Have the V2 registry endpoints raise Unauthorized with the proper header when anonymous access is disabled

Before this change, we'd raise a generic 401, which was breaking containerd and cri-o. Fixes https://jira.coreos.com/browse/QUAY-1332
2019-02-15 15:29:57 -05:00 · 2019-02-15 15:29:57 -05:00 · 7690d5d495
commit 7690d5d495
parent c4f7b28dc6
4 changed files with 19 additions and 5 deletions
--- a/test/registry/protocol_v2.py
+++ b/test/registry/protocol_v2.py
@ -49,6 +49,7 @@ class V2Protocol(RegistryProtocol):
      Failures.UNKNOWN_TAG: 404,
      Failures.UNAUTHORIZED: 401,
      Failures.DISALLOWED_LIBRARY_NAMESPACE: 400,
+      Failures.ANONYMOUS_NOT_ALLOWED: 401,
    },
    V2ProtocolSteps.GET_BLOB: {
      Failures.GEO_BLOCKED: 403,
@ -523,12 +524,14 @@ class V2Protocol(RegistryProtocol):
    # Perform auth and retrieve a token.
    token, _ = self.auth(session, credentials, namespace, repo_name, scopes=scopes,
                         expected_failure=expected_failure)
-    if token is None:
+    if token is None and not options.attempt_pull_without_token:
      return None

-    headers = {
-      'Authorization': 'Bearer ' + token,
-    }
+    headers = {}
+    if token:
+      headers = {
+        'Authorization': 'Bearer ' + token,
+      }

    if self.schema2:
      headers['Accept'] = ','.join(options.accept_mimetypes
@ -544,6 +547,9 @@ class V2Protocol(RegistryProtocol):
                                                       tag_name),
                              expected_status=(200, expected_failure, V2ProtocolSteps.GET_MANIFEST),
                              headers=headers)
+      if response.status_code == 401:
+        assert 'WWW-Authenticate' in response.headers
+
      response.encoding = 'utf-8'
      if expected_failure is not None:
        return None