summaryrefslogtreecommitdiff
path: root/pkg/auth
diff options
context:
space:
mode:
authorSascha Grunert <sgrunert@redhat.com>2021-09-03 09:42:27 +0200
committerSascha Grunert <sgrunert@redhat.com>2021-09-09 09:17:22 +0200
commitbbdaf837b190fc7b941c5b1d49404bc610ab70fc (patch)
tree91c1e7ba6ea0f386f4c0f7759fe257e85269e87a /pkg/auth
parent858d3e47c26788e64083842cc6617b666f4279a1 (diff)
downloadpodman-bbdaf837b190fc7b941c5b1d49404bc610ab70fc.tar.gz
podman-bbdaf837b190fc7b941c5b1d49404bc610ab70fc.tar.bz2
podman-bbdaf837b190fc7b941c5b1d49404bc610ab70fc.zip
Normalize auth key before calling `SetAuthentication`
Recent changes in c/image caused the `SetAuthentication` API to be more restrictive in terms of validating the `key` (`server`) input. To ensure that manually modified or entries in `~/.docker/config.json` still work, we now strip the leading `http[s]://` prefix. Fixes https://github.com/containers/podman/issues/11235 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
Diffstat (limited to 'pkg/auth')
-rw-r--r--pkg/auth/auth.go20
-rw-r--r--pkg/auth/auth_test.go66
2 files changed, 85 insertions, 1 deletions
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
index ecfa6651c..6aff880f4 100644
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@@ -259,7 +259,9 @@ func authConfigsToAuthFile(authConfigs map[string]types.DockerAuthConfig) (strin
// tested, and we make sure to use the same code as the image backend.
sys := types.SystemContext{AuthFilePath: authFilePath}
for server, config := range authConfigs {
- // Note that we do not validate the credentials here. Wassume
+ server = normalize(server)
+
+ // Note that we do not validate the credentials here. We assume
// that all credentials are valid. They'll be used on demand
// later.
if err := imageAuth.SetAuthentication(&sys, server, config.Username, config.Password); err != nil {
@@ -270,6 +272,22 @@ func authConfigsToAuthFile(authConfigs map[string]types.DockerAuthConfig) (strin
return authFilePath, nil
}
+// normalize takes a server and removes the leading "http[s]://" prefix as well
+// as removes path suffixes from docker registries.
+func normalize(server string) string {
+ stripped := strings.TrimPrefix(server, "http://")
+ stripped = strings.TrimPrefix(stripped, "https://")
+
+ /// Normalize docker registries
+ if strings.HasPrefix(stripped, "index.docker.io/") ||
+ strings.HasPrefix(stripped, "registry-1.docker.io/") ||
+ strings.HasPrefix(stripped, "docker.io/") {
+ stripped = strings.SplitN(stripped, "/", 2)[0]
+ }
+
+ return stripped
+}
+
// dockerAuthToImageAuth converts a docker auth config to one we're using
// internally from c/image. Note that the Docker types look slightly
// different, so we need to convert to be extra sure we're not running into
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
new file mode 100644
index 000000000..da2d9a5c5
--- /dev/null
+++ b/pkg/auth/auth_test.go
@@ -0,0 +1,66 @@
+package auth
+
+import (
+ "io/ioutil"
+ "testing"
+
+ "github.com/containers/image/v5/types"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestAuthConfigsToAuthFile(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ server string
+ shouldErr bool
+ expectedContains string
+ }{
+ {
+ name: "empty auth configs",
+ server: "",
+ shouldErr: false,
+ expectedContains: "{}",
+ },
+ {
+ name: "registry with prefix",
+ server: "my-registry.local/username",
+ shouldErr: false,
+ expectedContains: `"my-registry.local/username":`,
+ },
+ {
+ name: "normalize https:// prefix",
+ server: "http://my-registry.local/username",
+ shouldErr: false,
+ expectedContains: `"my-registry.local/username":`,
+ },
+ {
+ name: "normalize docker registry with https prefix",
+ server: "http://index.docker.io/v1/",
+ shouldErr: false,
+ expectedContains: `"index.docker.io":`,
+ },
+ {
+ name: "normalize docker registry without https prefix",
+ server: "docker.io/v2/",
+ shouldErr: false,
+ expectedContains: `"docker.io":`,
+ },
+ } {
+ configs := map[string]types.DockerAuthConfig{}
+ if tc.server != "" {
+ configs[tc.server] = types.DockerAuthConfig{}
+ }
+
+ filePath, err := authConfigsToAuthFile(configs)
+
+ if tc.shouldErr {
+ assert.NotNil(t, err)
+ assert.Empty(t, filePath)
+ } else {
+ assert.Nil(t, err)
+ content, err := ioutil.ReadFile(filePath)
+ assert.Nil(t, err)
+ assert.Contains(t, string(content), tc.expectedContains)
+ }
+ }
+}