Merge pull request #12237 from cuisongliu/auth_basic

fix(main): fix basic auth for helm pull or push
2 years ago · 819931b226
parent 7d190be0d0 4a27baaffc
commit 819931b226
3 changed files with 66 additions and 8 deletions
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@ -59,7 +59,7 @@ type (
 		out                io.Writer
 		authorizer         auth.Client
 		registryAuthorizer *registryauth.Client
-		resolver           remotes.Resolver
+		resolver           func(ref registry.Reference) (remotes.Resolver, error)
 		httpClient         *http.Client
 		plainHTTP          bool
 	}
@ -87,9 +87,23 @@ func NewClient(options ...ClientOption) (*Client, error) {
 		}
 		client.authorizer = authClient
 	}
-	if client.resolver == nil {
+	client.resolver = func(ref registry.Reference) (remotes.Resolver, error) {
 		headers := http.Header{}
 		headers.Set("User-Agent", version.GetUserAgent())
+		dockerClient, ok := client.authorizer.(*dockerauth.Client)
+		if ok {
+			username, password, err := dockerClient.Credential(ref.Registry)
+			if err != nil {
+				return nil, errors.New("unable to retrieve credentials")
+			}
+			// A blank returned username and password value is a bearer token
+			if username == "" && password != "" {
+				headers.Set("Authorization", fmt.Sprintf("Bearer %s", password))
+			} else {
+				headers.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(username, password)))
+			}
+		}
+
 		opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)}
 		if client.httpClient != nil {
 			opts = append(opts, auth.WithResolverClient(client.httpClient))
@ -101,9 +115,8 @@ func NewClient(options ...ClientOption) (*Client, error) {
 		if err != nil {
 			return nil, err
 		}
-		client.resolver = resolver
+		return resolver, nil
 	}
-
 	// allocate a cache if option is set
 	var cache registryauth.Cache
 	if client.enableCache {
@ -121,7 +134,6 @@ func NewClient(options ...ClientOption) (*Client, error) {
 				if !ok {
 					return registryauth.EmptyCredential, errors.New("unable to obtain docker client")
 				}
-
 				username, password, err := dockerClient.Credential(reg)
 				if err != nil {
 					return registryauth.EmptyCredential, errors.New("unable to retrieve credentials")
@ -334,7 +346,11 @@ func (c *Client) Pull(ref string, options ...PullOption) (*PullResult, error) {
 	}

 	var descriptors, layers []ocispec.Descriptor
-	registryStore := content.Registry{Resolver: c.resolver}
+	remotesResolver, err := c.resolver(parsedRef)
+	if err != nil {
+		return nil, err
+	}
+	registryStore := content.Registry{Resolver: remotesResolver}

 	manifest, err := oras.Copy(ctx(c.out, c.debug), registryStore, parsedRef.String(), memoryStore, "",
 		oras.WithPullEmptyNameAllowed(),
@ -572,8 +588,11 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu
 	if err := memoryStore.StoreManifest(parsedRef.String(), manifest, manifestData); err != nil {
 		return nil, err
 	}
-
-	registryStore := content.Registry{Resolver: c.resolver}
+	remotesResolver, err := c.resolver(parsedRef)
+	if err != nil {
+		return nil, err
+	}
+	registryStore := content.Registry{Resolver: remotesResolver}
 	_, err = oras.Copy(ctx(c.out, c.debug), memoryStore, parsedRef.String(), registryStore, "",
 		oras.WithNameValidation(nil))
 	if err != nil {
--- a/pkg/registry/util.go
+++ b/pkg/registry/util.go
@ -19,6 +19,7 @@ package registry // import "helm.sh/helm/v3/pkg/registry"
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
@ -245,3 +246,13 @@ func addToMap(inputMap map[string]string, newKey string, newValue string) map[st
 	return inputMap

 }
+
+// See 2 (end of page 4) https://www.ietf.org/rfc/rfc2617.txt
+// "To receive authorization, the client sends the userid and password,
+// separated by a single colon (":") character, within a base64
+// encoded string in the credentials."
+// It is not meant to be urlencoded.
+func basicAuth(username, password string) string {
+	auth := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
--- a/pkg/registry/util_test.go
+++ b/pkg/registry/util_test.go
@ -238,3 +238,31 @@ func TestGenerateOCICreatedAnnotations(t *testing.T) {
 	}

 }
+
+func Test_basicAuth(t *testing.T) {
+	type args struct {
+		username string
+		password string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			name: "Basic Auth",
+			args: args{
+				username: "admin",
+				password: "passw0rd",
+			},
+			want: "YWRtaW46cGFzc3cwcmQ=",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := basicAuth(tt.args.username, tt.args.password); got != tt.want {
+				t.Errorf("basicAuth() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}