Address remaining usage of the old data interface
This commit is contained in:
Joseph Schorr
parent
3a8a913ad3
commit
cbf0edb164
3 changed files with 31 additions and 21 deletions
|
|
@ -47,6 +47,15 @@ class RepositoryReference(datatype('Repository', [])):
|
|||
|
||||
return model.repository.is_repository_public(self._repository_obj)
|
||||
|
||||
@property
|
||||
def trust_enabled(self):
|
||||
""" Returns whether trust is enabled in this repository. """
|
||||
repository = self._repository_obj
|
||||
if repository is None:
|
||||
return None
|
||||
|
||||
return repository.trust_enabled
|
||||
|
||||
@property
|
||||
def id(self):
|
||||
""" Returns the database ID of the repository. """
|
||||
|
|
|
|||
|
|
@ -15,9 +15,9 @@ from auth.auth_context import get_authenticated_context
|
|||
from auth.permissions import (
|
||||
ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission)
|
||||
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
|
||||
from data.registry_model import registry_model
|
||||
from endpoints.decorators import anon_protect, anon_allowed, route_show_if
|
||||
from endpoints.v2.errors import V2RegistryException, Unauthorized, Unsupported, NameUnknown
|
||||
from endpoints.v2.models_pre_oci import data_model as model
|
||||
from util.http import abort
|
||||
from util.metrics.metricqueue import time_blueprint
|
||||
from util.registry.dockerver import docker_version
|
||||
|
|
@ -98,15 +98,15 @@ def _require_repo_permission(permission_class, scopes=None, allow_public=False):
|
|||
|
||||
repository = namespace_name + '/' + repo_name
|
||||
if allow_public:
|
||||
repo = model.get_repository(namespace_name, repo_name)
|
||||
if repo is None or not repo.is_public:
|
||||
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
|
||||
if repository_ref is None or not repository_ref.is_public:
|
||||
raise Unauthorized(repository=repository, scopes=scopes)
|
||||
|
||||
if repo.kind != 'image':
|
||||
msg = 'This repository is for managing %s resources and not container images.' % repo.kind
|
||||
if repository_ref.kind != 'image':
|
||||
msg = 'This repository is for managing %s and not container images.' % repository_ref.kind
|
||||
raise Unsupported(detail=msg)
|
||||
|
||||
if repo.is_public:
|
||||
if repository_ref.is_public:
|
||||
return func(namespace_name, repo_name, *args, **kwargs)
|
||||
|
||||
raise Unauthorized(repository=repository, scopes=scopes)
|
||||
|
|
|
|||
|
|
@ -11,11 +11,12 @@ from auth.auth_context import get_authenticated_context, get_authenticated_user
|
|||
from auth.decorators import process_basic_auth
|
||||
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
|
||||
CreateRepositoryPermission, AdministerRepositoryPermission)
|
||||
from data import model
|
||||
from data.registry_model import registry_model
|
||||
from endpoints.decorators import anon_protect
|
||||
from endpoints.v2 import v2_bp
|
||||
from endpoints.v2.errors import (InvalidLogin, NameInvalid, InvalidRequest, Unsupported,
|
||||
Unauthorized, NamespaceDisabled)
|
||||
from endpoints.v2.models_pre_oci import data_model as model
|
||||
from util.cache import no_cache
|
||||
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
|
||||
from util.security.registry_jwt import (generate_bearer_token, build_context_and_subject,
|
||||
|
|
@ -117,11 +118,11 @@ def _get_scope_regex():
|
|||
return re.compile(scope_regex_string)
|
||||
|
||||
|
||||
def _get_tuf_root(repo, namespace, reponame):
|
||||
if not features.SIGNING or repo is None or not repo.trust_enabled:
|
||||
def _get_tuf_root(repository_ref, namespace, reponame):
|
||||
if not features.SIGNING or repository_ref is None or not repository_ref.trust_enabled:
|
||||
return DISABLED_TUF_ROOT
|
||||
|
||||
# Users with write access to a repo will see signer-rooted TUF metadata
|
||||
# Users with write access to a repository will see signer-rooted TUF metadata
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
return SIGNER_TUF_ROOT
|
||||
return QUAY_TUF_ROOT
|
||||
|
|
@ -162,18 +163,18 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)
|
||||
|
||||
# Ensure the namespace is enabled.
|
||||
if not model.is_namespace_enabled(namespace):
|
||||
if not registry_model.is_namespace_enabled(namespace):
|
||||
msg = 'Namespace %s has been disabled. Please contact a system administrator.' % namespace
|
||||
raise NamespaceDisabled(message=msg)
|
||||
|
||||
final_actions = []
|
||||
|
||||
repo = model.get_repository(namespace, reponame)
|
||||
repo_is_public = repo is not None and repo.is_public
|
||||
repository_ref = registry_model.lookup_repository(namespace, reponame)
|
||||
repo_is_public = repository_ref is not None and repository_ref.is_public
|
||||
invalid_repo_message = ''
|
||||
if repo is not None and repo.kind != 'image':
|
||||
if repository_ref is not None and repository_ref.kind != 'image':
|
||||
invalid_repo_message = ((
|
||||
'This repository is for managing %s resources ' + 'and not container images.') % repo.kind)
|
||||
'This repository is for managing %s ' + 'and not container images.') % repository_ref.kind)
|
||||
|
||||
if 'push' in actions:
|
||||
# Check if there is a valid user or token, as otherwise the repository cannot be
|
||||
|
|
@ -181,9 +182,9 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
if has_valid_auth_context:
|
||||
# Lookup the repository. If it exists, make sure the entity has modify
|
||||
# permission. Otherwise, make sure the entity has create permission.
|
||||
if repo:
|
||||
if repository_ref:
|
||||
if ModifyRepositoryPermission(namespace, reponame).can():
|
||||
if repo.kind != 'image':
|
||||
if repository_ref.kind != 'image':
|
||||
raise Unsupported(message=invalid_repo_message)
|
||||
|
||||
final_actions.append('push')
|
||||
|
|
@ -193,7 +194,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
user = get_authenticated_user()
|
||||
if CreateRepositoryPermission(namespace).can() and user is not None:
|
||||
logger.debug('Creating repository: %s/%s', namespace, reponame)
|
||||
model.create_repository(namespace, reponame, user)
|
||||
model.repository.create_repository(namespace, reponame, user)
|
||||
final_actions.append('push')
|
||||
else:
|
||||
logger.debug('No permission to create repository %s/%s', namespace, reponame)
|
||||
|
|
@ -201,7 +202,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
if 'pull' in actions:
|
||||
# Grant pull if the user can read the repo or it is public.
|
||||
if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public:
|
||||
if repo is not None and repo.kind != 'image':
|
||||
if repository_ref is not None and repository_ref.kind != 'image':
|
||||
raise Unsupported(message=invalid_repo_message)
|
||||
|
||||
final_actions.append('pull')
|
||||
|
|
@ -211,7 +212,7 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
if '*' in actions:
|
||||
# Grant * user is admin
|
||||
if AdministerRepositoryPermission(namespace, reponame).can():
|
||||
if repo is not None and repo.kind != 'image':
|
||||
if repository_ref is not None and repository_ref.kind != 'image':
|
||||
raise Unsupported(message=invalid_repo_message)
|
||||
|
||||
final_actions.append('*')
|
||||
|
|
@ -220,4 +221,4 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
|
|||
|
||||
return scopeResult(actions=final_actions, namespace=namespace, repository=reponame,
|
||||
registry_and_repo=registry_and_repo,
|
||||
tuf_root=_get_tuf_root(repo, namespace, reponame))
|
||||
tuf_root=_get_tuf_root(repository_ref, namespace, reponame))
|
||||
|
|
|
|||
Reference in a new issue