import logging import stripe import re from flask import request, make_response, jsonify, abort from flask.ext.login import login_required, current_user, logout_user from flask.ext.principal import identity_changed, AnonymousIdentity from functools import wraps from collections import defaultdict import storage from data import model from app import app from util.email import send_confirmation_email, send_recovery_email from util.names import parse_repository_name from util.gravatar import compute_hash from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission) from endpoints import registry from endpoints.web import common_login from util.cache import cache_control store = storage.load() logger = logging.getLogger(__name__) def api_login_required(f): @wraps(f) def decorated_view(*args, **kwargs): if not current_user.is_authenticated(): abort(401) return f(*args, **kwargs) return decorated_view @app.errorhandler(model.DataModelException) def handle_dme(ex): return make_response(ex.message, 400) @app.route('/api/') def welcome(): return make_response('welcome', 200) @app.route('/api/user/', methods=['GET']) def get_logged_in_user(): if current_user.is_anonymous(): return jsonify({'anonymous': True}) user = current_user.db_user() return jsonify({ 'verified': user.verified, 'anonymous': False, 'username': user.username, 'email': user.email, 'gravatar': compute_hash(user.email), 'askForPassword': user.password_hash is None, }) @app.route('/api/user/', methods=['PUT']) @api_login_required def change_user_details(): user = current_user.db_user() user_data = request.get_json(); try: if user_data['password']: logger.debug('Changing password for user: %s', user.username) model.change_password(user, user_data['password']) except model.InvalidPasswordException, ex: error_resp = jsonify({ 'message': ex.message, }) error_resp.status_code = 400 return error_resp return jsonify({ 'verified': user.verified, 'anonymous': False, 'username': user.username, 'email': user.email, 'gravatar': compute_hash(user.email), 'askForPassword': user.password_hash is None, }) @app.route('/api/user/', methods=['POST']) def create_user_api(): user_data = request.get_json() existing_user = model.get_user(user_data['username']) if existing_user: error_resp = jsonify({ 'message': 'The username already exists' }) error_resp.status_code = 400 return error_resp try: new_user = model.create_user(user_data['username'], user_data['password'], user_data['email']) code = model.create_confirm_email_code(new_user) send_confirmation_email(new_user.username, new_user.email, code.code) return make_response('Created', 201) except model.DataModelException as ex: error_resp = jsonify({ 'message': ex.message, }) error_resp.status_code = 400 return error_resp @app.route('/api/signin', methods=['POST']) def signin_api(): signin_data = request.get_json() username = signin_data['username'] password = signin_data['password'] #TODO Allow email login needs_email_verification = False invalid_credentials = False verified = model.verify_user(username, password) if verified: if common_login(verified): return make_response('Success', 200) else: needs_email_verification = True else: invalid_credentials = True response = jsonify({ 'needsEmailVerification': needs_email_verification, 'invalidCredentials': invalid_credentials, }) response.status_code = 403 return response @app.route("/api/signout", methods=['POST']) @api_login_required def logout(): logout_user() identity_changed.send(app, identity=AnonymousIdentity()) return make_response('Success', 200) @app.route("/api/recovery", methods=['POST']) def send_recovery(): email = request.get_json()['email'] code = model.create_reset_password_email_code(email) send_recovery_email(email, code.code) return make_response('Created', 201) @app.route('/api/users/', methods=['GET']) @api_login_required def get_matching_users(prefix): users = model.get_matching_users(prefix) return jsonify({ 'users': [user.username for user in users] }) @app.route('/api/repository/', methods=['POST']) @api_login_required def create_repo_api(): pass @app.route('/api/find/repository', methods=['GET']) def match_repos_api(): prefix = request.args.get('query', '') def repo_view(repo): return { 'namespace': repo.namespace, 'name': repo.name, 'description': repo.description } username = None if current_user.is_authenticated(): username = current_user.db_user().username matching = model.get_matching_repositories(prefix, username) response = { 'repositories': [repo_view(repo) for repo in matching] } return jsonify(response) @app.route('/api/repository/', methods=['GET']) def list_repos_api(): def repo_view(repo_obj): is_public = model.repository_is_public(repo_obj.namespace, repo_obj.name) return { 'namespace': repo_obj.namespace, 'name': repo_obj.name, 'description': repo_obj.description, 'is_public': is_public } limit = request.args.get('limit', None) include_public = request.args.get('public', 'true') include_private = request.args.get('private', 'true') sort = request.args.get('sort', 'false') try: limit = int(limit) if limit else None except: limit = None include_public = include_public == 'true' include_private = include_private == 'true' sort = sort == 'true' username = None if current_user.is_authenticated() and include_private: username = current_user.db_user().username repo_query = model.get_visible_repositories(username, limit=limit, include_public=include_public, sort=sort) repos = [repo_view(repo) for repo in repo_query] response = { 'repositories': repos } return jsonify(response) @app.route('/api/repository/', methods=['PUT']) @api_login_required @parse_repository_name def update_repo_api(namespace, repository): permission = ModifyRepositoryPermission(namespace, repository) if permission.can(): repo = model.get_repository(namespace, repository) if repo: values = request.get_json() repo.description = values['description'] repo.save() return jsonify({ 'success': True }) abort(404) @app.route('/api/repository//changevisibility', methods=['POST']) @api_login_required @parse_repository_name def change_repo_visibility_api(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): repo = model.get_repository(namespace, repository) if repo: values = request.get_json() model.set_repository_visibility(repo, values['visibility']) return jsonify({ 'success': True }) abort(404) @app.route('/api/repository/', methods=['DELETE']) @api_login_required @parse_repository_name def delete_repository(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): model.purge_repository(namespace, repository) registry.delete_repository_storage(namespace, repository) return make_response('Deleted', 204) abort(404) def image_view(image): return { 'id': image.docker_image_id, 'created': image.created, 'comment': image.comment, 'ancestors': image.ancestors, 'dbid': image.id, } @app.route('/api/repository/', methods=['GET']) @parse_repository_name def get_repo_api(namespace, repository): logger.debug('Get repo: %s/%s' % (namespace, repository)) def tag_view(tag): image = model.get_tag_image(namespace, repository, tag.name) if not image: return {} return { 'name': tag.name, 'image': image_view(image), } permission = ReadRepositoryPermission(namespace, repository) is_public = model.repository_is_public(namespace, repository) if permission.can() or is_public: repo = model.get_repository(namespace, repository) if repo: tags = model.list_repository_tags(namespace, repository) tag_dict = {tag.name: tag_view(tag) for tag in tags} can_write = ModifyRepositoryPermission(namespace, repository).can() can_admin = AdministerRepositoryPermission(namespace, repository).can() return jsonify({ 'namespace': namespace, 'name': repository, 'description': repo.description, 'tags': tag_dict, 'can_write': can_write, 'can_admin': can_admin, 'is_public': is_public }) abort(404) # Not fount abort(403) # Permission denied def role_view(repo_perm_obj): return { 'role': repo_perm_obj.role.name } @app.route('/api/repository//image/', methods=['GET']) @parse_repository_name def list_repository_images(namespace, repository): permission = ReadRepositoryPermission(namespace, repository) if permission.can() or model.repository_is_public(namespace, repository): all_images = model.get_repository_images(namespace, repository) all_tags = model.list_repository_tags(namespace, repository) tags_by_image_id = defaultdict(list) for tag in all_tags: tags_by_image_id[tag.image.docker_image_id].append(tag.name) def add_tags(image_json): image_json['tags'] = tags_by_image_id[image_json['id']] return image_json return jsonify({ 'images': [add_tags(image_view(image)) for image in all_images] }) abort(403) @app.route('/api/repository//image/', methods=['GET']) @parse_repository_name def get_image(namespace, repository, image_id): permission = ReadRepositoryPermission(namespace, repository) if permission.can() or model.repository_is_public(namespace, repository): image = model.get_repo_image(namespace, repository, image_id) if not image: abort(404) return jsonify(image_view(image)) abort(403) @app.route('/api/repository//image//changes', methods=['GET']) @cache_control(max_age=60*60) # Cache for one hour @parse_repository_name def get_image_changes(namespace, repository, image_id): permission = ReadRepositoryPermission(namespace, repository) if permission.can() or model.repository_is_public(namespace, repository): diffs_path = store.image_file_diffs_path(namespace, repository, image_id) try: response_json = store.get_content(diffs_path) return make_response(response_json) except IOError: abort(404) abort(403) @app.route('/api/repository//tag//images', methods=['GET']) @parse_repository_name def list_tag_images(namespace, repository, tag): permission = ReadRepositoryPermission(namespace, repository) if permission.can() or model.repository_is_public(namespace, repository): tag_image = model.get_tag_image(namespace, repository, tag) parent_images = model.get_parent_images(tag_image) parents = list(parent_images) parents.reverse() all_images = [tag_image] + parents return jsonify({ 'images': [image_view(image) for image in all_images] }) abort(403) # Permission denied @app.route('/api/repository//permissions/', methods=['GET']) @api_login_required @parse_repository_name def list_repo_permissions(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): repo_perms = model.get_all_repo_users(namespace, repository) return jsonify({ 'permissions': {repo_perm.user.username: role_view(repo_perm) for repo_perm in repo_perms} }) abort(403) # Permission denied @app.route('/api/repository//permissions/', methods=['GET']) @api_login_required @parse_repository_name def get_permissions(namespace, repository, username): logger.debug('Get repo: %s/%s permissions for user %s' % (namespace, repository, username)) permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): perm = model.get_user_reponame_permission(username, namespace, repository) return jsonify(role_view(perm)) abort(403) # Permission denied @app.route('/api/repository//permissions/', methods=['PUT', 'POST']) @api_login_required @parse_repository_name def change_permissions(namespace, repository, username): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): new_permission = request.get_json() logger.debug('Setting permission to: %s for user %s' % (new_permission['role'], username)) try: perm = model.set_user_repo_permission(username, namespace, repository, new_permission['role']) except model.DataModelException: logger.warning('User tried to remove themselves as admin.') abort(409) resp = jsonify(role_view(perm)) if request.method == 'POST': resp.status_code = 201 return resp abort(403) # Permission denied @app.route('/api/repository//permissions/', methods=['DELETE']) @api_login_required @parse_repository_name def delete_permissions(namespace, repository, username): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): try: model.delete_user_permission(username, namespace, repository) except model.DataModelException: logger.warning('User tried to remove themselves as admin.') abort(409) return make_response('Deleted', 204) abort(403) # Permission denied def token_view(token_obj): return { 'friendlyName': token_obj.friendly_name, 'code': token_obj.code, 'role': token_obj.role.name, } @app.route('/api/repository//tokens/', methods=['GET']) @api_login_required @parse_repository_name def list_repo_tokens(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): tokens = model.get_repository_delegate_tokens(namespace, repository) return jsonify({ 'tokens': {token.code: token_view(token) for token in tokens} }) abort(403) # Permission denied @app.route('/api/repository//tokens/', methods=['GET']) @api_login_required @parse_repository_name def get_tokens(namespace, repository, code): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): perm = model.get_repo_delegate_token(namespace, repository, code) return jsonify(token_view(perm)) abort(403) # Permission denied @app.route('/api/repository//tokens/', methods=['POST']) @api_login_required @parse_repository_name def create_token(namespace, repository): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): token_params = request.get_json() token = model.create_delegate_token(namespace, repository, token_params['friendlyName']) resp = jsonify(token_view(token)) resp.status_code = 201 return resp abort(403) # Permission denied @app.route('/api/repository//tokens/', methods=['PUT']) @api_login_required @parse_repository_name def change_token(namespace, repository, code): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): new_permission = request.get_json() logger.debug('Setting permission to: %s for code %s' % (new_permission['role'], code)) token = model.set_repo_delegate_token_role(namespace, repository, code, new_permission['role']) resp = jsonify(token_view(token)) return resp abort(403) # Permission denied @app.route('/api/repository//tokens/', methods=['DELETE']) @api_login_required @parse_repository_name def delete_token(namespace, repository, code): permission = AdministerRepositoryPermission(namespace, repository) if permission.can(): model.delete_delegate_token(namespace, repository, code) return make_response('Deleted', 204) abort(403) # Permission denied def subscription_view(stripe_subscription, used_repos): return { 'currentPeriodStart': stripe_subscription.current_period_start, 'currentPeriodEnd': stripe_subscription.current_period_end, 'plan': stripe_subscription.plan.id, 'usedPrivateRepos': used_repos, } @app.route('/api/user/plan', methods=['PUT']) @api_login_required def subscribe(): # Amount in cents amount = 500 request_data = request.get_json() plan = request_data['plan'] user = current_user.db_user() private_repos = model.get_private_repo_count(user.username) if not user.stripe_id: # Create the customer and plan simultaneously card = request_data['token'] cus = stripe.Customer.create(email=user.email, plan=plan, card=card) user.stripe_id = cus.id user.save() resp = jsonify(subscription_view(cus.subscription, private_repos)) resp.status_code = 201 return resp else: # Change the plan cus = stripe.Customer.retrieve(user.stripe_id) if plan == 'free': cus.cancel_subscription() cus.save() response_json = { 'plan': 'free', 'usedPrivateRepos': private_repos, } else: cus.plan = plan # User may have been a previous customer who is resubscribing if 'token' in request_data: cus.card = request_data['token'] cus.save() response_json = subscription_view(cus.subscription, private_repos) return jsonify(response_json) @app.route('/api/user/plan', methods=['GET']) @api_login_required def get_subscription(): user = current_user.db_user() private_repos = model.get_private_repo_count(user.username) if user.stripe_id: cus = stripe.Customer.retrieve(user.stripe_id) if cus.subscription: return jsonify(subscription_view(cus.subscription, private_repos)) return jsonify({ 'plan': 'free', 'usedPrivateRepos': private_repos, })