Handle empty scopes and always send the WWW-Authenticate header, as per spec
Fixes #1045
This commit is contained in:
Joseph Schorr
parent
c8f43ed08e
commit
ca7d36bf14
10 changed files with 47 additions and 41 deletions
|
|
@ -9,16 +9,13 @@ import features
|
|||
from app import metric_queue
|
||||
from endpoints.decorators import anon_protect, anon_allowed
|
||||
from endpoints.v2.errors import V2RegistryException
|
||||
from auth.jwt_auth import process_jwt_auth
|
||||
from auth.auth_context import get_grant_context
|
||||
from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
|
||||
AdministerRepositoryPermission)
|
||||
from data import model
|
||||
from util.http import abort
|
||||
from util.saas.metricqueue import time_blueprint
|
||||
from util import get_app_url
|
||||
from app import app
|
||||
|
||||
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
v2_bp = Blueprint('v2', __name__)
|
||||
|
|
@ -75,21 +72,15 @@ def route_show_if(value):
|
|||
|
||||
@v2_bp.route('/')
|
||||
@route_show_if(features.ADVERTISE_V2)
|
||||
@process_jwt_auth
|
||||
@process_registry_jwt_auth
|
||||
@anon_allowed
|
||||
def v2_support_enabled():
|
||||
response = make_response('true', 200)
|
||||
|
||||
if get_grant_context() is None:
|
||||
response = make_response('true', 401)
|
||||
realm_auth_path = url_for('v2.generate_registry_jwt')
|
||||
|
||||
authenticate = 'Bearer realm="{0}{1}",service="{2}"'.format(get_app_url(app.config),
|
||||
realm_auth_path,
|
||||
app.config['SERVER_HOSTNAME'])
|
||||
response.headers['WWW-Authenticate'] = authenticate
|
||||
|
||||
response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
|
||||
response.headers.extend(get_auth_headers())
|
||||
return response
|
||||
|
||||
|
||||
|
|
|
|||
Reference in a new issue