From 800a5674bb37ff6e6abef41c18ccb1e9b46e0970 Mon Sep 17 00:00:00 2001
From: oliver-goetz
Date: Fri, 15 Dec 2023 00:42:50 +0100
Subject: [PATCH] Add support for `Basic Authentication` to `proxyingRegistry`
Signed-off-by: oliver-goetz
---
 registry/proxy/proxyauth.go | 29 +++++++++++++++++++----------
 registry/proxy/proxyregistry.go | 10 +++++++---
 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/registry/proxy/proxyauth.go b/registry/proxy/proxyauth.go
index 8cdc3ebffe8..bdc5fee8e1e 100644
--- a/registry/proxy/proxyauth.go
+++ b/registry/proxy/proxyauth.go
@@ -12,19 +12,28 @@ import (
 const challengeHeader = "Docker-Distribution-Api-Version"
-type userpass struct {
+type basicAuth struct {
 username string
 password string
 }
+func (b basicAuth) Basic(u *url.URL) (string, string) {
+ return b.username, b.password
+}
+
+func (b basicAuth) RefreshToken(u *url.URL, service string) string {
+ return ""
+}
+
+func (b basicAuth) SetRefreshToken(u *url.URL, service, token string) {
+}
+
 type credentials struct {
- creds map[string]userpass
+ creds map[string]basicAuth
 }
 func (c credentials) Basic(u *url.URL) (string, string) {
- up := c.creds[u.String()]
-
- return up.username, up.password
+ return c.creds[u.String()].Basic(u)
 }
 func (c credentials) RefreshToken(u *url.URL, service string) string {
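Review bot: `basicAuth.Basic` ignores its `u` argument and returns the configured username and password for whatever URL it is asked about, whereas `credentials.Basic` only answers for keys present in the `creds` map. Once this store is passed to `auth.NewBasicHandler` in the last hunk of `proxyregistry.go`, the only thing limiting where the upstream password is sent is the challenge manager and redirect handling, neither of which is visible in this diff. Binding the store to the remote registry host would make the restriction explicit: add a `host` field that `configureAuth` fills from the parsed `remoteURL` for its second return value, and have `Basic` return empty strings when `u.Host` differs. The new methods also lack doc comments; a line such as `// RefreshToken always returns "" because Basic authentication has no refresh tokens.` would explain the empty bodies.

```go
type basicAuth struct {
	host     string // remote registry host; left empty for entries stored in credentials.creds
	username string
	password string
}

// Basic returns the configured credentials, but only for the host they were configured for.
func (b basicAuth) Basic(u *url.URL) (string, string) {
	if b.host != "" && (u == nil || u.Host != b.host) {
		return "", ""
	}
	return b.username, b.password
}
// … unchanged: RefreshToken, SetRefreshToken, credentials …
```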
@@ -35,23 +44,23 @@ func (c credentials) SetRefreshToken(u *url.URL, service, token string) {
 }
 // configureAuth stores credentials for challenge responses
-func configureAuth(username, password, remoteURL string) (auth.CredentialStore, error) {
- creds := map[string]userpass{}
+func configureAuth(username, password, remoteURL string) (auth.CredentialStore, auth.CredentialStore, error) {
+ creds := map[string]basicAuth{}
 authURLs, err := getAuthURLs(remoteURL)
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 for _, url := range authURLs {
 dcontext.GetLogger(dcontext.Background()).Infof("Discovered token authentication URL: %s", url)
- creds[url] = userpass{
+ creds[url] = basicAuth{
 username: username,
 password: password,
 }
 }
- return credentials{creds: creds}, nil
+ return credentials{creds: creds}, basicAuth{username: username, password: password}, nil
 }
 func getAuthURLs(remoteURL string) ([]string, error) {
diff --git a/registry/proxy/proxyregistry.go b/registry/proxy/proxyregistry.go
index 33dcc4afa14..6f9a4185039 100644
--- a/registry/proxy/proxyregistry.go
+++ b/registry/proxy/proxyregistry.go
@@ -8,6 +8,8 @@ import (
 "sync"
 "time"
+ "github.com/distribution/reference"
+
 "github.com/distribution/distribution/v3"
 "github.com/distribution/distribution/v3/configuration"
 "github.com/distribution/distribution/v3/internal/client"
@@ -18,7 +20,6 @@ import (
 "github.com/distribution/distribution/v3/registry/proxy/scheduler"
 "github.com/distribution/distribution/v3/registry/storage"
 "github.com/distribution/distribution/v3/registry/storage/driver"
- "github.com/distribution/reference"
 )
 var repositoryTTL = 24 * 7 * time.Hour
@@ -30,6 +31,7 @@ type proxyingRegistry struct {
 ttl *time.Duration
 remoteURL url.URL
 authChallenger authChallenger
+ basicAuth auth.CredentialStore
 }
 // NewRegistryPullThroughCache creates a registry acting as a pull through cache
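Review bot: `configureAuth` now returns two values of the same type `auth.CredentialStore` with nothing telling a caller which is which, and the doc comment above it still describes a single store. Naming the results, for example `(tokenCreds, basicCreds auth.CredentialStore, err error)`, and rewording the comment to `// configureAuth returns a store keyed by the discovered token-auth URLs and a second store holding the same username/password for Basic challenges.` would make a swapped assignment at the call site easier to spot. The second store is built even when `username` and `password` are empty; how the Basic handler treats empty credentials is not visible in this diff, so that case deserves a test.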
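Review bot: The new field `basicAuth` on `proxyingRegistry` has the same name as the `basicAuth` type declared in `proxyauth.go` of this package, although the field's type is the `auth.CredentialStore` interface. Readers of `basicAuth: b` and `pr.basicAuth` in the later hunks have to work out which of the two is meant; a name such as `basicCreds` with a comment like `// basicCreds answers Basic challenges from the remote registry.` would avoid that. The struct starts before this hunk, so its other fields may follow a naming pattern worth matching.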
@@ -112,7 +114,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 }
 }
- cs, err := configureAuth(config.Username, config.Password, config.RemoteURL)
+ cs, b, err := configureAuth(config.Username, config.Password, config.RemoteURL)
 if err != nil {
 return nil, err
 }
@@ -127,6 +129,7 @@ func NewRegistryPullThroughCache(ctx context.Context, registry distribution.Name
 cm: challenge.NewSimpleManager(),
 cs: cs,
 },
+ basicAuth: b,
 }, nil
 }
@@ -155,7 +158,8 @@ func (pr *proxyingRegistry) Repository(ctx context.Context, name reference.Named
 tr := transport.NewTransport(http.DefaultTransport,
 auth.NewAuthorizer(c.challengeManager(),
- auth.NewTokenHandlerWithOptions(tkopts)))
+ auth.NewTokenHandlerWithOptions(tkopts),
+ auth.NewBasicHandler(pr.basicAuth)))
 localRepo, err := pr.embedded.Repository(ctx, name)
 if err != nil {
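Review bot: Registering `auth.NewBasicHandler(pr.basicAuth)` means the configured upstream password is attached to registry requests whenever the remote answers with a Basic challenge, and nothing in this hunk checks that `pr.remoteURL` uses https before doing so. Over a plaintext remote that long-lived secret is readable by anyone on the network path. Consider registering the Basic handler only for https remotes, or logging a warning if plaintext remotes must stay supported. `Repository` starts and ends outside this hunk, so an existing scheme check elsewhere cannot be ruled out.

```go
// Offer Basic credentials only when the remote is reached over TLS.
handlers := []auth.AuthenticationHandler{auth.NewTokenHandlerWithOptions(tkopts)}
if pr.remoteURL.Scheme == "https" {
	handlers = append(handlers, auth.NewBasicHandler(pr.basicAuth))
}
tr := transport.NewTransport(http.DefaultTransport,
	auth.NewAuthorizer(c.challengeManager(), handlers...))
// … unchanged: localRepo lookup …
```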