vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

v2: send proper scopes for authorization failures

Browse source 
Fixes #1278.
This commit is contained in:
Jimmy Zelinskie 2016-03-09 18:09:20 -05:00
parent bb46cc933d
commit ea2e17cc11
9 changed files with 91 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

37
endpoints/v2/__init__.py
View file

@ -1,24 +1,24 @@
import logging
from flask import Blueprint, make_response, url_for, request, jsonify
from functools import wraps
from urlparse import urlparse
from flask import Blueprint, make_response, url_for, request, jsonify
from semantic_version import Spec
import features
from app import metric_queue
from endpoints.decorators import anon_protect, anon_allowed
from endpoints.v2.errors import V2RegistryException, Unauthorized
from app import app, metric_queue
from auth.auth_context import get_grant_context
from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
AdministerRepositoryPermission)
from data import model
from app import app
from util.http import abort
from util.saas.metricqueue import time_blueprint
from util.registry.dockerver import docker_version
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
from data import model
from endpoints.decorators import anon_protect, anon_allowed
from endpoints.v2.errors import V2RegistryException, Unauthorized
from util.http import abort
from util.registry.dockerver import docker_version
from util.saas.metricqueue import time_blueprint
logger = logging.getLogger(__name__)
v2_bp = Blueprint('v2', __name__)
@ -33,12 +33,12 @@ def handle_registry_v2_exception(error):
response.status_code = error.http_status_code
if response.status_code == 401:
response.headers.extend(get_auth_headers())
response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
logger.debug('sending response: %s', response.get_data())
return response
def _require_repo_permission(permission_class, allow_public=False):
def _require_repo_permission(permission_class, scopes=None, allow_public=False):
def wrapper(func):
@wraps(func)
def wrapped(namespace_name, repo_name, *args, **kwargs):
@ -49,14 +49,19 @@ def _require_repo_permission(permission_class, allow_public=False):
(allow_public and
model.repository.repository_is_public(namespace_name, repo_name))):
return func(namespace_name, repo_name, *args, **kwargs)
raise Unauthorized()
repository = namespace_name + '/' + repo_name
raise Unauthorized(repository=repository, scopes=scopes)
return wrapped
return wrapper
require_repo_read = _require_repo_permission(ReadRepositoryPermission, True)
require_repo_write = _require_repo_permission(ModifyRepositoryPermission)
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission)
require_repo_read = _require_repo_permission(ReadRepositoryPermission,
scopes=['pull'],
allow_public=True)
require_repo_write = _require_repo_permission(ModifyRepositoryPermission,
scopes=['pull', 'push'])
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission,
scopes=['pull', 'push'])
def get_input_stream(flask_request):
@ -79,7 +84,7 @@ def route_show_if(value):
@v2_bp.route('/')
@route_show_if(features.ADVERTISE_V2)
@process_registry_jwt_auth
@process_registry_jwt_auth()
@anon_allowed
def v2_support_enabled():
docker_ver = docker_version(request.user_agent.string)

16
endpoints/v2/blob.py
View file

@ -57,8 +57,8 @@ def _base_blob_fetch(namespace_name, repo_name, digest):
@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['HEAD'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_read
@anon_protect
@cache_control(max_age=31436000)
@ -73,8 +73,8 @@ def check_blob_exists(namespace_name, repo_name, digest):
@v2_bp.route(BLOB_DIGEST_ROUTE, methods=['GET'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_read
@anon_protect
@cache_control(max_age=31536000)
@ -107,8 +107,8 @@ def _render_range(num_uploaded_bytes, with_bytes_prefix=True):
@v2_bp.route('/<repopath:repository>/blobs/uploads/', methods=['POST'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def start_blob_upload(namespace_name, repo_name):
@ -143,8 +143,8 @@ def start_blob_upload(namespace_name, repo_name):
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['GET'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_write
@anon_protect
def fetch_existing_upload(namespace_name, repo_name, upload_uuid):
@ -325,8 +325,8 @@ def _finish_upload(namespace_name, repo_name, upload_obj, expected_digest):
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PATCH'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def upload_chunk(namespace_name, repo_name, upload_uuid):
@ -344,8 +344,8 @@ def upload_chunk(namespace_name, repo_name, upload_uuid):
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['PUT'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def monolithic_upload_or_last_chunk(namespace_name, repo_name, upload_uuid):
@ -364,7 +364,7 @@ def monolithic_upload_or_last_chunk(namespace_name, repo_name, upload_uuid):
@v2_bp.route('/<repopath:repository>/blobs/uploads/<upload_uuid>', methods=['DELETE'])
@parse_repository_name()
@process_registry_jwt_auth
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def cancel_upload(namespace_name, repo_name, upload_uuid):
@ -383,8 +383,8 @@ def cancel_upload(namespace_name, repo_name, upload_uuid):
@v2_bp.route('/<repopath:repository>/blobs/<digest>', methods=['DELETE'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def delete_digest(namespace_name, repo_name, upload_uuid):

2
endpoints/v2/catalog.py
View file

@ -7,7 +7,7 @@ from data import model
from endpoints.v2.v2util import add_pagination
@v2_bp.route('/_catalog', methods=['GET'])
@process_registry_jwt_auth
@process_registry_jwt_auth()
@anon_protect
def catalog_search():
url = url_for('v2.catalog_search')

11
endpoints/v2/errors.py
View file

@ -1,7 +1,10 @@
class V2RegistryException(Exception):
def __init__(self, error_code_str, message, detail, http_status_code=400):
def __init__(self, error_code_str, message, detail, http_status_code=400,
repository=None, scopes=None):
super(V2RegistryException, self).__init__(message)
self.http_status_code = http_status_code
self.repository = repository
self.scopes = scopes
self._error_code_str = error_code_str
self._detail = detail
@ -104,11 +107,13 @@ class TagInvalid(V2RegistryException):
class Unauthorized(V2RegistryException):
def __init__(self, detail=None):
def __init__(self, detail=None, repository=None, scopes=None):
super(Unauthorized, self).__init__('UNAUTHORIZED',
'access to the requested resource is not authorized',
detail,
401)
401,
repository=repository,
scopes=scopes)
class Unsupported(V2RegistryException):

10
endpoints/v2/manifest.py
View file

@ -241,8 +241,8 @@ class SignedManifestBuilder(object):
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['GET'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_read
@anon_protect
def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
@ -272,8 +272,8 @@ def fetch_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['GET'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_read
@anon_protect
def fetch_manifest_by_digest(namespace_name, repo_name, manifest_ref):
@ -304,8 +304,8 @@ def _reject_manifest2_schema2(func):
@v2_bp.route(MANIFEST_TAGNAME_ROUTE, methods=['PUT'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
@_reject_manifest2_schema2
@ -322,8 +322,8 @@ def write_manifest_by_tagname(namespace_name, repo_name, manifest_ref):
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['PUT'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
@_reject_manifest2_schema2
@ -471,8 +471,8 @@ def _write_manifest(namespace_name, repo_name, manifest):
@v2_bp.route(MANIFEST_DIGEST_ROUTE, methods=['DELETE'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull', 'push'])
@require_repo_write
@anon_protect
def delete_manifest_by_digest(namespace_name, repo_name, manifest_ref):

2
endpoints/v2/tag.py
View file

@ -9,8 +9,8 @@ from endpoints.decorators import anon_protect
from data import model
@v2_bp.route('/<repopath:repository>/tags/list', methods=['GET'])
@process_registry_jwt_auth
@parse_repository_name()
@process_registry_jwt_auth(scopes=['pull'])
@require_repo_read
@anon_protect
def list_all_tags(namespace_name, repo_name):