Add feature flag to force all direct download URLs to be proxied
Fixes #1667
parent
2b00c644b5
commit
dd2e086a20
12 changed files with 350 additions and 34 deletions
|
@ -11,7 +11,7 @@ from .auth_context import set_grant_context, get_grant_context
|
|||
from .permissions import repository_read_grant, repository_write_grant
|
||||
from util.names import parse_namespace_repository
|
||||
from util.http import abort
|
||||
from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_token,
|
||||
from util.security.registry_jwt import (ANONYMOUS_SUB, decode_bearer_header,
|
||||
InvalidBearerTokenException)
|
||||
from data import model
|
||||
|
||||
|
@ -136,15 +136,15 @@ def get_auth_headers(repository=None, scopes=None):
|
|||
return headers
|
||||
|
||||
|
||||
def identity_from_bearer_token(bearer_token):
|
||||
""" Process a bearer token and return the loaded identity, or raise InvalidJWTException if an
|
||||
def identity_from_bearer_token(bearer_header):
|
||||
""" Process a bearer header and return the loaded identity, or raise InvalidJWTException if an
|
||||
identity could not be loaded. Expects tokens and grants in the format of the Docker registry
|
||||
v2 auth spec: https://docs.docker.com/registry/spec/auth/token/
|
||||
"""
|
||||
logger.debug('Validating auth header: %s', bearer_token)
|
||||
logger.debug('Validating auth header: %s', bearer_header)
|
||||
|
||||
try:
|
||||
payload = decode_bearer_token(bearer_token, instance_keys)
|
||||
payload = decode_bearer_header(bearer_header, instance_keys)
|
||||
except InvalidBearerTokenException as bte:
|
||||
logger.exception('Invalid bearer token: %s', bte)
|
||||
raise InvalidJWTException(bte)
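Review bot: The debug call kept in identity_from_bearer_token, `logger.debug('Validating auth header: %s', bearer_header)`, writes the entire Authorization header value to the log, and with it the signed bearer JWT. Anyone with read access to debug logs or a log aggregation pipeline gets a credential that stays usable until it expires, so the line should not carry the header itself: `logger.debug('Validating bearer auth header')`. If some correlation is needed for troubleshooting, log a non-secret claim from `payload` after `decode_bearer_header` succeeds rather than the raw header. It is also worth confirming that the `InvalidBearerTokenException` message passed to `logger.exception` does not echo the token text. The function body appears to continue past the end of this hunk.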
|
||||
|
|