smart_proxy_container_gateway 1.0.3 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed0a914e50f04c3851c5ddde3f117ed6ab10d87912c1736cd229d270e44f9043
-  data.tar.gz: cc6e50ca1142aa6e4a8103092033bafb8c0b29e342bc8edb303b7ecf4e53ddf7
+  metadata.gz: 8c0467076082cd7138c8415f2915d72c9b69fea3af5909d9c396ed4b247f5009
+  data.tar.gz: 66a1866562b0fb767f1a7c94f40ad3572d89a67966269db711dfd2ca967449e1
 SHA512:
-  metadata.gz: 87a98b19c70679c4e1529adf4b080e8b9c5bd78fdde4db87709f76743eb43ad8b6ee0552a42bfc03465d36679da768e4d4f8c5ef8daca58dcd31d07e256bd9d2
-  data.tar.gz: 470244c840404138894b8f22991cc65cbdb429b0764632ac4e1a87444f7e0d67319a7277c7f9bac22665c3b2808d47e3b0ed05f519aec16bf6081d84878f5ea8
+  metadata.gz: d5fb41b0be01a09736defddc0ec23ccf2ef81199700194cf46fbbc4afaaa6b2ffeebb79afa6119822a50f225ae7675ce1ea19946c49ff96882912c924a752b02
+  data.tar.gz: 7098744ff44801ee8051e3bdcdb87d2d7379eada25517552683023ef0cdd5932a52bdffd4b874e22b465cc7309754cc09b87a7d2fd36365be020a006c5f732cc

data/lib/smart_proxy_container_gateway/container_gateway_api.rb

@@ -2,7 +2,6 @@ require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
 require 'smart_proxy_container_gateway/container_gateway_main'
 require 'smart_proxy_container_gateway/foreman_api'
-require 'sequel'
 require 'sqlite3'
 
 module Proxy
@@ -10,7 +9,7 @@ module Proxy
     class Api < ::Sinatra::Base
       include ::Proxy::Log
       helpers ::Proxy::Helpers
-      Sequel.extension :migration, :core_extensions
+      helpers ::Sinatra::Authorization::Helpers
 
       get '/v1/_ping/?' do
         Proxy::ContainerGateway.ping
@@ -18,6 +17,7 @@ module Proxy
 
       get '/v2/?' do
         if auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?)
+          response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
           Proxy::ContainerGateway.ping
         else
           redirect_authorization_headers
@@ -26,31 +26,32 @@ module Proxy
       end
 
       get '/v2/:repository/manifests/:tag/?' do
-        unless Proxy::ContainerGateway.authorized_for_repo?(params[:repository])
-          redirect_authorization_headers
-          halt 401, "unauthorized"
-        end
+        handle_repo_auth(params, auth_header, request)
         redirection_location = Proxy::ContainerGateway.manifests(params[:repository], params[:tag])
         redirect to(redirection_location)
       end
 
       get '/v2/:repository/blobs/:digest/?' do
-        unless Proxy::ContainerGateway.authorized_for_repo?(params[:repository])
-          redirect_authorization_headers
-          halt 401, "unauthorized"
-        end
+        handle_repo_auth(params, auth_header, request)
         redirection_location = Proxy::ContainerGateway.blobs(params[:repository], params[:digest])
         redirect to(redirection_location)
       end
 
       get '/v1/search/?' do
         # Checks for podman client and issues a 404 in that case. Podman
-        # examines the response from a /v1_search request. If the result
+        # examines the response from a /v1/search request. If the result
         # is a 4XX, it will then proceed with a request to /_catalog
         if !request.env['HTTP_USER_AGENT'].nil? && request.env['HTTP_USER_AGENT'].downcase.include?('libpod')
           halt 404, "not found"
         end
 
+        if auth_header.present? && !auth_header.blank?
+          username = auth_header.v1_foreman_authorized_username
+          if username.nil?
+            halt 401, "unauthorized"
+          end
+          params[:user] = username
+        end
         repositories = Proxy::ContainerGateway.v1_search(params)
 
         content_type :json
@@ -58,13 +59,23 @@ module Proxy
       end
 
       get '/v2/_catalog/?' do
-        content_type :json
-        { repositories: Proxy::ContainerGateway.catalog }.to_json
-      end
+        catalog = []
+        if auth_header.present?
+          if auth_header.unauthorized_token?
+            catalog = Proxy::ContainerGateway.catalog
+          elsif auth_header.valid_user_token?
+            catalog = Proxy::ContainerGateway.catalog(auth_header.user)
+          else
+            redirect_authorization_headers
+            halt 401, "unauthorized"
+          end
+        else
+          redirect_authorization_headers
+          halt 401, "unauthorized"
+        end
 
-      get '/v2/unauthenticated_repository_list/?' do
         content_type :json
-        { repositories: Proxy::ContainerGateway.unauthenticated_repos }.to_json
+        { repositories: catalog }.to_json
       end
 
       get '/v2/token' do
@@ -83,28 +94,56 @@ module Proxy
           token_response_body = JSON.parse(token_response.body)
           ContainerGateway.insert_token(request.params['account'], token_response_body['token'],
                                         token_response_body['expires_at'])
+
+          repo_response = ForemanApi.new.fetch_user_repositories(auth_header.raw_header, request.params)
+          if repo_response.code.to_i != 200
+            halt repo_response.code.to_i, repo_response.body
+          else
+            ContainerGateway.update_user_repositories(request.params['account'],
+                                                      JSON.parse(repo_response.body)['repositories'])
+          end
           return token_response_body.to_json
         end
       end
 
-      put '/v2/unauthenticated_repository_list/?' do
-        if params.key? :repositories
-          repo_names = params[:repositories]
-        else
-          repo_names = JSON.parse(request.body.read)["repositories"]
-        end
-      rescue JSON::ParserError
-        halt 400, "malformed repositories json"
-      else
-        if repo_names.nil?
-          Proxy::ContainerGateway.update_unauthenticated_repos([])
-        else
-          Proxy::ContainerGateway.update_unauthenticated_repos(repo_names)
-        end
+      get '/users/?' do
+        do_authorize_any
+
+        content_type :json
+        { users: User.map(:name) }.to_json
+      end
+
+      put '/user_repository_mapping/?' do
+        do_authorize_any
+
+        ContainerGateway.update_user_repo_mapping(params)
+        {}
+      end
+
+      put '/repository_list/?' do
+        do_authorize_any
+
+        ContainerGateway.update_repository_list(params['repositories'])
+        {}
       end
 
       private
 
+      def handle_repo_auth(params, auth_header, request)
+        user_token_is_valid = false
+        # FIXME: Getting unauthenticated token here...
+        if auth_header.present? && auth_header.valid_user_token?
+          user_token_is_valid = true
+          username = auth_header.user.name
+        end
+        username = request.params['account'] if username.nil?
+
+        return if Proxy::ContainerGateway.authorized_for_repo?(params[:repository], user_token_is_valid, username)
+
+        redirect_authorization_headers
+        halt 401, "unauthorized"
+      end
+
       def redirect_authorization_headers
         response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
         response.headers['Www-Authenticate'] = "Bearer realm=\"https://#{request.host}/v2/token\"," \
@@ -123,6 +162,10 @@ module Proxy
           @value = value || ''
         end
 
+        def user
+          ContainerGateway.token_user(@value.split(' ')[1])
+        end
+
         def valid_user_token?
           token_auth? && ContainerGateway.valid_token?(@value.split(' ')[1])
         end
@@ -146,6 +189,19 @@ module Proxy
         def basic_auth?
           @value.split(' ')[0] == 'Basic'
         end
+
+        def blank?
+          Base64.decode64(@value.split(' ')[1]) == ':'
+        end
+
+        # A special case for the V1 API.  Defer authentication to Foreman and return the username. `nil` if not authorized.
+        def v1_foreman_authorized_username
+          username = Base64.decode64(@value.split(' ')[1]).split(':')[0]
+          auth_response = ForemanApi.new.fetch_token(raw_header, { 'account' => username })
+          return username if auth_response.code.to_i == 200 && (JSON.parse(auth_response.body)['token'] != 'unauthenticated')
+
+          nil
+        end
       end
     end
   end

data/lib/smart_proxy_container_gateway/container_gateway_main.rb

@@ -1,13 +1,14 @@
 require 'net/http'
 require 'uri'
 require 'digest'
-
+require 'sequel'
 module Proxy
   module ContainerGateway
     extend ::Proxy::Util
     extend ::Proxy::Log
 
     class << self
+      Sequel.extension :migration, :core_extensions
       def pulp_registry_request(uri)
         http_client = Net::HTTP.new(uri.host, uri.port)
         http_client.ca_file = pulp_ca
@@ -49,7 +50,8 @@ module Proxy
 
         repo_count = 0
         repositories = []
-        Proxy::ContainerGateway.catalog.each do |repo_name|
+        user = params[:user].nil? ? nil : User.find(name: params[:user])
+        Proxy::ContainerGateway.catalog(user).each do |repo_name|
           break if repo_count >= params[:n]
 
           if params[:q].nil? || params[:q] == "" || repo_name.include?(params[:q])
@@ -60,48 +62,103 @@ module Proxy
         repositories
       end
 
-      def catalog
-        unauthenticated_repos
+      def catalog(user = nil)
+        if user.nil?
+          unauthenticated_repos
+        else
+          (unauthenticated_repos + user.repositories_dataset.map(:name)).sort
+        end
       end
 
       def unauthenticated_repos
-        conn = initialize_db
-        conn[:unauthenticated_repositories].order(:name).map(:name)
+        Repository.where(auth_required: false).order(:name).map(:name)
       end
 
-      def update_unauthenticated_repos(repo_names)
-        conn = initialize_db
-        unauthenticated_repos = conn[:unauthenticated_repositories]
-        unauthenticated_repos.delete
-        repo_names.each do |repo_name|
-          unauthenticated_repos.insert(:name => repo_name)
+      # Replaces the entire list of repositories
+      def update_repository_list(repo_list)
+        RepositoryUser.dataset.delete
+        Repository.dataset.delete
+        repo_list.each do |repo|
+          Repository.find_or_create(name: repo['repository'],
+                                    auth_required: repo['auth_required'].to_s.downcase == "true")
         end
       end
 
-      def authorized_for_repo?(repo_name)
-        conn = initialize_db
-        unauthenticated_repo = conn[:unauthenticated_repositories].where(name: repo_name).first
-        !unauthenticated_repo.nil?
+      # Replaces the entire user-repo mapping for all logged-in users
+      def update_user_repo_mapping(user_repo_maps)
+        # Get hash map of all users and their repositories
+        # Ex: {"users"=> [{"admin"=>[{"repository"=>"repo", "auth_required"=>"true"}]}]}
+        # Go through list of repositories and add them to the DB
+        RepositoryUser.dataset.delete
+        user_repo_maps['users'].each do |user_repo_map|
+          user_repo_map.each do |user, repos|
+            repos.each do |repo|
+              found_repo = Repository.find(name: repo['repository'],
+                                           auth_required: repo['auth_required'].to_s.downcase == "true")
+              if found_repo.nil?
+                logger.warn("#{repo['repository']} does not exist in this smart proxy's environments")
+              elsif found_repo.auth_required
+                found_repo.add_user(User.find(name: user))
+              end
+            end
+          end
+        end
+      end
+
+      # Replaces the user-repo mapping for a single user
+      def update_user_repositories(username, repositories)
+        user = User.where(name: username).first
+        user.remove_all_repositories
+        repositories.each do |repo_name|
+          found_repo = Repository.find(name: repo_name)
+          if found_repo.nil?
+            logger.warn("#{repo_name} does not exist in this smart proxy's environments")
+          elsif user.repositories_dataset.where(name: repo_name).first.nil? && found_repo.auth_required
+            user.add_repository(found_repo)
+          end
+        end
+      end
+
+      def authorized_for_repo?(repo_name, user_token_is_valid, username = nil)
+        repository = Repository.where(name: repo_name).first
+
+        # Repository doesn't exist
+        return false if repository.nil?
+
+        # Repository doesn't require auth
+        return true unless repository.auth_required
+
+        if username && user_token_is_valid && repository.auth_required
+          # User is logged in and has access to the repository
+          user = User.find(name: username)
+          return !user.repositories_dataset.where(name: repo_name).first.nil?
+        end
+
+        false
+      end
+
+      def token_user(token)
+        User[AuthenticationToken.find(token_checksum: Digest::SHA256.hexdigest(token)).user_id]
       end
 
       def valid_token?(token)
-        tokens = initialize_db[:authentication_tokens]
-        tokens.where(token_checksum: Digest::SHA256.hexdigest(token)).where do
+        AuthenticationToken.where(token_checksum: Digest::SHA256.hexdigest(token)).where do
           expire_at > Sequel::CURRENT_TIMESTAMP
         end.count.positive?
       end
 
       def insert_token(username, token, expire_at_string, clear_expired_tokens: true)
-        tokens = initialize_db[:authentication_tokens]
         checksum = Digest::SHA256.hexdigest(token)
+        user = User.find_or_create(name: username)
 
-        tokens.where(:token_checksum => checksum).delete
-        tokens.insert(username: username, token_checksum: checksum, expire_at: expire_at_string.to_s)
-        tokens.where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete if clear_expired_tokens
+        AuthenticationToken.where(:token_checksum => checksum).delete
+        AuthenticationToken.create(token_checksum: checksum, expire_at: expire_at_string.to_s, user_id: user.id)
+        AuthenticationToken.where { expire_at < Sequel::CURRENT_TIMESTAMP }.delete if clear_expired_tokens
       end
 
       def initialize_db
-        conn = Sequel.connect("sqlite://#{Proxy::ContainerGateway::Plugin.settings.sqlite_db_path}")
+        file_path = Proxy::ContainerGateway::Plugin.settings.sqlite_db_path
+        conn = Sequel.connect("sqlite://#{file_path}")
         container_gateway_path = $LOAD_PATH.detect { |path| path.include? 'smart_proxy_container_gateway' }
         begin
           Sequel::Migrator.check_current(conn, "#{container_gateway_path}/smart_proxy_container_gateway/sequel_migrations")
@@ -131,5 +188,20 @@ module Proxy
         )
       end
     end
+
+    class Repository < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories])
+      many_to_many :users
+    end
+
+    class User < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:users])
+      many_to_many :repositories
+      one_to_many :authentication_tokens
+    end
+
+    class RepositoryUser < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:repositories_users]); end
+
+    class AuthenticationToken < ::Sequel::Model(Proxy::ContainerGateway.initialize_db[:authentication_tokens])
+      many_to_one :users
+    end
   end
 end

data/lib/smart_proxy_container_gateway/foreman_api.rb

@@ -3,15 +3,15 @@ require 'uri'
 module Proxy
   module ContainerGateway
     class ForemanApi
-      def fetch_token(auth_header, params)
-        url = URI.join(Proxy::SETTINGS.foreman_url, Proxy::ContainerGateway::Plugin.settings.katello_registry_path, 'token')
-        url.query = process_params(params)
+      def registry_request(auth_header, params, suffix)
+        uri = URI.join(Proxy::SETTINGS.foreman_url, Proxy::ContainerGateway::Plugin.settings.katello_registry_path, suffix)
+        uri.query = process_params(params)
 
-        req = Net::HTTP::Get.new(url)
+        req = Net::HTTP::Get.new(uri)
         req.add_field('Authorization', auth_header)
         req.add_field('Accept', 'application/json')
         req.content_type = 'application/json'
-        http = Net::HTTP.new(url.hostname, url.port)
+        http = Net::HTTP.new(uri.hostname, uri.port)
         http.use_ssl = true
 
         http.request(req)
@@ -21,6 +21,14 @@ module Proxy
         params = params_in.slice('scope', 'account').compact
         URI.encode_www_form(params)
       end
+
+      def fetch_token(auth_header, params)
+        registry_request(auth_header, params, 'token')
+      end
+
+      def fetch_user_repositories(auth_header, params)
+        registry_request(auth_header, params, '_catalog')
+      end
     end
   end
 end

data/lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb

@@ -0,0 +1,65 @@
+Sequel.migration do
+  up do
+    # TODO: Should I be migrating the existing data?
+
+    create_table(:repositories) do
+      primary_key :id
+      String :name, null: false
+      Boolean :auth_required, null: false
+    end
+
+    create_table(:users) do
+      primary_key :id
+      String :name, null: false
+    end
+
+    # Migrate unauthenticated_repositories to the new repositories table (TODO: can I select `false` like that?)
+    from(:repositories).insert(%i[name auth_required],
+                               from(:unauthenticated_repositories).select(:name, false))
+
+    # Migrate names from authentication_tokens to the new users table
+    from(:users).insert([:name], from(:authentication_tokens).select(:username))
+
+    alter_table(:authentication_tokens) do
+      add_foreign_key :user_id, :users
+    end
+
+    # Populate the new user_id foreign key for all authentication_tokens
+    from(:authentication_tokens).insert([:user_id],
+                                        from(:users).select(:id).where(name: self[:authentication_tokens][:username]))
+
+    alter_table(:authentication_tokens) do
+      drop_column :username
+    end
+
+    create_join_table(repository_id: :repositories, user_id: :users)
+    drop_table :unauthenticated_repositories
+  end
+
+  down do
+    alter_table(:authentication_tokens) do
+      add_column :username, String
+    end
+
+    # Repopulate the name column with usernames
+    from(:authentication_tokens).update(username:
+                                        from(:users).select(:name).where(id: self[:authentication_tokens][:user_id]))
+
+    alter_table(:authentication_tokens) do
+      drop_foreign_key :user_id
+    end
+
+    create_table(:unauthenticated_repositories) do
+      primary_key :id
+      String :name, null: false
+    end
+
+    # Repopulate the unauthenticated_repositories table
+    from(:unauthenticated_repositories).insert([:username],
+                                               from(:repositories).select(:name).where(auth_required: true))
+
+    drop_table :users
+    drop_table :repositories
+    drop_join_table(repository_id: :repositories, user_id: :users)
+  end
+end

data/lib/smart_proxy_container_gateway/version.rb

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '1.0.3'.freeze
+    VERSION = '1.0.4'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.4
 platform: ruby
 authors:
 - Ian Ballou
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-15 00:00:00.000000000 Z
+date: 2021-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sequel
@@ -57,6 +57,7 @@ files:
 - lib/smart_proxy_container_gateway/foreman_api.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/001_initial.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/002_auth_tokens.rb
+- lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb
 - lib/smart_proxy_container_gateway/version.rb
 - settings.d/container_gateway.yml.example
 homepage: http://github.com/ianballou/smart_proxy_container_gateway