170 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			170 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| import logging
 | |
| import os.path
 | |
| 
 | |
| from functools import wraps
 | |
| from urlparse import urlparse
 | |
| from urllib import urlencode
 | |
| 
 | |
| from flask import Blueprint, make_response, url_for, request, jsonify
 | |
| from semantic_version import Spec
 | |
| 
 | |
| import features
 | |
| 
 | |
| from app import app, metric_queue, get_app_url, license_validator
 | |
| from auth.auth_context import get_grant_context
 | |
| from auth.permissions import (
 | |
|   ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission)
 | |
| from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
 | |
| from endpoints.decorators import anon_protect, anon_allowed
 | |
| from endpoints.v2.errors import V2RegistryException, Unauthorized, Unsupported, NameUnknown
 | |
| from endpoints.v2.models_pre_oci import data_model as model
 | |
| from util.http import abort
 | |
| from util.metrics.metricqueue import time_blueprint
 | |
| from util.registry.dockerver import docker_version
 | |
| from util.pagination import encrypt_page_token, decrypt_page_token
 | |
| 
 | |
| logger = logging.getLogger(__name__)
 | |
| 
 | |
| v2_bp = Blueprint('v2', __name__)
 | |
| license_validator.enforce_license_before_request(v2_bp)
 | |
| time_blueprint(v2_bp, metric_queue)
 | |
| 
 | |
| 
 | |
| @v2_bp.app_errorhandler(V2RegistryException)
 | |
| def handle_registry_v2_exception(error):
 | |
|   response = jsonify({'errors': [error.as_dict()]})
 | |
| 
 | |
|   response.status_code = error.http_status_code
 | |
|   if response.status_code == 401:
 | |
|     response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
 | |
|   logger.debug('sending response: %s', response.get_data())
 | |
|   return response
 | |
| 
 | |
| 
 | |
| _MAX_RESULTS_PER_PAGE = 50
 | |
| 
 | |
| 
 | |
| def paginate(limit_kwarg_name='limit', offset_kwarg_name='offset',
 | |
|              callback_kwarg_name='pagination_callback'):
 | |
|   """
 | |
|   Decorates a handler adding a parsed pagination token and a callback to encode a response token.
 | |
|   """
 | |
| 
 | |
|   def wrapper(func):
 | |
|     @wraps(func)
 | |
|     def wrapped(*args, **kwargs):
 | |
|       try:
 | |
|         requested_limit = int(request.args.get('n', _MAX_RESULTS_PER_PAGE))
 | |
|       except ValueError:
 | |
|         requested_limit = 0
 | |
| 
 | |
|       limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1)
 | |
|       next_page_token = request.args.get('next_page', request.args.get('last', None))
 | |
| 
 | |
|       # Decrypt the next page token, if any.
 | |
|       offset = 0
 | |
|       page_info = decrypt_page_token(next_page_token)
 | |
|       if page_info is not None:
 | |
|         # Note: we use offset here instead of ID >= n because one of the V2 queries is a UNION.
 | |
|         offset = page_info.get('offset', 0)
 | |
| 
 | |
|       def callback(num_results, response):
 | |
|         if num_results < limit:
 | |
|           return
 | |
| 
 | |
|         next_page_token = encrypt_page_token({'offset': limit + offset})
 | |
| 
 | |
|         link_url = os.path.join(get_app_url(), url_for(request.endpoint, **request.view_args))
 | |
|         link_param = urlencode({'n': limit, 'next_page': next_page_token})
 | |
|         link = '<%s?%s>; rel="next"' % (link_url, link_param)
 | |
|         response.headers['Link'] = link
 | |
| 
 | |
|       kwargs[limit_kwarg_name] = limit
 | |
|       kwargs[offset_kwarg_name] = offset
 | |
|       kwargs[callback_kwarg_name] = callback
 | |
|       return func(*args, **kwargs)
 | |
| 
 | |
|     return wrapped
 | |
| 
 | |
|   return wrapper
 | |
| 
 | |
| 
 | |
| def _require_repo_permission(permission_class, scopes=None, allow_public=False):
 | |
|   def wrapper(func):
 | |
|     @wraps(func)
 | |
|     def wrapped(namespace_name, repo_name, *args, **kwargs):
 | |
|       logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name,
 | |
|                    repo_name)
 | |
|       repository = namespace_name + '/' + repo_name
 | |
|       repo = model.get_repository(namespace_name, repo_name)
 | |
|       if repo is None:
 | |
|         raise Unauthorized(repository=repository, scopes=scopes)
 | |
| 
 | |
|       permission = permission_class(namespace_name, repo_name)
 | |
|       if (permission.can() or (allow_public and repo.is_public)):
 | |
|         if repo.kind != 'image':
 | |
|           msg = 'This repository is for managing %s resources and not container images.' % repo.kind
 | |
|           raise Unsupported(detail=msg)
 | |
|         return func(namespace_name, repo_name, *args, **kwargs)
 | |
|       raise Unauthorized(repository=repository, scopes=scopes)
 | |
| 
 | |
|     return wrapped
 | |
| 
 | |
|   return wrapper
 | |
| 
 | |
| 
 | |
| require_repo_read = _require_repo_permission(ReadRepositoryPermission, scopes=['pull'],
 | |
|                                              allow_public=True)
 | |
| require_repo_write = _require_repo_permission(ModifyRepositoryPermission, scopes=['pull', 'push'])
 | |
| require_repo_admin = _require_repo_permission(AdministerRepositoryPermission, scopes=[
 | |
|   'pull', 'push'])
 | |
| 
 | |
| 
 | |
| def get_input_stream(flask_request):
 | |
|   if flask_request.headers.get('transfer-encoding') == 'chunked':
 | |
|     return flask_request.environ['wsgi.input']
 | |
|   return flask_request.stream
 | |
| 
 | |
| 
 | |
| def route_show_if(value):
 | |
|   def decorator(f):
 | |
|     @wraps(f)
 | |
|     def decorated_function(*args, **kwargs):
 | |
|       if not value:
 | |
|         abort(404)
 | |
| 
 | |
|       return f(*args, **kwargs)
 | |
| 
 | |
|     return decorated_function
 | |
| 
 | |
|   return decorator
 | |
| 
 | |
| 
 | |
| @v2_bp.route('/')
 | |
| @route_show_if(features.ADVERTISE_V2)
 | |
| @process_registry_jwt_auth()
 | |
| @anon_allowed
 | |
| def v2_support_enabled():
 | |
|   docker_ver = docker_version(request.user_agent.string)
 | |
| 
 | |
|   # Check if our version is one of the blacklisted versions, if we can't
 | |
|   # identify the version (None) we will fail open and assume that it is
 | |
|   # newer and therefore should not be blacklisted.
 | |
|   if Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver) and docker_ver is not None:
 | |
|     abort(404)
 | |
| 
 | |
|   response = make_response('true', 200)
 | |
| 
 | |
|   if get_grant_context() is None:
 | |
|     response = make_response('true', 401)
 | |
| 
 | |
|   response.headers.extend(get_auth_headers())
 | |
|   return response
 | |
| 
 | |
| 
 | |
| from endpoints.v2 import (
 | |
|   blob,
 | |
|   catalog,
 | |
|   manifest,
 | |
|   tag,
 | |
|   v2auth,)
 |