fix scope when helm push to a registry that use token auth

Signed-off-by: kimsungmin1 <sm28.kim@samsung.com>
4 weeks ago · 86a808e3c7
parent 523d0b305e
commit 86a808e3c7
8 changed files with 154 additions and 9 deletions
--- a/go.mod
+++ b/go.mod
@ -26,6 +26,7 @@ require (
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/moby/term v0.5.2
 	github.com/opencontainers/image-spec v1.1.1
+	github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
 	github.com/rubenv/sql-migrate v1.8.0
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/spf13/cobra v1.9.1
@ -75,6 +76,7 @@ require (
 	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -99,6 +99,8 @@ github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8b
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
@ -246,6 +248,8 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
--- a/pkg/registry/client.go
+++ b/pkg/registry/client.go
@ -699,6 +699,8 @@ func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResu
 	repository.PlainHTTP = c.plainHTTP
 	repository.Client = c.authorizer

+	ctx = WithScopeHint(ctx, repository, auth.ActionPush, auth.ActionPull)
+
 	manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions)
 	if err != nil {
 		return nil, err
@ -909,3 +911,10 @@ func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store,
 	return oras.TagBytes(ctx, memoryStore, ocispec.MediaTypeImageManifest,
 		manifestData, parsedRef.String())
 }
+
+func WithScopeHint(ctx context.Context, target any, actions ...string) context.Context {
+	if repo, ok := target.(*remote.Repository); ok {
+		return auth.AppendRepositoryScope(ctx, repo.Reference, actions...)
+	}
+	return ctx
+}
--- a/pkg/registry/client_http_test.go
+++ b/pkg/registry/client_http_test.go
@ -32,7 +32,7 @@ type HTTPRegistryClientTestSuite struct {

 func (suite *HTTPRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	dockerRegistry := setup(&suite.TestSuite, false, false)
+	dockerRegistry := setup(&suite.TestSuite, false, false, "htpasswd")

 	// Start Docker registry
 	go dockerRegistry.ListenAndServe()
--- a/pkg/registry/client_insecure_tls_test.go
+++ b/pkg/registry/client_insecure_tls_test.go
@ -29,7 +29,7 @@ type InsecureTLSRegistryClientTestSuite struct {

 func (suite *InsecureTLSRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	dockerRegistry := setup(&suite.TestSuite, true, true)
+	dockerRegistry := setup(&suite.TestSuite, true, true, "htpasswd")

 	// Start Docker registry
 	go dockerRegistry.ListenAndServe()
--- a/pkg/registry/client_scope_test.go
+++ b/pkg/registry/client_scope_test.go
@ -0,0 +1,109 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package registry
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+)
+
+type RegistryScopeTestSuite struct {
+	TestSuite
+}
+
+func (suite *RegistryScopeTestSuite) SetupSuite() {
+	// set registry use token auth
+	dockerRegistry := setup(&suite.TestSuite, true, true, "token")
+	// Start Docker registry
+	go dockerRegistry.ListenAndServe()
+}
+func (suite *RegistryScopeTestSuite) TearDownSuite() {
+	teardown(&suite.TestSuite)
+	os.RemoveAll(suite.WorkspaceDir)
+}
+
+func (suite *RegistryScopeTestSuite) Test_1_Cehck_Push_Request_Scope() {
+
+	//set simple auth server to check the auth request scope
+	server := &http.Server{
+		Addr: suite.AuthServerHost,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull%2Cpush&service=testservice"), r.URL.String())
+			w.WriteHeader(http.StatusOK)
+		}),
+	}
+	go func() {
+		err := server.ListenAndServe()
+		if err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server failed to ListenAndServe:%v", err)
+		}
+	}()
+
+	// basic push, good ref
+	testingChartCreationTime := "1977-09-02T22:04:05Z"
+	chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
+	suite.Nil(err, "no error loading test chart")
+	meta, err := extractChartMeta(chartData)
+	suite.Nil(err, "no error extracting chart meta")
+	ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
+	_, err = suite.RegistryClient.Push(chartData, ref, PushOptCreationTime(testingChartCreationTime))
+	suite.NotNil(err, "error pushing good ref because auth server don't give proper token")
+
+	//shutdown auth server
+	err = server.Shutdown(context.Background())
+	suite.Nil(err, "shutdown simple auth server")
+
+}
+
+func (suite *RegistryScopeTestSuite) Test_2_Cehck_Pull_Request_Scope() {
+
+	//set simple auth server to check the auth request scope
+	server := &http.Server{
+		Addr: suite.AuthServerHost,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			suite.Equal(string("/auth?scope=repository%3Atestrepo%2Flocal-subchart%3Apull&service=testservice"), r.URL.String())
+			w.WriteHeader(http.StatusOK)
+		}),
+	}
+	go func() {
+		err := server.ListenAndServe()
+		if err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server failed to ListenAndServe:%v", err)
+		}
+	}()
+
+	// Load test chart (to build ref pushed in previous test)
+	// Simple pull, chart only
+	chartData, err := os.ReadFile("../downloader/testdata/local-subchart-0.1.0.tgz")
+	suite.Nil(err, "no error loading test chart")
+	meta, err := extractChartMeta(chartData)
+	suite.Nil(err, "no error extracting chart meta")
+	ref := fmt.Sprintf("%s/testrepo/%s:%s", suite.DockerRegistryHost, meta.Name, meta.Version)
+	_, err = suite.RegistryClient.Pull(ref)
+	suite.NotNil(err, "error pulling a simple chart because auth server don't give proper token")
+
+	//shutdown auth server
+	err = server.Shutdown(context.Background())
+	suite.Nil(err, "shutdown simple auth server")
+}
+
+func TestRegistryScopeTestSuite(t *testing.T) {
+	suite.Run(t, new(RegistryScopeTestSuite))
+}
--- a/pkg/registry/client_tls_test.go
+++ b/pkg/registry/client_tls_test.go
@ -31,7 +31,7 @@ type TLSRegistryClientTestSuite struct {

 func (suite *TLSRegistryClientTestSuite) SetupSuite() {
 	// init test client
-	dockerRegistry := setup(&suite.TestSuite, true, false)
+	dockerRegistry := setup(&suite.TestSuite, true, false, "htpasswd")

 	// Start Docker registry
 	go dockerRegistry.ListenAndServe()
--- a/pkg/registry/utils_test.go
+++ b/pkg/registry/utils_test.go
@ -35,8 +35,10 @@ import (
 	"github.com/distribution/distribution/v3/configuration"
 	"github.com/distribution/distribution/v3/registry"
 	_ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
+	_ "github.com/distribution/distribution/v3/registry/auth/token"
 	_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
 	"github.com/foxcpp/go-mockdns"
+	"github.com/phayes/freeport"
 	"github.com/stretchr/testify/suite"
 	"golang.org/x/crypto/bcrypt"

@ -56,12 +58,15 @@ var (
 	testHtpasswdFileBasename = "authtest.htpasswd"
 	testUsername             = "myuser"
 	testPassword             = "mypass"
+	testIssuer               = "testissuer"
+	testService              = "testservice"
 )

 type TestSuite struct {
 	suite.Suite
 	Out                     io.Writer
 	DockerRegistryHost      string
+	AuthServerHost          string
 	CompromisedRegistryHost string
 	WorkspaceDir            string
 	RegistryClient          *Client
@ -70,7 +75,7 @@ type TestSuite struct {
 	srv *mockdns.Server
 }

-func setup(suite *TestSuite, tlsEnabled, insecure bool) *registry.Registry {
+func setup(suite *TestSuite, tlsEnabled, insecure bool, auth string) *registry.Registry {
 	suite.WorkspaceDir = testWorkspaceDir
 	os.RemoveAll(suite.WorkspaceDir)
 	os.Mkdir(suite.WorkspaceDir, 0700)
@ -147,11 +152,27 @@ func setup(suite *TestSuite, tlsEnabled, insecure bool) *registry.Registry {
 	config.HTTP.DrainTimeout = time.Duration(10) * time.Second
 	config.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}

-	config.Auth = configuration.Auth{
-		"htpasswd": configuration.Parameters{
-			"realm": "localhost",
-			"path":  htpasswdPath,
-		},
+	if auth == "token" {
+		port, err := freeport.GetFreePort()
+		suite.Nil(err, "no error finding free port for test auth server")
+
+		suite.AuthServerHost = fmt.Sprintf("localhost:%d", port)
+
+		config.Auth = configuration.Auth{
+			"token": configuration.Parameters{
+				"realm":          "http://" + suite.AuthServerHost + "/auth",
+				"service":        testService,
+				"issuer":         testIssuer,
+				"rootcertbundle": tlsServerCert,
+			},
+		}
+	} else {
+		config.Auth = configuration.Auth{
+			"htpasswd": configuration.Parameters{
+				"realm": "localhost",
+				"path":  htpasswdPath,
+			},
+		}
 	}

 	// config tls