149 lines
4.6 KiB
Python
149 lines
4.6 KiB
Python
import logging
|
|
import re
|
|
|
|
from jsonschema import validate, ValidationError
|
|
from functools import wraps
|
|
from flask import request
|
|
from flask.ext.principal import identity_changed, Identity
|
|
from cryptography.x509 import load_pem_x509_certificate
|
|
from cryptography.hazmat.backends import default_backend
|
|
from cachetools import lru_cache
|
|
|
|
from app import app
|
|
from .auth_context import set_grant_user_context
|
|
from .permissions import repository_read_grant, repository_write_grant
|
|
from util.names import parse_namespace_repository
|
|
from util.http import abort
|
|
from util.security import strictjwt
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
TOKEN_REGEX = re.compile(r'^Bearer (([a-zA-Z0-9+/]+\.)+[a-zA-Z0-9+-_/]+)$')
|
|
|
|
|
|
ACCESS_SCHEMA = {
|
|
'type': 'array',
|
|
'description': 'List of access granted to the subject',
|
|
'items': {
|
|
'type': 'object',
|
|
'required': [
|
|
'type',
|
|
'name',
|
|
'actions',
|
|
],
|
|
'properties': {
|
|
'type': {
|
|
'type': 'string',
|
|
'description': 'We only allow repository permissions',
|
|
'enum': [
|
|
'repository',
|
|
],
|
|
},
|
|
'name': {
|
|
'type': 'string',
|
|
'description': 'The name of the repository for which we are receiving access'
|
|
},
|
|
'actions': {
|
|
'type': 'array',
|
|
'description': 'List of specific verbs which can be performed against repository',
|
|
'items': {
|
|
'type': 'string',
|
|
'enum': [
|
|
'push',
|
|
'pull',
|
|
],
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
|
|
class InvalidJWTException(Exception):
|
|
pass
|
|
|
|
|
|
def identity_from_bearer_token(bearer_token, max_signed_s, public_key):
|
|
""" Process a bearer token and return the loaded identity, or raise InvalidJWTException if an
|
|
identity could not be loaded. Expects tokens and grants in the format of the Docker registry
|
|
v2 auth spec: https://docs.docker.com/registry/spec/auth/token/
|
|
"""
|
|
logger.debug('Validating auth header: %s', bearer_token)
|
|
|
|
# Extract the jwt token from the header
|
|
match = TOKEN_REGEX.match(bearer_token)
|
|
if match is None:
|
|
raise InvalidJWTException('Invalid bearer token format')
|
|
|
|
encoded = match.group(1)
|
|
logger.debug('encoded JWT: %s', encoded)
|
|
|
|
# Load the JWT returned.
|
|
try:
|
|
expected_issuer = app.config['JWT_AUTH_TOKEN_ISSUER']
|
|
audience = app.config['SERVER_HOSTNAME']
|
|
max_exp = strictjwt.exp_max_s_option(max_signed_s)
|
|
payload = strictjwt.decode(encoded, public_key, algorithms=['RS256'], audience=audience,
|
|
issuer=expected_issuer, options=max_exp)
|
|
except strictjwt.InvalidTokenError:
|
|
logger.exception('Invalid token reason')
|
|
raise InvalidJWTException('Invalid token')
|
|
|
|
if not 'sub' in payload:
|
|
raise InvalidJWTException('Missing sub field in JWT')
|
|
|
|
username = payload['sub']
|
|
loaded_identity = Identity(username, 'signed_jwt')
|
|
|
|
# Process the grants from the payload
|
|
|
|
if 'access' in payload:
|
|
try:
|
|
validate(payload['access'], ACCESS_SCHEMA)
|
|
except ValidationError:
|
|
logger.exception('We should not be minting invalid credentials')
|
|
raise InvalidJWTException('Token contained invalid or malformed access grants')
|
|
|
|
for grant in payload['access']:
|
|
namespace, repo_name = parse_namespace_repository(grant['name'])
|
|
|
|
if 'push' in grant['actions']:
|
|
loaded_identity.provides.add(repository_write_grant(namespace, repo_name))
|
|
elif 'pull' in grant['actions']:
|
|
loaded_identity.provides.add(repository_read_grant(namespace, repo_name))
|
|
|
|
return loaded_identity
|
|
|
|
|
|
@lru_cache(maxsize=1)
|
|
def load_public_key(certificate_file_path):
|
|
with open(certificate_file_path) as cert_file:
|
|
cert_obj = load_pem_x509_certificate(cert_file.read(), default_backend())
|
|
return cert_obj.public_key()
|
|
|
|
|
|
def process_jwt_auth(func):
|
|
@wraps(func)
|
|
def wrapper(*args, **kwargs):
|
|
logger.debug('Called with params: %s, %s', args, kwargs)
|
|
auth = request.headers.get('authorization', '').strip()
|
|
if auth:
|
|
max_signature_seconds = app.config.get('JWT_AUTH_MAX_FRESH_S', 3660)
|
|
certificate_file_path = app.config['JWT_AUTH_CERTIFICATE_PATH']
|
|
public_key = load_public_key(certificate_file_path)
|
|
|
|
try:
|
|
extracted_identity = identity_from_bearer_token(auth, max_signature_seconds, public_key)
|
|
identity_changed.send(app, identity=extracted_identity)
|
|
set_grant_user_context(extracted_identity.id)
|
|
logger.debug('Identity changed to %s', extracted_identity.id)
|
|
except InvalidJWTException as ije:
|
|
abort(401, message=ije.message)
|
|
|
|
else:
|
|
logger.debug('No auth header.')
|
|
|
|
return func(*args, **kwargs)
|
|
return wrapper
|