Normalize auth key before calling SetAuthentication
#11430
Conversation
openshift-ci
bot
added
the
approved
saschagrunert
force-pushed
the
normalize-key
branch
from
62a698e to
e5a4a65
Compare
|
Shouldn't this be in containers/common/pkg/auth, then Buildah and other tools like Skopeo and CRI-O could use it. |
I don't think so, it's used for the REST API. |
saschagrunert
force-pushed
the
normalize-key
branch
2 times, most recently
from
e7bbc5a to
2276004
Compare
saschagrunert
force-pushed
the
normalize-key
branch
from
2276004 to
e0b32c2
Compare
pkg/auth/auth.go
Outdated
| // the resulting registry. | ||
| func stripHTTPSPrefix(server string) string { | ||
| stripped := strings.TrimPrefix(server, "http://") | ||
| return strings.TrimPrefix(stripped, "https://") |
There was a problem hiding this comment.
This turns the proverbial https://index.docker.io/v1/ into index.docker.io/v1/, a repo-namespaced value (and an invalid one at that.)
There was a problem hiding this comment.
Added normalization cases for docker registries as well.
There was a problem hiding this comment.
This is still so different from https://github.com/containers/image/blob/4fcb52359b759a276a760fb28c939c357b3aea48/pkg/docker/config/config.go#L732 . Why?
http{,s}://-prefixed entries are not namespaced; but it is supposed to be possible to have a docker.io/vendor namespaced entry.
It could even be interesting to have a test that provides a file directly to |
Recent changes in c/image caused the `SetAuthentication` API to be more restrictive in terms of validating the `key` (`server`) input. To ensure that manually modified or entries in `~/.docker/config.json` still work, we now strip the leading `http[s]://` prefix. Fixes containers#11235 Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert
force-pushed
the
normalize-key
branch
from
e0b32c2 to
bbdaf83
Compare
Sure, I added unit tests around the covered use cases. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
| name: "normalize https:// prefix", | ||
| server: "http://my-registry.local/username", | ||
| shouldErr: false, | ||
| expectedContains: `"my-registry.local/username":`, |
There was a problem hiding this comment.
| name: "normalize docker registry with https prefix", | ||
| server: "http://index.docker.io/v1/", | ||
| shouldErr: false, | ||
| expectedContains: `"index.docker.io":`, |
There was a problem hiding this comment.
I’d expect the key to be docker.io here, although ultimately it works.
| name: "normalize docker registry without https prefix", | ||
| server: "docker.io/v2/", | ||
| shouldErr: false, | ||
| expectedContains: `"docker.io":`, |
There was a problem hiding this comment.
This should be docker.io/v2, or rejected as invalid due to the trailing slash. (it never matches in actual files).
|
containers/image#1373 could help with this problem by making But the server should still be doing its own normalization, at the very least to support older clients, incl. possibly (?) projectatomic/docker . |
github-actions
bot
added
the
locked - please file new issue/PR
Recent changes in c/image caused the
SetAuthenticationAPI to be morerestrictive in terms of validating the
key(server) input. To ensurethat manually modified or entries in
~/.docker/config.jsonstill work,we now strip the leading
http[s]://prefix.Fixes #11235