From 022416c5024a196c36acf78e05d7d0f45346c25c Mon Sep 17 00:00:00 2001
From: Derek McGowan <derek@mcgstyle.net>
Date: Tue, 12 Jul 2016 17:13:43 -0700
Subject: [PATCH] Add support for registry type in scope

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
---
 contrib/token-server/main.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/contrib/token-server/main.go b/contrib/token-server/main.go
index edd894f4..6a4c1778 100644
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
@@ -163,14 +163,21 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 	}
 	grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 	for _, access := range requestedAccessList {
-		if access.Type != "repository" {
+		if access.Type == "repository" {
+			if !strings.HasPrefix(access.Name, scope) {
+				context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
+				continue
+			}
+		} else if access.Type == "registry" {
+			if access.Name != "catalog" {
+				context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
+				continue
+			}
+			// TODO: Limit some actions to "admin" users
+		} else {
 			context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
 			continue
 		}
-		if !strings.HasPrefix(access.Name, scope) {
-			context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
-			continue
-		}
 		grantedAccessList = append(grantedAccessList, access)
 	}
 	return grantedAccessList
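Review bot: The new `registry` branch grants `catalog` to every requester without looking at `scope` or `access.Action`, so any client this token server authenticates can obtain a token for the registry-wide catalog, which lists repository names beyond its own prefix. The `// TODO: Limit some actions to "admin" users` line acknowledges this but leaves the branch open by default. Until an admin check exists, I would state the exposure where the grant happens, e.g. `// NOTE: registry:catalog is granted to all authenticated callers and is not restricted by scope; gate on an admin check before production use`, and log the grant so it is visible in audit. The visible signature of filterAccessList carries only `ctx`, `scope` and the requested list, and its body starts outside this hunk, so an admin gate presumably needs caller identity passed in or read from `ctx`. Separately, the new `Debugf("Unknown registry resource: %s", access.Name)` writes a client-supplied name into the log; `%q` would keep control characters from forging log lines.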