From 3cbee7e935eb6e783c36b17d6eb79eb6edcda15b Mon Sep 17 00:00:00 2001 From: kimsm28 Date: Thu, 2 Jul 2026 21:49:33 +0900 Subject: [PATCH] fix(registry): use plain-http registry in token-auth scope test The scope test configured a TLS registry while advertising an http token realm. oras refuses to send credentials to an http token realm when the registry itself was contacted over https, so the auth server was never reached and the test timed out ("timeout waiting for auth request"). Use a plain-http registry so the registry and token-realm schemes match; the scope carried in the token request is what this test verifies, and that is independent of TLS. Also make the auth handler's channel send non-blocking so that a client retry can never block the handler and stall the push/pull flow, which addresses the review comment about a potential deadlock. Co-Authored-By: Claude Opus 4.8 (1M context) Signed-off-by: kimsm28 --- pkg/registry/client_scope_test.go | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/pkg/registry/client_scope_test.go b/pkg/registry/client_scope_test.go index b1da20a6b..98cdc74ff 100644 --- a/pkg/registry/client_scope_test.go +++ b/pkg/registry/client_scope_test.go @@ -30,17 +30,18 @@ import ( ) type RegistryScopeTestSuite struct { - TestSuite + TestRegistry } func (suite *RegistryScopeTestSuite) SetupSuite() { - // set registry use token auth - dockerRegistry := setup(&suite.TestSuite, true, true, "token") - // Start Docker registry - go dockerRegistry.ListenAndServe() + // Set up a plain-HTTP registry that uses token auth. The token realm is + // served over http (see setup), so the registry must be contacted over + // http as well: oras refuses to send credentials to an http token realm + // when the registry itself was reached over https. + setup(&suite.TestRegistry, false, false, "token") } func (suite *RegistryScopeTestSuite) TearDownSuite() { - teardown(&suite.TestSuite) + teardown(&suite.TestRegistry) os.RemoveAll(suite.WorkspaceDir) } @@ -48,7 +49,13 @@ func (suite *RegistryScopeTestSuite) Test_1_Check_Push_Request_Scope() { requestURL := make(chan string, 1) handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - requestURL <- r.URL.String() + // Capture only the first auth request; never block the handler if the + // client happens to retry, so the auth server always responds and the + // push/pull flow can't deadlock waiting on us. + select { + case requestURL <- r.URL.String(): + default: + } w.WriteHeader(http.StatusOK) }) listener, err := net.Listen("tcp", suite.AuthServerHost) @@ -88,7 +95,13 @@ func (suite *RegistryScopeTestSuite) Test_2_Check_Pull_Request_Scope() { requestURL := make(chan string, 1) handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - requestURL <- r.URL.String() + // Capture only the first auth request; never block the handler if the + // client happens to retry, so the auth server always responds and the + // push/pull flow can't deadlock waiting on us. + select { + case requestURL <- r.URL.String(): + default: + } w.WriteHeader(http.StatusOK) }) listener, err := net.Listen("tcp", suite.AuthServerHost)