def _upload_chunk(blob_uploader, commit_digest=None): """ Performs uploading of a chunk of data in the current request's stream, via the blob uploader given. If commit_digest is specified, the upload is committed to a blob once the stream's data has been read and stored. """ start_offset, length = _start_offset_and_length(request.headers.get("content-range")) if None in {start_offset, length}: raise InvalidRequest(message="Invalid range header") input_fp = get_input_stream(request) try: # Upload the data received. blob_uploader.upload_chunk(app.config, input_fp, start_offset, length) if commit_digest is not None: # Commit the upload to a blob. return blob_uploader.commit_to_blob(app.config, commit_digest) except BlobTooLargeException as ble: raise LayerTooLarge(uploaded=ble.uploaded, max_allowed=ble.max_allowed) except BlobRangeMismatchException: logger.exception("Exception when uploading blob to %s", blob_uploader.blob_upload_id) _abort_range_not_satisfiable( blob_uploader.blob_upload.byte_count, blob_uploader.blob_upload_id ) except BlobUploadException: logger.exception("Exception when uploading blob to %s", blob_uploader.blob_upload_id) raise BlobUploadInvalid()
def start_blob_upload(namespace_name, repo_name): repository_ref = registry_model.lookup_repository(namespace_name, repo_name) if repository_ref is None: raise NameUnknown() # Check for mounting of a blob from another repository. mount_blob_digest = request.args.get('mount', None) if mount_blob_digest is not None: response = _try_to_mount_blob(repository_ref, mount_blob_digest) if response is not None: return response # Begin the blob upload process. blob_uploader = create_blob_upload(repository_ref, storage, _upload_settings()) if blob_uploader is None: logger.debug('Could not create a blob upload for `%s/%s`', namespace_name, repo_name) raise InvalidRequest( message='Unable to start blob upload for unknown repository') # Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then # the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect # for the client to upload the chunks as distinct operations. digest = request.args.get('digest', None) if digest is None: # Short-circuit because the user will send the blob data in another request. return Response( status=202, headers={ 'Docker-Upload-UUID': blob_uploader.blob_upload_id, 'Range': _render_range(0), 'Location': get_app_url() + url_for('v2.upload_chunk', repository='%s/%s' % (namespace_name, repo_name), upload_uuid=blob_uploader.blob_upload_id) }, ) # Upload the data sent and commit it to a blob. with complete_when_uploaded(blob_uploader): _upload_chunk(blob_uploader, digest) # Write the response to the client. return Response( status=201, headers={ 'Docker-Content-Digest': digest, 'Location': get_app_url() + url_for('v2.download_blob', repository='%s/%s' % (namespace_name, repo_name), digest=digest), }, )
def _try_to_mount_blob(repository_ref, mount_blob_digest): """ Attempts to mount a blob requested by the user from another repository. """ logger.debug("Got mount request for blob `%s` into `%s`", mount_blob_digest, repository_ref) from_repo = request.args.get("from", None) if from_repo is None: raise InvalidRequest(message="Missing `from` repository argument") # Ensure the user has access to the repository. logger.debug( "Got mount request for blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) from_namespace, from_repo_name = parse_namespace_repository( from_repo, app.config["LIBRARY_NAMESPACE"], include_tag=False ) from_repository_ref = registry_model.lookup_repository(from_namespace, from_repo_name) if from_repository_ref is None: logger.debug("Could not find from repo: `%s/%s`", from_namespace, from_repo_name) return None # First check permission. read_permission = ReadRepositoryPermission(from_namespace, from_repo_name).can() if not read_permission: # If no direct permission, check if the repostory is public. if not from_repository_ref.is_public: logger.debug( "No permission to mount blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) return None # Lookup if the mount blob's digest exists in the repository. mount_blob = registry_model.get_cached_repo_blob( model_cache, from_namespace, from_repo_name, mount_blob_digest ) if mount_blob is None: logger.debug("Blob `%s` under repository `%s` not found", mount_blob_digest, from_repo) return None logger.debug( "Mounting blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) # Mount the blob into the current repository and return that we've completed the operation. expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"] mounted = registry_model.mount_blob_into_repository(mount_blob, repository_ref, expiration_sec) if not mounted: logger.debug( "Could not mount blob `%s` under repository `%s` not found", mount_blob_digest, from_repo, ) return # Return the response for the blob indicating that it was mounted, and including its content # digest. logger.debug( "Mounted blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) namespace_name = repository_ref.namespace_name repo_name = repository_ref.name return Response( status=201, headers={ "Docker-Content-Digest": mount_blob_digest, "Location": get_app_url() + url_for( "v2.download_blob", repository="%s/%s" % (namespace_name, repo_name), digest=mount_blob_digest, ), }, )
def _authorize_or_downscope_request(scope_param, has_valid_auth_context): # TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup. if len(scope_param) == 0: if not has_valid_auth_context: # In this case, we are doing an auth flow, and it's not an anonymous pull. logger.debug("No user and no token sent for empty scope list") raise Unauthorized() return None match = _get_scope_regex().match(scope_param) if match is None: logger.debug("Match: %s", match) logger.debug("len: %s", len(scope_param)) logger.warning("Unable to decode repository and actions: %s", scope_param) raise InvalidRequest("Unable to decode repository and actions: %s" % scope_param) logger.debug("Match: %s", match.groups()) registry_and_repo = match.group(1) namespace_and_repo = match.group(2) requested_actions = match.group(3).split(",") lib_namespace = app.config["LIBRARY_NAMESPACE"] namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace) # Ensure that we are never creating an invalid repository. if not REPOSITORY_NAME_REGEX.match(reponame): logger.debug("Found invalid repository name in auth flow: %s", reponame) if len(namespace_and_repo.split("/")) > 1: msg = "Nested repositories are not supported. Found: %s" % namespace_and_repo raise NameInvalid(message=msg) raise NameInvalid(message="Invalid repository name: %s" % namespace_and_repo) # Ensure the namespace is enabled. if registry_model.is_existing_disabled_namespace(namespace): msg = "Namespace %s has been disabled. Please contact a system administrator." % namespace raise NamespaceDisabled(message=msg) final_actions = [] repository_ref = registry_model.lookup_repository(namespace, reponame) repo_is_public = repository_ref is not None and repository_ref.is_public invalid_repo_message = "" if repository_ref is not None and repository_ref.kind != "image": invalid_repo_message = ( "This repository is for managing %s " + "and not container images.") % repository_ref.kind # Ensure the repository is not marked for deletion. if repository_ref is not None and repository_ref.state == RepositoryState.MARKED_FOR_DELETION: raise Unknown(message="Unknown repository") if "push" in requested_actions: # Check if there is a valid user or token, as otherwise the repository cannot be # accessed. if has_valid_auth_context: user = get_authenticated_user() # Lookup the repository. If it exists, make sure the entity has modify # permission. Otherwise, make sure the entity has create permission. if repository_ref: if ModifyRepositoryPermission(namespace, reponame).can(): if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) # Check for different repository states. if repository_ref.state == RepositoryState.NORMAL: # In NORMAL mode, if the user has permission, then they can push. final_actions.append("push") elif repository_ref.state == RepositoryState.MIRROR: # In MIRROR mode, only the mirroring robot can push. mirror = model.repo_mirror.get_mirror( repository_ref.id) robot = mirror.internal_robot if mirror is not None else None if robot is not None and user is not None and robot == user: assert robot.robot final_actions.append("push") else: logger.debug( "Repository %s/%s push requested for non-mirror robot %s: %s", namespace, reponame, robot, user, ) elif repository_ref.state == RepositoryState.READ_ONLY: # No pushing allowed in read-only state. pass else: logger.warning( "Unknown state for repository %s: %s", repository_ref, repository_ref.state, ) else: logger.debug("No permission to modify repository %s/%s", namespace, reponame) else: # TODO: Push-to-create functionality should be configurable if CreateRepositoryPermission( namespace).can() and user is not None: logger.debug("Creating repository: %s/%s", namespace, reponame) repository_ref = RepositoryReference.for_repo_obj( model.repository.create_repository( namespace, reponame, user)) final_actions.append("push") else: logger.debug("No permission to create repository %s/%s", namespace, reponame) if "pull" in requested_actions: # Grant pull if the user can read the repo or it is public. if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public: if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) final_actions.append("pull") else: logger.debug("No permission to pull repository %s/%s", namespace, reponame) if "*" in requested_actions: # Grant * user is admin if AdministerRepositoryPermission(namespace, reponame).can(): if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) if repository_ref and repository_ref.state in ( RepositoryState.MIRROR, RepositoryState.READ_ONLY, ): logger.debug("No permission to administer repository %s/%s", namespace, reponame) else: assert repository_ref.state == RepositoryState.NORMAL final_actions.append("*") else: logger.debug("No permission to administer repository %s/%s", namespace, reponame) # Final sanity checks. if "push" in final_actions: assert repository_ref.state != RepositoryState.READ_ONLY if "*" in final_actions: assert repository_ref.state == RepositoryState.NORMAL return scopeResult( actions=final_actions, namespace=namespace, repository=reponame, registry_and_repo=registry_and_repo, tuf_root=_get_tuf_root(repository_ref, namespace, reponame), )
def handle_proxy_cache_error(error): return _format_error_response(InvalidRequest(message=str(error)))
def start_blob_upload(namespace_name, repo_name): repository_ref = registry_model.lookup_repository(namespace_name, repo_name) if repository_ref is None: raise NameUnknown("repository not found") if app.config.get("FEATURE_QUOTA_MANAGEMENT", False): quota = namespacequota.verify_namespace_quota(repository_ref) if quota["severity_level"] == "Reject": namespacequota.notify_organization_admins( repository_ref, "quota_error", {"severity": "Reject"} ) raise QuotaExceeded # Check for mounting of a blob from another repository. mount_blob_digest = request.args.get("mount", None) if mount_blob_digest is not None: response = _try_to_mount_blob(repository_ref, mount_blob_digest) if response is not None: return response # Begin the blob upload process. blob_uploader = create_blob_upload(repository_ref, storage, _upload_settings()) if blob_uploader is None: logger.debug("Could not create a blob upload for `%s/%s`", namespace_name, repo_name) raise InvalidRequest(message="Unable to start blob upload for unknown repository") # Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then # the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect # for the client to upload the chunks as distinct operations. digest = request.args.get("digest", None) if digest is None: # Short-circuit because the user will send the blob data in another request. return Response( status=202, headers={ "Docker-Upload-UUID": blob_uploader.blob_upload_id, "Range": _render_range(0), "Location": get_app_url() + url_for( "v2.upload_chunk", repository="%s/%s" % (namespace_name, repo_name), upload_uuid=blob_uploader.blob_upload_id, ), }, ) # Upload the data sent and commit it to a blob. with complete_when_uploaded(blob_uploader): _upload_chunk(blob_uploader, digest) # Write the response to the client. return Response( status=201, headers={ "Docker-Content-Digest": digest, "Location": get_app_url() + url_for( "v2.download_blob", repository="%s/%s" % (namespace_name, repo_name), digest=digest ), }, )