import logging import os.path from functools import wraps from urlparse import urlparse from urllib import urlencode from flask import Blueprint, make_response, url_for, request, jsonify from semantic_version import Spec import features from app import app, metric_queue, get_app_url, license_validator from auth.auth_context import get_authenticated_context from auth.permissions import ( ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission) from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers from endpoints.decorators import anon_protect, anon_allowed, route_show_if from endpoints.v2.errors import V2RegistryException, Unauthorized, Unsupported, NameUnknown from endpoints.v2.models_pre_oci import data_model as model from util.http import abort from util.metrics.metricqueue import time_blueprint from util.registry.dockerver import docker_version from util.pagination import encrypt_page_token, decrypt_page_token logger = logging.getLogger(__name__) v2_bp = Blueprint('v2', __name__) license_validator.enforce_license_before_request(v2_bp) time_blueprint(v2_bp, metric_queue) @v2_bp.app_errorhandler(V2RegistryException) def handle_registry_v2_exception(error): response = jsonify({'errors': [error.as_dict()]}) response.status_code = error.http_status_code if response.status_code == 401: response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes)) logger.debug('sending response: %s', response.get_data()) return response _MAX_RESULTS_PER_PAGE = app.config.get('V2_PAGINATION_SIZE', 50) def paginate(limit_kwarg_name='limit', offset_kwarg_name='offset', callback_kwarg_name='pagination_callback'): """ Decorates a handler adding a parsed pagination token and a callback to encode a response token. """ def wrapper(func): @wraps(func) def wrapped(*args, **kwargs): try: requested_limit = int(request.args.get('n', _MAX_RESULTS_PER_PAGE)) except ValueError: requested_limit = 0 limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1) next_page_token = request.args.get('next_page', request.args.get('last', None)) # Decrypt the next page token, if any. offset = 0 page_info = decrypt_page_token(next_page_token) if page_info is not None: # Note: we use offset here instead of ID >= n because one of the V2 queries is a UNION. offset = page_info.get('offset', 0) def callback(num_results, response): if num_results < limit: return next_page_token = encrypt_page_token({'offset': limit + offset}) link_url = os.path.join(get_app_url(), url_for(request.endpoint, **request.view_args)) link_param = urlencode({'n': limit, 'next_page': next_page_token}) link = '<%s?%s>; rel="next"' % (link_url, link_param) response.headers['Link'] = link kwargs[limit_kwarg_name] = limit kwargs[offset_kwarg_name] = offset kwargs[callback_kwarg_name] = callback return func(*args, **kwargs) return wrapped return wrapper def _require_repo_permission(permission_class, scopes=None, allow_public=False): def wrapper(func): @wraps(func) def wrapped(namespace_name, repo_name, *args, **kwargs): logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name, repo_name) permission = permission_class(namespace_name, repo_name) if permission.can(): return func(namespace_name, repo_name, *args, **kwargs) repository = namespace_name + '/' + repo_name if allow_public: repo = model.get_repository(namespace_name, repo_name) if repo is None or not repo.is_public: raise Unauthorized(repository=repository, scopes=scopes) if repo.kind != 'image': msg = 'This repository is for managing %s resources and not container images.' % repo.kind raise Unsupported(detail=msg) if repo.is_public: return func(namespace_name, repo_name, *args, **kwargs) raise Unauthorized(repository=repository, scopes=scopes) return wrapped return wrapper require_repo_read = _require_repo_permission(ReadRepositoryPermission, scopes=['pull'], allow_public=True) require_repo_write = _require_repo_permission(ModifyRepositoryPermission, scopes=['pull', 'push']) require_repo_admin = _require_repo_permission(AdministerRepositoryPermission, scopes=[ 'pull', 'push']) def get_input_stream(flask_request): if flask_request.headers.get('transfer-encoding') == 'chunked': return flask_request.environ['wsgi.input'] return flask_request.stream @v2_bp.route('/') @route_show_if(features.ADVERTISE_V2) @process_registry_jwt_auth() @anon_allowed def v2_support_enabled(): docker_ver = docker_version(request.user_agent.string) # Check if our version is one of the blacklisted versions, if we can't # identify the version (None) we will fail open and assume that it is # newer and therefore should not be blacklisted. if Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver) and docker_ver is not None: abort(404) response = make_response('true', 200) if get_authenticated_context() is None: response = make_response('true', 401) response.headers.extend(get_auth_headers()) return response from endpoints.v2 import ( blob, catalog, manifest, tag, v2auth,)