Add support for Basic Authentication to proxyingRegistry (#4263)

Merging despite CodeQL warnings. See this issue for details on why we decided to merge: https://github.com/github/codeql/issues/16486
Milos Gajdos 2024-05-14 10:43:56 +01:00 committed by GitHub
commit 6a9b0cfb71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 22 additions and 9 deletions


@ -17,14 +17,23 @@ type userpass struct {
password string password string
} }
func (u userpass) Basic(_ *url.URL) (string, string) {
return u.username, u.password
}
func (u userpass) RefreshToken(_ *url.URL, service string) string {
return ""
}
func (u userpass) SetRefreshToken(_ *url.URL, service, token string) {
}
type credentials struct { type credentials struct {
creds map[string]userpass creds map[string]userpass
} }
func (c credentials) Basic(u *url.URL) (string, string) { func (c credentials) Basic(u *url.URL) (string, string) {
up := c.creds[u.String()] return c.creds[u.String()].Basic(u)
return up.username, up.password
} }
func (c credentials) RefreshToken(u *url.URL, service string) string { func (c credentials) RefreshToken(u *url.URL, service string) string {
@ -35,12 +44,12 @@ func (c credentials) SetRefreshToken(u *url.URL, service, token string) {
} }
// configureAuth stores credentials for challenge responses // configureAuth stores credentials for challenge responses
func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) { func configureAuth(username, password, remoteURL string) (auth.CredentialStore, auth.CredentialStore, error) {
creds := map[string]userpass{} creds := map[string]userpass{}
authURLs, err := getAuthURLs(remoteURL) authURLs, err := getAuthURLs(remoteURL)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
for _, url := range authURLs { for _, url := range authURLs {
@ -51,7 +60,7 @@ func configureAuth(username, password, remoteURL string) (auth.CredentialStore,
} }
} }
return credentials{creds: creds}, nil return credentials{creds: creds}, userpass{username: username, password: password}, nil
} }
func getAuthURLs(remoteURL string) ([]string, error) { func getAuthURLs(remoteURL string) ([]string, error) {
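Review bot: `userpass.Basic` discards its `*url.URL` argument, so the second store returned by `configureAuth` hands back the configured username and password for whatever URL it is asked about, unlike `credentials.Basic`, which only answers for keys present in the `creds` map. Which hosts can receive the password therefore depends entirely on where the caller attaches this store, and nothing in this file says so. I would add a doc comment on the method, e.g. `// Basic returns the configured credentials for every URL; attach this store only to transports that talk to the configured remote.`, and extend the `configureAuth` comment to describe the second return value. The loop body of `configureAuth` falls between the hunks and is not visible here.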


@ -8,6 +8,8 @@ import (
"sync" "sync"
"time" "time"
"github.com/distribution/reference"
"github.com/distribution/distribution/v3" "github.com/distribution/distribution/v3"
"github.com/distribution/distribution/v3/configuration" "github.com/distribution/distribution/v3/configuration"
"github.com/distribution/distribution/v3/internal/client" "github.com/distribution/distribution/v3/internal/client"
@ -18,7 +20,6 @@ import (
"github.com/distribution/distribution/v3/registry/proxy/scheduler" "github.com/distribution/distribution/v3/registry/proxy/scheduler"
"github.com/distribution/distribution/v3/registry/storage" "github.com/distribution/distribution/v3/registry/storage"
"github.com/distribution/distribution/v3/registry/storage/driver" "github.com/distribution/distribution/v3/registry/storage/driver"
"github.com/distribution/reference"
) )
var repositoryTTL = 24 * 7 * time.Hour var repositoryTTL = 24 * 7 * time.Hour
@ -30,6 +31,7 @@ type proxyingRegistry struct {
ttl *time.Duration ttl *time.Duration
remoteURL url.URL remoteURL url.URL
authChallenger authChallenger authChallenger authChallenger
basicAuth auth.CredentialStore
} }
// NewRegistryPullThroughCache creates a registry acting as a pull through cache // NewRegistryPullThroughCache creates a registry acting as a pull through cache
@ -112,7 +114,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
} }
} }
cs, err := configureAuth(config.Username, config.Password, config.RemoteURL) cs, b, err := configureAuth(config.Username, config.Password, config.RemoteURL)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -127,6 +129,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
cm: challenge.NewSimpleManager(), cm: challenge.NewSimpleManager(),
cs: cs, cs: cs,
}, },
basicAuth: b,
}, nil }, nil
} }
@ -155,7 +158,8 @@ func (pr *proxyingRegistry) Repository(ctx context.Context, name reference.Named
tr := transport.NewTransport(http.DefaultTransport, tr := transport.NewTransport(http.DefaultTransport,
auth.NewAuthorizer(c.challengeManager(), auth.NewAuthorizer(c.challengeManager(),
auth.NewTokenHandlerWithOptions(tkopts))) auth.NewTokenHandlerWithOptions(tkopts),
auth.NewBasicHandler(pr.basicAuth)))
localRepo, err := pr.embedded.Repository(ctx, name) localRepo, err := pr.embedded.Repository(ctx, name)
if err != nil { if err != nil {
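Review bot: With `auth.NewBasicHandler(pr.basicAuth)` added in `Repository`, the configured password itself, rather than a short-lived token, may now be attached to upstream requests, and none of the visible hunks checks that `config.RemoteURL` uses https before `basicAuth: b` is set. Over plain http a Basic header is only base64-encoded, so the credentials would be readable by anything on the network path. I would have `NewRegistryPullThroughCache` return an error, or at least log a warning, when `config.Username` is non-empty and the remote scheme is not `https`, and add a field comment such as `// basicAuth holds the static upstream credentials used to answer Basic challenges.` Both function bodies continue outside the hunks, so such a check may already exist elsewhere.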