summaryrefslogtreecommitdiff
path: root/pkg/auth/auth.go
Commit message (Collapse)AuthorAge
* pkg/auth: drop the TODOValentin Rothberg2022-05-25
| | | | | | It is not a TODO item and if, it should be added to c/image. Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
* Refactor manifest list operationsJhon Honce2022-01-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Update method/function signatures use the manifest list name and images associated with the operation explicitly, in general func f(ctx context.Context, manifestListName string, ImageNames []string, options *fOptions) * Leverage gorilla/mux Subrouters to support API v3.x and v4.x for manifests * Make manifest API endpoints more RESTful * Add PUT /manifest/{id} to update existing manifests * Add manifests.Annotate to go bindings, uncommented unit test * Add DELETE /manifest/{Id} to remove existing manifest list, use PUT /manifest/{id} to remove images from a list * Deprecated POST /manifest/{id}/add and /manifest/{id}/remove, use PUT /manifest/{id} instead * Corrected swagger godoc and updated to cover API changes * Update podman manifest commands to use registry.Context() * Expose utils.GetVar() to obtain query parameters by name * Unexpose server.registerSwaggerHandlers, not sure why this was ever exposed. * Refactored code to use http.Header instead of map[string]string when operating on HTTP headers. * Add API-Version header support in bindings to allow calling explicate versions of the API. Header is _NOT_ forwarded to the API service. Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Make XRegistryAuthHeader and XRegistryConfigHeader privateMiloslav Trmač2021-12-10
| | | | | | | | | | | | ... now that they have no public users. Also remove the HeaderAuthName type, we don't need the type-safety so much for private constants, and using plain strings results in less visual noise. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the authfile parameter of MakeXRegistryAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | | | | | | | Having a parameter that modifies the provides types.SystemContext seems rather unexpected and risky to have around - and the only user of that is actually a no-op, others only provide a nil SystemContext; so, remove that option and simplify (well, somewhat; many callers now have extra &types.SystemContext{AuthFilePath} boilerplate; at least that's consistent with that code carrying a TODO to create a larger-scope SystemContext). Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove the authfile parameter of MakeXRegistryConfigHeaderMiloslav Trmač2021-12-10
| | | | | | | | | | Having a parameter that modifies the provides types.SystemContext seems rather unexpected and risky to have around - and the only user of that is actually a no-op; so, remove that option and simplify. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Remove pkg/auth.HeaderMiloslav Trmač2021-12-10
| | | | | | | | | | | | | It is no longer used. Split the existing tests into MakeXRegistryConfigHeader and MakeXRegistryAuthHeader variants. For now we don't modify the implementations at all, to make review simpler; cleanups will follow. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Turn headerAuth into MakeXRegistryAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | | | | ... which can be called independently. For now, there are no new callers, to test that the behavior has not changed. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Turn headerConfig into MakeXRegistryConfigHeaderMiloslav Trmač2021-12-10
| | | | | | | | | | | ... which can be called independently. For now, there are no new callers, to test that the behavior has not changed. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Move the auth file creation to GetCredentialsMiloslav Trmač2021-12-10
| | | | | | | | | This shares the code, and makes getConfigCredentials and getAuthCredentials side-effect free and possibly easier to test. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Consolidate the error handling path in GetCredentialsMiloslav Trmač2021-12-10
| | | | | | | | We'll share even more code here in the future. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Only look up HTTP header values once in GetCredentialsMiloslav Trmač2021-12-10
| | | | | | | | | ... and have GetCredentials pass the values down to getConfigCredentials and getAuthCredentials. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Use Header.Values in GetCredentials.hasMiloslav Trmač2021-12-10
| | | | | | | | | It's possibly a bit more expensive, but semantically safer because it does header normalization. And we'll regain the cost by not looking up the value repeatedly. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Beautify GetCredentials.has a bitMiloslav Trmač2021-12-10
| | | | | | | | Use separate lines, and use the provided .String() API. Should not change behaivor. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Pass a header value directly to parseSingleAuthHeader and parseMultiAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | | Both have a single caller, so there's no point in looking up the header value twice. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify parseSingleAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | | In the "no input" case, return a constant instead of continuing with the decode/convert path, converting empty data. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Simplify the interface of parseSingleAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | | | Don't create a single-element map only for the only caller to laboriously extract an element of that map; just return a single entry. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Don't return a header name from auth.GetCredentialsMiloslav Trmač2021-12-10
| | | | | | | | | | | Almost every caller is using it only to wrap an error in exactly the same way, so move that error context into GetCredentials and simplify the users. (The one other caller, build, was even wrapping the error incorrectly talking about query parameters; so let it use the same text as the others.) Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Fix normalizeAuthFileKey to use the correct semanticsMiloslav Trmač2021-12-10
| | | | Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Rename normalize and a few variablesMiloslav Trmač2021-12-10
| | | | | | | | ... to refer to auth file keys instead of servers and the like. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add unit tests for singleAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | Also rename it to parseSingleAuthHeader Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* Add unit tests for multiAuthHeaderMiloslav Trmač2021-12-10
| | | | | | | | Also rename it to parseMultiAuthHeader. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
* standardize logrus messages to upper caseDaniel J Walsh2021-09-22
| | | | | | | | Remove ERROR: Error stutter from logrus messages also. [ NO TESTS NEEDED] This is just code cleanup. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Normalize auth key before calling `SetAuthentication`Sascha Grunert2021-09-09
| | | | | | | | | | | Recent changes in c/image caused the `SetAuthentication` API to be more restrictive in terms of validating the `key` (`server`) input. To ensure that manually modified or entries in `~/.docker/config.json` still work, we now strip the leading `http[s]://` prefix. Fixes https://github.com/containers/podman/issues/11235 Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
* Enable whitespace linterPaul Holzinger2021-02-11
| | | | | | | | Use the whitespace linter and fix the reported problems. [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
* Accept and ignore 'null' as value for X-Registry-AuthMilivoje Legenovic2021-01-22
| | | | | | | | | | docker-client is a library written in Java and used in Eclipse to speak with Docker API. When endpoint /images/search is called, HTTP header attribute X-Registry-Auth has value "null". This is for sure wrong but Docker tolerates this value, and call works. With this patch call works also with Podman. #7857 Signed-off-by: Milivoje Legenovic <m.legenovic@gmail.com>
* Add X-Registry-Config supportJhon Honce2020-09-29
| | | | | | | | | | | | * Refactor auth pkg to support X-Registry-Config * Refactor build endpoint to support X-Registry-Config. Supports: * --creds * --authfile * Added X-Reference-Id Header to http.Request to support log event correlation * Log headers from http.Request Signed-off-by: Jhon Honce <jhonce@redhat.com>
* Fix up errors found by codespellDaniel J Walsh2020-09-11
| | | | Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* compat handlers: add X-Registry-Auth header supportValentin Rothberg2020-05-29
* Support the `X-Registry-Auth` http-request header. * The content of the header is a base64 encoded JSON payload which can either be a single auth config or a map of auth configs (user+pw or token) with the corresponding registries being the keys. Vanilla Docker, projectatomic Docker and the bindings are transparantly supported. * Add a hidden `--registries-conf` flag. Buildah exposes the same flag, mostly for testing purposes. * Do all credential parsing in the client (i.e., `cmd/podman`) pass the username and password in the backend instead of unparsed credentials. * Add a `pkg/auth` which handles most of the heavy lifting. * Go through the authentication-handling code of most commands, bindings and endpoints. Migrate them to the new code and fix issues as seen. A final evaluation and more tests is still required *after* this change. * The manifest-push endpoint is missing certain parameters and should use the ABI function instead. Adding auth-support isn't really possible without these parts working. * The container commands and endpoints (i.e., create and run) have not been changed yet. The APIs don't yet account for the authfile. * Add authentication tests to `pkg/bindings`. Fixes: #6384 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>