fix: Remove authorization header from core.windows.net requests… (#5274)

renovatebot · Feb 4, 2020 · 4c258e2 · 4c258e2
1 parent 58fd656
commit 4c258e2
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 20 deletions.
diff --git a/lib/datasource/docker/index.ts b/lib/datasource/docker/index.ts
@@ -1,3 +1,7 @@
+/**
+ * @copyright 2020-present by Avid Technology, Inc.
+ */
+
 import is from '@sindresorhus/is';
 import hasha from 'hasha';
 import URL from 'url';
@@ -420,33 +424,39 @@ async function getTags(
   }
 }
 
+export function getConfigResponseBeforeRedirectHook(options: any): void {
+  if (options.search?.includes('X-Amz-Algorithm')) {
+    // if there is no port in the redirect URL string, then delete it from the redirect options.
+    // This can be evaluated for removal after upgrading to Got v10
+    const portInUrl = options.href.split('/')[2].split(':')[1];
+    if (!portInUrl) {
+      // eslint-disable-next-line no-param-reassign
+      delete options.port; // Redirect will instead use 80 or 443 for HTTP or HTTPS respectively
+    }
+
+    // docker registry is hosted on amazon, redirect url includes authentication.
+    // eslint-disable-next-line no-param-reassign
+    delete options.headers.authorization;
+  }
+
+  if (
+    options.href?.includes('blob.core.windows.net') &&
+    options.headers?.authorization
+  ) {
+    // docker registry is hosted on Azure blob, redirect url includes authentication.
+    // eslint-disable-next-line no-param-reassign
+    delete options.headers.authorization;
+  }
+}
+
 export function getConfigResponse(
   url: string,
   headers: OutgoingHttpHeaders
 ): Promise<GotResponse> {
   return got(url, {
     headers,
     hooks: {
-      beforeRedirect: [
-        (options: any): void => {
-          if (
-            options.search &&
-            options.search.indexOf('X-Amz-Algorithm') !== -1
-          ) {
-            // if there is no port in the redirect URL string, then delete it from the redirect options.
-            // This can be evaluated for removal after upgrading to Got v10
-            const portInUrl = options.href.split('/')[2].split(':')[1];
-            if (!portInUrl) {
-              // eslint-disable-next-line no-param-reassign
-              delete options.port; // Redirect will instead use 80 or 443 for HTTP or HTTPS respectively
-            }
-
-            // docker registry is hosted on amazon, redirect url includes authentication.
-            // eslint-disable-next-line no-param-reassign
-            delete options.headers.authorization;
-          }
-        },
-      ],
+      beforeRedirect: [getConfigResponseBeforeRedirectHook],
     },
   });
 }

diff --git a/test/datasource/docker.spec.ts b/test/datasource/docker.spec.ts
@@ -411,4 +411,88 @@ describe('api/docker', () => {
       expect(res).toBeNull();
     });
   });
+  describe('getConfigResponseBeforeRedirectHook', () => {
+    it('leaves a non-Amazon or Microsoft request unmodified', () => {
+      const emptyOpts = {};
+      docker.getConfigResponseBeforeRedirectHook(emptyOpts);
+      expect(emptyOpts).toEqual({});
+
+      const nonAmzOpts = {
+        search: 'my-search-string',
+      };
+      docker.getConfigResponseBeforeRedirectHook(nonAmzOpts);
+      expect(nonAmzOpts).toEqual({
+        search: 'my-search-string',
+      });
+
+      const nonMsOpts = {
+        href: 'https://myurl.com',
+      };
+      docker.getConfigResponseBeforeRedirectHook(nonMsOpts);
+      expect(nonMsOpts).toEqual({
+        href: 'https://myurl.com',
+      });
+    });
+
+    it('removes the authorization header for Azure requests', () => {
+      const href = 'https://myaccount.blob.core.windows.net/xyz';
+      const opts = {
+        href,
+      };
+      docker.getConfigResponseBeforeRedirectHook(opts);
+      expect(opts).toEqual({ href });
+
+      const optsWithHeadersNoAuth = {
+        href,
+        headers: {},
+      };
+      docker.getConfigResponseBeforeRedirectHook(opts);
+      expect(optsWithHeadersNoAuth).toEqual({
+        href,
+        headers: {},
+      });
+
+      const optsWithAuth = {
+        href,
+        headers: {
+          authorization: 'Bearer xyz',
+        },
+      };
+      docker.getConfigResponseBeforeRedirectHook(optsWithAuth);
+      expect(optsWithAuth.headers).toBeDefined();
+      expect(optsWithAuth.headers.authorization).not.toBeDefined();
+    });
+
+    it('removes the authorization header for Amazon requests', () => {
+      const href = 'https://amazon.com';
+      const search = 'X-Amz-Algorithm';
+      const authorization = 'Bearer xyz';
+      const opts = {
+        href,
+        search,
+        headers: {
+          authorization,
+        },
+      };
+      docker.getConfigResponseBeforeRedirectHook(opts);
+      expect(opts).toEqual({ search, href, headers: {} });
+    });
+
+    it('removes the port when not specified in URL', () => {
+      const href = 'https://amazon.com/xyz';
+      const search = 'X-Amz-Algorithm';
+      const authorization = 'Bearer xyz';
+      const port = 8080;
+      const opts = {
+        href,
+        search,
+        port,
+        headers: {
+          authorization,
+        },
+      };
+      docker.getConfigResponseBeforeRedirectHook(opts);
+      expect(opts).toEqual({ search, href, headers: {} });
+    });
+  });
 });