initial commit

Jack Zheng · Jack Zheng · commit e32f502cbdf3 · 2016-02-19T11:33:24.000-08:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,10 @@
+FROM ubuntu:14.04
+RUN apt-get update && apt-get install -y python-pip python-dev
+RUN mkdir -p /server
+ADD requirements.txt /server/requirements.txt
+WORKDIR /server
+RUN pip install -r requirements.txt
+
+ADD . /server
+EXPOSE 8080
+CMD python app.py
diff --git a/README.md b/README.md
@@ -0,0 +1,45 @@
+# registry-oauth-server
+
+## Quickstart
+
+To build and start the containers, simply run the command
+
+```
+./build.sh
+```
+After installation is finished, you should have a local registry running on *:5000*, and a local oauth server running on *:8080*.
+
+```
+CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
+915726d60e03        demo_oauth_server   "/bin/sh -c 'python r"   8 minutes ago       Up 8 minutes        0.0.0.0:8080->8080/tcp   demo_oauth_server_1
+16c5c1cb2310        registry:2          "/bin/registry /etc/d"   2 hours ago         Up 27 minutes       0.0.0.0:5000->5000/tcp   demo_registry_1
+```
+
+To see the oauth server in action, run the startdemo.sh script provided
+
+```
+./startdemo.sh
+```
+
+And you should see a detailed explaination of the oauth handshake process.
+
+##CONFIGURATIONS
+
+The following are a list of environment variables that has to be set for the oauth_server container to work properly.
+####SIGNING_KEY_PATH
+Specifies the path to the private key used to sign tokens. Must be a valid path inside the container.
+
+####SIGNING_KEY_TYPE
+Specifies the type of key used to sign tokens. Can be either RSA or EC, defaults to RSA
+
+####SIGNING_KEY_ALG
+Specifies the algorithm used to sign tokens. For RSA keys this should be set to RS256. For EC keys this should be set to ES256
+
+####ISSUER
+Identifies who signed the token to the registry. Usually the FQDN of the OAuth Server is used. This configuration should match the REGISTRY_AUTH_TOKEN_ISSUER variable used to configure the registry.
+
+####TOKEN_EXPIRATION
+Specifies the expiration time in seconds for tokens signed by this server. Defaults to 3600 seconds.
+
+####TOKEN_TYPE
+Specifies the type of tokens signed by this server. Defaults to JWT
diff --git a/app.py b/app.py
@@ -0,0 +1,40 @@
+from flask import Flask, request, jsonify
+from tokens import Token
+from auth import basic_auth_required
+
+
+app = Flask(__name__)
+
+
+def get_allowed_actions(user, actions):
+    # determine what actions are allowed here
+    return actions
+
+
+@app.route('/tokens')
+@basic_auth_required
+def tokens():
+    service = request.args.get('service')
+    scope = request.args.get('scope')
+    if not scope:
+        typ = ''
+        name = ''
+        actions = []
+    else:
+        params = scope.split(':')
+        if len(params) != 3:
+            return jsonify(error='Invalid scope parameter'), 400
+        typ = params[0]
+        name = params[1]
+        actions = params[2].split(',')
+
+    authorized_actions = get_allowed_actions(request.user, actions)
+
+    token = Token(service, typ, name, authorized_actions)
+    encoded_token = token.encode_token()
+
+    return jsonify(token=encoded_token)
+
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=8080)
diff --git a/auth.py b/auth.py
@@ -0,0 +1,26 @@
+from functools import wraps
+from flask import request, jsonify
+
+
+def check_auth(username, password):
+    """This function is called to check if a username /
+    password combination is valid.
+    """
+    request.user = username
+    return True
+
+
+def authenticate():
+    """Sends a 401 response that enables basic auth"""
+    return jsonify(error='Authentication required'), 401, \
+        {'WWW-Authenticate': 'Basic realm="Login Required"'}
+
+
+def basic_auth_required(func):
+    @wraps(func)
+    def decorated(*args, **kwargs):
+        auth = request.authorization
+        if not auth or not check_auth(auth.username, auth.password):
+            return authenticate()
+        return func(*args, **kwargs)
+    return decorated
diff --git a/build.sh b/build.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$(uname)" == "Darwin" ]; then
+    docker_ip="$(docker-machine ip default)"
+else
+    docker_ip="0.0.0.0"
+fi
+
+cat <<EOF > docker-compose.yml
+registry:
+    restart: always
+    image: registry:2
+    ports:
+        - 5000:5000
+    environment:
+        - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt
+        - REGISTRY_HTTP_TLS_KEY=/certs/server.key
+        - REGISTRY_AUTH=token
+        - REGISTRY_AUTH_TOKEN_REALM=http://${docker_ip}:8080/tokens
+        - REGISTRY_AUTH_TOKEN_SERVICE=demo_registry
+        - REGISTRY_AUTH_TOKEN_ISSUER=demo_oauth
+        - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/server.crt
+    volumes:
+        - ./certs:/certs
+
+
+oauth_server:
+    build: .
+    ports:
+        - 8080:8080
+    volumes:
+        - ./certs:/certs
+    environment:
+        - SIGNING_KEY_PATH=/certs/server.key
+        - SIGNING_KEY_TYPE=RSA
+        - SIGNING_KEY_ALG=RS256
+        - ISSUER=demo_oauth
+        - TOKEN_EXPIRATION=3600
+        - TOKEN_TYPE=JWT
+EOF
+
+docker-compose build
+docker-compose up -d
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,30 @@
+registry:
+    restart: always
+    image: registry:2
+    ports:
+        - 5000:5000
+    environment:
+        - REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt
+        - REGISTRY_HTTP_TLS_KEY=/certs/server.key
+        - REGISTRY_AUTH=token
+        - REGISTRY_AUTH_TOKEN_REALM=http://192.168.99.100:8080/tokens
+        - REGISTRY_AUTH_TOKEN_SERVICE=demo_registry
+        - REGISTRY_AUTH_TOKEN_ISSUER=demo_oauth
+        - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/certs/server.crt
+    volumes:
+        - ./certs:/certs
+
+
+oauth_server:
+    build: .
+    ports:
+        - 8080:8080
+    volumes:
+        - ./certs:/certs
+    environment:
+        - SIGNING_KEY_PATH=/certs/server.key
+        - SIGNING_KEY_TYPE=RSA
+        - SIGNING_KEY_ALG=RS256
+        - ISSUER=demo_oauth
+        - TOKEN_EXPIRATION=3600
+        - TOKEN_TYPE=JWT
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,3 @@
+Flask==0.10.1
+jose==1.0.0
+python-jose==0.5.5
diff --git a/startdemo.sh b/startdemo.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+username="admin"
+pass="password"
+cred="${username}:${pass}"
+encoded_cred=`echo -n ${cred} | base64`
+service="demo_registry"
+
+if [ "$(uname)" == "Darwin" ]; then
+    docker_ip="$(docker-machine ip default)"
+else
+    docker_ip="0.0.0.0"
+fi
+
+
+echo
+echo "curl https://${docker_ip}:5000/v2/_catalog"
+echo
+curl -skv "https://${docker_ip}:5000/v2/_catalog"
+read input
+clear
+
+echo
+echo "curl http://${docker_ip}:8080/tokens?service=${service}&scope=registry:catalog:*"
+echo
+curl -sv -H "Authorization: Basic ${encoded_cred}" "http://${docker_ip}:8080/tokens?service=${service}&scope=registry:catalog:*"
+
+token=`curl -s -H "Authorization: Basic ${encoded_cred}" "http://${docker_ip}:8080/tokens?service=${service}&scope=registry:catalog:*" | jq .token | tr -d '"'`
+read input
+clear
+
+echo
+echo  "curl \"https://${docker_ip}:5000/v2/_catalog\""
+curl -skv -H "Authorization: Bearer ${token}" "https://${docker_ip}:5000/v2/_catalog"
+echo
diff --git a/tokens.py b/tokens.py
@@ -0,0 +1,114 @@
+import os
+import time
+import hashlib
+import base64
+import subprocess
+from jose import jwt
+
+SIGNING_KEY_PATH = os.environ.get('SIGNING_KEY_PATH')
+SIGNING_KEY_TYPE = os.environ.get('SIGNING_KEY_TYPE')
+SIGNING_KEY_ALG = os.environ.get('SIGNING_KEY_ALG')
+SIGNING_KEY = open(SIGNING_KEY_PATH).read()
+
+ISSUER = os.environ.get('ISSUER')
+TOKEN_EXPIRATION = os.environ.get('TOKEN_EXPIRATION')
+TOKEN_TYPE = os.environ.get('TOKEN_TYPE')
+
+
+def run_command(command):
+    process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    return process.communicate()
+
+
+def key_id_encode(the_bytes):
+    source = base64.b32encode(the_bytes).rstrip("=")
+    result = []
+    for i in xrange(0, len(source), 4):
+        start = i
+        end = start+4
+        result.append(source[start:end])
+    return ":".join(result)
+
+
+def kid_from_crypto_key(private_key_path, key_type='EC'):
+    """
+    python implementation of
+    https://github.com/jlhawn/libtrust/blob/master/util.go#L192
+    returns a distinct identifier which is unique to
+    the public key derived from this private key.
+    The format generated by this library is a base32 encoding of a 240 bit
+    hash of the public key data divided into 12 groups like so:
+    ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
+    """
+    algorithm = hashlib.sha256()
+    if key_type == 'EC':
+        der, msg = run_command(['openssl', 'ec', '-in', private_key_path,
+                                '-pubout', '-outform', 'DER'])
+
+    elif key_type == 'RSA':
+        der, msg = run_command(['openssl', 'rsa', '-in', private_key_path,
+                                '-pubout', '-outform', 'DER'])
+
+    else:
+        raise Exception("Key type not supported")
+
+    if not der:
+        raise Exception(msg)
+
+    algorithm.update(der)
+    return key_id_encode(algorithm.digest()[:30])
+
+
+class Token(object):
+    def __init__(self, service, access_type="", access_name="",
+                 access_actions=None, subject=''):
+        if access_actions is None:
+            access_actions = []
+
+        self.issuer = ISSUER
+        self.signing_key = SIGNING_KEY
+        self.signing_key_path = SIGNING_KEY_PATH
+        self.signing_key_type = SIGNING_KEY_TYPE
+        self.signing_key_alg = SIGNING_KEY_ALG
+        self.token_expiration = TOKEN_EXPIRATION
+        self.token_type = TOKEN_TYPE
+        self.header = {
+            'typ': self.token_type,
+            'alg': self.signing_key_alg,
+            'kid': kid_from_crypto_key(self.signing_key_path,
+                                       self.signing_key_type)
+        }
+        self.claim = {
+            'iss': self.issuer,
+            'sub': subject,
+            'aud': service,
+            'exp': int(time.time()) + int(self.token_expiration),
+            'nbf': int(time.time()) - 30,
+            'iat': int(time.time()),
+            'access': [
+                {
+                    'type': access_type,
+                    'name': access_name,
+                    'actions': access_actions
+                }
+            ]
+        }
+
+    def set_header(self, header):
+        self.header = header
+
+    def get_header(self):
+        return self.header
+
+    def set_claim(self, claim):
+        self.claim = claim
+
+    def get_claim(self):
+        return self.claim
+
+    def encode_token(self):
+        token = jwt.encode(self.claim, self.signing_key,
+                           algorithm=self.signing_key_alg,
+                           headers=self.header)
+
+        return token

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Flask==0.10.1`
	`2`	`+jose==1.0.0`
	`3`	`+python-jose==0.5.5`