quay/endpoints/v2/__init__.py

import logging
import os.path

from functools import wraps
from urlparse import urlparse
from urllib import urlencode

from flask import Blueprint, make_response, url_for, request, jsonify
from semantic_version import Spec

import features

from app import app, metric_queue, get_app_url
from auth.auth_context import get_authenticated_context
from auth.permissions import (
  ReadRepositoryPermission, ModifyRepositoryPermission, AdministerRepositoryPermission)
from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
from data.registry_model import registry_model
from data.readreplica import ReadOnlyModeException
from endpoints.decorators import anon_protect, anon_allowed, route_show_if
from endpoints.v2.errors import (V2RegistryException, Unauthorized, Unsupported, NameUnknown,
                                 ReadOnlyMode)
from util.http import abort
from util.metrics.metricqueue import time_blueprint
from util.registry.dockerver import docker_version
from util.pagination import encrypt_page_token, decrypt_page_token

logger = logging.getLogger(__name__)

v2_bp = Blueprint('v2', __name__)
time_blueprint(v2_bp, metric_queue)


@v2_bp.app_errorhandler(V2RegistryException)
def handle_registry_v2_exception(error):
  response = jsonify({'errors': [error.as_dict()]})

  response.status_code = error.http_status_code
  if response.status_code == 401:
    response.headers.extend(get_auth_headers(repository=error.repository, scopes=error.scopes))
  logger.debug('sending response: %s', response.get_data())
  return response


@v2_bp.app_errorhandler(ReadOnlyModeException)
def handle_readonly(ex):
  error = ReadOnlyMode()
  response = jsonify({'errors': [error.as_dict()]})
  response.status_code = error.http_status_code
  logger.debug('sending response: %s', response.get_data())
  return response


_MAX_RESULTS_PER_PAGE = app.config.get('V2_PAGINATION_SIZE', 100)


def paginate(start_id_kwarg_name='start_id', limit_kwarg_name='limit',
             callback_kwarg_name='pagination_callback'):
  """
  Decorates a handler adding a parsed pagination token and a callback to encode a response token.
  """

  def wrapper(func):
    @wraps(func)
    def wrapped(*args, **kwargs):
      try:
        requested_limit = int(request.args.get('n', _MAX_RESULTS_PER_PAGE))
      except ValueError:
        requested_limit = 0

      limit = max(min(requested_limit, _MAX_RESULTS_PER_PAGE), 1)
      next_page_token = request.args.get('next_page', request.args.get('last', None))

      # Decrypt the next page token, if any.
      start_id = None
      page_info = decrypt_page_token(next_page_token)
      if page_info is not None:
        start_id = page_info.get('start_id', None)

      def callback(results, response):
        if len(results) <= limit:
          return

        next_page_token = encrypt_page_token({'start_id': max([obj.id for obj in results])})

        link_url = os.path.join(get_app_url(), url_for(request.endpoint, **request.view_args))
        link_param = urlencode({'n': limit, 'next_page': next_page_token})
        link = '<%s?%s>; rel="next"' % (link_url, link_param)
        response.headers['Link'] = link

      kwargs[limit_kwarg_name] = limit
      kwargs[start_id_kwarg_name] = start_id
      kwargs[callback_kwarg_name] = callback
      return func(*args, **kwargs)
    return wrapped
  return wrapper


def _require_repo_permission(permission_class, scopes=None, allow_public=False):
  def wrapper(func):
    @wraps(func)
    def wrapped(namespace_name, repo_name, *args, **kwargs):
      logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name,
                   repo_name)

      permission = permission_class(namespace_name, repo_name)
      if permission.can():
        return func(namespace_name, repo_name, *args, **kwargs)

      repository = namespace_name + '/' + repo_name
      if allow_public:
        repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
        if repository_ref is None or not repository_ref.is_public:
          raise Unauthorized(repository=repository, scopes=scopes)

        if repository_ref.kind != 'image':
          msg = 'This repository is for managing %s and not container images.' % repository_ref.kind
          raise Unsupported(detail=msg)

        if repository_ref.is_public:
          if not features.ANONYMOUS_ACCESS:
            raise Unauthorized(repository=repository, scopes=scopes)

          return func(namespace_name, repo_name, *args, **kwargs)

      raise Unauthorized(repository=repository, scopes=scopes)
    return wrapped
  return wrapper


require_repo_read = _require_repo_permission(ReadRepositoryPermission, scopes=['pull'],
                                             allow_public=True)
require_repo_write = _require_repo_permission(ModifyRepositoryPermission, scopes=['pull', 'push'])
require_repo_admin = _require_repo_permission(AdministerRepositoryPermission, scopes=[
  'pull', 'push'])


def get_input_stream(flask_request):
  if flask_request.headers.get('transfer-encoding') == 'chunked':
    return flask_request.environ['wsgi.input']
  return flask_request.stream


@v2_bp.route('/')
@route_show_if(features.ADVERTISE_V2)
@process_registry_jwt_auth()
@anon_allowed
def v2_support_enabled():
  docker_ver = docker_version(request.user_agent.string)

  # Check if our version is one of the blacklisted versions, if we can't
  # identify the version (None) we will fail open and assume that it is
  # newer and therefore should not be blacklisted.
  if docker_ver is not None and Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver):
    abort(404)

  response = make_response('true', 200)

  if get_authenticated_context() is None:
    response = make_response('true', 401)

  response.headers.extend(get_auth_headers())
  return response


from endpoints.v2 import (
  blob,
  catalog,
  manifest,
  tag,
  v2auth,)