Add support for Basic Authentication to proxyingRegistry (#4263)

Merging despite CodeQL warnings. see this for more details, why we decided to merge: https://github.com/github/codeql/issues/16486
2024-05-14 10:43:56 +01:00 · 2024-05-14 10:43:56 +01:00 · 6a9b0cfb71
commit 6a9b0cfb71
parent 56a020f7f1 1e8ea03173
2 changed files with 22 additions and 9 deletions
--- a/registry/proxy/proxyauth.go
+++ b/registry/proxy/proxyauth.go
@ -17,14 +17,23 @@ type userpass struct {
 	password string
 }

+func (u userpass) Basic(_ *url.URL) (string, string) {
+	return u.username, u.password
+}
+
+func (u userpass) RefreshToken(_ *url.URL, service string) string {
+	return ""
+}
+
+func (u userpass) SetRefreshToken(_ *url.URL, service, token string) {
+}
+
 type credentials struct {
 	creds map[string]userpass
 }

 func (c credentials) Basic(u *url.URL) (string, string) {
-	up := c.creds[u.String()]
-
-	return up.username, up.password
+	return c.creds[u.String()].Basic(u)
 }

 func (c credentials) RefreshToken(u *url.URL, service string) string {
@ -35,12 +44,12 @@ func (c credentials) SetRefreshToken(u *url.URL, service, token string) {
 }

 // configureAuth stores credentials for challenge responses
-func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) {
+func configureAuth(username, password, remoteURL string) (auth.CredentialStore, auth.CredentialStore, error) {
 	creds := map[string]userpass{}

 	authURLs, err := getAuthURLs(remoteURL)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	for _, url := range authURLs {
@ -51,7 +60,7 @@ func configureAuth(username, password, remoteURL string) (auth.CredentialStore,
 		}
 	}

-	return credentials{creds: creds}, nil
+	return credentials{creds: creds}, userpass{username: username, password: password}, nil
 }

 func getAuthURLs(remoteURL string) ([]string, error) {
--- a/registry/proxy/proxyregistry.go
+++ b/registry/proxy/proxyregistry.go
@ -8,6 +8,8 @@ import (
 	"sync"
 	"time"

+	"github.com/distribution/reference"
+
 	"github.com/distribution/distribution/v3"
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/internal/client"
@ -18,7 +20,6 @@ import (
 	"github.com/distribution/distribution/v3/registry/proxy/scheduler"
 	"github.com/distribution/distribution/v3/registry/storage"
 	"github.com/distribution/distribution/v3/registry/storage/driver"
-	"github.com/distribution/reference"
 )

 var repositoryTTL = 24 * 7 * time.Hour
@ -30,6 +31,7 @@ type proxyingRegistry struct {
 	ttl            *time.Duration
 	remoteURL      url.URL
 	authChallenger authChallenger
+	basicAuth      auth.CredentialStore
 }

 // NewRegistryPullThroughCache creates a registry acting as a pull through cache
@ -112,7 +114,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 		}
 	}

-	cs, err := configureAuth(config.Username, config.Password, config.RemoteURL)
+	cs, b, err := configureAuth(config.Username, config.Password, config.RemoteURL)
 	if err != nil {
 		return nil, err
 	}
@ -127,6 +129,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 			cm:        challenge.NewSimpleManager(),
 			cs:        cs,
 		},
+		basicAuth: b,
 	}, nil
 }

@ -155,7 +158,8 @@ func (pr *proxyingRegistry) Repository(ctx context.Context, name reference.Named

 	tr := transport.NewTransport(http.DefaultTransport,
 		auth.NewAuthorizer(c.challengeManager(),
-			auth.NewTokenHandlerWithOptions(tkopts)))
+			auth.NewTokenHandlerWithOptions(tkopts),
+			auth.NewBasicHandler(pr.basicAuth)))

 	localRepo, err := pr.embedded.Repository(ctx, name)
 	if err != nil {