dragonflyoss · imeoer · Oct 20, 2023 · Sep 15, 2023 · Oct 18, 2023
@@ -93,19 +93,22 @@ impl Cache {
 }
 
 #[derive(Default)]
-struct HashCache(RwLock<HashMap<String, String>>);
+struct HashCache<T>(RwLock<HashMap<String, T>>);
 
-impl HashCache {
+impl<T> HashCache<T> {
     fn new() -> Self {
         HashCache(RwLock::new(HashMap::new()))
     }
 
-    fn get(&self, key: &str) -> Option<String> {
+    fn get(&self, key: &str) -> Option<T>
+    where
+        T: Clone,
+    {
         let cached_guard = self.0.read().unwrap();
         cached_guard.get(key).cloned()
     }
 
-    fn set(&self, key: String, value: String) {
+    fn set(&self, key: String, value: T) {
         let mut cached_guard = self.0.write().unwrap();
         cached_guard.insert(key, value);
     }
@@ -136,11 +139,11 @@ struct BasicAuth {
 }
 
 #[derive(Debug, Clone)]
+#[allow(dead_code)]
 struct BearerAuth {
     realm: String,
     service: String,
     scope: String,
-    header: Option<HeaderValue>,
 }
 
 #[derive(Debug)]
@@ -189,10 +192,14 @@ struct RegistryState {
     // Example: RwLock<"Bearer <token>">
     //          RwLock<"Basic base64(<username:password>)">
     cached_auth: Cache,
+    // Cache for the HTTP method when getting auth, it is "true" when using "GET" method.
+    // Due to the different implementations of various image registries, auth requests
+    // may use the GET or POST methods, we need to cache the method after the
+    // fallback, so it can be reused next time and reduce an unnecessary request.
+    cached_auth_using_http_get: HashCache<bool>,
     // Cache 30X redirect url
     // Example: RwLock<HashMap<"<blob_id>", "<redirected_url>">>
-    cached_redirect: HashCache,
-
+    cached_redirect: HashCache<String>,
     // The epoch timestamp of token expiration, which is obtained from the registry server.
     token_expired_at: ArcSwapOption<u64>,
     // Cache bearer auth for refreshing token.
@@ -236,12 +243,89 @@ impl RegistryState {
         }
     }
 
-    /// Request registry authentication server to get bearer token
+    // Request registry authentication server to get bearer token
     fn get_token(&self, auth: BearerAuth, connection: &Arc<Connection>) -> Result<TokenResponse> {
-        // The information needed for getting token needs to be placed both in
-        // the query and in the body to be compatible with different registry
-        // implementations, which have been tested on these platforms:
-        // docker hub, harbor, github ghcr, aliyun acr.
+        let http_get = self
+            .cached_auth_using_http_get
+            .get(&self.host)
+            .unwrap_or_default();
+        let resp = if http_get {
+            self.get_token_with_get(&auth, connection)?
+        } else {
+            match self.get_token_with_post(&auth, connection) {
+                Ok(resp) => resp,
+                Err(_) => {
+                    warn!("retry http GET method to get auth token");
+                    let resp = self.get_token_with_get(&auth, connection)?;
+                    // Cache http method for next use.
+                    self.cached_auth_using_http_get.set(self.host.clone(), true);
+                    resp
+                }
+            }
+        };
+
+        let ret: TokenResponse = resp.json().map_err(|e| {
+            einval!(format!(
+                "registry auth server response decode failed: {:?}",
+                e
+            ))
+        })?;
+
+        if let Ok(now_timestamp) = SystemTime::now().duration_since(UNIX_EPOCH) {
+            self.token_expired_at
+                .store(Some(Arc::new(now_timestamp.as_secs() + ret.expires_in)));
+            debug!(
+                "cached bearer auth, next time: {}",
+                now_timestamp.as_secs() + ret.expires_in
+            );
+        }
+
+        // Cache bearer auth for refreshing token.
+        self.cached_bearer_auth.store(Some(Arc::new(auth)));
+
+        Ok(ret)
+    }
+
+    // Get bearer token using a POST request
+    fn get_token_with_post(
+        &self,
+        auth: &BearerAuth,
+        connection: &Arc<Connection>,
+    ) -> Result<Response> {
+        let mut form = HashMap::new();
+        form.insert("service".to_string(), auth.service.clone());
+        form.insert("scope".to_string(), auth.scope.clone());
+        form.insert("grant_type".to_string(), "password".to_string());
+        form.insert("username".to_string(), self.username.clone());
+        form.insert("passward".to_string(), self.password.clone());
+        form.insert("client_id".to_string(), REGISTRY_CLIENT_ID.to_string());
+
+        let token_resp = connection
+            .call::<&[u8]>(
+                Method::POST,
+                auth.realm.as_str(),
+                None,
+                Some(ReqBody::Form(form)),
+                &mut HeaderMap::new(),
+                true,
+            )
+            .map_err(|e| {
+                warn!(
+                    "failed to request registry auth server by POST method: {:?}",
+                    e
+                );
+                einval!()
+            })?;
+
+        Ok(token_resp)
+    }
+
+    // Get bearer token using a GET request
+    fn get_token_with_get(
+        &self,
+        auth: &BearerAuth,
+        connection: &Arc<Connection>,
+    ) -> Result<Response> {
         let query = [
             ("service", auth.service.as_str()),
             ("scope", auth.scope.as_str()),
@@ -251,45 +335,36 @@ impl RegistryState {
             ("client_id", REGISTRY_CLIENT_ID),
         ];
 
-        let mut form = HashMap::new();
-        for (k, v) in &query {
-            form.insert(k.to_string(), v.to_string());
-        }
-
         let mut headers = HeaderMap::new();
-        if let Some(auth_header) = &auth.header {
-            headers.insert(HEADER_AUTHORIZATION, auth_header.clone());
+
+        // Insert the basic auth header to ensure the compatibility (e.g. Harbor registry)
+        // of fetching token by HTTP GET method.
+        // This refers containerd implementation: https://github.com/containerd/containerd/blob/dc7dba9c20f7210c38e8255487fc0ee12692149d/remotes/docker/auth/fetch.go#L187
+        if let Some(auth) = &self.auth {
+            headers.insert(
+                HEADER_AUTHORIZATION,
+                format!("Basic {}", auth).parse().unwrap(),
+            );
         }
 
         let token_resp = connection
             .call::<&[u8]>(
                 Method::GET,
                 auth.realm.as_str(),
                 Some(&query),
-                Some(ReqBody::Form(form)),
+                None,
                 &mut headers,
                 true,
             )
-            .map_err(|e| einval!(format!("registry auth server request failed {:?}", e)))?;
-        let ret: TokenResponse = token_resp.json().map_err(|e| {
-            einval!(format!(
-                "registry auth server response decode failed: {:?}",
-                e
-            ))
-        })?;
-        if let Ok(now_timestamp) = SystemTime::now().duration_since(UNIX_EPOCH) {
-            self.token_expired_at
-                .store(Some(Arc::new(now_timestamp.as_secs() + ret.expires_in)));
-            debug!(
-                "cached bearer auth, next time: {}",
-                now_timestamp.as_secs() + ret.expires_in
-            );
-        }
-
-        // Cache bearer auth for refreshing token.
-        self.cached_bearer_auth.store(Some(Arc::new(auth)));
+            .map_err(|e| {
+                warn!(
+                    "failed to request registry auth server by GET method: {:?}",
+                    e
+                );
+                einval!()
+            })?;
 
-        Ok(ret)
+        Ok(token_resp)
     }
 
     fn get_auth_header(&self, auth: Auth, connection: &Arc<Connection>) -> Result<String> {
@@ -308,7 +383,7 @@ impl RegistryState {
 
     /// Parse `www-authenticate` response header respond from registry server
     /// The header format like: `Bearer realm="https://auth.my-registry.com/token",service="my-registry.com",scope="repository:test/repo:pull,push"`
-    fn parse_auth(source: &HeaderValue, auth: &Option<String>) -> Option<Auth> {
+    fn parse_auth(source: &HeaderValue) -> Option<Auth> {
         let source = source.to_str().unwrap();
         let source: Vec<&str> = source.splitn(2, ' ').collect();
         if source.len() < 2 {
@@ -345,15 +420,10 @@ impl RegistryState {
                     return None;
                 }
 
-                let header = auth
-                    .as_ref()
-                    .map(|auth| HeaderValue::from_str(&format!("Basic {}", auth)).unwrap());
-
                 Some(Auth::Bearer(BearerAuth {
                     realm: (*paras.get("realm").unwrap()).to_string(),
                     service: (*paras.get("service").unwrap()).to_string(),
                     scope: (*paras.get("scope").unwrap()).to_string(),
-                    header,
                 }))
             }
             _ => None,
@@ -515,7 +585,7 @@ impl RegistryReader {
 
             if let Some(resp_auth_header) = resp.headers().get(HEADER_WWW_AUTHENTICATE) {
                 // Get token from registry authorization server
-                if let Some(auth) = RegistryState::parse_auth(resp_auth_header, &self.state.auth) {
+                if let Some(auth) = RegistryState::parse_auth(resp_auth_header) {
                     let auth_header = self
                         .state
                         .get_auth_header(auth, &self.connection)
@@ -807,6 +877,7 @@ impl Registry {
             retry_limit,
             blob_url_scheme: config.blob_url_scheme.clone(),
             blob_redirected_host: config.blob_redirected_host.clone(),
+            cached_auth_using_http_get: HashCache::new(),
             cached_redirect: HashCache::new(),
             token_expired_at: ArcSwapOption::new(None),
             cached_bearer_auth: ArcSwapOption::new(None),
@@ -988,6 +1059,7 @@ mod tests {
             retry_limit: 5,
             blob_url_scheme: "https".to_string(),
             blob_redirected_host: "oss.alibaba-inc.com".to_string(),
+            cached_auth_using_http_get: Default::default(),
             cached_auth: Default::default(),
             cached_redirect: Default::default(),
             token_expired_at: ArcSwapOption::new(None),
@@ -1008,7 +1080,7 @@ mod tests {
     fn test_parse_auth() {
         let str = "Bearer realm=\"https://auth.my-registry.com/token\",service=\"my-registry.com\",scope=\"repository:test/repo:pull,push\"";
         let header = HeaderValue::from_str(str).unwrap();
-        let auth = RegistryState::parse_auth(&header, &None).unwrap();
+        let auth = RegistryState::parse_auth(&header).unwrap();
         match auth {
             Auth::Bearer(auth) => {
                 assert_eq!(&auth.realm, "https://auth.my-registry.com/token");
@@ -1020,15 +1092,15 @@ mod tests {
 
         let str = "Basic realm=\"https://auth.my-registry.com/token\"";
         let header = HeaderValue::from_str(str).unwrap();
-        let auth = RegistryState::parse_auth(&header, &None).unwrap();
+        let auth = RegistryState::parse_auth(&header).unwrap();
         match auth {
             Auth::Basic(auth) => assert_eq!(&auth.realm, "https://auth.my-registry.com/token"),
             _ => panic!("failed to pase `Bearer` authentication header"),
         }
 
         let str = "Base realm=\"https://auth.my-registry.com/token\"";
         let header = HeaderValue::from_str(str).unwrap();
-        assert!(RegistryState::parse_auth(&header, &None).is_none());
+        assert!(RegistryState::parse_auth(&header).is_none());
     }
 
     #[test]