def _upload_chunk(blob_uploader, commit_digest=None):
"""
Performs uploading of a chunk of data in the current request's stream, via the blob uploader
given.
If commit_digest is specified, the upload is committed to a blob once the stream's data has been
read and stored.
"""
start_offset, length = _start_offset_and_length(request.headers.get("content-range"))
if None in {start_offset, length}:
raise InvalidRequest(message="Invalid range header")
input_fp = get_input_stream(request)
try:
# Upload the data received.
blob_uploader.upload_chunk(app.config, input_fp, start_offset, length)
if commit_digest is not None:
# Commit the upload to a blob.
return blob_uploader.commit_to_blob(app.config, commit_digest)
except BlobTooLargeException as ble:
raise LayerTooLarge(uploaded=ble.uploaded, max_allowed=ble.max_allowed)
except BlobRangeMismatchException:
logger.exception("Exception when uploading blob to %s", blob_uploader.blob_upload_id)
_abort_range_not_satisfiable(
blob_uploader.blob_upload.byte_count, blob_uploader.blob_upload_id
)
except BlobUploadException:
logger.exception("Exception when uploading blob to %s", blob_uploader.blob_upload_id)
raise BlobUploadInvalid()
def start_blob_upload(namespace_name, repo_name):
repository_ref = registry_model.lookup_repository(namespace_name,
repo_name)
if repository_ref is None:
raise NameUnknown()
# Check for mounting of a blob from another repository.
mount_blob_digest = request.args.get('mount', None)
if mount_blob_digest is not None:
response = _try_to_mount_blob(repository_ref, mount_blob_digest)
if response is not None:
return response
# Begin the blob upload process.
blob_uploader = create_blob_upload(repository_ref, storage,
_upload_settings())
if blob_uploader is None:
logger.debug('Could not create a blob upload for `%s/%s`',
namespace_name, repo_name)
raise InvalidRequest(
message='Unable to start blob upload for unknown repository')
# Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then
# the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect
# for the client to upload the chunks as distinct operations.
digest = request.args.get('digest', None)
if digest is None:
# Short-circuit because the user will send the blob data in another request.
return Response(
status=202,
headers={
'Docker-Upload-UUID':
blob_uploader.blob_upload_id,
'Range':
_render_range(0),
'Location':
get_app_url() +
url_for('v2.upload_chunk',
repository='%s/%s' % (namespace_name, repo_name),
upload_uuid=blob_uploader.blob_upload_id)
},
)
# Upload the data sent and commit it to a blob.
with complete_when_uploaded(blob_uploader):
_upload_chunk(blob_uploader, digest)
# Write the response to the client.
return Response(
status=201,
headers={
'Docker-Content-Digest':
digest,
'Location':
get_app_url() + url_for('v2.download_blob',
repository='%s/%s' %
(namespace_name, repo_name),
digest=digest),
},
)
def _try_to_mount_blob(repository_ref, mount_blob_digest):
"""
Attempts to mount a blob requested by the user from another repository.
"""
logger.debug("Got mount request for blob `%s` into `%s`", mount_blob_digest, repository_ref)
from_repo = request.args.get("from", None)
if from_repo is None:
raise InvalidRequest(message="Missing `from` repository argument")
# Ensure the user has access to the repository.
logger.debug(
"Got mount request for blob `%s` under repository `%s` into `%s`",
mount_blob_digest,
from_repo,
repository_ref,
)
from_namespace, from_repo_name = parse_namespace_repository(
from_repo, app.config["LIBRARY_NAMESPACE"], include_tag=False
)
from_repository_ref = registry_model.lookup_repository(from_namespace, from_repo_name)
if from_repository_ref is None:
logger.debug("Could not find from repo: `%s/%s`", from_namespace, from_repo_name)
return None
# First check permission.
read_permission = ReadRepositoryPermission(from_namespace, from_repo_name).can()
if not read_permission:
# If no direct permission, check if the repostory is public.
if not from_repository_ref.is_public:
logger.debug(
"No permission to mount blob `%s` under repository `%s` into `%s`",
mount_blob_digest,
from_repo,
repository_ref,
)
return None
# Lookup if the mount blob's digest exists in the repository.
mount_blob = registry_model.get_cached_repo_blob(
model_cache, from_namespace, from_repo_name, mount_blob_digest
)
if mount_blob is None:
logger.debug("Blob `%s` under repository `%s` not found", mount_blob_digest, from_repo)
return None
logger.debug(
"Mounting blob `%s` under repository `%s` into `%s`",
mount_blob_digest,
from_repo,
repository_ref,
)
# Mount the blob into the current repository and return that we've completed the operation.
expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"]
mounted = registry_model.mount_blob_into_repository(mount_blob, repository_ref, expiration_sec)
if not mounted:
logger.debug(
"Could not mount blob `%s` under repository `%s` not found",
mount_blob_digest,
from_repo,
)
return
# Return the response for the blob indicating that it was mounted, and including its content
# digest.
logger.debug(
"Mounted blob `%s` under repository `%s` into `%s`",
mount_blob_digest,
from_repo,
repository_ref,
)
namespace_name = repository_ref.namespace_name
repo_name = repository_ref.name
return Response(
status=201,
headers={
"Docker-Content-Digest": mount_blob_digest,
"Location": get_app_url()
+ url_for(
"v2.download_blob",
repository="%s/%s" % (namespace_name, repo_name),
digest=mount_blob_digest,
),
},
)
def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
# TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup.
if len(scope_param) == 0:
if not has_valid_auth_context:
# In this case, we are doing an auth flow, and it's not an anonymous pull.
logger.debug("No user and no token sent for empty scope list")
raise Unauthorized()
return None
match = _get_scope_regex().match(scope_param)
if match is None:
logger.debug("Match: %s", match)
logger.debug("len: %s", len(scope_param))
logger.warning("Unable to decode repository and actions: %s",
scope_param)
raise InvalidRequest("Unable to decode repository and actions: %s" %
scope_param)
logger.debug("Match: %s", match.groups())
registry_and_repo = match.group(1)
namespace_and_repo = match.group(2)
requested_actions = match.group(3).split(",")
lib_namespace = app.config["LIBRARY_NAMESPACE"]
namespace, reponame = parse_namespace_repository(namespace_and_repo,
lib_namespace)
# Ensure that we are never creating an invalid repository.
if not REPOSITORY_NAME_REGEX.match(reponame):
logger.debug("Found invalid repository name in auth flow: %s",
reponame)
if len(namespace_and_repo.split("/")) > 1:
msg = "Nested repositories are not supported. Found: %s" % namespace_and_repo
raise NameInvalid(message=msg)
raise NameInvalid(message="Invalid repository name: %s" %
namespace_and_repo)
# Ensure the namespace is enabled.
if registry_model.is_existing_disabled_namespace(namespace):
msg = "Namespace %s has been disabled. Please contact a system administrator." % namespace
raise NamespaceDisabled(message=msg)
final_actions = []
repository_ref = registry_model.lookup_repository(namespace, reponame)
repo_is_public = repository_ref is not None and repository_ref.is_public
invalid_repo_message = ""
if repository_ref is not None and repository_ref.kind != "image":
invalid_repo_message = (
"This repository is for managing %s " +
"and not container images.") % repository_ref.kind
# Ensure the repository is not marked for deletion.
if repository_ref is not None and repository_ref.state == RepositoryState.MARKED_FOR_DELETION:
raise Unknown(message="Unknown repository")
if "push" in requested_actions:
# Check if there is a valid user or token, as otherwise the repository cannot be
# accessed.
if has_valid_auth_context:
user = get_authenticated_user()
# Lookup the repository. If it exists, make sure the entity has modify
# permission. Otherwise, make sure the entity has create permission.
if repository_ref:
if ModifyRepositoryPermission(namespace, reponame).can():
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
# Check for different repository states.
if repository_ref.state == RepositoryState.NORMAL:
# In NORMAL mode, if the user has permission, then they can push.
final_actions.append("push")
elif repository_ref.state == RepositoryState.MIRROR:
# In MIRROR mode, only the mirroring robot can push.
mirror = model.repo_mirror.get_mirror(
repository_ref.id)
robot = mirror.internal_robot if mirror is not None else None
if robot is not None and user is not None and robot == user:
assert robot.robot
final_actions.append("push")
else:
logger.debug(
"Repository %s/%s push requested for non-mirror robot %s: %s",
namespace,
reponame,
robot,
user,
)
elif repository_ref.state == RepositoryState.READ_ONLY:
# No pushing allowed in read-only state.
pass
else:
logger.warning(
"Unknown state for repository %s: %s",
repository_ref,
repository_ref.state,
)
else:
logger.debug("No permission to modify repository %s/%s",
namespace, reponame)
else:
# TODO: Push-to-create functionality should be configurable
if CreateRepositoryPermission(
namespace).can() and user is not None:
logger.debug("Creating repository: %s/%s", namespace,
reponame)
repository_ref = RepositoryReference.for_repo_obj(
model.repository.create_repository(
namespace, reponame, user))
final_actions.append("push")
else:
logger.debug("No permission to create repository %s/%s",
namespace, reponame)
if "pull" in requested_actions:
# Grant pull if the user can read the repo or it is public.
if ReadRepositoryPermission(namespace,
reponame).can() or repo_is_public:
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
final_actions.append("pull")
else:
logger.debug("No permission to pull repository %s/%s", namespace,
reponame)
if "*" in requested_actions:
# Grant * user is admin
if AdministerRepositoryPermission(namespace, reponame).can():
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
if repository_ref and repository_ref.state in (
RepositoryState.MIRROR,
RepositoryState.READ_ONLY,
):
logger.debug("No permission to administer repository %s/%s",
namespace, reponame)
else:
assert repository_ref.state == RepositoryState.NORMAL
final_actions.append("*")
else:
logger.debug("No permission to administer repository %s/%s",
namespace, reponame)
# Final sanity checks.
if "push" in final_actions:
assert repository_ref.state != RepositoryState.READ_ONLY
if "*" in final_actions:
assert repository_ref.state == RepositoryState.NORMAL
return scopeResult(
actions=final_actions,
namespace=namespace,
repository=reponame,
registry_and_repo=registry_and_repo,
tuf_root=_get_tuf_root(repository_ref, namespace, reponame),
)
def handle_proxy_cache_error(error):
return _format_error_response(InvalidRequest(message=str(error)))
def start_blob_upload(namespace_name, repo_name):
repository_ref = registry_model.lookup_repository(namespace_name, repo_name)
if repository_ref is None:
raise NameUnknown("repository not found")
if app.config.get("FEATURE_QUOTA_MANAGEMENT", False):
quota = namespacequota.verify_namespace_quota(repository_ref)
if quota["severity_level"] == "Reject":
namespacequota.notify_organization_admins(
repository_ref, "quota_error", {"severity": "Reject"}
)
raise QuotaExceeded
# Check for mounting of a blob from another repository.
mount_blob_digest = request.args.get("mount", None)
if mount_blob_digest is not None:
response = _try_to_mount_blob(repository_ref, mount_blob_digest)
if response is not None:
return response
# Begin the blob upload process.
blob_uploader = create_blob_upload(repository_ref, storage, _upload_settings())
if blob_uploader is None:
logger.debug("Could not create a blob upload for `%s/%s`", namespace_name, repo_name)
raise InvalidRequest(message="Unable to start blob upload for unknown repository")
# Check if the blob will be uploaded now or in followup calls. If the `digest` is given, then
# the upload will occur as a monolithic chunk in this call. Otherwise, we return a redirect
# for the client to upload the chunks as distinct operations.
digest = request.args.get("digest", None)
if digest is None:
# Short-circuit because the user will send the blob data in another request.
return Response(
status=202,
headers={
"Docker-Upload-UUID": blob_uploader.blob_upload_id,
"Range": _render_range(0),
"Location": get_app_url()
+ url_for(
"v2.upload_chunk",
repository="%s/%s" % (namespace_name, repo_name),
upload_uuid=blob_uploader.blob_upload_id,
),
},
)
# Upload the data sent and commit it to a blob.
with complete_when_uploaded(blob_uploader):
_upload_chunk(blob_uploader, digest)
# Write the response to the client.
return Response(
status=201,
headers={
"Docker-Content-Digest": digest,
"Location": get_app_url()
+ url_for(
"v2.download_blob", repository="%s/%s" % (namespace_name, repo_name), digest=digest
),
},
)
