Merge pull request #31211 from kimsungmin1/main-fix-push-scope

fix: set [pull,push] scope when helm push to a registry(use token auth) - v4
pull/32262/merge
Terry Howe 5 days ago committed by GitHub
commit 543b94d673
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -80,6 +80,7 @@ require (
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-errors/errors v1.5.1 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.4 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.21.1 // indirect

@ -105,6 +105,8 @@ github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8b
github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=

@ -717,6 +717,8 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu
repository.PlainHTTP = c.plainHTTP
repository.Client = c.authorizer
ctx = withScopeHint(ctx, repository, auth.ActionPull, auth.ActionPush)
manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions)
if err != nil {
return nil, err
@ -927,3 +929,14 @@ func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store,
return oras.TagBytes(ctx, memoryStore, ocispec.MediaTypeImageManifest,
manifestData, parsedRef.String())
}
// add actions when request a registry authentication token(jwt)
// example1. when we want to pull 'testrepo/local-subchart' we can send below url, and 'pull' is the action
// auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice
// example2. when we want to push 'testrepo/local-subchart' we can send below url, and 'pull%2Cpush' are the actions
// auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice
// we can set the actions like below
// example) ctx = withScopeHint(ctx, repository, auth.ActionPush, auth.ActionPull)
func withScopeHint(ctx context.Context, repo *remote.Repository, actions ...string) context.Context {
return auth.AppendRepositoryScope(ctx, repo.Reference, actions...)
}

@ -30,7 +30,7 @@ type HTTPRegistryClientTestSuite struct {
func (suite *HTTPRegistryClientTestSuite) SetupSuite() {
// init test client
setup(&suite.TestRegistry, false, false)
setup(&suite.TestRegistry, false, false, "htpasswd")
}
func (suite *HTTPRegistryClientTestSuite) TearDownSuite() {

@ -29,7 +29,7 @@ type InsecureTLSRegistryClientTestSuite struct {
func (suite *InsecureTLSRegistryClientTestSuite) SetupSuite() {
// init test client
setup(&suite.TestRegistry, true, true)
setup(&suite.TestRegistry, true, true, "htpasswd")
}
func (suite *InsecureTLSRegistryClientTestSuite) TearDownSuite() {

@ -0,0 +1,142 @@
/*
Copyright The Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package registry
import (
"fmt"
"net"
"net/http"
"net/http/httptest"
"net/url"
"os"
"testing"
"time"
"github.com/stretchr/testify/suite"
)
type RegistryScopeTestSuite struct {
TestRegistry
}
func (suite *RegistryScopeTestSuite) SetupSuite() {
// Set up a plain-HTTP registry that uses token auth. The token realm is
// served over http (see setup), so the registry must be contacted over
// http as well: oras refuses to send credentials to an http token realm
// when the registry itself was reached over https.
setup(&suite.TestRegistry, false, false, "token")
}
func (suite *RegistryScopeTestSuite) TearDownSuite() {
teardown(&suite.TestRegistry)
os.RemoveAll(suite.WorkspaceDir)
}
func (suite *RegistryScopeTestSuite) Test_1_Check_Push_Request_Scope() {
requestURL := make(chan string, 1)
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Capture only the first auth request; never block the handler if the
// client happens to retry, so the auth server always responds and the
// push/pull flow can't deadlock waiting on us.
select {
case requestURL <- r.URL.String():
default:
}
w.WriteHeader(http.StatusOK)
})
lnCfg := net.ListenConfig{}
listener, err := lnCfg.Listen(suite.T().Context(), "tcp", suite.AuthServerHost)
suite.NoError(err, "no error creating server listener")
ts := httptest.NewUnstartedServer(handler)
ts.Listener = listener
ts.Start()
defer ts.Close()
// basic push, good ref
testingChartCreationTime := "1977-09-02T22:04:05Z"
chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
suite.NoError(err, "no error loading test chart")
meta, err := extractChartMeta(chartData)
suite.NoError(err, "no error extracting chart meta")
ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
_, err = suite.RegistryClient.Push(chartData, ref, PushOptCreationTime(testingChartCreationTime))
suite.Error(err, "error pushing good ref because auth server doesn't give proper token")
//check the url that authentication server received
select {
case urlStr := <-requestURL:
u, err := url.Parse(urlStr)
suite.NoError(err, "no error parsing requested URL")
suite.Equal("/auth", u.Path)
suite.Equal("testservice", u.Query().Get("service"))
scope := u.Query().Get("scope")
suite.Contains(scope, "repository:testrepo/local-subchart:pull,push")
case <-time.After(5 * time.Second):
suite.T().Fatal("timeout waiting for auth request")
}
}
func (suite *RegistryScopeTestSuite) Test_2_Check_Pull_Request_Scope() {
requestURL := make(chan string, 1)
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Capture only the first auth request; never block the handler if the
// client happens to retry, so the auth server always responds and the
// push/pull flow can't deadlock waiting on us.
select {
case requestURL <- r.URL.String():
default:
}
w.WriteHeader(http.StatusOK)
})
lnCfg := net.ListenConfig{}
listener, err := lnCfg.Listen(suite.T().Context(), "tcp", suite.AuthServerHost)
suite.NoError(err, "no error creating server listener")
ts := httptest.NewUnstartedServer(handler)
ts.Listener = listener
ts.Start()
defer ts.Close()
// Load test chart (to build ref pushed in previous test)
// Simple pull, chart only
chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
suite.NoError(err, "no error loading test chart")
meta, err := extractChartMeta(chartData)
suite.NoError(err, "no error extracting chart meta")
ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
_, err = suite.RegistryClient.Pull(ref)
suite.Error(err, "error pulling a simple chart because auth server doesn't give proper token")
//check the url that authentication server received
select {
case urlStr := <-requestURL:
u, err := url.Parse(urlStr)
suite.NoError(err, "no error parsing requested URL")
suite.Equal("/auth", u.Path)
suite.Equal("testservice", u.Query().Get("service"))
scope := u.Query().Get("scope")
suite.Contains(scope, "repository:testrepo/local-subchart:pull")
case <-time.After(5 * time.Second):
suite.T().Fatal("timeout waiting for auth request")
}
}
func TestRegistryScopeTestSuite(t *testing.T) {
suite.Run(t, new(RegistryScopeTestSuite))
}

@ -31,7 +31,7 @@ type TLSRegistryClientTestSuite struct {
func (suite *TLSRegistryClientTestSuite) SetupSuite() {
// init test client
setup(&suite.TestRegistry, true, false)
setup(&suite.TestRegistry, true, false, "htpasswd")
}
func (suite *TLSRegistryClientTestSuite) TearDownSuite() {

@ -33,6 +33,7 @@ import (
"github.com/distribution/distribution/v3/configuration"
"github.com/distribution/distribution/v3/registry"
_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
_ "github.com/distribution/distribution/v3/registry/auth/token"
_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/stretchr/testify/require"
@ -55,6 +56,8 @@ var (
testHtpasswdFileBasename = "authtest.htpasswd"
testUsername = "myuser"
testPassword = "mypass"
testIssuer = "testissuer"
testService = "testservice"
)
type TestRegistry struct {
@ -62,13 +65,14 @@ type TestRegistry struct {
Out io.Writer
FakeRegistryHost string
DockerRegistryHost string
AuthServerHost string
CompromisedRegistryHost string
WorkspaceDir string
RegistryClient *Client
dockerRegistry *registry.Registry
}
func setup(suite *TestRegistry, tlsEnabled, insecure bool) {
func setup(suite *TestRegistry, tlsEnabled, insecure bool, auth string) {
suite.WorkspaceDir = testWorkspaceDir
err := os.RemoveAll(suite.WorkspaceDir)
require.NoError(suite.T(), err, "no error removing test workspace dir")
@ -129,21 +133,42 @@ func setup(suite *TestRegistry, tlsEnabled, insecure bool) {
suite.Require().NoError(err, "no error finding free port for test registry")
defer func() { _ = ln.Close() }()
// Change the registry host to another host which is not localhost.
// This is required because Docker enforces HTTP if the registry
// host is localhost/127.0.0.1.
// Use localhost for HTTP tests and helm-test-registry for TLS tests.
// TLS tests need a different hostname to match the certificate.
port := ln.Addr().(*net.TCPAddr).Port
suite.DockerRegistryHost = fmt.Sprintf("helm-test-registry:%d", port)
if tlsEnabled {
suite.DockerRegistryHost = fmt.Sprintf("helm-test-registry:%d", port)
} else {
suite.DockerRegistryHost = fmt.Sprintf("127.0.0.1:%d", port)
}
config.HTTP.Addr = ln.Addr().String()
config.HTTP.DrainTimeout = time.Duration(10) * time.Second
config.Storage = map[string]configuration.Parameters{"inmemory": map[string]any{}}
config.Auth = configuration.Auth{
"htpasswd": configuration.Parameters{
"realm": "localhost",
"path": htpasswdPath,
},
if auth == "token" {
ln, err := lnCfg.Listen(suite.T().Context(), "tcp", "127.0.0.1:0")
suite.Require().NoError(err, "no error finding free port for test auth server")
defer ln.Close()
//set test auth server host
suite.AuthServerHost = ln.Addr().String()
config.Auth = configuration.Auth{
"token": configuration.Parameters{
"realm": "http://" + suite.AuthServerHost + "/auth",
"service": testService,
"issuer": testIssuer,
"rootcertbundle": tlsServerCert,
},
}
} else {
config.Auth = configuration.Auth{
"htpasswd": configuration.Parameters{
"realm": "localhost",
"path": htpasswdPath,
},
}
}
// config tls

Loading…
Cancel
Save