Fix Docker Auth and our V2 registry paths to support library (i.e. namespace-less) repositories.

This support is placed behind a feature flag.

app.py

@@ -50,15 +50,6 @@ DOCKER_V2_SIGNINGKEY_FILENAME = 'docker_v2.pem'
 app = Flask(__name__)
 logger = logging.getLogger(__name__)
 
-
-class RegexConverter(BaseConverter):
-  def __init__(self, url_map, *items):
-    super(RegexConverter, self).__init__(url_map)
-    self.regex = items[0]
-
-
-app.url_map.converters['regex'] = RegexConverter
-
 # Instantiate the configuration.
 is_testing = 'TEST' in os.environ
 is_kubernetes = 'KUBERNETES_SERVICE_HOST' in os.environ
@@ -126,6 +117,41 @@ if app.config['SECRET_KEY'] is None:
 
 features.import_features(app.config)
 
+# Register custom converters.
+class RegexConverter(BaseConverter):
+  """ Converter for handling custom regular expression patterns in paths. """
+  def __init__(self, url_map, *items):
+    super(RegexConverter, self).__init__(url_map)
+    self.regex = items[0]
+
+class RepositoryPathConverter(BaseConverter):
+  """ Converter for handling repository paths. Handles both library and non-library paths (if
+      configured).
+  """
+  def __init__(self, url_map, *items):
+    super(RepositoryPathConverter, self).__init__(url_map)
+    self.weight = 200
+
+    if features.LIBRARY_SUPPORT:
+      # Allow names without namespaces.
+      self.regex = r'[^/]+(/[^/]+)?'
+    else:
+      self.regex = r'([^/]+/[^/]+)'
+
+
+class APIRepositoryPathConverter(BaseConverter):
+  """ Converter for handling repository paths. Does not handle library paths.
+  """
+  def __init__(self, url_map, *items):
+    super(APIRepositoryPathConverter, self).__init__(url_map)
+    self.weight = 200
+    self.regex = r'([^/]+/[^/]+)'
+
+
+app.url_map.converters['regex'] = RegexConverter
+app.url_map.converters['repopath'] = RepositoryPathConverter
+app.url_map.converters['apirepopath'] = APIRepositoryPathConverter
+
 Principal(app, use_sessions=False)
 
 avatar = Avatar(app)

auth/registry_jwt_auth.py

@@ -207,8 +207,9 @@ def identity_from_bearer_token(bearer_token, max_signed_s, public_key):
       logger.exception('We should not be minting invalid credentials')
       raise InvalidJWTException('Token contained invalid or malformed access grants')
 
+    lib_namespace = app.config['LIBRARY_NAMESPACE']
     for grant in payload['access']:
-      namespace, repo_name = parse_namespace_repository(grant['name'])
+      namespace, repo_name = parse_namespace_repository(grant['name'], lib_namespace)
 
       if 'push' in grant['actions']:
         loaded_identity.provides.add(repository_write_grant(namespace, repo_name))

config.py

@@ -199,6 +199,16 @@ class DefaultConfig(object):
   # Feature Flag: Whether or not to rotate old action logs to storage.
   FEATURE_ACTION_LOG_ROTATION = False
 
+  # Feature Flag: Whether to allow for "namespace-less" repositories when pulling and pushing from
+  # Docker.
+  FEATURE_LIBRARY_SUPPORT = True
+
+  # The namespace to use for library repositories.
+  # Note: This must remain 'library' until Docker removes their hard-coded namespace for libraries.
+  # See: https://github.com/docker/docker/blob/master/registry/session.go#L320
+  LIBRARY_NAMESPACE = 'library'
+
+
   BUILD_MANAGER = ('enterprise', {})
 
   DISTRIBUTED_STORAGE_CONFIG = {

endpoints/api/__init__.py

@@ -227,7 +227,7 @@ def parse_args(func):
 def parse_repository_name(func):
   @wraps(func)
   def wrapper(repository, *args, **kwargs):
-    (namespace, repository) = parse_namespace_repository(repository)
+    (namespace, repository) = parse_namespace_repository(repository, app.config['LIBRARY_NAMESPACE'])
     return func(namespace, repository, *args, **kwargs)
   return wrapper
 

endpoints/api/build.py

@@ -145,7 +145,7 @@ def build_status_view(build_obj):
   return resp
 
 
-@resource('/v1/repository/<repopath:repository>/build/')
+@resource('/v1/repository/<apirepopath:repository>/build/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryBuildList(RepositoryParamResource):
   """ Resource related to creating and listing repository builds. """
@@ -288,7 +288,7 @@ class RepositoryBuildList(RepositoryParamResource):
 
 
 
-@resource('/v1/repository/<repopath:repository>/build/<build_uuid>')
+@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('build_uuid', 'The UUID of the build')
 class RepositoryBuildResource(RepositoryParamResource):
@@ -322,7 +322,7 @@ class RepositoryBuildResource(RepositoryParamResource):
       raise InvalidRequest('Build is currently running or has finished')
 
 
-@resource('/v1/repository/<repopath:repository>/build/<build_uuid>/status')
+@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>/status')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('build_uuid', 'The UUID of the build')
 class RepositoryBuildStatus(RepositoryParamResource):
@@ -339,7 +339,7 @@ class RepositoryBuildStatus(RepositoryParamResource):
     return build_status_view(build)
 
 
-@resource('/v1/repository/<repopath:repository>/build/<build_uuid>/logs')
+@resource('/v1/repository/<apirepopath:repository>/build/<build_uuid>/logs')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('build_uuid', 'The UUID of the build')
 class RepositoryBuildLogs(RepositoryParamResource):

endpoints/api/image.py

@@ -43,7 +43,7 @@ def historical_image_view(image, image_map):
   return normal_view
 
 
-@resource('/v1/repository/<repopath:repository>/image/')
+@resource('/v1/repository/<apirepopath:repository>/image/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryImageList(RepositoryParamResource):
   """ Resource for listing repository images. """
@@ -82,7 +82,7 @@ class RepositoryImageList(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/image/<image_id>')
+@resource('/v1/repository/<apirepopath:repository>/image/<image_id>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('image_id', 'The Docker image ID')
 class RepositoryImage(RepositoryParamResource):

endpoints/api/logs.py

@@ -106,7 +106,7 @@ def get_aggregate_logs(start_time, end_time, performer_name=None, repository=Non
   }
 
 
-@resource('/v1/repository/<repopath:repository>/logs')
+@resource('/v1/repository/<apirepopath:repository>/logs')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryLogs(RepositoryParamResource):
   """ Resource for fetching logs for the specific repository. """
@@ -175,7 +175,7 @@ class OrgLogs(ApiResource):
     raise Unauthorized()
 
 
-@resource('/v1/repository/<repopath:repository>/aggregatelogs')
+@resource('/v1/repository/<apirepopath:repository>/aggregatelogs')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryAggregateLogs(RepositoryParamResource):
   """ Resource for fetching aggregated logs for the specific repository. """

endpoints/api/permission.py

@@ -38,7 +38,7 @@ def wrap_role_view_team(role_json, team):
   return role_json
 
 
-@resource('/v1/repository/<repopath:repository>/permissions/team/')
+@resource('/v1/repository/<apirepopath:repository>/permissions/team/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryTeamPermissionList(RepositoryParamResource):
   """ Resource for repository team permissions. """
@@ -57,7 +57,7 @@ class RepositoryTeamPermissionList(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/permissions/user/')
+@resource('/v1/repository/<apirepopath:repository>/permissions/user/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryUserPermissionList(RepositoryParamResource):
   """ Resource for repository user permissions. """
@@ -97,7 +97,7 @@ class RepositoryUserPermissionList(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/permissions/user/<username>/transitive')
+@resource('/v1/repository/<apirepopath:repository>/permissions/user/<username>/transitive')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('username', 'The username of the user to which the permissions apply')
 class RepositoryUserTransitivePermission(RepositoryParamResource):
@@ -121,7 +121,7 @@ class RepositoryUserTransitivePermission(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/permissions/user/<username>')
+@resource('/v1/repository/<apirepopath:repository>/permissions/user/<username>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('username', 'The username of the user to which the permission applies')
 class RepositoryUserPermission(RepositoryParamResource):
@@ -215,7 +215,7 @@ class RepositoryUserPermission(RepositoryParamResource):
     return 'Deleted', 204
 
 
-@resource('/v1/repository/<repopath:repository>/permissions/team/<teamname>')
+@resource('/v1/repository/<apirepopath:repository>/permissions/team/<teamname>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('teamname', 'The name of the team to which the permission applies')
 class RepositoryTeamPermission(RepositoryParamResource):

endpoints/api/repoemail.py

@@ -30,7 +30,7 @@ def record_view(record):
 
 @internal_only
 @show_if(features.MAILING)
-@resource('/v1/repository/<repopath:repository>/authorizedemail/<email>')
+@resource('/v1/repository/<apirepopath:repository>/authorizedemail/<email>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('email', 'The e-mail address')
 class RepositoryAuthorizedEmail(RepositoryParamResource):

endpoints/api/repository.py

@@ -225,7 +225,7 @@ class RepositoryList(ApiResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>')
+@resource('/v1/repository/<apirepopath:repository>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class Repository(RepositoryParamResource):
   """Operations for managing a specific repository."""
@@ -339,7 +339,7 @@ class Repository(RepositoryParamResource):
     return 'Deleted', 204
 
 
-@resource('/v1/repository/<repopath:repository>/changevisibility')
+@resource('/v1/repository/<apirepopath:repository>/changevisibility')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryVisibility(RepositoryParamResource):
   """ Custom verb for changing the visibility of the repository. """

endpoints/api/repositorynotification.py

@@ -38,7 +38,7 @@ def notification_view(note):
   }
 
 
-@resource('/v1/repository/<repopath:repository>/notification/')
+@resource('/v1/repository/<apirepopath:repository>/notification/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryNotificationList(RepositoryParamResource):
   """ Resource for dealing with listing and creating notifications on a repository. """
@@ -116,7 +116,7 @@ class RepositoryNotificationList(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/notification/<uuid>')
+@resource('/v1/repository/<apirepopath:repository>/notification/<uuid>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('uuid', 'The UUID of the notification')
 class RepositoryNotification(RepositoryParamResource):
@@ -149,7 +149,7 @@ class RepositoryNotification(RepositoryParamResource):
     return 'No Content', 204
 
 
-@resource('/v1/repository/<repopath:repository>/notification/<uuid>/test')
+@resource('/v1/repository/<apirepopath:repository>/notification/<uuid>/test')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('uuid', 'The UUID of the notification')
 class TestRepositoryNotification(RepositoryParamResource):

endpoints/api/repotoken.py

@@ -20,7 +20,7 @@ def token_view(token_obj):
   }
 
 
-@resource('/v1/repository/<repopath:repository>/tokens/')
+@resource('/v1/repository/<apirepopath:repository>/tokens/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class RepositoryTokenList(RepositoryParamResource):
   """ Resource for creating and listing repository tokens. """
@@ -66,7 +66,7 @@ class RepositoryTokenList(RepositoryParamResource):
     return token_view(token), 201
 
 
-@resource('/v1/repository/<repopath:repository>/tokens/<code>')
+@resource('/v1/repository/<apirepopath:repository>/tokens/<code>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('code', 'The token code')
 class RepositoryToken(RepositoryParamResource):

endpoints/api/secscan.py

@@ -54,7 +54,7 @@ def _get_status(repo_image):
 
 
 @show_if(features.SECURITY_SCANNER)
-@resource('/v1/repository/<repopath:repository>/image/<imageid>/vulnerabilities')
+@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/vulnerabilities')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('imageid', 'The image ID')
 class RepositoryImageVulnerabilities(RepositoryParamResource):
@@ -89,7 +89,7 @@ class RepositoryImageVulnerabilities(RepositoryParamResource):
 
 
 @show_if(features.SECURITY_SCANNER)
-@resource('/v1/repository/<repopath:repository>/image/<imageid>/packages')
+@resource('/v1/repository/<apirepopath:repository>/image/<imageid>/packages')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('imageid', 'The image ID')
 class RepositoryImagePackages(RepositoryParamResource):

endpoints/api/tag.py

@@ -11,7 +11,7 @@ from auth.auth_context import get_authenticated_user
 from util.names import TAG_ERROR, TAG_REGEX
 
 
-@resource('/v1/repository/<repopath:repository>/tag/')
+@resource('/v1/repository/<apirepopath:repository>/tag/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class ListRepositoryTags(RepositoryParamResource):
   """ Resource for listing full repository tag history, alive *and dead*. """
@@ -60,7 +60,7 @@ class ListRepositoryTags(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/tag/<tag>')
+@resource('/v1/repository/<apirepopath:repository>/tag/<tag>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('tag', 'The name of the tag')
 class RepositoryTag(RepositoryParamResource):
@@ -128,7 +128,7 @@ class RepositoryTag(RepositoryParamResource):
     return 'Deleted', 204
 
 
-@resource('/v1/repository/<repopath:repository>/tag/<tag>/images')
+@resource('/v1/repository/<apirepopath:repository>/tag/<tag>/images')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('tag', 'The name of the tag')
 class RepositoryTagImages(RepositoryParamResource):
@@ -179,7 +179,7 @@ class RepositoryTagImages(RepositoryParamResource):
 
 
 
-@resource('/v1/repository/<repopath:repository>/tag/<tag>/revert')
+@resource('/v1/repository/<apirepopath:repository>/tag/<tag>/revert')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('tag', 'The name of the tag')
 class RevertTag(RepositoryParamResource):

endpoints/api/trigger.py

@@ -33,7 +33,7 @@ def _prepare_webhook_url(scheme, username, password, hostname, path):
   return urlunparse((scheme, auth_hostname, path, '', '', ''))
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/')
+@resource('/v1/repository/<apirepopath:repository>/trigger/')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class BuildTriggerList(RepositoryParamResource):
   """ Resource for listing repository build triggers. """
@@ -48,7 +48,7 @@ class BuildTriggerList(RepositoryParamResource):
     }
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 class BuildTrigger(RepositoryParamResource):
@@ -95,7 +95,7 @@ class BuildTrigger(RepositoryParamResource):
     return 'No Content', 204
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/subdir')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/subdir')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only
@@ -143,7 +143,7 @@ class BuildTriggerSubdirs(RepositoryParamResource):
       raise Unauthorized()
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/activate')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/activate')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 class BuildTriggerActivate(RepositoryParamResource):
@@ -245,7 +245,7 @@ class BuildTriggerActivate(RepositoryParamResource):
       raise Unauthorized()
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/analyze')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/analyze')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only
@@ -384,7 +384,7 @@ class BuildTriggerAnalyze(RepositoryParamResource):
     raise NotFound()
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/start')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/start')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 class ActivateBuildTrigger(RepositoryParamResource):
@@ -444,7 +444,7 @@ class ActivateBuildTrigger(RepositoryParamResource):
     return resp, 201, headers
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/builds')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/builds')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 class TriggerBuildList(RepositoryParamResource):
@@ -464,7 +464,7 @@ class TriggerBuildList(RepositoryParamResource):
 
 FIELD_VALUE_LIMIT = 30
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/fields/<field_name>')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/fields/<field_name>')
 @internal_only
 class BuildTriggerFieldValues(RepositoryParamResource):
   """ Custom verb to fetch a values list for a particular field name. """
@@ -493,7 +493,7 @@ class BuildTriggerFieldValues(RepositoryParamResource):
       raise Unauthorized()
 
 
-@resource('/v1/repository/<repopath:repository>/trigger/<trigger_uuid>/sources')
+@resource('/v1/repository/<apirepopath:repository>/trigger/<trigger_uuid>/sources')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 @path_param('trigger_uuid', 'The UUID of the build trigger')
 @internal_only

endpoints/api/user.py

@@ -876,7 +876,7 @@ class StarredRepositoryList(ApiResource):
       }, 201
 
 
-@resource('/v1/user/starred/<repopath:repository>')
+@resource('/v1/user/starred/<apirepopath:repository>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class StarredRepository(RepositoryParamResource):
   """ Operations for managing a specific starred repository. """

endpoints/bitbuckettrigger.py

@@ -8,7 +8,6 @@ from buildtrigger.bitbuckethandler import BitbucketBuildTrigger
 from endpoints.common import route_show_if
 from app import app
 from data import model
-from util.names import parse_repository_name
 from util.http import abort
 from auth.auth import require_session_login
 

endpoints/common.py

@@ -23,6 +23,7 @@ from functools import wraps
 from config import frontend_visible_config
 from external_libraries import get_external_javascript, get_external_css
 from util.secscan.api import PRIORITY_LEVELS
+from util.names import parse_namespace_repository
 
 import features
 
@@ -47,11 +48,24 @@ def get_cache_busters():
     return CACHE_BUSTERS
 
 
-class RepoPathConverter(BaseConverter):
-  regex = '[\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+'
-  weight = 200
+def parse_repository_name(f):
+  @wraps(f)
+  def wrapper(repository, *args, **kwargs):
+    lib_namespace = app.config['LIBRARY_NAMESPACE']
+    (namespace, repository) = parse_namespace_repository(repository, lib_namespace)
+    return f(namespace, repository, *args, **kwargs)
+  return wrapper
+
+
+def parse_repository_name_and_tag(f):
+  @wraps(f)
+  def wrapper(repository, *args, **kwargs):
+    lib_namespace = app.config['LIBRARY_NAMESPACE']
+    namespace, repository, tag = parse_namespace_repository(repository, lib_namespace,
+                                                            include_tag=True)
+    return f(namespace, repository, tag, *args, **kwargs)
+  return wrapper
 
-app.url_map.converters['repopath'] = RepoPathConverter
 
 def route_show_if(value):
   def decorator(f):

endpoints/githubtrigger.py

@@ -3,10 +3,9 @@ import logging
 from flask import request, redirect, url_for, Blueprint
 from flask.ext.login import current_user
 
-from endpoints.common import route_show_if
+from endpoints.common import route_show_if, parse_repository_name
 from app import app, github_trigger
 from data import model
-from util.names import parse_repository_name
 from util.http import abort
 from auth.permissions import AdministerRepositoryPermission
 from auth.auth import require_session_login
@@ -17,7 +16,7 @@ logger = logging.getLogger(__name__)
 client = app.config['HTTPCLIENT']
 githubtrigger = Blueprint('callback', __name__)
 
-@githubtrigger.route('/github/callback/trigger/<path:repository>', methods=['GET'])
+@githubtrigger.route('/github/callback/trigger/<repopath:repository>', methods=['GET'])
 @route_show_if(features.GITHUB_BUILD)
 @require_session_login
 @parse_repository_name

endpoints/oauthlogin.py

@@ -4,11 +4,10 @@ import requests
 from flask import request, redirect, url_for, Blueprint
 from flask.ext.login import current_user
 
-from endpoints.common import common_login, route_show_if
+from endpoints.common import common_login, route_show_if, parse_repository_name
 from endpoints.web import render_page_template_with_routedata
 from app import app, analytics, get_app_url, github_login, google_login, dex_login
 from data import model
-from util.names import parse_repository_name
 from util.validation import generate_valid_usernames
 from util.http import abort
 from auth.auth import require_session_login

endpoints/v1/index.py

@@ -9,12 +9,13 @@ from data import model
 from app import app, authentication, userevents, storage
 from auth.auth import process_auth, generate_signed_token
 from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
-from util.names import parse_repository_name, REPOSITORY_NAME_REGEX
+from util.names import REPOSITORY_NAME_REGEX
 from auth.permissions import (ModifyRepositoryPermission, UserAdminPermission,
                               ReadRepositoryPermission, CreateRepositoryPermission,
                               repository_read_grant, repository_write_grant)
 
 from util.http import abort
+from endpoints.common import parse_repository_name
 from endpoints.v1 import v1_bp
 from endpoints.trackhelper import track_and_log
 from endpoints.notificationhelper import spawn_notification
@@ -167,7 +168,7 @@ def update_user(username):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>', methods=['PUT'])
+@v1_bp.route('/repositories/<repopath:repository>', methods=['PUT'])
 @process_auth
 @parse_repository_name
 @generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201)
@@ -221,7 +222,7 @@ def create_repository(namespace, repository):
   return make_response('Created', 201)
 
 
-@v1_bp.route('/repositories/<path:repository>/images', methods=['PUT'])
+@v1_bp.route('/repositories/<repopath:repository>/images', methods=['PUT'])
 @process_auth
 @parse_repository_name
 @generate_headers(scope=GrantType.WRITE_REPOSITORY)
@@ -251,7 +252,7 @@ def update_images(namespace, repository):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>/images', methods=['GET'])
+@v1_bp.route('/repositories/<repopath:repository>/images', methods=['GET'])
 @process_auth
 @parse_repository_name
 @generate_headers(scope=GrantType.READ_REPOSITORY)
@@ -277,7 +278,7 @@ def get_repository_images(namespace, repository):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>/images', methods=['DELETE'])
+@v1_bp.route('/repositories/<repopath:repository>/images', methods=['DELETE'])
 @process_auth
 @parse_repository_name
 @generate_headers(scope=GrantType.WRITE_REPOSITORY)
@@ -286,7 +287,7 @@ def delete_repository_images(namespace, repository):
   abort(501, 'Not Implemented', issue='not-implemented')
 
 
-@v1_bp.route('/repositories/<path:repository>/auth', methods=['PUT'])
+@v1_bp.route('/repositories/<repopath:repository>/auth', methods=['PUT'])
 @parse_repository_name
 @anon_allowed
 def put_repository_auth(namespace, repository):

endpoints/v1/tag.py

@@ -5,11 +5,12 @@ import json
 from flask import abort, request, jsonify, make_response, session
 
 from app import app
-from util.names import TAG_ERROR, TAG_REGEX, parse_repository_name
+from util.names import TAG_ERROR, TAG_REGEX
 from auth.auth import process_auth
 from auth.permissions import (ReadRepositoryPermission,
                               ModifyRepositoryPermission)
 from data import model
+from endpoints.common import parse_repository_name
 from endpoints.decorators import anon_protect
 from endpoints.v1 import v1_bp
 from endpoints.trackhelper import track_and_log
@@ -18,7 +19,7 @@ from endpoints.trackhelper import track_and_log
 logger = logging.getLogger(__name__)
 
 
-@v1_bp.route('/repositories/<path:repository>/tags', methods=['GET'])
+@v1_bp.route('/repositories/<repopath:repository>/tags', methods=['GET'])
 @process_auth
 @anon_protect
 @parse_repository_name
@@ -33,7 +34,7 @@ def get_tags(namespace, repository):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>/tags/<tag>', methods=['GET'])
+@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['GET'])
 @process_auth
 @anon_protect
 @parse_repository_name
@@ -53,7 +54,7 @@ def get_tag(namespace, repository, tag):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>/tags/<tag>', methods=['PUT'])
+@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['PUT'])
 @process_auth
 @anon_protect
 @parse_repository_name
@@ -78,7 +79,7 @@ def put_tag(namespace, repository, tag):
   abort(403)
 
 
-@v1_bp.route('/repositories/<path:repository>/tags/<tag>', methods=['DELETE'])
+@v1_bp.route('/repositories/<repopath:repository>/tags/<tag>', methods=['DELETE'])
 @process_auth
 @anon_protect
 @parse_repository_name

endpoints/v2/blob.py

@@ -17,13 +17,14 @@ from util.cache import cache_control
 from util.registry.filelike import wrap_with_handler, StreamSlice
 from util.registry.gzipstream import calculate_size_handler
 from util.registry.torrent import PieceHasher
+from endpoints.common import parse_repository_name
 from storage.basestorage import InvalidChunkException
 
 
 logger = logging.getLogger(__name__)
 
 
-BASE_BLOB_ROUTE = '/<namespace>/<repo_name>/blobs/<regex("{0}"):digest>'
+BASE_BLOB_ROUTE = '/<repopath:repository>/blobs/<regex("{0}"):digest>'
 BLOB_DIGEST_ROUTE = BASE_BLOB_ROUTE.format(digest_tools.DIGEST_PATTERN)
 RANGE_HEADER_REGEX = re.compile(r'^bytes=([0-9]+)-([0-9]+)$')
 BLOB_CONTENT_TYPE = 'application/octet-stream'
@@ -57,6 +58,7 @@ def _base_blob_fetch(namespace, repo_name, digest):
 
 @v2_bp.route(BLOB_DIGEST_ROUTE, methods=['HEAD'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_read
 @anon_protect
 @cache_control(max_age=31436000)
@@ -72,6 +74,7 @@ def check_blob_exists(namespace, repo_name, digest):
 
 @v2_bp.route(BLOB_DIGEST_ROUTE, methods=['GET'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_read
 @anon_protect
 @cache_control(max_age=31536000)
@@ -103,8 +106,9 @@ def _render_range(num_uploaded_bytes, with_bytes_prefix=True):
   return '{0}0-{1}'.format('bytes=' if with_bytes_prefix else '', num_uploaded_bytes - 1)
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/uploads/', methods=['POST'])
+@v2_bp.route('/<repopath:repository>/blobs/uploads/', methods=['POST'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def start_blob_upload(namespace, repo_name):
@@ -121,8 +125,10 @@ def start_blob_upload(namespace, repo_name):
   if digest is None:
     # The user will send the blob data in another request
     accepted = make_response('', 202)
-    accepted.headers['Location'] = url_for('v2.upload_chunk', namespace=namespace,
-                                           repo_name=repo_name, upload_uuid=new_upload_uuid)
+    accepted.headers['Location'] = url_for('v2.upload_chunk',
+                                           repository='%s/%s' % (namespace, repo_name),
+                                           upload_uuid=new_upload_uuid)
+
     accepted.headers['Range'] = _render_range(0)
     accepted.headers['Docker-Upload-UUID'] = new_upload_uuid
     return accepted
@@ -136,8 +142,9 @@ def start_blob_upload(namespace, repo_name):
     return _finish_upload(namespace, repo_name, uploaded, digest)
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/uploads/<upload_uuid>', methods=['GET'])
+@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['GET'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def fetch_existing_upload(namespace, repo_name, upload_uuid):
@@ -311,13 +318,15 @@ def _finish_upload(namespace, repo_name, upload_obj, expected_digest):
 
   response = make_response('', 201)
   response.headers['Docker-Content-Digest'] = expected_digest
-  response.headers['Location'] = url_for('v2.download_blob', namespace=namespace,
-                                         repo_name=repo_name, digest=expected_digest)
+  response.headers['Location'] = url_for('v2.download_blob',
+                                         repository='%s/%s' % (namespace, repo_name),
+                                         digest=expected_digest)
   return response
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/uploads/<upload_uuid>', methods=['PATCH'])
+@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PATCH'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def upload_chunk(namespace, repo_name, upload_uuid):
@@ -334,8 +343,9 @@ def upload_chunk(namespace, repo_name, upload_uuid):
   return accepted
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/uploads/<upload_uuid>', methods=['PUT'])
+@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PUT'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def monolithic_upload_or_last_chunk(namespace, repo_name, upload_uuid):
@@ -352,8 +362,9 @@ def monolithic_upload_or_last_chunk(namespace, repo_name, upload_uuid):
   return _finish_upload(namespace, repo_name, found, digest)
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/uploads/<upload_uuid>', methods=['DELETE'])
+@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['DELETE'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def cancel_upload(namespace, repo_name, upload_uuid):
@@ -371,8 +382,9 @@ def cancel_upload(namespace, repo_name, upload_uuid):
 
 
 
-@v2_bp.route('/<namespace>/<repo_name>/blobs/<digest>', methods=['DELETE'])
+@v2_bp.route('/<repopath:repository>/blobs/<digest>', methods=['DELETE'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def delete_digest(namespace, repo_name, upload_uuid):

endpoints/v2/manifest.py

@@ -1,6 +1,7 @@
 import logging
 import jwt.utils
 import json
+import features
 
 from peewee import IntegrityError
 from flask import make_response, request, url_for
@@ -8,25 +9,25 @@ from collections import namedtuple, OrderedDict
 from jwkest.jws import SIGNER_ALGS, keyrep
 from datetime import datetime
 
-from app import docker_v2_signing_key
+from app import docker_v2_signing_key, app
 from auth.registry_jwt_auth import process_registry_jwt_auth
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
-from endpoints.v2.errors import (BlobUnknown, ManifestInvalid, ManifestUnverified,
-                                 ManifestUnknown, TagInvalid, NameInvalid)
+from endpoints.v2.errors import (BlobUnknown, ManifestInvalid, ManifestUnknown, TagInvalid,
+                                 NameInvalid)
 from endpoints.trackhelper import track_and_log
 from endpoints.notificationhelper import spawn_notification
 from digest import digest_tools
 from data import model
 from data.database import RepositoryTag
-
+from endpoints.common import parse_repository_name
 
 logger = logging.getLogger(__name__)
 
 
 VALID_TAG_PATTERN = r'[\w][\w.-]{0,127}'
 
-BASE_MANIFEST_ROUTE = '/<namespace>/<repo_name>/manifests/<regex("{0}"):manifest_ref>'
+BASE_MANIFEST_ROUTE = '/<repopath:repository>/manifests/<regex("{0}"):manifest_ref>'
 MANIFEST_DIGEST_ROUTE = BASE_MANIFEST_ROUTE.format(digest_tools.DIGEST_PATTERN)
 MANIFEST_TAGNAME_ROUTE = BASE_MANIFEST_ROUTE.format(VALID_TAG_PATTERN)
 
@@ -61,9 +62,17 @@ class SignedManifest(object):
 
     self._parsed = json.loads(manifest_bytes)
     self._signatures = self._parsed[_SIGNATURES_KEY]
-    self._namespace, self._repo_name = self._parsed[_REPO_NAME_KEY].split('/')
     self._tag = self._parsed[_REPO_TAG_KEY]
 
+    repo_name_tuple = self._parsed[_REPO_NAME_KEY].split('/')
+    if len(repo_name_tuple) > 1:
+      self._namespace, self._repo_name = repo_name_tuple
+    elif len(repo_name_tuple) == 1:
+      self._namespace = ''
+      self._repo_name = repo_name_tuple[0]
+    else:
+      raise ValueError('repo_name has too many or too few pieces')
+
     self._validate()
 
   def _validate(self):
@@ -144,9 +153,13 @@ class SignedManifestBuilder(object):
   """ Class which represents a manifest which is currently being built.
   """
   def __init__(self, namespace, repo_name, tag, architecture='amd64', schema_ver=1):
+    repo_name_key = '{0}/{1}'.format(namespace, repo_name)
+    if namespace == '':
+      repo_name_key = repo_name
+
     self._base_payload = {
       _REPO_TAG_KEY: tag,
-      _REPO_NAME_KEY: '{0}/{1}'.format(namespace, repo_name),
+      _REPO_NAME_KEY: repo_name_key,
       _ARCH_KEY: architecture,
       _SCHEMA_VER: schema_ver,
     }
@@ -213,6 +226,7 @@ class SignedManifestBuilder(object):
 
 @v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_read
 @anon_protect
 def fetch_manifest_by_tagname(namespace, repo_name, manifest_ref):
@@ -242,6 +256,7 @@ def fetch_manifest_by_tagname(namespace, repo_name, manifest_ref):
 
 @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_read
 @anon_protect
 def fetch_manifest_by_digest(namespace, repo_name, manifest_ref):
@@ -262,12 +277,13 @@ def fetch_manifest_by_digest(namespace, repo_name, manifest_ref):
 
 @v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def write_manifest_by_tagname(namespace, repo_name, manifest_ref):
   try:
     manifest = SignedManifest(request.data)
-  except ValueError:
+  except ValueError as ve:
     raise ManifestInvalid()
 
   if manifest.tag != manifest_ref:
@@ -278,6 +294,7 @@ def write_manifest_by_tagname(namespace, repo_name, manifest_ref):
 
 @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def write_manifest_by_digest(namespace, repo_name, manifest_ref):
@@ -293,8 +310,16 @@ def write_manifest_by_digest(namespace, repo_name, manifest_ref):
 
 
 def _write_manifest(namespace, repo_name, manifest):
-  # Ensure that the manifest is for this repository.
-  if manifest.namespace != namespace or manifest.repo_name != repo_name:
+  # Ensure that the manifest is for this repository. If the manifest's namespace is empty, then
+  # it is for the library namespace and we need an extra check.
+  if (manifest.namespace == '' and features.LIBRARY_SUPPORT and
+      namespace == app.config['LIBRARY_NAMESPACE']):
+    # This is a library manifest. All good.
+    pass
+  elif manifest.namespace != namespace:
+    raise NameInvalid()
+
+  if manifest.repo_name != repo_name:
     raise NameInvalid()
 
   # Ensure that the repository exists.
@@ -369,13 +394,15 @@ def _write_manifest(namespace, repo_name, manifest):
 
   response = make_response('OK', 202)
   response.headers['Docker-Content-Digest'] = manifest_digest
-  response.headers['Location'] = url_for('v2.fetch_manifest_by_digest', namespace=namespace,
-                                         repo_name=repo_name, manifest_ref=manifest_digest)
+  response.headers['Location'] = url_for('v2.fetch_manifest_by_digest',
+                                         repository='%s/%s' % (namespace, repo_name),
+                                         manifest_ref=manifest_digest)
   return response
 
 
 @v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_write
 @anon_protect
 def delete_manifest_by_digest(namespace, repo_name, manifest_ref):
@@ -406,8 +433,14 @@ def _generate_and_store_manifest(namespace, repo_name, tag_name):
   image = model.tag.get_tag_image(namespace, repo_name, tag_name)
   parents = model.image.get_parent_images(namespace, repo_name, image)
 
+  # If the manifest is being generated under the library namespace, then we make its namespace
+  # empty.
+  manifest_namespace = namespace
+  if features.LIBRARY_SUPPORT and namespace == app.config['LIBRARY_NAMESPACE']:
+    manifest_namespace = ''
+
   # Create and populate the manifest builder
-  builder = SignedManifestBuilder(namespace, repo_name, tag_name)
+  builder = SignedManifestBuilder(manifest_namespace, repo_name, tag_name)
 
   # Add the leaf layer
   builder.add_layer(image.storage.content_checksum, image.v1_json_metadata)

endpoints/v2/tag.py

@@ -6,9 +6,11 @@ from endpoints.v2.errors import NameUnknown
 from endpoints.v2.v2util import add_pagination
 from endpoints.decorators import anon_protect
 from data import model
+from endpoints.common import parse_repository_name
 
-@v2_bp.route('/<namespace>/<repo_name>/tags/list', methods=['GET'])
+@v2_bp.route('/<repopath:repository>/tags/list', methods=['GET'])
 @process_registry_jwt_auth
+@parse_repository_name
 @require_repo_read
 @anon_protect
 def list_all_tags(namespace, repo_name):
@@ -17,8 +19,7 @@ def list_all_tags(namespace, repo_name):
     raise NameUnknown()
 
   query = model.tag.list_repository_tags(namespace, repo_name)
-
-  url = url_for('v2.list_all_tags', namespace=namespace, repo_name=repo_name)
+  url = url_for('v2.list_all_tags', repository='%s/%s' % (namespace, repo_name))
   link, query = add_pagination(query, url)
 
   response = jsonify({

endpoints/v2/v2auth.py

@@ -23,7 +23,7 @@ logger = logging.getLogger(__name__)
 
 TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
 SCOPE_REGEX = re.compile(
-    r'^repository:([\.a-zA-Z0-9_\-]+/[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
+    r'^repository:(([\.a-zA-Z0-9_\-]+/)?[\.a-zA-Z0-9_\-]+):(((push|pull|\*),)*(push|pull|\*))$'
 )
 
 @lru_cache(maxsize=1)
@@ -74,9 +74,10 @@ def generate_registry_jwt():
     logger.debug('Match: %s', match.groups())
 
     namespace_and_repo = match.group(1)
-    actions = match.group(2).split(',')
+    actions = match.group(3).split(',')
 
-    namespace, reponame = parse_namespace_repository(namespace_and_repo)
+    lib_namespace = app.config['LIBRARY_NAMESPACE']
+    namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)
 
     # Ensure that we are never creating an invalid repository.
     if not REPOSITORY_NAME_REGEX.match(reponame):

endpoints/verbs.py

@@ -22,7 +22,7 @@ from formats.squashed import SquashedDockerImage
 from formats.aci import ACIImage
 from storage import Storage
 from endpoints.v2.blob import BLOB_DIGEST_ROUTE
-from endpoints.common import route_show_if
+from endpoints.common import route_show_if, parse_repository_name
 
 
 verbs = Blueprint('verbs', __name__)
@@ -376,6 +376,7 @@ def get_squashed_tag(namespace, repository, tag):
 @anon_protect
 @verbs.route('/torrent{0}'.format(BLOB_DIGEST_ROUTE), methods=['GET'])
 @process_auth
+@parse_repository_name
 def get_tag_torrent(namespace, repo_name, digest):
   permission = ReadRepositoryPermission(namespace, repo_name)
   public_repo = model.repository.repository_is_public(namespace, repo_name)

endpoints/web.py

@@ -25,14 +25,14 @@ from buildtrigger.triggerutil import TriggerProviderException
 from data import model
 from data.database import db
 from endpoints.api.discovery import swagger_route_data
-from endpoints.common import common_login, render_page_template, route_show_if, param_required
+from endpoints.common import (common_login, render_page_template, route_show_if, param_required,
+                              parse_repository_name, parse_repository_name_and_tag)
 from endpoints.csrf import csrf_protect, generate_csrf_token, verify_csrf
 from endpoints.decorators import anon_protect, anon_allowed
 from health.healthcheck import get_healthchecker
 from util.cache import no_cache, cache_control
 from util.headers import parse_basic_auth
 from util.invoice import renderInvoiceToPdf
-from util.names import parse_repository_name, parse_repository_name_and_tag
 from util.seo import render_snapshot
 from util.systemlogs import build_logs_archive
 from util.useremails import send_email_changed
@@ -409,7 +409,7 @@ def confirm_recovery():
     abort(403)
 
 
-@web.route('/repository/<path:repository>/status', methods=['GET'])
+@web.route('/repository/<repopath:repository>/status', methods=['GET'])
 @parse_repository_name
 @anon_protect
 def build_status_badge(namespace, repository):
@@ -597,7 +597,7 @@ def download_logs_archive():
   abort(403)
 
 
-@web.route('/bitbucket/setup/<path:repository>', methods=['GET'])
+@web.route('/bitbucket/setup/<repopath:repository>', methods=['GET'])
 @require_session_login
 @parse_repository_name
 @route_show_if(features.BITBUCKET_BUILD)
@@ -630,7 +630,7 @@ def attach_bitbucket_trigger(namespace, repository_name):
   abort(403)
 
 
-@web.route('/customtrigger/setup/<path:repository>', methods=['GET'])
+@web.route('/customtrigger/setup/<repopath:repository>', methods=['GET'])
 @require_session_login
 @parse_repository_name
 def attach_custom_build_trigger(namespace, repository_name):
@@ -653,7 +653,7 @@ def attach_custom_build_trigger(namespace, repository_name):
 
   abort(403)
 
-@web.route('/<path:repository>')
+@web.route('/<repopath:repository>')
 @no_cache
 @process_oauth
 @parse_repository_name_and_tag

endpoints/webhooks.py

@@ -67,7 +67,7 @@ def stripe_webhook():
   return make_response('Okay')
 
 
-@webhooks.route('/push/<path:repository>/trigger/<trigger_uuid>', methods=['POST'])
+@webhooks.route('/push/<repopath:repository>/trigger/<trigger_uuid>', methods=['POST'])
 @webhooks.route('/push/trigger/<trigger_uuid>', methods=['POST'], defaults={'repository': ''})
 @process_auth
 def build_trigger_webhook(trigger_uuid, **kwargs):

initdb.py

@@ -537,6 +537,9 @@ def populate_database(minimal=False):
   org.stripe_id = TEST_STRIPE_ID
   org.save()
 
+  liborg = model.organization.create_organization('library', 'quay+library@devtable.com', new_user_1)
+  liborg.save()
+
   model.user.create_robot('coolrobot', org)
 
   oauth_app_1 = model.oauth.create_application(org, 'Some Test App', 'http://localhost:8000',

test/registry_tests.py

@@ -138,7 +138,14 @@ _CLEAN_DATABASE_PATH = None
 _JWK = RSAKey(key=RSA.generate(2048))
 
 
-def get_full_contents(image_data):
+def _get_repo_name(namespace, name):
+  if namespace == '':
+    return name
+
+  return '%s/%s' % (namespace, name)
+
+
+def _get_full_contents(image_data):
   if 'chunks' in image_data:
     # Data is just for chunking; no need for a real TAR.
     return image_data['contents']
@@ -213,7 +220,8 @@ class RegistryTestCaseMixin(LiveServerTestCase):
     self.csrf_token = self.conduct('GET', '/__test/csrf').text
 
   def do_tag(self, namespace, repository, tag, image_id, expected_code=200):
-    self.conduct('PUT', '/v1/repositories/%s/%s/tags/%s' % (namespace, repository, tag),
+    repo_name = _get_repo_name(namespace, repository)
+    self.conduct('PUT', '/v1/repositories/%s/tags/%s' % (repo_name, tag),
                  data='"%s"' % image_id, expected_code=expected_code, auth='sig')
 
   def conduct_api_login(self, username, password):
@@ -221,8 +229,9 @@ class RegistryTestCaseMixin(LiveServerTestCase):
                  data=json.dumps(dict(username=username, password=password)),
                  headers={'Content-Type': 'application/json'})
 
-  def change_repo_visibility(self, repository, namespace, visibility):
-    self.conduct('POST', '/api/v1/repository/%s/%s/changevisibility' % (repository, namespace),
+  def change_repo_visibility(self, namespace, repository, visibility):
+    repo_name = _get_repo_name(namespace, repository)
+    self.conduct('POST', '/api/v1/repository/%s/changevisibility' % repo_name,
                  data=json.dumps(dict(visibility=visibility)),
                  headers={'Content-Type': 'application/json'})
 
@@ -284,12 +293,13 @@ class V1RegistryPushMixin(V1RegistryMixin):
   def do_push(self, namespace, repository, username, password, images=None, expected_code=201):
     images = images or self._get_default_images()
     auth = (username, password)
+    repo_name = _get_repo_name(namespace, repository)
 
     # Ping!
     self.v1_ping()
 
     # PUT /v1/repositories/{namespace}/{repository}/
-    self.conduct('PUT', '/v1/repositories/%s/%s' % (namespace, repository),
+    self.conduct('PUT', '/v1/repositories/%s' % repo_name,
                  data=json.dumps(images), auth=auth,
                  expected_code=expected_code)
 
@@ -310,7 +320,7 @@ class V1RegistryPushMixin(V1RegistryMixin):
                    data=json.dumps(image_json_data), auth='sig')
 
       # PUT /v1/images/{imageID}/layer
-      layer_bytes = get_full_contents(image_data)
+      layer_bytes = _get_full_contents(image_data)
       self.conduct('PUT', '/v1/images/%s/layer' % image_id,
                    data=StringIO(layer_bytes), auth='sig')
 
@@ -325,7 +335,7 @@ class V1RegistryPushMixin(V1RegistryMixin):
     self.do_tag(namespace, repository, 'latest', images[0]['id'])
 
     # PUT /v1/repositories/{namespace}/{repository}/images
-    self.conduct('PUT', '/v1/repositories/%s/%s/images' % (namespace, repository),
+    self.conduct('PUT', '/v1/repositories/%s/images' % repo_name,
                  expected_code=204,
                  auth='sig')
 
@@ -334,6 +344,7 @@ class V1RegistryPullMixin(V1RegistryMixin):
   def do_pull(self, namespace, repository, username=None, password='password', expected_code=200,
               images=None):
     images = images or self._get_default_images()
+    repo_name = _get_repo_name(namespace, repository)
 
     auth = None
     if username:
@@ -342,7 +353,7 @@ class V1RegistryPullMixin(V1RegistryMixin):
     # Ping!
     self.v1_ping()
 
-    prefix = '/v1/repositories/%s/%s/' % (namespace, repository)
+    prefix = '/v1/repositories/%s/' % repo_name
 
     # GET /v1/repositories/{namespace}/{repository}/
     self.conduct('GET', prefix + 'images', auth=auth, expected_code=expected_code)
@@ -417,9 +428,11 @@ class V2RegistryMixin(BaseRegistryMixin):
 
   def do_auth(self, username, password, namespace, repository, expected_code=200, scopes=[]):
     auth = (username, password)
+    repo_name = _get_repo_name(namespace, repository)
+
     params = {
       'account': username,
-      'scope': 'repository:%s/%s:%s' % (namespace, repository, ','.join(scopes)),
+      'scope': 'repository:%s:%s' % (repo_name, ','.join(scopes)),
       'service': app.config['SERVER_HOSTNAME'],
     }
 
@@ -439,6 +452,7 @@ class V2RegistryPushMixin(V2RegistryMixin):
               cancel=False, invalid=False, expected_manifest_code=202, expected_auth_code=200,
               scopes=None):
     images = images or self._get_default_images()
+    repo_name = _get_repo_name(namespace, repository)
 
     # Ping!
     self.v2_ping()
@@ -456,7 +470,7 @@ class V2RegistryPushMixin(V2RegistryMixin):
     full_contents = {}
 
     for image_data in images:
-      full_contents[image_data['id']] = get_full_contents(image_data)
+      full_contents[image_data['id']] = _get_full_contents(image_data)
 
       checksum = 'sha256:' + hashlib.sha256(full_contents[image_data['id']]).hexdigest()
       if invalid:
@@ -476,11 +490,11 @@ class V2RegistryPushMixin(V2RegistryMixin):
 
       # Layer data should not yet exist.
       checksum = 'sha256:' + hashlib.sha256(layer_bytes).hexdigest()
-      self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum),
+      self.conduct('HEAD', '/v2/%s/blobs/%s' % (repo_name, checksum),
                    expected_code=404, auth='jwt')
 
       # Start a new upload of the layer data.
-      response = self.conduct('POST', '/v2/%s/%s/blobs/uploads/' % (namespace, repository),
+      response = self.conduct('POST', '/v2/%s/blobs/uploads/' % repo_name,
                               expected_code=202, auth='jwt')
 
       upload_uuid = response.headers['Docker-Upload-UUID']
@@ -505,7 +519,7 @@ class V2RegistryPushMixin(V2RegistryMixin):
             return
 
           # Retrieve the upload status at each point.
-          status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid)
+          status_url = '/v2/%s/blobs/uploads/%s' % (repo_name, upload_uuid)
           response = self.conduct('GET', status_url, expected_code=204, auth='jwt',
                                   headers=dict(host=self.get_server_url()))
           self.assertEquals(response.headers['Docker-Upload-UUID'], upload_uuid)
@@ -516,7 +530,7 @@ class V2RegistryPushMixin(V2RegistryMixin):
                      auth='jwt')
 
         # Ensure the upload was canceled.
-        status_url = '/v2/%s/%s/blobs/uploads/%s' % (namespace, repository, upload_uuid)
+        status_url = '/v2/%s/blobs/uploads/%s' % (repo_name, upload_uuid)
         self.conduct('GET', status_url, expected_code=404, auth='jwt',
                      headers=dict(host=self.get_server_url()))
         return
@@ -529,14 +543,14 @@ class V2RegistryPushMixin(V2RegistryMixin):
       checksums[image_id] = checksum
 
       # Ensure the layer exists now.
-      response = self.conduct('HEAD', '/v2/%s/%s/blobs/%s' % (namespace, repository, checksum),
+      response = self.conduct('HEAD', '/v2/%s/blobs/%s' % (repo_name, checksum),
                               expected_code=200, auth='jwt')
       self.assertEquals(response.headers['Docker-Content-Digest'], checksum)
       self.assertEquals(response.headers['Content-Length'], str(len(layer_bytes)))
 
     # Write the manifest.
     put_code = 404 if invalid else expected_manifest_code
-    self.conduct('PUT', '/v2/%s/%s/manifests/%s' % (namespace, repository, tag_name),
+    self.conduct('PUT', '/v2/%s/manifests/%s' % (repo_name, tag_name),
                  data=manifest.bytes, expected_code=put_code,
                  headers={'Content-Type': 'application/json'}, auth='jwt')
 
@@ -547,6 +561,7 @@ class V2RegistryPullMixin(V2RegistryMixin):
   def do_pull(self, namespace, repository, username=None, password='password', expected_code=200,
               manifest_id=None, expected_manifest_code=200, images=None):
     images = images or self._get_default_images()
+    repo_name = _get_repo_name(namespace, repository)
 
     # Ping!
     self.v2_ping()
@@ -559,7 +574,7 @@ class V2RegistryPullMixin(V2RegistryMixin):
 
     # Retrieve the manifest for the tag or digest.
     manifest_id = manifest_id or 'latest'
-    response = self.conduct('GET', '/v2/%s/%s/manifests/%s' % (namespace, repository, manifest_id),
+    response = self.conduct('GET', '/v2/%s/manifests/%s' % (repo_name, manifest_id),
                             auth='jwt', expected_code=expected_manifest_code)
     if expected_manifest_code != 200:
       return
@@ -573,7 +588,7 @@ class V2RegistryPullMixin(V2RegistryMixin):
     blobs = {}
     for layer in manifest_data['fsLayers']:
       blob_id = layer['blobSum']
-      result = self.conduct('GET', '/v2/%s/%s/blobs/%s' % (namespace, repository, blob_id),
+      result = self.conduct('GET', '/v2/%s/blobs/%s' % (repo_name, blob_id),
                             expected_code=200, auth='jwt')
 
       blobs[blob_id] = result.content
@@ -863,6 +878,17 @@ class RegistryTestsMixin(object):
     self.do_pull('buynlarge', 'newrepo', 'devtable', 'password')
 
 
+  def test_library_repo(self):
+    self.do_push('', 'newrepo', 'devtable', 'password')
+    self.do_pull('', 'newrepo', 'devtable', 'password')
+    self.do_pull('library', 'newrepo', 'devtable', 'password')
+
+  def test_library_disabled(self):
+    with TestFeature(self, 'LIBRARY_SUPPORT', False):
+      self.do_push('library', 'newrepo', 'devtable', 'password')
+      self.do_pull('library', 'newrepo', 'devtable', 'password')
+
+
 class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMixin,
                       RegistryTestCaseMixin, LiveServerTestCase):
   """ Tests for V1 registry. """
@@ -872,7 +898,7 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix
       'id': 'onlyimagehere',
       'contents': 'somecontents',
     }]
-    self.do_push('public', 'newrepo/somesubrepo', 'public', 'password', images, expected_code=400)
+    self.do_push('public', 'newrepo/somesubrepo', 'public', 'password', images, expected_code=404)
 
   def test_push_unicode_metadata(self):
     self.conduct_api_login('devtable', 'password')
@@ -896,7 +922,7 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix
     self.do_push('public', 'newrepo', 'public', 'password', images)
     self.do_tag('public', 'newrepo', '1', image_id)
     self.do_tag('public', 'newrepo', 'x' * 128, image_id)
-    self.do_tag('public', 'newrepo', '', image_id, expected_code=400)
+    self.do_tag('public', 'newrepo', '', image_id, expected_code=404)
     self.do_tag('public', 'newrepo', 'x' * 129, image_id, expected_code=400)
     self.do_tag('public', 'newrepo', '.fail', image_id, expected_code=400)
     self.do_tag('public', 'newrepo', '-fail', image_id, expected_code=400)
@@ -1440,6 +1466,16 @@ class V2LoginTests(V2RegistryLoginMixin, LoginTests, RegistryTestCaseMixin, Base
   def test_nouser_push_publicrepo(self):
     self.do_login('', '', expected_code=401, scope='repository:public/publicrepo:push')
 
+  def test_library_invaliduser(self):
+    self.do_login('invaliduser', 'password', expected_code=401, scope='repository:librepo:pull,push')
+
+  def test_library_noaccess(self):
+    self.do_login('freshuser', 'password', expected_code=403, scope='repository:librepo:pull,push')
+
+  def test_library_access(self):
+    self.do_login('devtable', 'password', expect_success=200, scope='repository:librepo:pull,push')
+
+
 
 if __name__ == '__main__':
   unittest.main()

test/specs.py

@@ -276,8 +276,7 @@ class IndexV2TestSpec(object):
     return self
 
   def get_url(self):
-    namespace, repo_name = parse_namespace_repository(self.repo_name)
-    return url_for(self.index_name, namespace=namespace, repo_name=repo_name, **self.kwargs)
+    return url_for(self.index_name, repository=self.repo_name, **self.kwargs)
 
   def gen_basic_auth(self, username, password):
     encoded = b64encode('%s:%s' % (username, password))

test/test_api_usage.py

@@ -644,7 +644,7 @@ class TestConductSearch(ApiTestCase):
     json = self.getJsonResponse(ConductSearch,
                                 params=dict(query='owners'))
 
-    self.assertEquals(1, len(json['results']))
+    self.assertEquals(2, len(json['results']))
     self.assertEquals(json['results'][0]['kind'], 'team')
     self.assertEquals(json['results'][0]['name'], 'owners')
 

test/test_v1_endpoint_security.py

@@ -63,7 +63,7 @@ class _SpecTestBuilder(type):
 
         session_vars = []
         if test_spec.sess_repo:
-          ns, repo = parse_namespace_repository(test_spec.sess_repo)
+          ns, repo = parse_namespace_repository(test_spec.sess_repo, 'library')
           session_vars.append(('namespace', ns))
           session_vars.append(('repository', repo))
 

test/test_v2_endpoint_security.py

@@ -3,7 +3,6 @@ import endpoints.decorated
 import json
 
 from app import app
-from util.names import parse_namespace_repository
 from initdb import setup_database_for_testing, finished_database_for_testing
 from specs import build_v2_index_specs
 from endpoints.v2 import v2_bp

util/names.py

@@ -10,10 +10,11 @@ TAG_REGEX = re.compile(r'^[\w][\w\.-]{0,127}$')
 TAG_ERROR = ('Invalid tag: must match [A-Za-z0-9_.-], NOT start with "." or "-", '
              'and can contain 1-128 characters')
 
-def parse_namespace_repository(repository, include_tag=False):
+
+def parse_namespace_repository(repository, library_namespace, include_tag=False):
   parts = repository.rstrip('/').split('/', 1)
   if len(parts) < 2:
-    namespace = 'library'
+    namespace = library_namespace
     repository = parts[0]
   else:
     (namespace, repository) = parts
@@ -30,20 +31,6 @@ def parse_namespace_repository(repository, include_tag=False):
     return (namespace, repository, tag)
   return (namespace, repository)
 
-def parse_repository_name(f):
-  @wraps(f)
-  def wrapper(repository, *args, **kwargs):
-    (namespace, repository) = parse_namespace_repository(repository)
-    return f(namespace, repository, *args, **kwargs)
-  return wrapper
-
-def parse_repository_name_and_tag(f):
-  @wraps(f)
-  def wrapper(repository, *args, **kwargs):
-    namespace, repository, tag = parse_namespace_repository(repository, include_tag=True)
-    return f(namespace, repository, tag, *args, **kwargs)
-  return wrapper
-
 
 def format_robot_username(parent_username, robot_shortname):
   return '%s+%s' % (parent_username, robot_shortname)