Add support for Basic Authentication to proxyingRegistry (#4263)

Merging despite CodeQL warnings. see this for more details, why we decided to merge: https://github.com/github/codeql/issues/16486
This commit is contained in:
Milos Gajdos 2024-05-14 10:43:56 +01:00 committed by GitHub
commit 6a9b0cfb71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 22 additions and 9 deletions

View file

@ -17,14 +17,23 @@ type userpass struct {
password string
}
func (u userpass) Basic(_ *url.URL) (string, string) {
return u.username, u.password
}
func (u userpass) RefreshToken(_ *url.URL, service string) string {
return ""
}
func (u userpass) SetRefreshToken(_ *url.URL, service, token string) {
}
type credentials struct {
creds map[string]userpass
}
func (c credentials) Basic(u *url.URL) (string, string) {
up := c.creds[u.String()]
return up.username, up.password
return c.creds[u.String()].Basic(u)
}
func (c credentials) RefreshToken(u *url.URL, service string) string {
@ -35,12 +44,12 @@ func (c credentials) SetRefreshToken(u *url.URL, service, token string) {
}
// configureAuth stores credentials for challenge responses
func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) {
func configureAuth(username, password, remoteURL string) (auth.CredentialStore, auth.CredentialStore, error) {
creds := map[string]userpass{}
authURLs, err := getAuthURLs(remoteURL)
if err != nil {
return nil, err
return nil, nil, err
}
for _, url := range authURLs {
@ -51,7 +60,7 @@ func configureAuth(username, password, remoteURL string) (auth.CredentialStore,
}
}
return credentials{creds: creds}, nil
return credentials{creds: creds}, userpass{username: username, password: password}, nil
}
func getAuthURLs(remoteURL string) ([]string, error) {

View file

@ -8,6 +8,8 @@ import (
"sync"
"time"
"github.com/distribution/reference"
"github.com/distribution/distribution/v3"
"github.com/distribution/distribution/v3/configuration"
"github.com/distribution/distribution/v3/internal/client"
@ -18,7 +20,6 @@ import (
"github.com/distribution/distribution/v3/registry/proxy/scheduler"
"github.com/distribution/distribution/v3/registry/storage"
"github.com/distribution/distribution/v3/registry/storage/driver"
"github.com/distribution/reference"
)
var repositoryTTL = 24 * 7 * time.Hour
@ -30,6 +31,7 @@ type proxyingRegistry struct {
ttl *time.Duration
remoteURL url.URL
authChallenger authChallenger
basicAuth auth.CredentialStore
}
// NewRegistryPullThroughCache creates a registry acting as a pull through cache
@ -112,7 +114,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
}
}
cs, err := configureAuth(config.Username, config.Password, config.RemoteURL)
cs, b, err := configureAuth(config.Username, config.Password, config.RemoteURL)
if err != nil {
return nil, err
}
@ -127,6 +129,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
cm: challenge.NewSimpleManager(),
cs: cs,
},
basicAuth: b,
}, nil
}
@ -155,7 +158,8 @@ func (pr *proxyingRegistry) Repository(ctx context.Context, name reference.Named
tr := transport.NewTransport(http.DefaultTransport,
auth.NewAuthorizer(c.challengeManager(),
auth.NewTokenHandlerWithOptions(tkopts)))
auth.NewTokenHandlerWithOptions(tkopts),
auth.NewBasicHandler(pr.basicAuth)))
localRepo, err := pr.embedded.Repository(ctx, name)
if err != nil {