Send the scope class as part of the token

As it is right now, it is not possible to authenticate plugin requests using `docker-auth`. The docker distribution registry expects[0] a scope with `Type` repository and `docker-auth` is sending `repository(plugin)` as that's what it receives in the request. Instead of sending `repository(plugin)` we should be sending `repository` and setting the scope class to `plugin`. The default class is `image`, which is why this works fine right now. Fixes cesanta#269
dliappis · Jan 31, 2020 · 27b3826 · 27b3826
1 parent df57cca
commit 27b3826
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/auth_server/server/server.go b/auth_server/server/server.go
@@ -38,6 +38,7 @@ import (
 
 var (
 	hostPortRegex = regexp.MustCompile(`\[?(.+?)\]?:\d+$`)
+	scopeRegex    = regexp.MustCompile(`([a-z0-9]+)(\([a-z0-9]+\))?`)
 )
 
 type AuthServer struct {
@@ -138,6 +139,7 @@ type authRequest struct {
 
 type authScope struct {
 	Type    string
+	Class   string
 	Name    string
 	Actions []string
 }
@@ -160,6 +162,22 @@ func parseRemoteAddr(ra string) net.IP {
 	return res
 }
 
+func parseScope(scope string) (string, string, error) {
+	parts := scopeRegex.FindStringSubmatch(scope)
+	if parts == nil {
+		return "", "", fmt.Errorf("malformed scope request")
+	}
+
+	switch len(parts) {
+	case 3:
+		return parts[1], "", nil
+	case 4:
+		return parts[1], parts[3], nil
+	default:
+		return "", "", fmt.Errorf("malformed scope request")
+	}
+}
+
 func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) {
 	ar := &authRequest{RemoteConnAddr: req.RemoteAddr, RemoteAddr: req.RemoteAddr}
 	if as.config.Server.RealIPHeader != "" {
@@ -212,16 +230,24 @@ func (as *AuthServer) ParseRequest(req *http.Request) (*authRequest, error) {
 		for _, scopeStr := range req.Form["scope"] {
 			parts := strings.Split(scopeStr, ":")
 			var scope authScope
+
+			scopeType, scopeClass, err := parseScope(parts[0])
+			if err != nil {
+				return nil, err
+			}
+
 			switch len(parts) {
 			case 3:
 				scope = authScope{
-					Type:    parts[0],
+					Type:    scopeType,
+					Class:   scopeClass,
 					Name:    parts[1],
 					Actions: strings.Split(parts[2], ","),
 				}
 			case 4:
 				scope = authScope{
-					Type:    parts[0],
+					Type:    scopeType,
+					Class:   scopeClass,
 					Name:    parts[1] + ":" + parts[2],
 					Actions: strings.Split(parts[3], ","),
 				}