def _try_to_mount_blob(repository_ref, mount_blob_digest): """ Attempts to mount a blob requested by the user from another repository. """ logger.debug("Got mount request for blob `%s` into `%s`", mount_blob_digest, repository_ref) from_repo = request.args.get("from", None) if from_repo is None: # If we cannot mount the blob, fall back to the standard upload behavior, # since we don't support automatic mount origin discovery across all repos. return None # Ensure the user has access to the repository. logger.debug( "Got mount request for blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) from_namespace, from_repo_name = parse_namespace_repository( from_repo, app.config["LIBRARY_NAMESPACE"], include_tag=False ) from_repository_ref = registry_model.lookup_repository(from_namespace, from_repo_name) if from_repository_ref is None: logger.debug("Could not find from repo: `%s/%s`", from_namespace, from_repo_name) return None # First check permission. read_permission = ReadRepositoryPermission(from_namespace, from_repo_name).can() if not read_permission: # If no direct permission, check if the repostory is public. if not from_repository_ref.is_public: logger.debug( "No permission to mount blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) return None # Lookup if the mount blob's digest exists in the repository. mount_blob = registry_model.get_cached_repo_blob( model_cache, from_namespace, from_repo_name, mount_blob_digest ) if mount_blob is None: logger.debug("Blob `%s` under repository `%s` not found", mount_blob_digest, from_repo) return None logger.debug( "Mounting blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) # Mount the blob into the current repository and return that we've completed the operation. expiration_sec = app.config["PUSH_TEMP_TAG_EXPIRATION_SEC"] mounted = registry_model.mount_blob_into_repository(mount_blob, repository_ref, expiration_sec) if not mounted: logger.debug( "Could not mount blob `%s` under repository `%s` not found", mount_blob_digest, from_repo, ) return # Return the response for the blob indicating that it was mounted, and including its content # digest. logger.debug( "Mounted blob `%s` under repository `%s` into `%s`", mount_blob_digest, from_repo, repository_ref, ) namespace_name = repository_ref.namespace_name repo_name = repository_ref.name return Response( status=201, headers={ "Docker-Content-Digest": mount_blob_digest, "Location": get_app_url() + url_for( "v2.download_blob", repository="%s/%s" % (namespace_name, repo_name), digest=mount_blob_digest, ), }, )
def _authorize_or_downscope_request(scope_param, has_valid_auth_context): # TODO: The complexity of this function is difficult to follow and maintain. Refactor/Cleanup. if len(scope_param) == 0: if not has_valid_auth_context: # In this case, we are doing an auth flow, and it's not an anonymous pull. logger.debug("No user and no token sent for empty scope list") raise Unauthorized() return None match = _get_scope_regex().match(scope_param) if match is None: logger.debug("Match: %s", match) logger.debug("len: %s", len(scope_param)) logger.warning("Unable to decode repository and actions: %s", scope_param) raise InvalidRequest("Unable to decode repository and actions: %s" % scope_param) logger.debug("Match: %s", match.groups()) registry_and_repo = match.group(1) namespace_and_repo = match.group(2) requested_actions = match.group(3).split(",") lib_namespace = app.config["LIBRARY_NAMESPACE"] namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace) # Ensure that we are never creating an invalid repository. if features.EXTENDED_REPOSITORY_NAMES: if not REPOSITORY_NAME_EXTENDED_REGEX.match(reponame): logger.debug("Found invalid repository name in auth flow: %s", reponame) raise NameInvalid(message="Invalid repository name: %s" % namespace_and_repo) else: if not REPOSITORY_NAME_REGEX.match(reponame): logger.debug("Found invalid repository name in auth flow: %s", reponame) if len(namespace_and_repo.split("/")) > 1: msg = "Nested repositories are not supported. Found: %s" % namespace_and_repo raise NameInvalid(message=msg) raise NameInvalid(message="Invalid repository name: %s" % namespace_and_repo) # Ensure the namespace is enabled. if registry_model.is_existing_disabled_namespace(namespace): msg = "Namespace %s has been disabled. Please contact a system administrator." % namespace raise NamespaceDisabled(message=msg) final_actions = [] repository_ref = registry_model.lookup_repository(namespace, reponame) repo_is_public = repository_ref is not None and repository_ref.is_public invalid_repo_message = "" if repository_ref is not None and repository_ref.kind != "image": invalid_repo_message = ( "This repository is for managing %s " + "and not container images.") % repository_ref.kind # Ensure the repository is not marked for deletion. if repository_ref is not None and repository_ref.state == RepositoryState.MARKED_FOR_DELETION: raise Unknown(message="Unknown repository") if "push" in requested_actions: # Check if there is a valid user or token, as otherwise the repository cannot be # accessed. if has_valid_auth_context: user = get_authenticated_user() # Lookup the repository. If it exists, make sure the entity has modify # permission. Otherwise, make sure the entity has create permission. if repository_ref: if ModifyRepositoryPermission(namespace, reponame).can(): if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) # Check for different repository states. if repository_ref.state == RepositoryState.NORMAL: # In NORMAL mode, if the user has permission, then they can push. final_actions.append("push") elif repository_ref.state == RepositoryState.MIRROR: # In MIRROR mode, only the mirroring robot can push. mirror = model.repo_mirror.get_mirror( repository_ref.id) robot = mirror.internal_robot if mirror is not None else None if robot is not None and user is not None and robot == user: assert robot.robot final_actions.append("push") else: logger.debug( "Repository %s/%s push requested for non-mirror robot %s: %s", namespace, reponame, robot, user, ) elif repository_ref.state == RepositoryState.READ_ONLY: # No pushing allowed in read-only state. pass else: logger.warning( "Unknown state for repository %s: %s", repository_ref, repository_ref.state, ) else: logger.debug("No permission to modify repository %s/%s", namespace, reponame) else: if (app.config.get("CREATE_NAMESPACE_ON_PUSH", False) and model.user.get_namespace_user(namespace) is None): logger.debug("Creating organization: %s/%s", namespace, reponame) try: model.organization.create_organization( namespace, ("+" + namespace + "@").join( user.email.split("@")), user, email_required=features.MAILING, ) except model.DataModelException as ex: raise Unsupported(message="Cannot create organization") if CreateRepositoryPermission( namespace).can() and user is not None: logger.debug("Creating repository: %s/%s", namespace, reponame) visibility = ("private" if app.config.get( "CREATE_PRIVATE_REPO_ON_PUSH", True) else "public") found = model.repository.get_or_create_repository( namespace, reponame, user, visibility=visibility) if found is not None: repository_ref = RepositoryReference.for_repo_obj( found) if repository_ref.kind != "image": raise Unsupported( message="Cannot push to an app repository") final_actions.append("push") else: logger.debug("No permission to create repository %s/%s", namespace, reponame) if "pull" in requested_actions: # Grant pull if the user can read the repo or it is public. if ReadRepositoryPermission(namespace, reponame).can() or repo_is_public: if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) final_actions.append("pull") else: logger.debug("No permission to pull repository %s/%s", namespace, reponame) if "*" in requested_actions: # Grant * user is admin if AdministerRepositoryPermission(namespace, reponame).can(): if repository_ref is not None and repository_ref.kind != "image": raise Unsupported(message=invalid_repo_message) if repository_ref and repository_ref.state in ( RepositoryState.MIRROR, RepositoryState.READ_ONLY, ): logger.debug("No permission to administer repository %s/%s", namespace, reponame) else: assert repository_ref.state == RepositoryState.NORMAL final_actions.append("*") else: logger.debug("No permission to administer repository %s/%s", namespace, reponame) # Final sanity checks. if "push" in final_actions: assert repository_ref.state != RepositoryState.READ_ONLY if "*" in final_actions: assert repository_ref.state == RepositoryState.NORMAL return scopeResult( actions=final_actions, namespace=namespace, repository=reponame, registry_and_repo=registry_and_repo, tuf_root=_get_tuf_root(repository_ref, namespace, reponame), )
def wrapper(repository, *args, **kwargs): (namespace, repository) = parse_namespace_repository(repository, app.config['LIBRARY_NAMESPACE']) return func(namespace, repository, *args, **kwargs)