forked from TrueCloudLab/distribution
Update to address comments
Add logging to resolve scope Clarify response logs Better messaging for tls setup error Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This commit is contained in:
parent
08d1f035f0
commit
e28c288444
2 changed files with 8 additions and 8 deletions
|
@ -86,7 +86,7 @@ func main() {
|
||||||
if cert == "" {
|
if cert == "" {
|
||||||
err = http.ListenAndServe(addr, router)
|
err = http.ListenAndServe(addr, router)
|
||||||
} else if certKey == "" {
|
} else if certKey == "" {
|
||||||
logrus.Fatalf("Must provide certficate and key")
|
logrus.Fatalf("Must provide certficate (-tlscert) and key (-tlskey)")
|
||||||
} else {
|
} else {
|
||||||
err = http.ListenAndServeTLS(addr, cert, certKey, router)
|
err = http.ListenAndServeTLS(addr, cert, certKey, router)
|
||||||
}
|
}
|
||||||
|
@ -134,7 +134,7 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
|
||||||
service := params.Get("service")
|
service := params.Get("service")
|
||||||
scopeSpecifiers := params["scope"]
|
scopeSpecifiers := params["scope"]
|
||||||
|
|
||||||
requestedAccessList := ResolveScopeSpecifiers(scopeSpecifiers)
|
requestedAccessList := ResolveScopeSpecifiers(ctx, scopeSpecifiers)
|
||||||
|
|
||||||
authorizedCtx, err := ts.accessController.Authorized(ctx, requestedAccessList...)
|
authorizedCtx, err := ts.accessController.Authorized(ctx, requestedAccessList...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -150,14 +150,13 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
|
||||||
challenge.SetHeaders(w)
|
challenge.SetHeaders(w)
|
||||||
handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail(challenge.Error()), w)
|
handleError(ctx, errcode.ErrorCodeUnauthorized.WithDetail(challenge.Error()), w)
|
||||||
|
|
||||||
context.GetResponseLogger(ctx).Info("authentication challenged")
|
context.GetResponseLogger(ctx).Info("get token authentication challenge")
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
ctx = authorizedCtx
|
ctx = authorizedCtx
|
||||||
|
|
||||||
// TODO(dmcgowan): handle case where this could panic?
|
username := context.GetStringValue(ctx, "auth.user.name")
|
||||||
username := ctx.Value("auth.user.name").(string)
|
|
||||||
|
|
||||||
ctx = context.WithValue(ctx, "acctSubject", username)
|
ctx = context.WithValue(ctx, "acctSubject", username)
|
||||||
ctx = context.WithLogger(ctx, context.GetLogger(ctx, "acctSubject"))
|
ctx = context.WithLogger(ctx, context.GetLogger(ctx, "acctSubject"))
|
||||||
|
@ -198,5 +197,5 @@ func (ts *tokenServer) getToken(ctx context.Context, w http.ResponseWriter, r *h
|
||||||
w.Header().Set("Content-Type", "application/json")
|
w.Header().Set("Content-Type", "application/json")
|
||||||
json.NewEncoder(w).Encode(map[string]string{"token": token})
|
json.NewEncoder(w).Encode(map[string]string{"token": token})
|
||||||
|
|
||||||
context.GetResponseLogger(ctx).Info("getToken complete")
|
context.GetResponseLogger(ctx).Info("get token complete")
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,6 +10,7 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/docker/distribution/context"
|
||||||
"github.com/docker/distribution/registry/auth"
|
"github.com/docker/distribution/registry/auth"
|
||||||
"github.com/docker/distribution/registry/auth/token"
|
"github.com/docker/distribution/registry/auth/token"
|
||||||
"github.com/docker/libtrust"
|
"github.com/docker/libtrust"
|
||||||
|
@ -17,7 +18,7 @@ import (
|
||||||
|
|
||||||
// ResolveScopeSpecifiers converts a list of scope specifiers from a token
|
// ResolveScopeSpecifiers converts a list of scope specifiers from a token
|
||||||
// request's `scope` query parameters into a list of standard access objects.
|
// request's `scope` query parameters into a list of standard access objects.
|
||||||
func ResolveScopeSpecifiers(scopeSpecs []string) []auth.Access {
|
func ResolveScopeSpecifiers(ctx context.Context, scopeSpecs []string) []auth.Access {
|
||||||
requestedAccessSet := make(map[auth.Access]struct{}, 2*len(scopeSpecs))
|
requestedAccessSet := make(map[auth.Access]struct{}, 2*len(scopeSpecs))
|
||||||
|
|
||||||
for _, scopeSpecifier := range scopeSpecs {
|
for _, scopeSpecifier := range scopeSpecs {
|
||||||
|
@ -25,7 +26,7 @@ func ResolveScopeSpecifiers(scopeSpecs []string) []auth.Access {
|
||||||
parts := strings.SplitN(scopeSpecifier, ":", 3)
|
parts := strings.SplitN(scopeSpecifier, ":", 3)
|
||||||
|
|
||||||
if len(parts) != 3 {
|
if len(parts) != 3 {
|
||||||
// Ignore malformed scope specifiers.
|
context.GetLogger(ctx).Infof("ignoring unsupported scope format %s", scopeSpecifier)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue