Merge pull request #6165 from jmacelroy/main

Generating token options with each scope as a separate string.
2021-10-27 16:08:59 -04:00 · 2021-10-27 16:08:59 -04:00 · 64f7abd696
commit 64f7abd696
parent 7207818307 88fc5cf2d0
3 changed files with 186 additions and 1 deletions
--- a/remotes/docker/auth/fetch.go
+++ b/remotes/docker/auth/fetch.go
@ -58,7 +58,7 @@ func GenerateTokenOptions(ctx context.Context, host, username, secret string, c

 	scope, ok := c.Parameters["scope"]
 	if ok {
-		to.Scopes = append(to.Scopes, scope)
+		to.Scopes = append(to.Scopes, strings.Split(scope, " ")...)
 	} else {
 		log.G(ctx).WithField("host", host).Debug("no scope specified for token auth challenge")
 	}
--- a/remotes/docker/auth/fetch_test.go
+++ b/remotes/docker/auth/fetch_test.go
@ -0,0 +1,114 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestGenerateTokenOptions(t *testing.T) {
+	for _, tc := range []struct {
+		name     string
+		realm    string
+		service  string
+		username string
+		secret   string
+		scope    string
+	}{
+		{
+			name:     "MultipleScopes",
+			realm:    "https://test-realm.com",
+			service:  "registry-service",
+			username: "username",
+			secret:   "secret",
+			scope:    "repository:foo/bar:pull repository:foo/bar:pull,push",
+		},
+		{
+			name:     "SingleScope",
+			realm:    "https://test-realm.com",
+			service:  "registry-service",
+			username: "username",
+			secret:   "secret",
+			scope:    "repository:foo/bar:pull",
+		},
+		{
+			name:     "NoScope",
+			realm:    "https://test-realm.com",
+			service:  "registry-service",
+			username: "username",
+			secret:   "secret",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			c := Challenge{
+				Scheme: BearerAuth,
+				Parameters: map[string]string{
+					"realm":   tc.realm,
+					"service": tc.service,
+					"scope":   tc.scope,
+				},
+			}
+			options, err := GenerateTokenOptions(context.Background(), "host", tc.username, tc.secret, c)
+			if err != nil {
+				t.Fatalf("unexpected error %v", err)
+			}
+
+			expected := TokenOptions{
+				Realm:    tc.realm,
+				Service:  tc.service,
+				Scopes:   strings.Split(tc.scope, " "),
+				Username: tc.username,
+				Secret:   tc.secret,
+			}
+			if !reflect.DeepEqual(options, expected) {
+				t.Fatalf("expected %v, but got %v", expected, options)
+			}
+		})
+	}
+
+	t.Run("MissingRealm", func(t *testing.T) {
+		c := Challenge{
+			Scheme: BearerAuth,
+			Parameters: map[string]string{
+				"service": "service",
+				"scope":   "repository:foo/bar:pull,push",
+			},
+		}
+		_, err := GenerateTokenOptions(context.Background(), "host", "username", "secret", c)
+		if err == nil {
+			t.Fatal("expected an err and got nil")
+		}
+	})
+
+	t.Run("RealmParseError", func(t *testing.T) {
+		c := Challenge{
+			Scheme: BearerAuth,
+			Parameters: map[string]string{
+				"realm":   "127.0.0.1:8080",
+				"service": "service",
+				"scope":   "repository:foo/bar:pull,push",
+			},
+		}
+		_, err := GenerateTokenOptions(context.Background(), "host", "username", "secret", c)
+		if err == nil {
+			t.Fatal("expected an err and got nil")
+		}
+	})
+}
--- a/remotes/docker/auth/parse_test.go
+++ b/remotes/docker/auth/parse_test.go
@ -0,0 +1,71 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"reflect"
+	"testing"
+)
+
+func TestParseAuthHeader(t *testing.T) {
+	headerTemplate := `Bearer realm="%s",service="%s",scope="%s"`
+
+	for _, tc := range []struct {
+		name    string
+		realm   string
+		service string
+		scope   string
+	}{
+		{
+			name:    "SingleScope",
+			realm:   "https://auth.docker.io/token",
+			service: "registry.docker.io",
+			scope:   "repository:foo/bar:pull,push",
+		},
+		{
+			name:    "MultipleScopes",
+			realm:   "https://auth.docker.io/token",
+			service: "registry.docker.io",
+			scope:   "repository:foo/bar:pull,push repository:foo/baz:pull repository:foo/foo:push",
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			expected := []Challenge{
+				{
+					Scheme: BearerAuth,
+					Parameters: map[string]string{
+						"realm":   tc.realm,
+						"service": tc.service,
+						"scope":   tc.scope,
+					},
+				},
+			}
+
+			hdr := http.Header{
+				http.CanonicalHeaderKey("WWW-Authenticate"): []string{fmt.Sprintf(
+					headerTemplate, tc.realm, tc.service, tc.scope,
+				)},
+			}
+			actual := ParseAuthHeader(hdr)
+			if !reflect.DeepEqual(expected, actual) {
+				t.Fatalf("expected %v, but got %v", expected, actual)
+			}
+		})
+	}
+}