-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix HTTP credentials passing #11538
Fix HTTP credentials passing #11538
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
NOTE: The comments in the pkg/auth package talk about the AuthHeader using multiple values and ConfigHeader using a map, but the actual code supports multiple header values the other way around. Which one is correct? I’ve been assuming it’s the code. |
b362e5d
to
6df6c60
Compare
6df6c60
to
9c65002
Compare
9c65002
to
1e1fa05
Compare
A friendly reminder that this PR had no activity for 30 days. |
@mtrmac any progress on this? |
1e1fa05
to
09477b3
Compare
09477b3
to
494a87f
Compare
OK, rebased and enough with the refactoring. The PR now contains a fairly extensive refactoring of
Some parts of the above, especially of the refactor, might not be ideal, or might be actively unwanted based on concerns I’m not aware of. Please don’t hesitate to say so, I’d be happy to split this into multiple PRs, drop parts entirely, or change in any other way requested. |
494a87f
to
f51b8d8
Compare
A friendly reminder that this PR had no activity for 30 days. |
f51b8d8
to
c2cbb15
Compare
c2cbb15
to
7f05979
Compare
Almost every caller is using it only to wrap an error in exactly the same way, so move that error context into GetCredentials and simplify the users. (The one other caller, build, was even wrapping the error incorrectly talking about query parameters; so let it use the same text as the others.) Signed-off-by: Miloslav Trmač <[email protected]>
Don't create a single-element map only for the only caller to laboriously extract an element of that map; just return a single entry. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
In the "no input" case, return a constant instead of continuing with the decode/convert path, converting empty data. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
…uthHeader Both have a single caller, so there's no point in looking up the header value twice. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Use separate lines, and use the provided .String() API. Should not change behaivor. Signed-off-by: Miloslav Trmač <[email protected]>
It's possibly a bit more expensive, but semantically safer because it does header normalization. And we'll regain the cost by not looking up the value repeatedly. Signed-off-by: Miloslav Trmač <[email protected]>
... and have GetCredentials pass the values down to getConfigCredentials and getAuthCredentials. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
We'll share even more code here in the future. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
This shares the code, and makes getConfigCredentials and getAuthCredentials side-effect free and possibly easier to test. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
... which can be called independently. For now, there are no new callers, to test that the behavior has not changed. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
…Header) All callers hard-code a header value, so this is actually shorter. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
... which can be called independently. For now, there are no new callers, to test that the behavior has not changed. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
All callers hard-code a header value, so this is actually shorter. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
It is no longer used. Split the existing tests into MakeXRegistryConfigHeader and MakeXRegistryAuthHeader variants. For now we don't modify the implementations at all, to make review simpler; cleanups will follow. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Should not change (test) behavior. Signed-off-by: Miloslav Trmač <[email protected]>
which used to contain more context, but now are just a pointless copy. Should not change (test) behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Having a parameter that modifies the provides types.SystemContext seems rather unexpected and risky to have around - and the only user of that is actually a no-op; so, remove that option and simplify. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
... now that two of the three cases are the same. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
Having a parameter that modifies the provides types.SystemContext seems rather unexpected and risky to have around - and the only user of that is actually a no-op, others only provide a nil SystemContext; so, remove that option and simplify (well, somewhat; many callers now have extra &types.SystemContext{AuthFilePath} boilerplate; at least that's consistent with that code carrying a TODO to create a larger-scope SystemContext). Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
... now that they have no public users. Also remove the HeaderAuthName type, we don't need the type-safety so much for private constants, and using plain strings results in less visual noise. Should not change behavior. Signed-off-by: Miloslav Trmač <[email protected]>
93d7be0
to
5bbcfaf
Compare
LGTM |
/lgtm |
This primarily fixes the incorrect normalization added in #11430 .
That requires UNMERGED containers/image#1373Separately I abuse this PR for testing UNMERGED and mostly unrelated containers/common#763 .Also, this adds a lot of unit tests to the HTTP credential passing code, and proposes a fairly significant WIP refactoring.
Still outstanding:auth.Make…Header
(at the very least don’t modify caller’sSystemContext
)auth.MakeXRegistryAuthHeader
yet further into two, to emphasize the exclusive sets of parameters instead of pretending to handle both.See individual commit messages for details.