Jimmy Zelinskie
parent
bb46cc933d
commit
ea2e17cc11
9 changed files with 91 additions and 71 deletions
|
|
@ -5,25 +5,23 @@ import datetime
|
|||
import os
|
||||
import re
|
||||
|
||||
# Register the various exceptions via decorators.
|
||||
import endpoints.decorated
|
||||
from random import SystemRandom
|
||||
from functools import wraps
|
||||
|
||||
from cachetools import lru_cache
|
||||
from flask import make_response, render_template, request, abort, session
|
||||
from flask.ext.login import login_user
|
||||
from flask.ext.principal import identity_changed
|
||||
from random import SystemRandom
|
||||
from cachetools import lru_cache
|
||||
|
||||
from app import app, oauth_apps, LoginWrappedDBUser
|
||||
|
||||
from auth.permissions import QuayDeferredPermissionUser
|
||||
from auth import scopes
|
||||
from functools import wraps
|
||||
from config import frontend_visible_config
|
||||
from external_libraries import get_external_javascript, get_external_css
|
||||
from util.secscan import PRIORITY_LEVELS
|
||||
from util.names import parse_namespace_repository
|
||||
|
||||
import endpoints.decorated # Register the various exceptions via decorators.
|
||||
import features
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
|
@ -55,21 +53,19 @@ def parse_repository_name(include_tag=False,
|
|||
def inner(func):
|
||||
@wraps(func)
|
||||
def wrapper(*args, **kwargs):
|
||||
parsed_stuff = parse_namespace_repository(kwargs[incoming_repo_kwarg],
|
||||
app.config['LIBRARY_NAMESPACE'],
|
||||
include_tag=include_tag)
|
||||
repo_name_components = parse_namespace_repository(kwargs[incoming_repo_kwarg],
|
||||
app.config['LIBRARY_NAMESPACE'],
|
||||
include_tag=include_tag)
|
||||
del kwargs[incoming_repo_kwarg]
|
||||
kwargs[ns_kwarg_name] = parsed_stuff[0]
|
||||
kwargs[repo_kwarg_name] = parsed_stuff[1]
|
||||
kwargs[ns_kwarg_name] = repo_name_components[0]
|
||||
kwargs[repo_kwarg_name] = repo_name_components[1]
|
||||
if include_tag:
|
||||
kwargs[tag_kwarg_name] = parsed_stuff[2]
|
||||
kwargs[tag_kwarg_name] = repo_name_components[2]
|
||||
return func(*args, **kwargs)
|
||||
return wrapper
|
||||
return inner
|
||||
|
||||
|
||||
# TODO get rid of all calls to this parse_repository_name_and_tag
|
||||
|
||||
def route_show_if(value):
|
||||
def decorator(f):
|
||||
@wraps(f)
|
||||
|
|
|
|||
|
|
@ -1,24 +1,24 @@
|
|||
import logging
|
||||
|
||||
from flask import Blueprint, make_response, url_for, request, jsonify
|
||||
from functools import wraps
|
||||
from urlparse import urlparse
|
||||
|
||||
from flask import Blueprint, make_response, url_for, request, jsonify
|
||||
from semantic_version import Spec
|
||||
|
||||
import features
|
||||
|
||||
from app import metric_queue
|
||||
from endpoints.decorators import anon_protect, anon_allowed
|
||||
from endpoints.v2.errors import V2RegistryException, Unauthorized
|
||||
from app import app, metric_queue
|
||||
from auth.auth_context import get_grant_context
|
||||
from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
|
||||
AdministerRepositoryPermission)
|
||||
from data import model
|
||||
from app import app
|
||||
from util.http import abort
|
||||
from util.saas.metricqueue import time_blueprint
|
||||
from util.registry.dockerver import docker_version
|
||||
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
|
||||
from data import model
|
||||
from endpoints.decorators import anon_protect, anon_allowed
|
||||
from endpoints.v2.errors import V2RegistryException, Unauthorized
|
||||
from util.http import abort
|
||||
from util.registry.dockerver import docker_version
|
||||
from util.saas.metricqueue import time_blueprint
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
v2_bp = Blueprint('v2', __name__)
|
||||
|
|
@ -33,12 +33,12 @@ def handle_registry_v2_exception(error):
|
|||
|
||||
response.status_code = error.http_status_code
|
||||
if response.status_code == 401:
|
||||
response.headers.extend(get_auth_headers())
|
||||
response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
|
||||
logger.debug('sending response: %s', response.get_data())
|
||||
return response
|
||||
|
||||
|
||||
def _require_repo_permission(permission_class, allow_public=False):
|
||||
def _require_repo_permission(permission_class, scopes=None, allow_public=False):
|
||||
def wrapper(func):
|
||||
@wraps(func)
|
||||
def wrapped(namespace_name, repo_name, *args, **kwargs):
|
||||
|
|
@ -49,14 +49,19 @@ def _require_repo_permission(permission_class, allow_public=False):
|
|||
(allow_public and
|
||||
model.repository.repository_is_public(namespace_name, repo_name))):
|
||||
return func(namespace_name, repo_name, *args, **kwargs)
|
||||
raise Unauthorized()
|
||||
repository = namespace_name + '/' + repo_name
|
||||
raise Unauthorized(repository=repository, scopes=scopes)
|
||||
return wrapped
|
||||
return wrapper
|
||||
|
||||
|
||||
require_repo_read = _require_repo_permission(ReadRepositoryPermission, True)
|
||||
require_repo_write = _require_repo_permission(ModifyRepositoryPermission)
|
||||
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission)
|
||||
require_repo_read = _require_repo_permission(ReadRepositoryPermission,
|
||||
scopes=['pull'],
|
||||
allow_public=True)
|
||||
require_repo_write = _require_repo_permission(ModifyRepositoryPermission,
|
||||
scopes=['pull', 'push'])
|
||||
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission,
|
||||
scopes=['pull', 'push'])
|
||||
|
||||
|
||||
def get_input_stream(flask_request):
|
||||
|
|
@ -79,7 +84,7 @@ def route_show_if(value):
|
|||
|
||||
@v2_bp.route('/')
|
||||
@route_show_if(features.ADVERTISE_V2)
|
||||
@process_registry_jwt_auth
|
||||
@process_registry_jwt_auth()
|
||||
@anon_allowed
|
||||
def v2_support_enabled():
|
||||
docker_ver = docker_version(request.user_agent.string)
|
||||
|
|
|
|||
|
|
@ -57,8 +57,8 @@ def _base_blob_fetch(namespace_name, repo_name, digest):
|
|||
|
||||
|
||||
@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['HEAD'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_read
|
||||
@anon_protect
|
||||
@cache_control(max_age=31436000)
|
||||
|
|
@ -73,8 +73,8 @@ def check_blob_exists(namespace_name, repo_name, digest):
|
|||
|
||||
|
||||
@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_read
|
||||
@anon_protect
|
||||
@cache_control(max_age=31536000)
|
||||
|
|
@ -107,8 +107,8 @@ def _render_range(num_uploaded_bytes, with_bytes_prefix=True):
|
|||
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/uploads/', methods=['POST'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def start_blob_upload(namespace_name, repo_name):
|
||||
|
|
@ -143,8 +143,8 @@ def start_blob_upload(namespace_name, repo_name):
|
|||
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def fetch_existing_upload(namespace_name, repo_name, upload_uuid):
|
||||
|
|
@ -325,8 +325,8 @@ def _finish_upload(namespace_name, repo_name, upload_obj, expected_digest):
|
|||
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PATCH'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def upload_chunk(namespace_name, repo_name, upload_uuid):
|
||||
|
|
@ -344,8 +344,8 @@ def upload_chunk(namespace_name, repo_name, upload_uuid):
|
|||
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PUT'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def monolithic_upload_or_last_chunk(namespace_name, repo_name, upload_uuid):
|
||||
|
|
@ -364,7 +364,7 @@ def monolithic_upload_or_last_chunk(namespace_name, repo_name, upload_uuid):
|
|||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['DELETE'])
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def cancel_upload(namespace_name, repo_name, upload_uuid):
|
||||
|
|
@ -383,8 +383,8 @@ def cancel_upload(namespace_name, repo_name, upload_uuid):
|
|||
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/blobs/<digest>', methods=['DELETE'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def delete_digest(namespace_name, repo_name, upload_uuid):
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ from data import model
|
|||
from endpoints.v2.v2util import add_pagination
|
||||
|
||||
@v2_bp.route('/_catalog', methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@process_registry_jwt_auth()
|
||||
@anon_protect
|
||||
def catalog_search():
|
||||
url = url_for('v2.catalog_search')
|
||||
|
|
|
|||
|
|
@ -1,7 +1,10 @@
|
|||
class V2RegistryException(Exception):
|
||||
def __init__(self, error_code_str, message, detail, http_status_code=400):
|
||||
def __init__(self, error_code_str, message, detail, http_status_code=400,
|
||||
repository=None, scopes=None):
|
||||
super(V2RegistryException, self).__init__(message)
|
||||
self.http_status_code = http_status_code
|
||||
self.repository = repository
|
||||
self.scopes = scopes
|
||||
|
||||
self._error_code_str = error_code_str
|
||||
self._detail = detail
|
||||
|
|
@ -104,11 +107,13 @@ class TagInvalid(V2RegistryException):
|
|||
|
||||
|
||||
class Unauthorized(V2RegistryException):
|
||||
def __init__(self, detail=None):
|
||||
def __init__(self, detail=None, repository=None, scopes=None):
|
||||
super(Unauthorized, self).__init__('UNAUTHORIZED',
|
||||
'access to the requested resource is not authorized',
|
||||
detail,
|
||||
401)
|
||||
401,
|
||||
repository=repository,
|
||||
scopes=scopes)
|
||||
|
||||
|
||||
class Unsupported(V2RegistryException):
|
||||
|
|
|
|||
|
|
@ -241,8 +241,8 @@ class SignedManifestBuilder(object):
|
|||
|
||||
|
||||
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_read
|
||||
@anon_protect
|
||||
def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
||||
|
|
@ -272,8 +272,8 @@ def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
|||
|
||||
|
||||
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_read
|
||||
@anon_protect
|
||||
def fetch_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
||||
|
|
@ -304,8 +304,8 @@ def _reject_manifest2_schema2(func):
|
|||
|
||||
|
||||
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
@_reject_manifest2_schema2
|
||||
|
|
@ -322,8 +322,8 @@ def write_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
|
|||
|
||||
|
||||
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
@_reject_manifest2_schema2
|
||||
|
|
@ -471,8 +471,8 @@ def _write_manifest(namespace_name, repo_name, manifest):
|
|||
|
||||
|
||||
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull', 'push'])
|
||||
@require_repo_write
|
||||
@anon_protect
|
||||
def delete_manifest_by_digest(namespace_name, repo_name, manifest_ref):
|
||||
|
|
|
|||
|
|
@ -9,8 +9,8 @@ from endpoints.decorators import anon_protect
|
|||
from data import model
|
||||
|
||||
@v2_bp.route('/<repopath:repository>/tags/list', methods=['GET'])
|
||||
@process_registry_jwt_auth
|
||||
@parse_repository_name()
|
||||
@process_registry_jwt_auth(scopes=['pull'])
|
||||
@require_repo_read
|
||||
@anon_protect
|
||||
def list_all_tags(namespace_name, repo_name):
|
||||
|
|
|
|||
Reference in a new issue