This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Support auth protocol introduced by docker 1.8 #282

Merged
merged 3 commits into from
Sep 2, 2015

Conversation

flavio
Member

@flavio flavio commented Aug 20, 2015

NOTE WELL: This is some preliminary work to fix issue #276. I'm about to leave for my vacation. @mssola please take a look at the code and vet it. I can fix the broken tests once I'm back on the 1st of September (unless you really want to take care of that once you are back from your vacation).

The issue

The authorization protocol changed with Docker 1.8:

  • client does pull or push or whatever
  • daemon does ping to registry i.e. https://registry.ip/v2/
  • registry returns 401 along with realm and service, but not scope
  • daemon asks for a token from the auth server, with
    service=<registry>&scope=repository:namespace/image:push,pull

In other words, the daemon always asks for push,pull, even if you are
just doing a pull. The auth server is supposed to respond in the
following fashion:

  • If unauthenticated access is not allowed, return a 401 requiring
    user to authenticate
  • If unauthenticated access is allowed to that repo, return a web
    token

When user tries the token path against the auth server with credentials:

  • If invalid credentials, return 401
  • If valid credentials, always return a 200 with a JWT that has the
    maximum credentials allowed this user on this repository in this service
    that is a subset of the scope provided.

The daemon will always ask for push,pull, and - as long as I am validly
authenticated - the auth server should always return 200 with a valid
Web token. The Web token will list the max I am allowed.

  • If I am not allowed push or pull, then return a token with no access
  • If I am allowed pull but not push, then return a token with pull
    access only
  • If I am allowed pull and push, then return a token with push and
    pull access
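The token negotiation described above, modelled as an added Ruby example (not Portus code); `PERMISSIONS`, `parse_scope` and `token_response` are hypothetical names, and the permission table is constructed for the example:

```ruby
Scope = Struct.new(:type, :name, :actions)

# Parse "repository:namespace/image:push,pull" into a Scope.
def parse_scope(str)
  type, name, actions = str.split(":", 3)
  raise ArgumentError, "malformed scope: #{str}" unless type && name && actions
  Scope.new(type, name, actions.split(",").map(&:strip).uniq)
end

# Constructed permission table: namespace => { user => allowed actions }.
# The :anonymous entry marks what unauthenticated clients may do.
PERMISSIONS = {
  "team"   => { "alice" => %w[pull push], "bob" => %w[pull] },
  "public" => { :anonymous => %w[pull] },
}

def allowed_actions(namespace, user)
  PERMISSIONS.fetch(namespace, {}).fetch(user, [])
end

# Returns [status, body]. The daemon always asks for "push,pull"; the
# granted actions are the intersection of what was asked and what the
# user may do on that namespace, never more.
def token_response(scope_str, user:, credentials_ok:)
  scope = parse_scope(scope_str)
  namespace = scope.name.split("/").first
  if user == :anonymous
    granted = allowed_actions(namespace, :anonymous) & scope.actions
    # No anonymous access at all: ask the client to authenticate.
    return [401, { "errors" => ["authentication required"] }] if granted.empty?
  else
    return [401, { "errors" => ["invalid credentials"] }] unless credentials_ok
    granted = allowed_actions(namespace, user) & scope.actions
  end
  # Valid credentials always get a 200, even when `granted` is empty.
  access = [{ "type" => scope.type, "name" => scope.name, "actions" => granted }]
  [200, { "access" => access }] # the JWT "access" claim; signing is omitted here
end
```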

…d users

The commit 05eb390 introduces a regression in
which a logged in user can pull a repo from a private namespace that doesn't
belong to it.

The problem is that the delete_if method is screwing with the `each` iteration.
To avoid this, the returned scopes from `scope_handler` is a duplicate, instead
of being the same object.

Signed-off-by: Miquel Sabaté Solà <[email protected]>
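The iteration hazard behind the regression in the commit message above, as an added example that is not Portus code: deleting from the array that `each` is walking skips the next element, so a scope that should have been denied survives. The scope strings and the `allowed?` rule are constructed for the example.

```ruby
# Constructed rule: only scopes under the "mine" namespace are authorized.
def allowed?(scope)
  scope.start_with?("repository:mine/")
end

# Buggy: the array is mutated while `each` is iterating over the same
# object. Deleting the element at index 0 shifts the rest left, so the
# element that was at index 1 is never visited and stays in the result.
def authorize_scopes_buggy(scopes)
  scopes.each { |scope| scopes.delete(scope) unless allowed?(scope) }
  scopes
end

# Fixed: iterate over a copy and mutate the original, which is what
# returning a dup from scope_handler achieves in the commit above.
def authorize_scopes_fixed(scopes)
  scopes.dup.each { |scope| scopes.delete(scope) unless allowed?(scope) }
  scopes
end

# Simplest form: no mutation at all, build the authorized list instead.
def authorize_scopes_select(scopes)
  scopes.select { |scope| allowed?(scope) }
end
```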
@mssola
Collaborator

mssola commented Aug 27, 2015

Ok, I've pushed a fix for a regression in the first commit. With this, Portus should be able to handle the changes from docker 1.8. I haven't added more tests for it, I'll do it later today.

@mssola
Collaborator

mssola commented Aug 27, 2015

And this should be it. Rubocop is not passing because I pushed yesterday some stricter rules for the style. We can merge this anyways and I'll fix the style on master directly.

LGTM. @flavio what do you think?

Moreover, I've also added more documentation in the `authorize_scopes` method.
Finally, the `authorize_scopes` method will raise a `Pundit::NoAuthorizedError`
exception if no scopes can be authorized for the current user.

I've also updated the changelog file.

Signed-off-by: Miquel Sabaté Solà <[email protected]>
@flavio
Member Author

flavio commented Sep 2, 2015

Thanks @mssola !

flavio added a commit that referenced this pull request Sep 2, 2015
Support auth protocol introduced by docker 1.8
@flavio flavio merged commit ea4751e into master Sep 2, 2015
@flavio flavio deleted the issue-276 branch September 2, 2015 13:38