Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Remove authorization header from core.windows.net requests for Azure docker registries #5274

Merged
merged 6 commits into from Feb 4, 2020
Merged

fix: Remove authorization header from core.windows.net requests for Azure docker registries #5274

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1606e08
Unpack access_token correctly from auth header
joeapearson Jan 31, 2020
bda79f1
Backwards compatible fix
joeapearson Jan 31, 2020
931616c
fix: don't pass auth when using azurecr.io registries
joeapearson Jan 31, 2020
48df0a0
Merge remote-tracking branch 'upstream/master'
joeapearson Jan 31, 2020
6bfe923
Add tests
joeapearson Feb 3, 2020
b30f16a
pr suggestions
joeapearson Feb 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
50 changes: 30 additions & 20 deletions lib/datasource/docker/index.ts
View file
Open in desktop
@@ -1,3 +1,7 @@
/**
* @copyright 2020-present by Avid Technology, Inc.
*/

import is from '@sindresorhus/is';
import hasha from 'hasha';
import URL from 'url';
Expand Down Expand Up @@ -420,33 +424,39 @@ async function getTags(
}
}

export function getConfigResponseBeforeRedirectHook(options: any): void {
viceice marked this conversation as resolved.
Show resolved Hide resolved
if (options.search?.includes('X-Amz-Algorithm')) {
// if there is no port in the redirect URL string, then delete it from the redirect options.
// This can be evaluated for removal after upgrading to Got v10
const portInUrl = options.href.split('/')[2].split(':')[1];
if (!portInUrl) {
// eslint-disable-next-line no-param-reassign
delete options.port; // Redirect will instead use 80 or 443 for HTTP or HTTPS respectively
}

// docker registry is hosted on amazon, redirect url includes authentication.
// eslint-disable-next-line no-param-reassign
delete options.headers.authorization;
}

if (
options.href?.includes('blob.core.windows.net') &&
viceice marked this conversation as resolved.
Show resolved Hide resolved
options.headers?.authorization
) {
// docker registry is hosted on Azure blob, redirect url includes authentication.
// eslint-disable-next-line no-param-reassign
delete options.headers.authorization;
}
}

export function getConfigResponse(
url: string,
headers: OutgoingHttpHeaders
): Promise<GotResponse> {
return got(url, {
headers,
hooks: {
beforeRedirect: [
(options: any): void => {
if (
options.search &&
options.search.indexOf('X-Amz-Algorithm') !== -1
) {
// if there is no port in the redirect URL string, then delete it from the redirect options.
// This can be evaluated for removal after upgrading to Got v10
const portInUrl = options.href.split('/')[2].split(':')[1];
if (!portInUrl) {
// eslint-disable-next-line no-param-reassign
delete options.port; // Redirect will instead use 80 or 443 for HTTP or HTTPS respectively
}

// docker registry is hosted on amazon, redirect url includes authentication.
// eslint-disable-next-line no-param-reassign
delete options.headers.authorization;
}
},
],
beforeRedirect: [getConfigResponseBeforeRedirectHook],
},
});
}
Expand Down
84 changes: 84 additions & 0 deletions test/datasource/docker.spec.ts
View file
Open in desktop
Expand Up @@ -411,4 +411,88 @@ describe('api/docker', () => {
expect(res).toBeNull();
});
});
describe('getConfigResponseBeforeRedirectHook', () => {
it('leaves a non-Amazon or Microsoft request unmodified', () => {
const emptyOpts = {};
docker.getConfigResponseBeforeRedirectHook(emptyOpts);
expect(emptyOpts).toEqual({});

const nonAmzOpts = {
search: 'my-search-string',
};
docker.getConfigResponseBeforeRedirectHook(nonAmzOpts);
expect(nonAmzOpts).toEqual({
search: 'my-search-string',
});

const nonMsOpts = {
href: 'https://myurl.com',
};
docker.getConfigResponseBeforeRedirectHook(nonMsOpts);
expect(nonMsOpts).toEqual({
href: 'https://myurl.com',
});
});

it('removes the authorization header for Azure requests', () => {
const href = 'https://myaccount.blob.core.windows.net/xyz';
const opts = {
href,
};
docker.getConfigResponseBeforeRedirectHook(opts);
expect(opts).toEqual({ href });

const optsWithHeadersNoAuth = {
href,
headers: {},
};
docker.getConfigResponseBeforeRedirectHook(opts);
expect(optsWithHeadersNoAuth).toEqual({
href,
headers: {},
});

const optsWithAuth = {
href,
headers: {
authorization: 'Bearer xyz',
},
};
docker.getConfigResponseBeforeRedirectHook(optsWithAuth);
expect(optsWithAuth.headers).toBeDefined();
expect(optsWithAuth.headers.authorization).not.toBeDefined();
});

it('removes the authorization header for Amazon requests', () => {
const href = 'https://amazon.com';
const search = 'X-Amz-Algorithm';
const authorization = 'Bearer xyz';
const opts = {
href,
search,
headers: {
authorization,
},
};
docker.getConfigResponseBeforeRedirectHook(opts);
expect(opts).toEqual({ search, href, headers: {} });
});

it('removes the port when not specified in URL', () => {
const href = 'https://amazon.com/xyz';
const search = 'X-Amz-Algorithm';
const authorization = 'Bearer xyz';
const port = 8080;
const opts = {
href,
search,
port,
headers: {
authorization,
},
};
docker.getConfigResponseBeforeRedirectHook(opts);
expect(opts).toEqual({ search, href, headers: {} });
});
});
});