def _validate_schema1_manifest(namespace: str, repo: str, manifest: DockerSchema1Manifest):
# NOTE: These extra checks are needed for schema version 1 because the manifests
# contain the repo namespace, name and tag name.
if manifest.schema_version != 1:
return
if (
manifest.namespace == ""
and features.LIBRARY_SUPPORT
and namespace == app.config["LIBRARY_NAMESPACE"]
):
pass
elif manifest.namespace != namespace:
raise NameInvalid(
message="namespace name does not match manifest",
detail={
"message": "namespace name `%s` does not match `%s` in manifest"
% (namespace, manifest.namespace),
},
)
if manifest.repo_name != repo:
raise NameInvalid(
message="repository name does not match manifest",
detail={
"message": "repository name `%s` does not match `%s` in manifest"
% (repo, manifest.repo_name),
},
)
try:
if not manifest.layers:
raise ManifestInvalid(detail={"message": "manifest does not reference any layers"})
except ManifestException as me:
raise ManifestInvalid(detail={"message": str(me)})
def _write_manifest(namespace_name, repo_name, tag_name, manifest_impl):
# NOTE: These extra checks are needed for schema version 1 because the manifests
# contain the repo namespace, name and tag name.
if manifest_impl.schema_version == 1:
if (manifest_impl.namespace == "" and features.LIBRARY_SUPPORT
and namespace_name == app.config["LIBRARY_NAMESPACE"]):
pass
elif manifest_impl.namespace != namespace_name:
raise NameInvalid(
message="namespace name does not match manifest",
detail={
"namespace name `%s` does not match `%s` in manifest" %
(namespace_name, manifest_impl.namespace)
},
)
if manifest_impl.repo_name != repo_name:
raise NameInvalid(
message="repository name does not match manifest",
detail={
"repository name `%s` does not match `%s` in manifest" %
(repo_name, manifest_impl.repo_name)
},
)
try:
if not manifest_impl.layers:
raise ManifestInvalid(
detail={
"message": "manifest does not reference any layers"
})
except ManifestException as me:
raise ManifestInvalid(detail={"message": str(me)})
# Ensure that the repository exists.
repository_ref = registry_model.lookup_repository(namespace_name,
repo_name)
if repository_ref is None:
raise NameUnknown()
# Create the manifest(s) and retarget the tag to point to it.
try:
manifest, tag = registry_model.create_manifest_and_retarget_tag(
repository_ref,
manifest_impl,
tag_name,
storage,
raise_on_error=True)
except CreateManifestException as cme:
raise ManifestInvalid(detail={"message": str(cme)})
except RetargetTagException as rte:
raise ManifestInvalid(detail={"message": str(rte)})
if manifest is None:
raise ManifestInvalid()
return repository_ref, manifest, tag
def _authorize_or_downscope_request(scope_param, has_valid_auth_context):
# TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup.
if len(scope_param) == 0:
if not has_valid_auth_context:
# In this case, we are doing an auth flow, and it's not an anonymous pull.
logger.debug("No user and no token sent for empty scope list")
raise Unauthorized()
return None
match = _get_scope_regex().match(scope_param)
if match is None:
logger.debug("Match: %s", match)
logger.debug("len: %s", len(scope_param))
logger.warning("Unable to decode repository and actions: %s",
scope_param)
raise InvalidRequest("Unable to decode repository and actions: %s" %
scope_param)
logger.debug("Match: %s", match.groups())
registry_and_repo = match.group(1)
namespace_and_repo = match.group(2)
requested_actions = match.group(3).split(",")
lib_namespace = app.config["LIBRARY_NAMESPACE"]
namespace, reponame = parse_namespace_repository(namespace_and_repo,
lib_namespace)
# Ensure that we are never creating an invalid repository.
if not REPOSITORY_NAME_REGEX.match(reponame):
logger.debug("Found invalid repository name in auth flow: %s",
reponame)
if len(namespace_and_repo.split("/")) > 1:
msg = "Nested repositories are not supported. Found: %s" % namespace_and_repo
raise NameInvalid(message=msg)
raise NameInvalid(message="Invalid repository name: %s" %
namespace_and_repo)
# Ensure the namespace is enabled.
if registry_model.is_existing_disabled_namespace(namespace):
msg = "Namespace %s has been disabled. Please contact a system administrator." % namespace
raise NamespaceDisabled(message=msg)
final_actions = []
repository_ref = registry_model.lookup_repository(namespace, reponame)
repo_is_public = repository_ref is not None and repository_ref.is_public
invalid_repo_message = ""
if repository_ref is not None and repository_ref.kind != "image":
invalid_repo_message = (
"This repository is for managing %s " +
"and not container images.") % repository_ref.kind
# Ensure the repository is not marked for deletion.
if repository_ref is not None and repository_ref.state == RepositoryState.MARKED_FOR_DELETION:
raise Unknown(message="Unknown repository")
if "push" in requested_actions:
# Check if there is a valid user or token, as otherwise the repository cannot be
# accessed.
if has_valid_auth_context:
user = get_authenticated_user()
# Lookup the repository. If it exists, make sure the entity has modify
# permission. Otherwise, make sure the entity has create permission.
if repository_ref:
if ModifyRepositoryPermission(namespace, reponame).can():
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
# Check for different repository states.
if repository_ref.state == RepositoryState.NORMAL:
# In NORMAL mode, if the user has permission, then they can push.
final_actions.append("push")
elif repository_ref.state == RepositoryState.MIRROR:
# In MIRROR mode, only the mirroring robot can push.
mirror = model.repo_mirror.get_mirror(
repository_ref.id)
robot = mirror.internal_robot if mirror is not None else None
if robot is not None and user is not None and robot == user:
assert robot.robot
final_actions.append("push")
else:
logger.debug(
"Repository %s/%s push requested for non-mirror robot %s: %s",
namespace,
reponame,
robot,
user,
)
elif repository_ref.state == RepositoryState.READ_ONLY:
# No pushing allowed in read-only state.
pass
else:
logger.warning(
"Unknown state for repository %s: %s",
repository_ref,
repository_ref.state,
)
else:
logger.debug("No permission to modify repository %s/%s",
namespace, reponame)
else:
# TODO: Push-to-create functionality should be configurable
if CreateRepositoryPermission(
namespace).can() and user is not None:
logger.debug("Creating repository: %s/%s", namespace,
reponame)
repository_ref = RepositoryReference.for_repo_obj(
model.repository.create_repository(
namespace, reponame, user))
final_actions.append("push")
else:
logger.debug("No permission to create repository %s/%s",
namespace, reponame)
if "pull" in requested_actions:
# Grant pull if the user can read the repo or it is public.
if ReadRepositoryPermission(namespace,
reponame).can() or repo_is_public:
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
final_actions.append("pull")
else:
logger.debug("No permission to pull repository %s/%s", namespace,
reponame)
if "*" in requested_actions:
# Grant * user is admin
if AdministerRepositoryPermission(namespace, reponame).can():
if repository_ref is not None and repository_ref.kind != "image":
raise Unsupported(message=invalid_repo_message)
if repository_ref and repository_ref.state in (
RepositoryState.MIRROR,
RepositoryState.READ_ONLY,
):
logger.debug("No permission to administer repository %s/%s",
namespace, reponame)
else:
assert repository_ref.state == RepositoryState.NORMAL
final_actions.append("*")
else:
logger.debug("No permission to administer repository %s/%s",
namespace, reponame)
# Final sanity checks.
if "push" in final_actions:
assert repository_ref.state != RepositoryState.READ_ONLY
if "*" in final_actions:
assert repository_ref.state == RepositoryState.NORMAL
return scopeResult(
actions=final_actions,
namespace=namespace,
repository=reponame,
registry_and_repo=registry_and_repo,
tuf_root=_get_tuf_root(repository_ref, namespace, reponame),
)