.locations, derived_layer_path))
+# pylint: disable=too-many-locals
+def _repo_verb(namespace, repository, tag, verb, formatter, sign=False, checker=None, **kwargs):
+  # Verify that the image exists and that we have access to it.
+  store = Storage(app)
+  result = _verify_repo_verb(store, namespace, repository, tag, verb, checker)
+  (repo_image, tag_image, image_json) = result

-    # Load the ancestry for the image.
-    logger.debug('Building and returning derived %s image %s', verb, derived.uuid)
-    ancestry_data = store.get_content(repo_image.storage.locations, store.image_ancestry_path(uuid))
-    full_image_list = json.loads(ancestry_data)
+  # Log the action.
+  track_and_log('repo_verb', repo_image.repository, tag=tag, verb=verb, **kwargs)

-    # Load the image's JSON layer.
-    if not image_json:
-      image_json_data = store.get_content(repo_image.storage.locations, store.image_json_path(uuid))
-      image_json = json.loads(image_json_data)
+  # Lookup/create the derived image storage for the verb.
+  derived = model.find_or_create_derived_storage(repo_image.storage, verb,
+                                                 store.preferred_locations[0])

-    # Calculate a synthetic image ID.
-    synthetic_image_id = hashlib.sha256(tag_image.docker_image_id + ':' + verb).hexdigest()
-
-    # Create a queue process to generate the data. The queue files will read from the process
-    # and send the results to the client and storage.
-    def _cleanup():
-      # Close any existing DB connection once the process has exited.
-      database.close_db_filter(None)
-
-    args = (formatter, namespace, repository, tag, synthetic_image_id, image_json, full_image_list)
-    queue_process = QueueProcess(_open_stream,
-                    8 * 1024, 10 * 1024 * 1024, # 8K/10M chunk/max
-                    args, finished=_cleanup)
-
-    client_queue_file = QueueFile(queue_process.create_queue(), 'client')
-    storage_queue_file = QueueFile(queue_process.create_queue(), 'storage')
-
-    # Start building.
-    queue_process.run()
-
-    # Start the storage saving.
-    storage_args = (verb, derived.uuid, derived.locations, storage_queue_file)
-    QueueProcess.run_process(_write_synthetic_image_to_storage, storage_args, finished=_cleanup)
+  if not derived.uploading:
+    logger.debug('Derived %s image %s exists in storage', verb, derived.uuid)
+    derived_layer_path = store.image_layer_path(derived.uuid)
+    download_url = store.get_direct_download_url(derived.locations, derived_layer_path)
+    if download_url:
+      logger.debug('Redirecting to download URL for derived %s image %s', verb, derived.uuid)
+      return redirect(download_url)

    # Close the database handle here for this process before we send the long download.
    database.close_db_filter(None)

-    # Return the client's data.
-    return send_file(client_queue_file)
+    logger.debug('Sending cached derived %s image %s', verb, derived.uuid)
+    return send_file(store.stream_read_file(derived.locations, derived_layer_path))

-  abort(403)
+  # Load the ancestry for the image.
+  uuid = repo_image.storage.uuid
+
+  logger.debug('Building and returning derived %s image %s', verb, derived.uuid)
+  ancestry_data = store.get_content(repo_image.storage.locations, store.image_ancestry_path(uuid))
+  full_image_list = json.loads(ancestry_data)
+
+  # Load the image's JSON layer.
+  if not image_json:
+    image_json_data = store.get_content(repo_image.storage.locations, store.image_json_path(uuid))
+    image_json = json.loads(image_json_data)
+
+  # Calculate a synthetic image ID.
+  synthetic_image_id = hashlib.sha256(tag_image.docker_image_id + ':' + verb).hexdigest()
+
+  def _cleanup():
+    # Close any existing DB connection once the process has exited.
+    database.close_db_filter(None)
+
+  # Create a queue process to generate the data. The queue files will read from the process
+  # and send the results to the client and storage.
+  args = (formatter, namespace, repository, tag, synthetic_image_id, image_json, full_image_list)
+  queue_process = QueueProcess(_open_stream,
+                  8 * 1024, 10 * 1024 * 1024, # 8K/10M chunk/max
+                  args, finished=_cleanup)
+
+  client_queue_file = QueueFile(queue_process.create_queue(), 'client')
+  storage_queue_file = QueueFile(queue_process.create_queue(), 'storage')
+
+  # If signing is required, add a QueueFile for signing the image as we stream it out.
+  signing_queue_file = None
+  if sign and signer.name:
+    signing_queue_file = QueueFile(queue_process.create_queue(), 'signing')
+
+  # Start building.
+  queue_process.run()
+
+  # Start the storage saving.
+  storage_args = (verb, derived.uuid, derived.locations, storage_queue_file)
+  QueueProcess.run_process(_write_synthetic_image_to_storage, storage_args, finished=_cleanup)
+
+  if sign and signer.name:
+    signing_args = (verb, derived.uuid, signing_queue_file)
+    QueueProcess.run_process(_sign_sythentic_image, signing_args, finished=_cleanup)
+
+  # Close the database handle here for this process before we send the long download.
+  database.close_db_filter(None)
+
+  # Return the client's data.
+  return send_file(client_queue_file)


-@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/aci/<os>/<arch>/', methods=['GET'])
-@process_auth
-# pylint: disable=unused-argument
-def get_aci_image(server, namespace, repository, tag, os, arch):
+def os_arch_checker(os, arch):
  def checker(image_json):
    # Verify the architecture and os.
    operating_system = image_json.get('os', 'linux')
@ -183,8 +247,23 @@ def get_aci_image(server, namespace, repository, tag, os, arch):

    return True

+  return checker
+
+
+@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/sig/<os>/<arch>/', methods=['GET'])
+@process_auth
+# pylint: disable=unused-argument
+def get_aci_signature(server, namespace, repository, tag, os, arch):
+  return _repo_verb_signature(namespace, repository, tag, 'aci', checker=os_arch_checker(os, arch),
+                              os=os, arch=arch)
+
+
+@verbs.route('/aci/<server>/<namespace>/<repository>/<tag>/aci/<os>/<arch>/', methods=['GET'])
+@process_auth
+# pylint: disable=unused-argument
+def get_aci_image(server, namespace, repository, tag, os, arch):
  return _repo_verb(namespace, repository, tag, 'aci', ACIImage(),
-                    checker=checker, os=os, arch=arch)
+                    sign=True, checker=os_arch_checker(os, arch), os=os, arch=arch)


@verbs.route('/squash/<namespace>/<repository>/<tag>', methods=['GET'])