Add function to set custom auth scope in context
Currently auth.docker.io uses a custom auth scope for (docker) plugins `repository(plugin):<repo>:<perms>`. This makes it impossible to use containerd distribution tooling to fetch plugins without also supplying a totally custom authorizer. This changes allows clients to set the correct scope on the context. It's a little bit nasty but "works". I'm also a bit suspect of some a couple of these unexported context functrions. Before the primary one used `contextWithRepositoryScope` overwrites any scope value and there is another one that appends the scope value. With this change they both append... Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This commit is contained in:
Brian Goff
parent
324a94790d
commit
e84a84a5a9
@ -51,19 +51,25 @@ func contextWithRepositoryScope(ctx context.Context, refspec reference.Spec, pus
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return context.WithValue(ctx, tokenScopesKey{}, []string{s}), nil
|
return WithScope(ctx, s), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithScope appends a custom registry auth scope to the context.
|
||||||
|
func WithScope(ctx context.Context, scope string) context.Context {
|
||||||
|
var scopes []string
|
||||||
|
if v := ctx.Value(tokenScopesKey{}); v != nil {
|
||||||
|
scopes = v.([]string)
|
||||||
|
scopes = append(scopes, scope)
|
||||||
|
} else {
|
||||||
|
scopes = []string{scope}
|
||||||
|
}
|
||||||
|
return context.WithValue(ctx, tokenScopesKey{}, scopes)
|
||||||
}
|
}
|
||||||
|
|
||||||
// contextWithAppendPullRepositoryScope is used to append repository pull
|
// contextWithAppendPullRepositoryScope is used to append repository pull
|
||||||
// scope into existing scopes indexed by the tokenScopesKey{}.
|
// scope into existing scopes indexed by the tokenScopesKey{}.
|
||||||
func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) context.Context {
|
func contextWithAppendPullRepositoryScope(ctx context.Context, repo string) context.Context {
|
||||||
var scopes []string
|
return WithScope(ctx, fmt.Sprintf("repository:%s:pull", repo))
|
||||||
|
|
||||||
if v := ctx.Value(tokenScopesKey{}); v != nil {
|
|
||||||
scopes = append(scopes, v.([]string)...)
|
|
||||||
}
|
|
||||||
scopes = append(scopes, fmt.Sprintf("repository:%s:pull", repo))
|
|
||||||
return context.WithValue(ctx, tokenScopesKey{}, scopes)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// getTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes.
|
// getTokenScopes returns deduplicated and sorted scopes from ctx.Value(tokenScopesKey{}) and common scopes.
|
||||||
|
|||||||
@ -22,6 +22,7 @@ import (
|
|||||||
|
|
||||||
"github.com/containerd/containerd/reference"
|
"github.com/containerd/containerd/reference"
|
||||||
"gotest.tools/assert"
|
"gotest.tools/assert"
|
||||||
|
"gotest.tools/assert/cmp"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestRepositoryScope(t *testing.T) {
|
func TestRepositoryScope(t *testing.T) {
|
||||||
@ -94,3 +95,14 @@ func TestGetTokenScopes(t *testing.T) {
|
|||||||
assert.DeepEqual(t, tc.expected, actual)
|
assert.DeepEqual(t, tc.expected, actual)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestCustomScope(t *testing.T) {
|
||||||
|
scope := "whatever:foo/bar:pull"
|
||||||
|
ctx := WithScope(context.Background(), scope)
|
||||||
|
ctx = contextWithAppendPullRepositoryScope(ctx, "foo/bar")
|
||||||
|
|
||||||
|
scopes := getTokenScopes(ctx, []string{})
|
||||||
|
assert.Assert(t, cmp.Len(scopes, 2))
|
||||||
|
assert.Check(t, cmp.Equal(scopes[0], "repository:foo/bar:pull"))
|
||||||
|
assert.Check(t, cmp.Equal(scopes[1], scope))
|
||||||
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user