fix(registry): address anonymous pull issue

The assumption that either a username and/or password OR an error is
returned appears to be wrong, and results in an error later on which
looks something like the following:

```
failed to authorize: failed to fetch anonymous token: unexpected status
from GET request to https://auth.docker.io/token?scope=repository%3AXXX%2FYYY%3Apull&service=registry.docker.io:
401 Unauthorized
```

To mitigate this, confirm we actually have one of the values before
setting the `Authorization` header.

Co-authored-by: Joe Julian <me@joejulian.name>
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
pull/12424/head
Hidde Beydals 1 year ago
parent 0e72b64797
commit fe4c01f624
No known key found for this signature in database
GPG Key ID: 979F380FC2341744

@ -105,12 +105,7 @@ func NewClient(options ...ClientOption) (*Client, error) {
if err != nil { if err != nil {
return nil, errors.New("unable to retrieve credentials") return nil, errors.New("unable to retrieve credentials")
} }
// A blank returned username and password value is a bearer token authHeader(username, password, &headers)
if username == "" && password != "" {
headers.Set("Authorization", fmt.Sprintf("Bearer %s", password))
} else {
headers.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(username, password)))
}
} }
opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)} opts := []auth.ResolverOption{auth.WithResolverHeaders(headers)}

@ -256,3 +256,22 @@ func basicAuth(username, password string) string {
auth := username + ":" + password auth := username + ":" + password
return base64.StdEncoding.EncodeToString([]byte(auth)) return base64.StdEncoding.EncodeToString([]byte(auth))
} }
// authHeader generates an HTTP authorization header based on the provided
// username and password and sets it in the provided HTTP headers pointer.
//
// If both username and password are empty, no header is set.
// If only the password is provided, a "Bearer" token is created and set in
// the Authorization header.
// If both username and password are provided, a "Basic" authentication token
// is created using the basicAuth function, and set in the Authorization header.
func authHeader(username, password string, headers *http.Header) {
if username == "" && password == "" {
return
}
if username == "" {
headers.Set("Authorization", fmt.Sprintf("Bearer %s", password))
return
}
headers.Set("Authorization", fmt.Sprintf("Basic %s", basicAuth(username, password)))
}

@ -17,6 +17,7 @@ limitations under the License.
package registry // import "helm.sh/helm/v3/pkg/registry" package registry // import "helm.sh/helm/v3/pkg/registry"
import ( import (
"net/http"
"reflect" "reflect"
"testing" "testing"
"time" "time"
@ -266,3 +267,49 @@ func Test_basicAuth(t *testing.T) {
}) })
} }
} }
func Test_authHeader(t *testing.T) {
tests := []struct {
name string
username string
password string
expectedHeader http.Header
}{
{
name: "basic login header with username and password",
username: "admin",
password: "passw0rd",
expectedHeader: func() http.Header {
header := http.Header{}
header.Set("Authorization", "Basic YWRtaW46cGFzc3cwcmQ=")
return header
}(),
},
{
name: "bearer login header with no username and password",
username: "",
password: "hunter2",
expectedHeader: func() http.Header {
header := http.Header{}
header.Set("Authorization", "Bearer hunter2")
return header
}(),
},
{
name: "no change in header with neither username nor password",
username: "",
password: "",
expectedHeader: http.Header{},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := &http.Header{}
authHeader(tt.username, tt.password, got)
if !reflect.DeepEqual(*got, tt.expectedHeader) {
t.Errorf("authHeader got %#v wanted %#v", *got, tt.expectedHeader)
}
})
}
}

Loading…
Cancel
Save