Merge pull request #2004 from coreos-inc/api-compliance

Registry API compliance fixes

auth/registry_jwt_auth.py

@@ -127,9 +127,11 @@ def get_auth_headers(repository=None, scopes=None):
                                                               realm_auth_path,
                                                               app.config['SERVER_HOSTNAME'])
   if repository:
-    authenticate += ',scope=repository:{0}'.format(repository)
+    scopes_string = "repository:{0}".format(repository)
     if scopes:
-      authenticate += ':' + ','.join(scopes)
+      scopes_string += ':' + ','.join(scopes)
+
+    authenticate += ',scope="{0}"'.format(scopes_string)
 
   headers['WWW-Authenticate'] = authenticate
   headers['Docker-Distribution-API-Version'] = 'registry/2.0'

endpoints/v2/__init__.py

@@ -59,8 +59,9 @@ def paginate(limit_kwarg_name='limit', offset_kwarg_name='offset',
           return
 
         next_page_token = encrypt_page_token({'offset': limit + offset})
-        link = get_app_url() + url_for(request.endpoint, **request.view_args)
-        link += '?%s; rel="next"' % urlencode({'n': limit, 'next_page': next_page_token})
+        link_url = get_app_url() + url_for(request.endpoint, **request.view_args)
+        link_param = urlencode({'n': limit, 'next_page': next_page_token})
+        link = '<%s?%s>; rel="next"' % (link_url, link_param)
         response.headers['Link'] = link
 
       kwargs[limit_kwarg_name] = limit

test/registry_tests.py

@@ -1327,6 +1327,13 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix
 class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin,
                       RegistryTestCaseMixin, LiveServerTestCase):
   """ Tests for V2 registry. """
+  def test_proper_auth_response(self):
+    response = self.conduct('GET', '/v2/devtable/doesnotexist/tags/list', auth='jwt',
+                            expected_code=401)
+    self.assertIn('WWW-Authenticate', response.headers)
+    self.assertIn('scope="repository:devtable/doesnotexist:pull"',
+                  response.headers['WWW-Authenticate'])
+
   def test_parent_misordered(self):
     images = [
       {
@@ -1377,11 +1384,15 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
         break
 
       # Check the next page of results.
-      link = result.headers['Link']
+      link_header = result.headers['Link']
+      self.assertTrue(link_header.startswith('<'))
+      self.assertTrue(link_header.endswith('>; rel="next"'))
+
+      link = link_header[1:]
       self.assertTrue(link.endswith('; rel="next"'))
 
       url, _ = link.split(';')
-      relative_url = url[len(self.get_server_url()):]
+      relative_url = url[len(self.get_server_url()):-1]
 
       encountered.update(set(result_json['tags']))
 
@@ -1707,6 +1718,8 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
 
     # Assert 401s to non-auth endpoints also get the WWW-Authenticate header.
     self.assertIn('WWW-Authenticate', response.headers)
+    self.assertIn('scope="repository:devtable/doesnotexist:pull"',
+                  response.headers['WWW-Authenticate'])
 
   def test_one_five_blacklist(self):
     self.conduct('GET', '/v2/', expected_code=404, user_agent='Go 1.1 package http')
@@ -1731,7 +1744,7 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
     self.assertIsNotNone(response.headers.get('Link'))
 
     # Request with the next link.
-    link_url = response.headers.get('Link').split(';')[0]
+    link_url = response.headers.get('Link')[1:].split(';')[0][:-1]
     v2_index = link_url.find('/v2/')
     relative_url = link_url[v2_index:]