import logging from functools import wraps from urlparse import urlparse from urllib import urlencode from flask import Blueprint, make_response, url_for, request, jsonify from semantic_version import Spec import features from app import app, metric_queue, get_app_url from auth.auth_context import get_grant_context from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission) from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers from data import model from endpoints.decorators import anon_protect, anon_allowed from endpoints.v2.errors import V2RegistryException, Unauthorized from util.http import abort from util.registry.dockerver import docker_version from util.metrics.metricqueue import time_blueprint from util.pagination import encrypt_page_token, decrypt_page_token logger = logging.getLogger(__name__) v2_bp = Blueprint('v2', __name__) time_blueprint(v2_bp, metric_queue) _MAX_RESULTS_PER_PAGE = 50 def _paginate(limit_kwarg_name='limit', offset_kwarg_name='offset', callback_kwarg_name='pagination_callback'): def wrapper(func): @wraps(func) def wrapped(*args, **kwargs): try: requested_limit = int(request.args.get('n', _MAX_RESULTS_PER_PAGE)) except ValueError: requested_limit = 0 limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1) next_page_token = request.args.get('next_page', None) # Decrypt the next page token, if any. offset = 0 page_info = decrypt_page_token(next_page_token) if page_info is not None: # Note: we use offset here instead of ID >= n because one of the V2 queries is a UNION. offset = page_info.get('offset', 0) def callback(num_results, response): if num_results <= limit: return next_page_token = encrypt_page_token({'offset': limit+offset}) link = get_app_url() + url_for(request.endpoint, **request.view_args) link += '?%s; rel="next"' % urlencode({'n': limit, 'next_page': next_page_token}) response.headers['Link'] = link kwargs[limit_kwarg_name] = limit kwargs[offset_kwarg_name] = offset kwargs[callback_kwarg_name] = callback func(*args, **kwargs) return wrapped return wrapper @v2_bp.app_errorhandler(V2RegistryException) def handle_registry_v2_exception(error): response = jsonify({ 'errors': [error.as_dict()] }) response.status_code = error.http_status_code if response.status_code == 401: response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes)) logger.debug('sending response: %s', response.get_data()) return response def _require_repo_permission(permission_class, scopes=None, allow_public=False): def wrapper(func): @wraps(func) def wrapped(namespace_name, repo_name, *args, **kwargs): logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name, repo_name) permission = permission_class(namespace_name, repo_name) if (permission.can() or (allow_public and model.repository.repository_is_public(namespace_name, repo_name))): return func(namespace_name, repo_name, *args, **kwargs) repository = namespace_name + '/' + repo_name raise Unauthorized(repository=repository, scopes=scopes) return wrapped return wrapper require_repo_read = _require_repo_permission(ReadRepositoryPermission, scopes=['pull'], allow_public=True) require_repo_write = _require_repo_permission(ModifyRepositoryPermission, scopes=['pull', 'push']) require_repo_admin = _require_repo_permission(AdministerRepositoryPermission, scopes=['pull', 'push']) def get_input_stream(flask_request): if flask_request.headers.get('transfer-encoding') == 'chunked': return flask_request.environ['wsgi.input'] return flask_request.stream # TODO remove when v2 is deployed everywhere def route_show_if(value): def decorator(f): @wraps(f) def decorated_function(*args, **kwargs): if not value: abort(404) return f(*args, **kwargs) return decorated_function return decorator @v2_bp.route('/') @route_show_if(features.ADVERTISE_V2) @process_registry_jwt_auth() @anon_allowed def v2_support_enabled(): docker_ver = docker_version(request.user_agent.string) # Check if our version is one of the blacklisted versions, if we can't # identify the version (None) we will fail open and assume that it is # newer and therefore should not be blacklisted. if Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver) and docker_ver is not None: abort(404) response = make_response('true', 200) if get_grant_context() is None: response = make_response('true', 401) response.headers.extend(get_auth_headers()) return response from endpoints.v2 import ( blob, catalog, manifest, tag, v2auth, )