diff --git a/pkg/registry/client.go b/pkg/registry/client.go index 366251c60..1fe4b7813 100644 --- a/pkg/registry/client.go +++ b/pkg/registry/client.go @@ -717,7 +717,7 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu repository.PlainHTTP = c.plainHTTP repository.Client = c.authorizer - ctx = WithScopeHint(ctx, repository, auth.ActionPush, auth.ActionPull) + ctx = withScopeHint(ctx, repository, auth.ActionPull, auth.ActionPush) manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions) if err != nil { @@ -930,7 +930,14 @@ func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store, manifestData, parsedRef.String()) } -func WithScopeHint(ctx context.Context, target any, actions ...string) context.Context { +// add actions when request a registry authentication token(jwt) +// example1. when we want to pull 'testrepo/local-subchart' we can send bellow url, and 'pull' is the action +// auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice +// example2. when we want to push 'testrepo/local-subchart' we can send bellow url, and 'pull%2Cpush' are the actions +// auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice +// we can set the actions like bellow +// example) ctx = WithScopeHint(ctx, repository, auth.ActionPush, auth.ActionPull) +func withScopeHint(ctx context.Context, target any, actions ...string) context.Context { if repo, ok := target.(*remote.Repository); ok { return auth.AppendRepositoryScope(ctx, repo.Reference, actions...) } diff --git a/pkg/registry/client_scope_test.go b/pkg/registry/client_scope_test.go index 2039faad9..2a3def6f6 100644 --- a/pkg/registry/client_scope_test.go +++ b/pkg/registry/client_scope_test.go @@ -44,12 +44,14 @@ func (suite *RegistryScopeTestSuite) TearDownSuite() { func (suite *RegistryScopeTestSuite) Test_1_Check_Push_Request_Scope() { + var requestUrl string + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice"), r.URL.String()) + requestUrl = r.URL.String() w.WriteHeader(http.StatusOK) }) listener, err := net.Listen("tcp", suite.AuthServerHost) - suite.NoError(err, "no error creating server listner") + suite.NoError(err, "no error creating server listener") ts := httptest.NewUnstartedServer(handler) ts.Listener = listener @@ -64,18 +66,23 @@ func (suite *RegistryScopeTestSuite) Test_1_Check_Push_Request_Scope() { suite.NoError(err, "no error extracting chart meta") ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version) _, err = suite.RegistryClient.Push(chartData, ref, PushOptCreationTime(testingChartCreationTime)) - suite.Error(err, "error pushing good ref because auth server don't give proper token") + suite.Error(err, "error pushing good ref because auth server doesn't give proper token") + + //check the url that authentication server received + suite.Equal("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice", requestUrl) } func (suite *RegistryScopeTestSuite) Test_2_Check_Pull_Request_Scope() { + var requestUrl string + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice"), r.URL.String()) + requestUrl = r.URL.String() w.WriteHeader(http.StatusOK) }) listener, err := net.Listen("tcp", suite.AuthServerHost) - suite.NoError(err, "no error creating server listner") + suite.NoError(err, "no error creating server listener") ts := httptest.NewUnstartedServer(handler) ts.Listener = listener @@ -90,8 +97,10 @@ func (suite *RegistryScopeTestSuite) Test_2_Check_Pull_Request_Scope() { suite.NoError(err, "no error extracting chart meta") ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version) _, err = suite.RegistryClient.Pull(ref) - suite.Error(err, "error pulling a simple chart because auth server don't give proper token") + suite.Error(err, "error pulling a simple chart because auth server doesn't give proper token") + //check the url that authentication server received + suite.Equal("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice", requestUrl) } func TestRegistryScopeTestSuite(t *testing.T) { diff --git a/pkg/registry/registry_test.go b/pkg/registry/registry_test.go index 5f745c8a1..3dc65908a 100644 --- a/pkg/registry/registry_test.go +++ b/pkg/registry/registry_test.go @@ -146,7 +146,6 @@ func setup(suite *TestRegistry, tlsEnabled, insecure bool, auth string) { if auth == "token" { ln, err := net.Listen("tcp", "127.0.0.1:0") suite.Nil(err, "no error finding free port for test auth server") - defer ln.Close() //set test auth server host suite.AuthServerHost = ln.Addr().String()