quay/endpoints/v2/__init__.py

import logging

from functools import wraps
from urlparse import urlparse

from flask import Blueprint, make_response, url_for, request, jsonify
from semantic_version import Spec

import features

from app import app, metric_queue
from auth.auth_context import get_grant_context
from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
                              AdministerRepositoryPermission)
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
from data import model
from endpoints.decorators import anon_protect, anon_allowed
from endpoints.v2.errors import V2RegistryException, Unauthorized
from util.http import abort
from util.registry.dockerver import docker_version
from util.saas.metricqueue import time_blueprint

logger = logging.getLogger(__name__)
v2_bp = Blueprint('v2', __name__)

time_blueprint(v2_bp, metric_queue)

@v2_bp.app_errorhandler(V2RegistryException)
def handle_registry_v2_exception(error):
  response = jsonify({
    'errors': [error.as_dict()]
  })

  response.status_code = error.http_status_code
  if response.status_code == 401:
    response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
  logger.debug('sending response: %s', response.get_data())
  return response


def _require_repo_permission(permission_class, scopes=None, allow_public=False):
  def wrapper(func):
    @wraps(func)
    def wrapped(namespace_name, repo_name, *args, **kwargs):
      logger.debug('Checking permission %s for repo: %s/%s', permission_class,
                   namespace_name, repo_name)
      permission = permission_class(namespace_name, repo_name)
      if (permission.can() or
          (allow_public and
           model.repository.repository_is_public(namespace_name, repo_name))):
        return func(namespace_name, repo_name, *args, **kwargs)
      repository = namespace_name + '/' + repo_name
      raise Unauthorized(repository=repository, scopes=scopes)
    return wrapped
  return wrapper


require_repo_read = _require_repo_permission(ReadRepositoryPermission,
                                             scopes=['pull'],
                                             allow_public=True)
require_repo_write = _require_repo_permission(ModifyRepositoryPermission,
                                              scopes=['pull', 'push'])
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission,
                                              scopes=['pull', 'push'])


def get_input_stream(flask_request):
  if flask_request.headers.get('transfer-encoding') == 'chunked':
    return flask_request.environ['wsgi.input']
  return flask_request.stream


# TODO remove when v2 is deployed everywhere
def route_show_if(value):
  def decorator(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
      if not value:
        abort(404)

      return f(*args, **kwargs)
    return decorated_function
  return decorator

@v2_bp.route('/')
@route_show_if(features.ADVERTISE_V2)
@process_registry_jwt_auth()
@anon_allowed
def v2_support_enabled():
  docker_ver = docker_version(request.user_agent.string)

  # Check if our version is one of the blacklisted versions, if we can't
  # identify the version (None) we will fail open and assume that it is
  # newer and therefore should not be blacklisted.
  if Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver) and docker_ver is not None:
    abort(404)

  response = make_response('true', 200)

  if get_grant_context() is None:
    response = make_response('true', 401)

  response.headers.extend(get_auth_headers())
  return response


from endpoints.v2 import v2auth
from endpoints.v2 import manifest
from endpoints.v2 import blob
from endpoints.v2 import tag
from endpoints.v2 import catalog