registry: use the privileged client to get signatures
mfojtik committed Sep 17, 2017
1 parent 2c37b7c commit f7ec657
Showing 5 changed files with 36 additions and 20 deletions.
6 changes: 5 additions & 1 deletion pkg/dockerregistry/server/app.go
Expand Up @@ -115,7 +115,11 @@ func NewApp(ctx context.Context, registryClient client.RegistryClient, dockerCon

// Registry extensions endpoint provides extra functionality to handle the image
// signatures.
RegisterSignatureHandler(dockerApp)
isImageClient, err := registryClient.Client()
if err != nil {
context.GetLogger(dockerApp).Fatalf("unable to get client for signatures: %v", err)
}
RegisterSignatureHandler(dockerApp, isImageClient)

// Registry extensions endpoint provides prometheus metrics.
if extraConfig.Metrics.Enabled {
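Review bot: Because the signature handler now reads ImageStreamImages through the privileged client obtained from registryClient.Client(), per-request authorization for signature access rests entirely on AccessController.Authorized (the verifyImageSignatureAccess call in auth.go) rather than on the API server rejecting the caller; the hunk should say so next to the new call, e.g. `// isImageClient is privileged: user-level access to signatures is enforced in AccessController.Authorized, not by this client.` The Fatalf on client-construction failure also turns an error inside NewApp into a process exit from a constructor; if NewApp can return an error (its signature is cut off here), `return nil, fmt.Errorf("getting client for signatures: %v", err)` would let the caller decide, otherwise a comment should state that exiting at startup is intended. NewApp starts and ends outside this hunk.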
2 changes: 2 additions & 0 deletions pkg/dockerregistry/server/auth.go
Expand Up @@ -333,6 +333,8 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg
if err := verifyImageSignatureAccess(ctx, namespace, name, osClient); err != nil {
return nil, ac.wrapErr(ctx, err)
}
default:
return nil, ac.wrapErr(ctx, ErrUnsupportedAction)
}

case "metrics":
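Review bot: The new `default` branch rejects every action the preceding cases do not handle, which is the fail-closed behaviour wanted for the signatures resource, but nothing says so and the subject of the switch is outside the hunk; a one-line comment, `// fail closed: reject any action not explicitly handled above`, would keep a later case addition from silently widening what is permitted. Authorized starts and ends outside this hunk.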
37 changes: 21 additions & 16 deletions pkg/dockerregistry/server/signaturedispatcher.go
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/docker/distribution/registry/api/v2"
"github.com/docker/distribution/registry/handlers"

"github.com/openshift/origin/pkg/dockerregistry/server/client"
imageapi "github.com/openshift/origin/pkg/image/apis/image"
imageapiv1 "github.com/openshift/origin/pkg/image/apis/image/v1"

Expand Down Expand Up @@ -60,18 +61,27 @@ var (
)

type signatureHandler struct {
ctx *handlers.Context
reference imageapi.DockerImageReference
ctx *handlers.Context
reference imageapi.DockerImageReference
isImageClient client.ImageStreamImagesNamespacer
}

// SignatureDispatcher handles the GET and PUT requests for signature endpoint.
func SignatureDispatcher(ctx *handlers.Context, r *http.Request) http.Handler {
signatureHandler := &signatureHandler{ctx: ctx}
signatureHandler.reference, _ = imageapi.ParseDockerImageReference(ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"))

return gorillahandlers.MethodHandler{
"GET": http.HandlerFunc(signatureHandler.Get),
"PUT": http.HandlerFunc(signatureHandler.Put),
// NewSignatureDispatcher provides a function that handles the GET and PUT
// requests for signature endpoint.
func NewSignatureDispatcher(isImageClient client.ImageStreamImagesNamespacer) func(*handlers.Context, *http.Request) http.Handler {
return func(ctx *handlers.Context, r *http.Request) http.Handler {
reference, _ := imageapi.ParseDockerImageReference(
ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"),
)
signatureHandler := &signatureHandler{
ctx: ctx,
isImageClient: isImageClient,
reference: reference,
}
return gorillahandlers.MethodHandler{
"GET": http.HandlerFunc(signatureHandler.Get),
"PUT": http.HandlerFunc(signatureHandler.Put),
}
}
}

Expand Down Expand Up @@ -142,18 +152,13 @@ func (s *signatureHandler) Get(w http.ResponseWriter, req *http.Request) {
s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("missing image name or image ID"), w)
return
}
client, ok := userClientFrom(s.ctx)
if !ok {
s.handleError(s.ctx, errcode.ErrorCodeUnknown.WithDetail("unable to get origin client"), w)
return
}

if len(s.reference.ID) == 0 {
s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("the image ID must be specified (sha256:<digest>"), w)
return
}

image, err := client.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
image, err := s.isImageClient.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
switch {
case err == nil:
case kapierrors.IsUnauthorized(err):
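Review bot: With the lookup now performed through s.isImageClient, the `case kapierrors.IsUnauthorized(err):` branch just below the changed line no longer describes the requesting user: the privileged client carries the registry's own credentials, so an unauthorized reply from the API server indicates a misconfigured registry identity rather than a caller without access. Whatever that branch does (its body is outside the hunk), it should presumably be logged as a server-side problem and mapped to an internal error rather than returned to the client as its own authorization failure; a comment on the case, `// with the privileged client this means the registry's identity was rejected, not the caller's`, records the change in meaning. The earlier hunk in this file also still discards the error from ParseDockerImageReference in NewSignatureDispatcher and relies on the `len(s.reference.ID) == 0` check in Get to catch a bad reference; a comment saying that is deliberate would help. Get starts and ends outside this hunk.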
4 changes: 4 additions & 0 deletions pkg/dockerregistry/server/signaturedispatcher_test.go
Expand Up @@ -57,6 +57,8 @@ func TestSignatureGet(t *testing.T) {
t.Fatal(err)
}

os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")

ctx := context.Background()
ctx = withUserClient(ctx, osclient)
registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{
Expand Down Expand Up @@ -163,6 +165,8 @@ func TestSignaturePut(t *testing.T) {
t.Fatal(err)
}

os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")

ctx := context.Background()
ctx = withUserClient(ctx, osclient)
registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{
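Review bot: `os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")` in TestSignatureGet is never undone, so the value leaks into every test that runs after it in the package; TestSignaturePut in the second hunk has the same issue, and any later test inherits the setting silently. Restore the previous state right after the call, e.g. `defer os.Unsetenv("OPENSHIFT_DEFAULT_REGISTRY")`, or save the old value and reset it. The error returned by Setenv is also dropped without comment. Both test functions start and end outside their hunks.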
7 changes: 4 additions & 3 deletions pkg/dockerregistry/server/signaturehandler.go
Expand Up @@ -8,11 +8,12 @@ import (
"github.com/docker/distribution/registry/handlers"

"github.com/openshift/origin/pkg/dockerregistry/server/api"
"github.com/openshift/origin/pkg/dockerregistry/server/client"
)

// RegisterSignatureHandler registers the Docker image signature extension to Docker
// registry.
func RegisterSignatureHandler(app *handlers.App) {
func RegisterSignatureHandler(app *handlers.App, isImageClient client.ImageStreamImagesNamespacer) {
extensionsRouter := app.NewRoute().PathPrefix(api.ExtensionsPrefix).Subrouter()
var (
getSignatureAccess = func(r *http.Request) []auth.Access {
Expand Down Expand Up @@ -40,13 +41,13 @@ func RegisterSignatureHandler(app *handlers.App) {
)
app.RegisterRoute(
extensionsRouter.Path(api.SignaturesPath).Methods("GET"),
SignatureDispatcher,
NewSignatureDispatcher(isImageClient),
handlers.NameRequired,
getSignatureAccess,
)
app.RegisterRoute(
extensionsRouter.Path(api.SignaturesPath).Methods("PUT"),
SignatureDispatcher,
NewSignatureDispatcher(isImageClient),
handlers.NameRequired,
putSignatureAccess,
)
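Review bot: The doc comment on RegisterSignatureHandler does not mention the new isImageClient parameter, although it now decides which credentials the signature routes use to read ImageStreamImages; add a line such as `// isImageClient is the client the signature dispatcher uses to look up ImageStreamImages; it is expected to be the privileged registry client, so per-user authorization must be enforced by the access controller.` A nil isImageClient is not rejected here and would only surface as a panic on the first GET or PUT; either a guard or a note that NewApp guarantees a non-nil client would make the contract explicit. RegisterSignatureHandler's body continues between and after the hunks.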
