Fix quoting of scopes in WWW-Authenticate header

Fixes part of #2002
Joseph Schorr 2016-10-17 14:32:43 -04:00
parent 18097a1bd6
commit 3439f814b6
2 changed files with 14 additions and 3 deletions


@ -127,9 +127,11 @@ def get_auth_headers(repository=None, scopes=None):
realm_auth_path, realm_auth_path,
app.config['SERVER_HOSTNAME']) app.config['SERVER_HOSTNAME'])
if repository: if repository:
authenticate += ',scope=repository:{0}'.format(repository) scopes_string = "repository:{0}".format(repository)
if scopes: if scopes:
authenticate += ':' + ','.join(scopes) scopes_string += ':' + ','.join(scopes)
authenticate += ',scope="{0}"'.format(scopes_string)
headers['WWW-Authenticate'] = authenticate headers['WWW-Authenticate'] = authenticate
headers['Docker-Distribution-API-Version'] = 'registry/2.0' headers['Docker-Distribution-API-Version'] = 'registry/2.0'
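Review bot: `scopes_string` is placed inside a quoted-string without escaping, so a `"` or `\` in `repository` or in any entry of `scopes` would close the `scope` parameter early and the remainder would be read as further challenge parameters. Whether those values are validated before they reach `get_auth_headers` is not visible in this hunk, so either confirm that upstream or escape here with `scopes_string = scopes_string.replace('\\', '\\\\').replace('"', '\\"')` before the final `format` call. A short comment above that line stating that clients parse the value as `repository:<name>:<actions>` would also record why the quoting matters. The function body starts before the hunk.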


@ -1327,6 +1327,13 @@ class V1RegistryTests(V1RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMix
class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin, class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMixin,
RegistryTestCaseMixin, LiveServerTestCase): RegistryTestCaseMixin, LiveServerTestCase):
""" Tests for V2 registry. """ """ Tests for V2 registry. """
def test_proper_auth_response(self):
response = self.conduct('GET', '/v2/devtable/doesnotexist/tags/list', auth='jwt',
expected_code=401)
self.assertIn('WWW-Authenticate', response.headers)
self.assertIn('scope="repository:devtable/doesnotexist:pull"',
response.headers['WWW-Authenticate'])
def test_parent_misordered(self): def test_parent_misordered(self):
images = [ images = [
{ {
@ -1711,6 +1718,8 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
# Assert 401s to non-auth endpoints also get the WWW-Authenticate header. # Assert 401s to non-auth endpoints also get the WWW-Authenticate header.
self.assertIn('WWW-Authenticate', response.headers) self.assertIn('WWW-Authenticate', response.headers)
self.assertIn('scope="repository:devtable/doesnotexist:pull"',
response.headers['WWW-Authenticate'])
def test_one_five_blacklist(self): def test_one_five_blacklist(self):
self.conduct('GET', '/v2/', expected_code=404, user_agent='Go 1.1 package http') self.conduct('GET', '/v2/', expected_code=404, user_agent='Go 1.1 package http')
@ -1735,7 +1744,7 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
self.assertIsNotNone(response.headers.get('Link')) self.assertIsNotNone(response.headers.get('Link'))
# Request with the next link. # Request with the next link.
link_url = response.headers.get('Link').split(';')[0] link_url = response.headers.get('Link')[1:].split(';')[0][:-1]
v2_index = link_url.find('/v2/') v2_index = link_url.find('/v2/')
relative_url = link_url[v2_index:] relative_url = link_url[v2_index:]
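Review bot: The new `link_url` expression drops the first character of the header and the last character of the first `;`-separated segment without checking that they are `<` and `>`. A header with whitespace before the `;`, or without brackets, would therefore give a silently truncated URL instead of a clear test failure. Checking the shape first makes the assumption explicit: `link_part = response.headers.get('Link').split(';')[0].strip()`, then `self.assertTrue(link_part.startswith('<') and link_part.endswith('>'))`, then `link_url = link_part[1:-1]`. The enclosing test method starts before this hunk and appears to continue past it.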