vbatts/registry
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

add autoredirect auth config

Browse source 
It redirects the user to to the Host header's domain whenever they try to use
token auth.

Signed-off-by: David Wu <david.wu@docker.com>
This commit is contained in:
Viktor Stanchev 2017-03-13 16:35:15 -07:00 committed by David Wu
parent 16128bbac4
commit f730f3ab77
5 changed files with 43 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
registry/auth/auth.go
View file

@ -21,7 +21,7 @@
// if ctx, err := accessController.Authorized(ctx, access); err != nil { // if ctx, err := accessController.Authorized(ctx, access); err != nil {
// if challenge, ok := err.(auth.Challenge) { // if challenge, ok := err.(auth.Challenge) {
// // Let the challenge write the response. // // Let the challenge write the response.
// challenge.SetHeaders(w) // challenge.SetHeaders(r, w)
// w.WriteHeader(http.StatusUnauthorized) // w.WriteHeader(http.StatusUnauthorized)
// return // return
// } else { // } else {
@ -87,7 +87,7 @@ type Challenge interface {
// adding the an HTTP challenge header on the response message. Callers // adding the an HTTP challenge header on the response message. Callers
// are expected to set the appropriate HTTP status code (e.g. 401) // are expected to set the appropriate HTTP status code (e.g. 401)
// themselves. // themselves.
SetHeaders(w http.ResponseWriter) SetHeaders(r *http.Request, w http.ResponseWriter)
} }
// AccessController controls access to registry resources based on a request // AccessController controls access to registry resources based on a request

2
registry/auth/htpasswd/access.go
View file

@ -111,7 +111,7 @@ type challenge struct {
var _ auth.Challenge = challenge{} var _ auth.Challenge = challenge{}
// SetHeaders sets the basic challenge header on the response. // SetHeaders sets the basic challenge header on the response.
func (ch challenge) SetHeaders(w http.ResponseWriter) { func (ch challenge) SetHeaders(r *http.Request, w http.ResponseWriter) {
w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm)) w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q", ch.realm))
} }

2
registry/auth/silly/access.go
View file

@ -82,7 +82,7 @@ type challenge struct {
var _ auth.Challenge = challenge{} var _ auth.Challenge = challenge{}
// SetHeaders sets a simple bearer challenge on the response. // SetHeaders sets a simple bearer challenge on the response.
func (ch challenge) SetHeaders(w http.ResponseWriter) { func (ch challenge) SetHeaders(r *http.Request, w http.ResponseWriter) {
header := fmt.Sprintf("Bearer realm=%q,service=%q", ch.realm, ch.service) header := fmt.Sprintf("Bearer realm=%q,service=%q", ch.realm, ch.service)
if ch.scope != "" { if ch.scope != "" {

25
registry/auth/token/accesscontroller.go
View file

@ -78,6 +78,7 @@ var (
type authChallenge struct { type authChallenge struct {
err error err error
realm string realm string
autoRedirect bool
service string service string
accessSet accessSet accessSet accessSet
} }
@ -97,8 +98,14 @@ func (ac authChallenge) Status() int {
// challengeParams constructs the value to be used in // challengeParams constructs the value to be used in
// the WWW-Authenticate response challenge header. // the WWW-Authenticate response challenge header.
// See https://tools.ietf.org/html/rfc6750#section-3 // See https://tools.ietf.org/html/rfc6750#section-3
func (ac authChallenge) challengeParams() string { func (ac authChallenge) challengeParams(r *http.Request) string {
str := fmt.Sprintf("Bearer realm=%q,service=%q", ac.realm, ac.service) var realm string
if ac.autoRedirect {
realm = fmt.Sprintf("https://%s/auth/token", r.Host)
} else {
realm = ac.realm
}
str := fmt.Sprintf("Bearer realm=%q,service=%q", realm, ac.service)
if scope := ac.accessSet.scopeParam(); scope != "" { if scope := ac.accessSet.scopeParam(); scope != "" {
str = fmt.Sprintf("%s,scope=%q", str, scope) str = fmt.Sprintf("%s,scope=%q", str, scope)
@ -114,13 +121,14 @@ func (ac authChallenge) challengeParams() string {
} }
// SetChallenge sets the WWW-Authenticate value for the response. // SetChallenge sets the WWW-Authenticate value for the response.
func (ac authChallenge) SetHeaders(w http.ResponseWriter) { func (ac authChallenge) SetHeaders(r *http.Request, w http.ResponseWriter) {
w.Header().Add("WWW-Authenticate", ac.challengeParams()) w.Header().Add("WWW-Authenticate", ac.challengeParams(r))
} }
// accessController implements the auth.AccessController interface. // accessController implements the auth.AccessController interface.
type accessController struct { type accessController struct {
realm string realm string
autoRedirect bool
issuer string issuer string
service string service string
rootCerts *x509.CertPool rootCerts *x509.CertPool
@ -131,6 +139,7 @@ type accessController struct {
// options to the contstructor of an accessController. // options to the contstructor of an accessController.
type tokenAccessOptions struct { type tokenAccessOptions struct {
realm string realm string
autoRedirect bool
issuer string issuer string
service string service string
rootCertBundle string rootCertBundle string
@ -153,6 +162,12 @@ func checkOptions(options map[string]interface{}) (tokenAccessOptions, error) {
opts.realm, opts.issuer, opts.service, opts.rootCertBundle = vals[0], vals[1], vals[2], vals[3] opts.realm, opts.issuer, opts.service, opts.rootCertBundle = vals[0], vals[1], vals[2], vals[3]
autoRedirect, ok := options["autoredirect"].(bool)
if !ok {
return opts, fmt.Errorf("token auth requires a valid option bool: autoredirect")
}
opts.autoRedirect = autoRedirect
return opts, nil return opts, nil
} }
@ -206,6 +221,7 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
return &accessController{ return &accessController{
realm: config.realm, realm: config.realm,
autoRedirect: config.autoRedirect,
issuer: config.issuer, issuer: config.issuer,
service: config.service, service: config.service,
rootCerts: rootPool, rootCerts: rootPool,
@ -218,6 +234,7 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
func (ac *accessController) Authorized(ctx context.Context, accessItems ...auth.Access) (context.Context, error) { func (ac *accessController) Authorized(ctx context.Context, accessItems ...auth.Access) (context.Context, error) {
challenge := &authChallenge{ challenge := &authChallenge{
realm: ac.realm, realm: ac.realm,
autoRedirect: ac.autoRedirect,
service: ac.service, service: ac.service,
accessSet: newAccessSet(accessItems...), accessSet: newAccessSet(accessItems...),
} }

2
registry/handlers/app.go
View file

@ -847,7 +847,7 @@ func (app *App) authorized(w http.ResponseWriter, r *http.Request, context *Cont
switch err := err.(type) { switch err := err.(type) {
case auth.Challenge: case auth.Challenge:
// Add the appropriate WWW-Auth header // Add the appropriate WWW-Auth header
err.SetHeaders(w) err.SetHeaders(r, w)
if err := errcode.ServeJSON(w, errcode.ErrorCodeUnauthorized.WithDetail(accessRecords)); err != nil { if err := errcode.ServeJSON(w, errcode.ErrorCodeUnauthorized.WithDetail(accessRecords)); err != nil {
dcontext.GetLogger(context).Errorf("error serving error json: %v (from %v)", err, context.Errors) dcontext.GetLogger(context).Errorf("error serving error json: %v (from %v)", err, context.Errors)