import logging import re from cachetools import lru_cache from flask import request, jsonify, abort from app import app, userevents, instance_keys from data import model from auth.auth import process_auth from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission, CreateRepositoryPermission) from endpoints.v2 import v2_bp from endpoints.decorators import anon_protect from util.cache import no_cache from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX from util.security.registry_jwt import generate_bearer_token, build_context_and_subject logger = logging.getLogger(__name__) TOKEN_VALIDITY_LIFETIME_S = 60 * 60 # 1 hour SCOPE_REGEX_TEMPLATE = ( r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)?[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$' ) @lru_cache(maxsize=1) def get_scope_regex(): hostname = re.escape(app.config['SERVER_HOSTNAME']) scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname) return re.compile(scope_regex_string) @v2_bp.route('/auth') @process_auth @no_cache @anon_protect def generate_registry_jwt(): """ This endpoint will generate a JWT conforming to the Docker registry v2 auth spec: https://docs.docker.com/registry/spec/auth/token/ """ audience_param = request.args.get('service') logger.debug('Request audience: %s', audience_param) scope_param = request.args.get('scope') or '' logger.debug('Scope request: %s', scope_param) user = get_authenticated_user() logger.debug('Authenticated user: %s', user) token = get_validated_token() logger.debug('Authenticated token: %s', token) oauthtoken = get_validated_oauth_token() logger.debug('Authenticated OAuth token: %s', oauthtoken) auth_credentials_sent = bool(request.headers.get('authorization', '')) if auth_credentials_sent and not user and not token: # The auth credentials sent for the user are invalid. logger.debug('Invalid auth credentials') abort(401) access = [] user_event_data = { 'action': 'login', } if len(scope_param) > 0: match = get_scope_regex().match(scope_param) if match is None: logger.debug('Match: %s', match) logger.debug('len: %s', len(scope_param)) logger.warning('Unable to decode repository and actions: %s', scope_param) abort(400) logger.debug('Match: %s', match.groups()) registry_and_repo = match.group(1) namespace_and_repo = match.group(2) actions = match.group(3).split(',') lib_namespace = app.config['LIBRARY_NAMESPACE'] namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace) # Ensure that we are never creating an invalid repository. if not REPOSITORY_NAME_REGEX.match(reponame): logger.debug('Found invalid repository name in auth flow: %s', reponame) abort(400) final_actions = [] if 'push' in actions: # If there is no valid user or token, then the repository cannot be # accessed. if user is not None or token is not None: # Lookup the repository. If it exists, make sure the entity has modify # permission. Otherwise, make sure the entity has create permission. repo = model.repository.get_repository(namespace, reponame) if repo: if ModifyRepositoryPermission(namespace, reponame).can(): final_actions.append('push') else: logger.debug('No permission to modify repository %s/%s', namespace, reponame) else: if CreateRepositoryPermission(namespace).can() and user is not None: logger.debug('Creating repository: %s/%s', namespace, reponame) model.repository.create_repository(namespace, reponame, user) final_actions.append('push') else: logger.debug('No permission to create repository %s/%s', namespace, reponame) if 'pull' in actions: # Grant pull if the user can read the repo or it is public. if (ReadRepositoryPermission(namespace, reponame).can() or model.repository.repository_is_public(namespace, reponame)): final_actions.append('pull') else: logger.debug('No permission to pull repository %s/%s', namespace, reponame) # Add the access for the JWT. access.append({ 'type': 'repository', 'name': registry_and_repo, 'actions': final_actions, }) # Set the user event data for the auth. if 'push' in final_actions: user_action = 'push_start' elif 'pull' in final_actions: user_action = 'pull_start' else: user_action = 'login' user_event_data = { 'action': user_action, 'repository': reponame, 'namespace': namespace, } elif user is None and token is None: # In this case, we are doing an auth flow, and it's not an anonymous pull logger.debug('No user and no token sent for empty scope list') abort(401) # Send the user event. if user is not None: event = userevents.get_event(user.username) event.publish_event_data('docker-cli', user_event_data) # Build the signed JWT. context, subject = build_context_and_subject(user, token, oauthtoken) token = generate_bearer_token(audience_param, subject, context, access, TOKEN_VALIDITY_LIFETIME_S, instance_keys) return jsonify({'token': token})