Merge 6d3278cf5f into b606424ea2

10 hours ago · 56474ba102
parent b606424ea2 6d3278cf5f
commit 56474ba102
8 changed files with 156 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@ -81,6 +81,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -105,6 +105,8 @@ github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8b
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@ -702,6 +702,8 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu
 	repository.PlainHTTP = c.plainHTTP
 	repository.Client = c.authorizer

+	ctx = WithScopeHint(ctx, repository, auth.ActionPush, auth.ActionPull)
+
 	manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions)
 	if err != nil {
 		return nil, err
@ -914,3 +916,10 @@ func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store,
 	return oras.TagBytes(ctx, memoryStore, ocispec.MediaTypeImageManifest,
 		manifestData, parsedRef.String())
 }
+
+func WithScopeHint(ctx context.Context, target any, actions ...string) context.Context {
+	if repo, ok := target.(*remote.Repository); ok {
+		return auth.AppendRepositoryScope(ctx, repo.Reference, actions...)
+	}
+	return ctx
+}
--- a/pkg/registry/client_http_test.go
+++ b/pkg/registry/client_http_test.go
@ -32,7 +32,7 @@ type HTTPRegistryClientTestSuite struct {

 func (suite *HTTPRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	setup(&suite.TestSuite, false, false)
+	setup(&suite.TestSuite, false, false, "htpasswd")
 }

 func (suite *HTTPRegistryClientTestSuite) TearDownSuite() {
--- a/pkg/registry/client_insecure_tls_test.go
+++ b/pkg/registry/client_insecure_tls_test.go
@ -29,7 +29,8 @@ type InsecureTLSRegistryClientTestSuite struct {

 func (suite *InsecureTLSRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	setup(&suite.TestSuite, true, true)
+	setup(&suite.TestSuite, true, true, "htpasswd")
+
 }

 func (suite *InsecureTLSRegistryClientTestSuite) TearDownSuite() {
--- a/pkg/registry/client_scope_test.go
+++ b/pkg/registry/client_scope_test.go
@ -0,0 +1,111 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+type RegistryScopeTestSuite struct {
+	TestSuite
+}
+
+func (suite *RegistryScopeTestSuite) SetupSuite() {
+	// set registry use token auth
+	setup(&suite.TestSuite, true, true, "token")
+
+}
+func (suite *RegistryScopeTestSuite) TearDownSuite() {
+	teardown(&suite.TestSuite)
+	os.RemoveAll(suite.WorkspaceDir)
+}
+
+func (suite *RegistryScopeTestSuite) Test_1_Check_Push_Request_Scope() {
+
+	//set simple auth server to check the auth request scope
+	server := &http.Server{
+		Addr: suite.AuthServerHost,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice"), r.URL.String())
+			w.WriteHeader(http.StatusOK)
+		}),
+	}
+	go func() {
+		err := server.ListenAndServe()
+		if err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server failed to ListenAndServe:%v", err)
+		}
+	}()
+
+	// basic push, good ref
+	testingChartCreationTime := "1977-09-02T22:04:05Z"
+	chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
+	suite.Nil(err, "no error loading test chart")
+	meta, err := extractChartMeta(chartData)
+	suite.Nil(err, "no error extracting chart meta")
+	ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
+	_, err = suite.RegistryClient.Push(chartData, ref, PushOptCreationTime(testingChartCreationTime))
+	suite.NotNil(err, "error pushing good ref because auth server don't give proper token")
+
+	//shutdown auth server
+	err = server.Shutdown(context.Background())
+	suite.Nil(err, "shutdown simple auth server")
+
+}
+
+func (suite *RegistryScopeTestSuite) Test_2_Check_Pull_Request_Scope() {
+
+	//set simple auth server to check the auth request scope
+	server := &http.Server{
+		Addr: suite.AuthServerHost,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice"), r.URL.String())
+			w.WriteHeader(http.StatusOK)
+		}),
+	}
+	go func() {
+		err := server.ListenAndServe()
+		if err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server failed to ListenAndServe:%v", err)
+		}
+	}()
+
+	// Load test chart (to build ref pushed in previous test)
+	// Simple pull, chart only
+	chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
+	suite.Nil(err, "no error loading test chart")
+	meta, err := extractChartMeta(chartData)
+	suite.Nil(err, "no error extracting chart meta")
+	ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
+	_, err = suite.RegistryClient.Pull(ref)
+	suite.NotNil(err, "error pulling a simple chart because auth server don't give proper token")
+
+	//shutdown auth server
+	err = server.Shutdown(context.Background())
+	suite.Nil(err, "shutdown simple auth server")
+}
+
+func TestRegistryScopeTestSuite(t *testing.T) {
+	suite.Run(t, new(RegistryScopeTestSuite))
+}
--- a/pkg/registry/client_tls_test.go
+++ b/pkg/registry/client_tls_test.go
@ -31,7 +31,8 @@ type TLSRegistryClientTestSuite struct {

 func (suite *TLSRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	setup(&suite.TestSuite, true, false)
+	setup(&suite.TestSuite, true, false, "htpasswd")
+
 }

 func (suite *TLSRegistryClientTestSuite) TearDownSuite() {
--- a/pkg/registry/utils_test.go
+++ b/pkg/registry/utils_test.go
@ -34,6 +34,7 @@ import (
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/registry"
 	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
+	_ "github.com/distribution/distribution/v3/registry/auth/token"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
 	"github.com/stretchr/testify/suite"
 	"golang.org/x/crypto/bcrypt"
@ -54,19 +55,22 @@ var (
 	testHtpasswdFileBasename = "authtest.htpasswd"
 	testUsername             = "myuser"
 	testPassword             = "mypass"
+	testIssuer               = "testissuer"
+	testService              = "testservice"
 )

 type TestSuite struct {
 	suite.Suite
 	Out                     io.Writer
 	DockerRegistryHost      string
+	AuthServerHost          string
 	CompromisedRegistryHost string
 	WorkspaceDir            string
 	RegistryClient          *Client
 	dockerRegistry          *registry.Registry
 }

-func setup(suite *TestSuite, tlsEnabled, insecure bool) {
+func setup(suite *TestSuite, tlsEnabled, insecure bool, auth string) {
 	suite.WorkspaceDir = testWorkspaceDir
 	os.RemoveAll(suite.WorkspaceDir)
 	os.Mkdir(suite.WorkspaceDir, 0700)
@ -136,11 +140,29 @@ func setup(suite *TestSuite, tlsEnabled, insecure bool) {
 	config.HTTP.DrainTimeout = time.Duration(10) * time.Second
 	config.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}

-	config.Auth = configuration.Auth{
-		"htpasswd": configuration.Parameters{
-			"realm": "localhost",
-			"path":  htpasswdPath,
-		},
+	if auth == "token" {
+		ln, err := net.Listen("tcp", "127.0.0.1:0")
+		suite.Nil(err, "no error finding free port for test auth server")
+		defer ln.Close()
+
+		//set test auth server host
+		suite.AuthServerHost = ln.Addr().String()
+
+		config.Auth = configuration.Auth{
+			"token": configuration.Parameters{
+				"realm":          "http://" + suite.AuthServerHost + "/auth",
+				"service":        testService,
+				"issuer":         testIssuer,
+				"rootcertbundle": tlsServerCert,
+			},
+		}
+	} else {
+		config.Auth = configuration.Auth{
+			"htpasswd": configuration.Parameters{
+				"realm": "localhost",
+				"path":  htpasswdPath,
+			},
+		}
 	}

 	// config tls