daniel
/
distribution
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Cleanup session and config interface 

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
master
Derek McGowan 2015-05-08 16:29:23 -07:00
parent 6f9fbf99a9
commit c7ef45130b
9 changed files with 475 additions and 392 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
registry/client/authchallenge.go
View File

@ -8,9 +8,9 @@ import (
// Octet types from RFC 2616.
type octetType byte
// AuthorizationChallenge carries information
// authorizationChallenge carries information
// from a WWW-Authenticate response header.
type AuthorizationChallenge struct {
type authorizationChallenge struct {
Scheme string
Parameters map[string]string
}
@ -54,12 +54,12 @@ func init() {
}
}
func parseAuthHeader(header http.Header) []AuthorizationChallenge {
var challenges []AuthorizationChallenge
func parseAuthHeader(header http.Header) []authorizationChallenge {
var challenges []authorizationChallenge
for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] {
v, p := parseValueAndParams(h)
if v != "" {
challenges = append(challenges, AuthorizationChallenge{Scheme: v, Parameters: p})
challenges = append(challenges, authorizationChallenge{Scheme: v, Parameters: p})
}
}
return challenges

268
registry/client/endpoint.go
View File

@ -1,268 +0,0 @@
package client
import (
"fmt"
"net/http"
"net/url"
"strings"
"sync"
"time"
"github.com/Sirupsen/logrus"
"github.com/docker/distribution/registry/api/v2"
)
// Authorizer is used to apply Authorization to an HTTP request
type Authorizer interface {
// Authorizer updates an HTTP request with the needed authorization
Authorize(req *http.Request) error
}
// CredentialStore is an interface for getting credentials for
// a given URL
type CredentialStore interface {
// Basic returns basic auth for the given URL
Basic(*url.URL) (string, string)
}
// RepositoryEndpoint represents a single host endpoint serving up
// the distribution API.
type RepositoryEndpoint struct {
Endpoint string
Mirror bool
Header http.Header
Credentials CredentialStore
ub *v2.URLBuilder
}
type nullAuthorizer struct{}
func (na nullAuthorizer) Authorize(req *http.Request) error {
return nil
}
type repositoryTransport struct {
Transport http.RoundTripper
Header http.Header
Authorizer Authorizer
}
func (rt *repositoryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
reqCopy := new(http.Request)
*reqCopy = *req
// Copy existing headers then static headers
reqCopy.Header = make(http.Header, len(req.Header)+len(rt.Header))
for k, s := range req.Header {
reqCopy.Header[k] = append([]string(nil), s...)
}
for k, s := range rt.Header {
reqCopy.Header[k] = append(reqCopy.Header[k], s...)
}
if rt.Authorizer != nil {
if err := rt.Authorizer.Authorize(reqCopy); err != nil {
return nil, err
}
}
logrus.Debugf("HTTP: %s %s", req.Method, req.URL)
if rt.Transport != nil {
return rt.Transport.RoundTrip(reqCopy)
}
return http.DefaultTransport.RoundTrip(reqCopy)
}
type authTransport struct {
Transport http.RoundTripper
Header http.Header
}
func (rt *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
reqCopy := new(http.Request)
*reqCopy = *req
// Copy existing headers then static headers
reqCopy.Header = make(http.Header, len(req.Header)+len(rt.Header))
for k, s := range req.Header {
reqCopy.Header[k] = append([]string(nil), s...)
}
for k, s := range rt.Header {
reqCopy.Header[k] = append(reqCopy.Header[k], s...)
}
logrus.Debugf("HTTP: %s %s", req.Method, req.URL)
if rt.Transport != nil {
return rt.Transport.RoundTrip(reqCopy)
}
return http.DefaultTransport.RoundTrip(reqCopy)
}
// URLBuilder returns a new URL builder
func (e *RepositoryEndpoint) URLBuilder() (*v2.URLBuilder, error) {
if e.ub == nil {
var err error
e.ub, err = v2.NewURLBuilderFromString(e.Endpoint)
if err != nil {
return nil, err
}
}
return e.ub, nil
}
// HTTPClient returns a new HTTP client configured for this endpoint
func (e *RepositoryEndpoint) HTTPClient(name string) (*http.Client, error) {
// TODO(dmcgowan): create http.Transport
transport := &repositoryTransport{
Header: e.Header,
}
client := &http.Client{
Transport: transport,
}
challenges, err := e.ping(client)
if err != nil {
return nil, err
}
actions := []string{"pull"}
if !e.Mirror {
actions = append(actions, "push")
}
transport.Authorizer = &endpointAuthorizer{
client: &http.Client{Transport: &authTransport{Header: e.Header}},
challenges: challenges,
creds: e.Credentials,
resource: "repository",
scope: name,
actions: actions,
}
return client, nil
}
func (e *RepositoryEndpoint) ping(client *http.Client) ([]AuthorizationChallenge, error) {
ub, err := e.URLBuilder()
if err != nil {
return nil, err
}
u, err := ub.BuildBaseURL()
if err != nil {
return nil, err
}
req, err := http.NewRequest("GET", u, nil)
if err != nil {
return nil, err
}
req.Header = make(http.Header, len(e.Header))
for k, s := range e.Header {
req.Header[k] = append([]string(nil), s...)
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
var supportsV2 bool
HeaderLoop:
for _, supportedVersions := range resp.Header[http.CanonicalHeaderKey("Docker-Distribution-API-Version")] {
for _, versionName := range strings.Fields(supportedVersions) {
if versionName == "registry/2.0" {
supportsV2 = true
break HeaderLoop
}
}
}
if !supportsV2 {
return nil, fmt.Errorf("%s does not appear to be a v2 registry endpoint", e.Endpoint)
}
if resp.StatusCode == http.StatusUnauthorized {
// Parse the WWW-Authenticate Header and store the challenges
// on this endpoint object.
return parseAuthHeader(resp.Header), nil
} else if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("unable to get valid ping response: %d", resp.StatusCode)
}
return nil, nil
}
type endpointAuthorizer struct {
client *http.Client
challenges []AuthorizationChallenge
creds CredentialStore
resource string
scope string
actions []string
tokenLock sync.Mutex
tokenCache string
tokenExpiration time.Time
}
func (ta *endpointAuthorizer) Authorize(req *http.Request) error {
token, err := ta.getToken()
if err != nil {
return err
}
if token != "" {
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
} else if ta.creds != nil {
username, password := ta.creds.Basic(req.URL)
if username != "" && password != "" {
req.SetBasicAuth(username, password)
}
}
return nil
}
func (ta *endpointAuthorizer) getToken() (string, error) {
ta.tokenLock.Lock()
defer ta.tokenLock.Unlock()
now := time.Now()
if now.Before(ta.tokenExpiration) {
//log.Debugf("Using cached token for %q", ta.auth.Username)
return ta.tokenCache, nil
}
for _, challenge := range ta.challenges {
switch strings.ToLower(challenge.Scheme) {
case "basic":
// no token necessary
case "bearer":
//log.Debugf("Getting bearer token with %s for %s", challenge.Parameters, ta.auth.Username)
params := map[string]string{}
for k, v := range challenge.Parameters {
params[k] = v
}
params["scope"] = fmt.Sprintf("%s:%s:%s", ta.resource, ta.scope, strings.Join(ta.actions, ","))
token, err := getToken(ta.creds, params, ta.client)
if err != nil {
return "", err
}
ta.tokenCache = token
ta.tokenExpiration = now.Add(time.Minute)
return token, nil
default:
//log.Infof("Unsupported auth scheme: %q", challenge.Scheme)
}
}
// Do not expire cache since there are no challenges which use a token
ta.tokenExpiration = time.Now().Add(time.Hour * 24)
return "", nil
}

17
registry/client/layer_upload_test.go
View File

@ -124,7 +124,8 @@ func TestUploadReadFrom(t *testing.T) {
e, c := testServer(m)
defer c()
client, err := e.HTTPClient(repo)
repoConfig := &RepositoryConfig{}
client, err := repoConfig.HTTPClient()
if err != nil {
t.Fatalf("Error creating client: %s", err)
}
@ -133,7 +134,7 @@ func TestUploadReadFrom(t *testing.T) {
}
// Valid case
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
n, err := layerUpload.ReadFrom(bytes.NewReader(b))
if err != nil {
t.Fatalf("Error calling ReadFrom: %s", err)
@ -143,26 +144,26 @@ func TestUploadReadFrom(t *testing.T) {
}
// Bad range
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
_, err = layerUpload.ReadFrom(bytes.NewReader(b))
if err == nil {
t.Fatalf("Expected error when bad range received")
}
// 404
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
_, err = layerUpload.ReadFrom(bytes.NewReader(b))
if err == nil {
t.Fatalf("Expected error when not found")
}
if blobErr, ok := err.(*BlobUploadNotFoundError); !ok {
t.Fatalf("Wrong error type %T: %s", err, err)
} else if expected := e.Endpoint + locationPath; blobErr.Location != expected {
} else if expected := e + locationPath; blobErr.Location != expected {
t.Fatalf("Unexpected location: %s, expected %s", blobErr.Location, expected)
}
// 400 valid json
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
_, err = layerUpload.ReadFrom(bytes.NewReader(b))
if err == nil {
t.Fatalf("Expected error when not found")
@ -185,7 +186,7 @@ func TestUploadReadFrom(t *testing.T) {
}
// 400 invalid json
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
_, err = layerUpload.ReadFrom(bytes.NewReader(b))
if err == nil {
t.Fatalf("Expected error when not found")
@ -200,7 +201,7 @@ func TestUploadReadFrom(t *testing.T) {
}
// 500
layerUpload.location = e.Endpoint + locationPath
layerUpload.location = e + locationPath
_, err = layerUpload.ReadFrom(bytes.NewReader(b))
if err == nil {
t.Fatalf("Expected error when not found")

8
registry/client/repository.go
View File

@ -19,17 +19,17 @@ import (
)
// NewRepository creates a new Repository for the given repository name and endpoint
func NewRepository(ctx context.Context, name string, endpoint *RepositoryEndpoint) (distribution.Repository, error) {
func NewRepository(ctx context.Context, name, endpoint string, repoConfig *RepositoryConfig) (distribution.Repository, error) {
if err := v2.ValidateRespositoryName(name); err != nil {
return nil, err
}
ub, err := endpoint.URLBuilder()
ub, err := v2.NewURLBuilderFromString(endpoint)
if err != nil {
return nil, err
}
client, err := endpoint.HTTPClient(name)
client, err := repoConfig.HTTPClient()
if err != nil {
return nil, err
}
@ -39,7 +39,7 @@ func NewRepository(ctx context.Context, name string, endpoint *RepositoryEndpoin
ub: ub,
name: name,
context: ctx,
mirror: endpoint.Mirror,
mirror: repoConfig.AllowMirrors,
}, nil
}

21
registry/client/repository_test.go
View File

@ -20,11 +20,10 @@ import (
"golang.org/x/net/context"
)
func testServer(rrm testutil.RequestResponseMap) (*RepositoryEndpoint, func()) {
func testServer(rrm testutil.RequestResponseMap) (string, func()) {
h := testutil.NewHandler(rrm)
s := httptest.NewServer(h)
e := RepositoryEndpoint{Endpoint: s.URL, Mirror: false}
return &e, s.Close
return s.URL, s.Close
}
func newRandomBlob(size int) (digest.Digest, []byte) {
@ -97,7 +96,7 @@ func TestLayerFetch(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), "test.example.com/repo1", e)
r, err := NewRepository(context.Background(), "test.example.com/repo1", e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -127,7 +126,7 @@ func TestLayerExists(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), "test.example.com/repo1", e)
r, err := NewRepository(context.Background(), "test.example.com/repo1", e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -227,7 +226,7 @@ func TestLayerUploadChunked(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -334,7 +333,7 @@ func TestLayerUploadMonolithic(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -475,7 +474,7 @@ func TestManifestFetch(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -508,7 +507,7 @@ func TestManifestFetchByTag(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -553,7 +552,7 @@ func TestManifestDelete(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}
@ -591,7 +590,7 @@ func TestManifestPut(t *testing.T) {
e, c := testServer(m)
defer c()
r, err := NewRepository(context.Background(), repo, e)
r, err := NewRepository(context.Background(), repo, e, &RepositoryConfig{})
if err != nil {
t.Fatal(err)
}

282
registry/client/session.go Normal file
View File

@ -0,0 +1,282 @@
package client
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"sync"
"time"
)
// Authorizer is used to apply Authorization to an HTTP request
type Authorizer interface {
// Authorizer updates an HTTP request with the needed authorization
Authorize(req *http.Request) error
}
// CredentialStore is an interface for getting credentials for
// a given URL
type CredentialStore interface {
// Basic returns basic auth for the given URL
Basic(*url.URL) (string, string)
}
// RepositoryConfig holds the base configuration needed to communicate
// with a registry including a method of authorization and HTTP headers.
type RepositoryConfig struct {
Header http.Header
AuthSource Authorizer
AllowMirrors bool
}
// HTTPClient returns a new HTTP client configured for this configuration
func (rc *RepositoryConfig) HTTPClient() (*http.Client, error) {
// TODO(dmcgowan): create base http.Transport with proper TLS configuration
transport := &Transport{
ExtraHeader: rc.Header,
AuthSource: rc.AuthSource,
}
client := &http.Client{
Transport: transport,
}
return client, nil
}
// TokenScope represents the scope at which a token will be requested.
// This represents a specific action on a registry resource.
type TokenScope struct {
Resource string
Scope string
Actions []string
}
func (ts TokenScope) String() string {
return fmt.Sprintf("%s:%s:%s", ts.Resource, ts.Scope, strings.Join(ts.Actions, ","))
}
// NewTokenAuthorizer returns an authorizer which is capable of getting a token
// from a token server. The expected authorization method will be discovered
// by the authorizer, getting the token server endpoint from the URL being
// requested. Basic authentication may either be done to the token source or
// directly with the requested endpoint depending on the endpoint's
// WWW-Authenticate header.
func NewTokenAuthorizer(creds CredentialStore, header http.Header, scope TokenScope) Authorizer {
return &tokenAuthorizer{
header: header,
creds: creds,
scope: scope,
challenges: map[string][]authorizationChallenge{},
}
}
type tokenAuthorizer struct {
header http.Header
challenges map[string][]authorizationChallenge
creds CredentialStore
scope TokenScope
tokenLock sync.Mutex
tokenCache string
tokenExpiration time.Time
}
func (ta *tokenAuthorizer) ping(endpoint string) ([]authorizationChallenge, error) {
req, err := http.NewRequest("GET", endpoint, nil)
if err != nil {
return nil, err
}
resp, err := ta.client().Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
var supportsV2 bool
HeaderLoop:
for _, supportedVersions := range resp.Header[http.CanonicalHeaderKey("Docker-Distribution-API-Version")] {
for _, versionName := range strings.Fields(supportedVersions) {
if versionName == "registry/2.0" {
supportsV2 = true
break HeaderLoop
}
}
}
if !supportsV2 {
return nil, fmt.Errorf("%s does not appear to be a v2 registry endpoint", endpoint)
}
if resp.StatusCode == http.StatusUnauthorized {
// Parse the WWW-Authenticate Header and store the challenges
// on this endpoint object.
return parseAuthHeader(resp.Header), nil
} else if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("unable to get valid ping response: %d", resp.StatusCode)
}
return nil, nil
}
func (ta *tokenAuthorizer) Authorize(req *http.Request) error {
v2Root := strings.Index(req.URL.Path, "/v2/")
if v2Root == -1 {
return nil
}
ping := url.URL{
Host: req.URL.Host,
Scheme: req.URL.Scheme,
Path: req.URL.Path[:v2Root+4],
}
pingEndpoint := ping.String()
challenges, ok := ta.challenges[pingEndpoint]
if !ok {
var err error
challenges, err = ta.ping(pingEndpoint)
if err != nil {
return err
}
ta.challenges[pingEndpoint] = challenges
}
return ta.setAuth(challenges, req)
}
func (ta *tokenAuthorizer) client() *http.Client {
// TODO(dmcgowan): Use same transport which has properly configured TLS
return &http.Client{Transport: &Transport{ExtraHeader: ta.header}}
}
func (ta *tokenAuthorizer) setAuth(challenges []authorizationChallenge, req *http.Request) error {
var useBasic bool
for _, challenge := range challenges {
switch strings.ToLower(challenge.Scheme) {
case "basic":
useBasic = true
case "bearer":
if err := ta.refreshToken(challenge); err != nil {
return err
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ta.tokenCache))
return nil
default:
//log.Infof("Unsupported auth scheme: %q", challenge.Scheme)
}
}
// Only use basic when no token auth challenges found
if useBasic {
if ta.creds != nil {
username, password := ta.creds.Basic(req.URL)
if username != "" && password != "" {
req.SetBasicAuth(username, password)
return nil
}
}
return errors.New("no basic auth credentials")
}
return nil
}
func (ta *tokenAuthorizer) refreshToken(challenge authorizationChallenge) error {
ta.tokenLock.Lock()
defer ta.tokenLock.Unlock()
now := time.Now()
if now.After(ta.tokenExpiration) {
token, err := ta.fetchToken(challenge)
if err != nil {
return err
}
ta.tokenCache = token
ta.tokenExpiration = now.Add(time.Minute)
}
return nil
}
type tokenResponse struct {
Token string `json:"token"`
}
func (ta *tokenAuthorizer) fetchToken(challenge authorizationChallenge) (token string, err error) {
//log.Debugf("Getting bearer token with %s for %s", challenge.Parameters, ta.auth.Username)
params := map[string]string{}
for k, v := range challenge.Parameters {
params[k] = v
}
params["scope"] = ta.scope.String()
realm, ok := params["realm"]
if !ok {
return "", errors.New("no realm specified for token auth challenge")
}
realmURL, err := url.Parse(realm)
if err != nil {
return "", fmt.Errorf("invalid token auth challenge realm: %s", err)
}
// TODO(dmcgowan): Handle empty scheme
req, err := http.NewRequest("GET", realmURL.String(), nil)
if err != nil {
return "", err
}
reqParams := req.URL.Query()
service := params["service"]
scope := params["scope"]
if service != "" {
reqParams.Add("service", service)
}
for _, scopeField := range strings.Fields(scope) {
reqParams.Add("scope", scopeField)
}
if ta.creds != nil {
username, password := ta.creds.Basic(realmURL)
if username != "" && password != "" {
reqParams.Add("account", username)
req.SetBasicAuth(username, password)
}
}
req.URL.RawQuery = reqParams.Encode()
resp, err := ta.client().Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return "", fmt.Errorf("token auth attempt for registry: %s request failed with status: %d %s", req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))
}
decoder := json.NewDecoder(resp.Body)
tr := new(tokenResponse)
if err = decoder.Decode(tr); err != nil {
return "", fmt.Errorf("unable to decode token response: %s", err)
}
if tr.Token == "" {
return "", errors.New("authorization server did not include a token in the response")
}
return tr.Token, nil
}

63
registry/client/endpoint_test.go → registry/client/session_test.go
View File

@ -30,7 +30,7 @@ func (w *testAuthenticationWrapper) ServeHTTP(rw http.ResponseWriter, r *http.Re
w.next.ServeHTTP(rw, r)
}
func testServerWithAuth(rrm testutil.RequestResponseMap, authenticate string, authCheck func(string) bool) (*RepositoryEndpoint, func()) {
func testServerWithAuth(rrm testutil.RequestResponseMap, authenticate string, authCheck func(string) bool) (string, func()) {
h := testutil.NewHandler(rrm)
wrapper := &testAuthenticationWrapper{
@ -43,8 +43,7 @@ func testServerWithAuth(rrm testutil.RequestResponseMap, authenticate string, au
}
s := httptest.NewServer(wrapper)
e := RepositoryEndpoint{Endpoint: s.URL, Mirror: false}
return &e, s.Close
return s.URL, s.Close
}
type testCredentialStore struct {
@ -62,6 +61,16 @@ func TestEndpointAuthorizeToken(t *testing.T) {
repo2 := "other/registry"
scope1 := fmt.Sprintf("repository:%s:pull,push", repo1)
scope2 := fmt.Sprintf("repository:%s:pull,push", repo2)
tokenScope1 := TokenScope{
Resource: "repository",
Scope: repo1,
Actions: []string{"pull", "push"},
}
tokenScope2 := TokenScope{
Resource: "repository",
Scope: repo2,
Actions: []string{"pull", "push"},
}
tokenMap := testutil.RequestResponseMap([]testutil.RequestResponseMapping{
{
@ -92,7 +101,7 @@ func TestEndpointAuthorizeToken(t *testing.T) {
{
Request: testutil.Request{
Method: "GET",
Route: "/hello",
Route: "/v2/hello",
},
Response: testutil.Response{
StatusCode: http.StatusAccepted,
@ -100,19 +109,23 @@ func TestEndpointAuthorizeToken(t *testing.T) {
},
})
authenicate := fmt.Sprintf("Bearer realm=%q,service=%q", te.Endpoint+"/token", service)
authenicate := fmt.Sprintf("Bearer realm=%q,service=%q", te+"/token", service)
validCheck := func(a string) bool {
return a == "Bearer statictoken"
}
e, c := testServerWithAuth(m, authenicate, validCheck)
defer c()
client, err := e.HTTPClient(repo1)
repo1Config := &RepositoryConfig{
AuthSource: NewTokenAuthorizer(nil, nil, tokenScope1),
}
client, err := repo1Config.HTTPClient()
if err != nil {
t.Fatalf("Error creating http client: %s", err)
}
req, _ := http.NewRequest("GET", e.Endpoint+"/hello", nil)
req, _ := http.NewRequest("GET", e+"/v2/hello", nil)
resp, err := client.Do(req)
if err != nil {
t.Fatalf("Error sending get request: %s", err)
@ -128,12 +141,15 @@ func TestEndpointAuthorizeToken(t *testing.T) {
e2, c2 := testServerWithAuth(m, authenicate, badCheck)
defer c2()
client2, err := e2.HTTPClient(repo2)
repo2Config := &RepositoryConfig{
AuthSource: NewTokenAuthorizer(nil, nil, tokenScope2),
}
client2, err := repo2Config.HTTPClient()
if err != nil {
t.Fatalf("Error creating http client: %s", err)
}
req, _ = http.NewRequest("GET", e.Endpoint+"/hello", nil)
req, _ = http.NewRequest("GET", e2+"/v2/hello", nil)
resp, err = client2.Do(req)
if err != nil {
t.Fatalf("Error sending get request: %s", err)
@ -155,6 +171,11 @@ func TestEndpointAuthorizeTokenBasic(t *testing.T) {
scope := fmt.Sprintf("repository:%s:pull,push", repo)
username := "tokenuser"
password := "superSecretPa$$word"
tokenScope := TokenScope{
Resource: "repository",
Scope: repo,
Actions: []string{"pull", "push"},
}
tokenMap := testutil.RequestResponseMap([]testutil.RequestResponseMapping{
{
@ -180,7 +201,7 @@ func TestEndpointAuthorizeTokenBasic(t *testing.T) {
{
Request: testutil.Request{
Method: "GET",
Route: "/hello",
Route: "/v2/hello",
},
Response: testutil.Response{
StatusCode: http.StatusAccepted,
@ -188,24 +209,27 @@ func TestEndpointAuthorizeTokenBasic(t *testing.T) {
},
})
authenicate2 := fmt.Sprintf("Bearer realm=%q,service=%q", te.Endpoint+"/token", service)
authenicate2 := fmt.Sprintf("Bearer realm=%q,service=%q", te+"/token", service)
bearerCheck := func(a string) bool {
return a == "Bearer statictoken"
}
e, c := testServerWithAuth(m, authenicate2, bearerCheck)
defer c()
e.Credentials = &testCredentialStore{
creds := &testCredentialStore{
username: username,
password: password,
}
repoConfig := &RepositoryConfig{
AuthSource: NewTokenAuthorizer(creds, nil, tokenScope),
}
client, err := e.HTTPClient(repo)
client, err := repoConfig.HTTPClient()
if err != nil {
t.Fatalf("Error creating http client: %s", err)
}
req, _ := http.NewRequest("GET", e.Endpoint+"/hello", nil)
req, _ := http.NewRequest("GET", e+"/v2/hello", nil)
resp, err := client.Do(req)
if err != nil {
t.Fatalf("Error sending get request: %s", err)
@ -221,7 +245,7 @@ func TestEndpointAuthorizeBasic(t *testing.T) {
{
Request: testutil.Request{
Method: "GET",
Route: "/hello",
Route: "/v2/hello",
},
Response: testutil.Response{
StatusCode: http.StatusAccepted,
@ -237,17 +261,20 @@ func TestEndpointAuthorizeBasic(t *testing.T) {
}
e, c := testServerWithAuth(m, authenicate, validCheck)
defer c()
e.Credentials = &testCredentialStore{
creds := &testCredentialStore{
username: username,
password: password,
}
repoConfig := &RepositoryConfig{
AuthSource: NewTokenAuthorizer(creds, nil, TokenScope{}),
}
client, err := e.HTTPClient("test/repo/basic")
client, err := repoConfig.HTTPClient()
if err != nil {
t.Fatalf("Error creating http client: %s", err)
}
req, _ := http.NewRequest("GET", e.Endpoint+"/hello", nil)
req, _ := http.NewRequest("GET", e+"/v2/hello", nil)
resp, err := client.Do(req)
if err != nil {
t.Fatalf("Error sending get request: %s", err)

78
registry/client/token.go
View File

@ -1,78 +0,0 @@
package client
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
)
type tokenResponse struct {
Token string `json:"token"`
}
func getToken(creds CredentialStore, params map[string]string, client *http.Client) (token string, err error) {
realm, ok := params["realm"]
if !ok {
return "", errors.New("no realm specified for token auth challenge")
}
realmURL, err := url.Parse(realm)
if err != nil {
return "", fmt.Errorf("invalid token auth challenge realm: %s", err)
}
// TODO(dmcgowan): Handle empty scheme
req, err := http.NewRequest("GET", realmURL.String(), nil)
if err != nil {
return "", err
}
reqParams := req.URL.Query()
service := params["service"]
scope := params["scope"]
if service != "" {
reqParams.Add("service", service)
}
for _, scopeField := range strings.Fields(scope) {
reqParams.Add("scope", scopeField)
}
if creds != nil {
username, password := creds.Basic(realmURL)
if username != "" && password != "" {
reqParams.Add("account", username)
req.SetBasicAuth(username, password)
}
}
req.URL.RawQuery = reqParams.Encode()
resp, err := client.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return "", fmt.Errorf("token auth attempt for registry: %s request failed with status: %d %s", req.URL, resp.StatusCode, http.StatusText(resp.StatusCode))
}
decoder := json.NewDecoder(resp.Body)
tr := new(tokenResponse)
if err = decoder.Decode(tr); err != nil {
return "", fmt.Errorf("unable to decode token response: %s", err)
}
if tr.Token == "" {
return "", errors.New("authorization server did not include a token in the response")
}
return tr.Token, nil
}

120
registry/client/transport.go Normal file
View File

@ -0,0 +1,120 @@
package client
import (
"io"
"net/http"
"sync"
)
// Transport is an http.RoundTripper that makes registry HTTP requests,
// wrapping a base RoundTripper and adding an Authorization header
// from an Auth source
type Transport struct {
AuthSource Authorizer
ExtraHeader http.Header
Base http.RoundTripper
mu sync.Mutex // guards modReq
modReq map[*http.Request]*http.Request // original -> modified
}
// RoundTrip authorizes and authenticates the request with an
// access token. If no token exists or token is expired,
// tries to refresh/fetch a new token.
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
req2 := t.cloneRequest(req)
if t.AuthSource != nil {
if err := t.AuthSource.Authorize(req2); err != nil {
return nil, err
}
}
t.setModReq(req, req2)
res, err := t.base().RoundTrip(req2)
if err != nil {
t.setModReq(req, nil)
return nil, err
}
res.Body = &onEOFReader{
rc: res.Body,
fn: func() { t.setModReq(req, nil) },
}
return res, nil
}
// CancelRequest cancels an in-flight request by closing its connection.
func (t *Transport) CancelRequest(req *http.Request) {
type canceler interface {
CancelRequest(*http.Request)
}
if cr, ok := t.base().(canceler); ok {
t.mu.Lock()
modReq := t.modReq[req]
delete(t.modReq, req)
t.mu.Unlock()
cr.CancelRequest(modReq)
}
}
func (t *Transport) base() http.RoundTripper {
if t.Base != nil {
return t.Base
}
return http.DefaultTransport
}
func (t *Transport) setModReq(orig, mod *http.Request) {
t.mu.Lock()
defer t.mu.Unlock()
if t.modReq == nil {
t.modReq = make(map[*http.Request]*http.Request)
}
if mod == nil {
delete(t.modReq, orig)
} else {
t.modReq[orig] = mod
}
}
// cloneRequest returns a clone of the provided *http.Request.
// The clone is a shallow copy of the struct and its Header map.
func (t *Transport) cloneRequest(r *http.Request) *http.Request {
// shallow copy of the struct
r2 := new(http.Request)
*r2 = *r
// deep copy of the Header
r2.Header = make(http.Header, len(r.Header))
for k, s := range r.Header {
r2.Header[k] = append([]string(nil), s...)
}
for k, s := range t.ExtraHeader {
r2.Header[k] = append(r2.Header[k], s...)
}
return r2
}
type onEOFReader struct {
rc io.ReadCloser
fn func()
}
func (r *onEOFReader) Read(p []byte) (n int, err error) {
n, err = r.rc.Read(p)
if err == io.EOF {
r.runFunc()
}
return
}
func (r *onEOFReader) Close() error {
err := r.rc.Close()
r.runFunc()
return err
}
func (r *onEOFReader) runFunc() {
if fn := r.fn; fn != nil {
fn()
r.fn = nil
}
}