Merge pull request #539 from docker/0.8-backport

0.8 backport

Author: samalba

depends/docker-registry-core/docker_registry/core/__init__.py

@@ -39,7 +39,7 @@
 __credits__ = []
 
 __license__ = 'Apache 2.0'
-__version__ = '2.0.0'
+__version__ = '2.0.1'
 __maintainer__ = 'Docker'
 __email__ = '[email protected]'
 __status__ = 'Production'

depends/docker-registry-core/docker_registry/core/driver.py

@@ -28,8 +28,10 @@
 
 __all__ = ["fetch", "available", "Base"]
 
+import functools
 import logging
 import pkgutil
+import urllib
 
 import docker_registry.drivers
 
@@ -39,6 +41,28 @@
 logger = logging.getLogger(__name__)
 
 
+def check(value):
+    value = str(value)
+    if value == '..':
+        value = '%2E%2E'
+    if value == '.':
+        value = '%2E'
+    return urllib.quote_plus(value)
+
+
+def filter_args(f):
+    @functools.wraps(f)
+    def wrapper(*args, **kwargs):
+        args = list(args)
+        ref = args.pop(0)
+        args = [check(arg) for arg in args]
+        args.insert(0, ref)
+        for key, value in kwargs.iteritems():
+            kwargs[key] = check(value)
+        return f(*args, **kwargs)
+    return wrapper
+
+
 class Base(object):
 
     """Storage is a convenience class...
@@ -59,6 +83,10 @@ class Base(object):
     repositories = 'repositories'
     images = 'images'
 
+    def _repository_path(self, namespace, repository):
+        return '{0}/{1}/{2}'.format(
+            self.repositories, namespace, repository)
+
     # Set the IO buffer to 128kB
     buffer_size = 128 * 1024
     # By default no storage plugin supports it
@@ -68,60 +96,74 @@ def __init__(self, path=None, config=None):
         pass
 
     # FIXME(samalba): Move all path resolver in each module (out of the base)
+    @filter_args
     def images_list_path(self, namespace, repository):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         return '{0}/_images_list'.format(repository_path)
 
+    @filter_args
     def image_json_path(self, image_id):
         return '{0}/{1}/json'.format(self.images, image_id)
 
+    @filter_args
     def image_mark_path(self, image_id):
         return '{0}/{1}/_inprogress'.format(self.images, image_id)
 
+    @filter_args
     def image_checksum_path(self, image_id):
         return '{0}/{1}/_checksum'.format(self.images, image_id)
 
+    @filter_args
     def image_layer_path(self, image_id):
         return '{0}/{1}/layer'.format(self.images, image_id)
 
+    @filter_args
     def image_ancestry_path(self, image_id):
         return '{0}/{1}/ancestry'.format(self.images, image_id)
 
+    @filter_args
     def image_files_path(self, image_id):
         return '{0}/{1}/_files'.format(self.images, image_id)
 
+    @filter_args
     def image_diff_path(self, image_id):
         return '{0}/{1}/_diff'.format(self.images, image_id)
 
+    @filter_args
     def repository_path(self, namespace, repository):
         return '{0}/{1}/{2}'.format(
             self.repositories, namespace, repository)
 
+    @filter_args
     def tag_path(self, namespace, repository, tagname=None):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         if not tagname:
             return repository_path
         return '{0}/tag_{1}'.format(repository_path, tagname)
 
+    @filter_args
     def repository_json_path(self, namespace, repository):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         return '{0}/json'.format(repository_path)
 
+    @filter_args
     def repository_tag_json_path(self, namespace, repository, tag):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         return '{0}/tag{1}_json'.format(repository_path, tag)
 
+    @filter_args
     def index_images_path(self, namespace, repository):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         return '{0}/_index_images'.format(repository_path)
 
+    @filter_args
     def private_flag_path(self, namespace, repository):
-        repository_path = self.repository_path(
+        repository_path = self._repository_path(
             namespace=namespace, repository=repository)
         return '{0}/_private'.format(repository_path)
 

docker_registry/images.py

@@ -203,7 +203,8 @@ def get_image_layer(image_id, headers):
             bytes_range = _parse_bytes_range()
         repository = toolkit.get_repository()
         if repository and store.is_private(*repository):
-            return toolkit.api_error('Image not found', 404)
+            if not toolkit.validate_parent_access(image_id):
+                return toolkit.api_error('Image not found', 404)
         # If no auth token found, either standalone registry or privileged
         # access. In both cases, access is always "public".
         return _get_image_layer(image_id, headers, bytes_range)
@@ -321,7 +322,8 @@ def get_image_json(image_id, headers):
     try:
         repository = toolkit.get_repository()
         if repository and store.is_private(*repository):
-            return toolkit.api_error('Image not found', 404)
+            if not toolkit.validate_parent_access(image_id):
+                return toolkit.api_error('Image not found', 404)
         # If no auth token found, either standalone registry or privileged
         # access. In both cases, access is always "public".
         return _get_image_json(image_id, headers)
@@ -448,7 +450,8 @@ def get_image_files(image_id, headers):
     try:
         repository = toolkit.get_repository()
         if repository and store.is_private(*repository):
-            return toolkit.api_error('Image not found', 404)
+            if not toolkit.validate_parent_access(image_id):
+                return toolkit.api_error('Image not found', 404)
         # If no auth token found, either standalone registry or privileged
         # access. In both cases, access is always "public".
         data = layers.get_image_files_json(image_id)
@@ -469,7 +472,8 @@ def get_image_diff(image_id, headers):
             return toolkit.api_error('Diff queue is disabled', 400)
         repository = toolkit.get_repository()
         if repository and store.is_private(*repository):
-            return toolkit.api_error('Image not found', 404)
+            if not toolkit.validate_parent_access(image_id):
+                return toolkit.api_error('Image not found', 404)
 
         # first try the cache
         diff_json = layers.get_image_diff_cache(image_id)

docker_registry/tags.py

@@ -26,9 +26,9 @@
 @app.route('/v1/repositories/<path:repository>/properties', methods=['PUT'])
 @toolkit.parse_repository_name
 @toolkit.requires_auth
-def set_properties(namespace, repo):
+def set_properties(namespace, repository):
     logger.debug("[set_access] namespace={0}; repository={1}".format(namespace,
-                 repo))
+                 repository))
     data = None
     try:
         # Note(dmp): unicode patch
@@ -37,10 +37,12 @@ def set_properties(namespace, repo):
         pass
     if not data or not isinstance(data, dict):
         return toolkit.api_error('Invalid data')
-    private_flag_path = store.private_flag_path(namespace, repo)
-    if data['access'] == 'private' and not store.is_private(namespace, repo):
+    private_flag_path = store.private_flag_path(namespace, repository)
+    if (data['access'] == 'private'
+       and not store.is_private(namespace, repository)):
         store.put_content(private_flag_path, '')
-    elif data['access'] == 'public' and store.is_private(namespace, repo):
+    elif (data['access'] == 'public'
+          and store.is_private(namespace, repository)):
         # XXX is this necessary? Or do we know for sure the file exists?
         try:
             store.remove(private_flag_path)
@@ -52,10 +54,10 @@ def set_properties(namespace, repo):
 @app.route('/v1/repositories/<path:repository>/properties', methods=['GET'])
 @toolkit.parse_repository_name
 @toolkit.requires_auth
-def get_properties(namespace, repo):
+def get_properties(namespace, repository):
     logger.debug("[get_access] namespace={0}; repository={1}".format(namespace,
-                 repo))
-    is_private = store.is_private(namespace, repo)
+                 repository))
+    is_private = store.is_private(namespace, repository)
     return toolkit.response({
         'access': 'private' if is_private else 'public'
     })

docker_registry/toolkit.py

@@ -274,7 +274,7 @@ def wrapper(repository, *args, **kwargs):
         else:
             (namespace, repository) = parts
         repository = urllib.quote_plus(repository)
-        return f(namespace, repository, *args, **kwargs)
+        return f(namespace=namespace, repository=repository, *args, **kwargs)
     return wrapper