From f7ec657bbc718757a8d5d46b465cd359a015d280 Mon Sep 17 00:00:00 2001
From: Michal Fojtik
Date: Thu, 14 Sep 2017 17:19:22 +0200
Subject: [PATCH] registry: use the privileged client to get signatures

---
 pkg/dockerregistry/server/app.go | 6 ++-
 pkg/dockerregistry/server/auth.go | 2 +
 .../server/signaturedispatcher.go | 37 +++++++++++--------
 .../server/signaturedispatcher_test.go | 4 ++
 pkg/dockerregistry/server/signaturehandler.go | 7 ++--
 5 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/pkg/dockerregistry/server/app.go b/pkg/dockerregistry/server/app.go
index 949ba0b0097a..6fe96b797584 100644
--- a/pkg/dockerregistry/server/app.go
+++ b/pkg/dockerregistry/server/app.go
@@ -115,7 +115,11 @@ func NewApp(ctx context.Context, registryClient client.RegistryClient, dockerCon
 
 // Registry extensions endpoint provides extra functionality to handle the image
 // signatures.
- RegisterSignatureHandler(dockerApp)
+ isImageClient, err := registryClient.Client()
+ if err != nil {
+ context.GetLogger(dockerApp).Fatalf("unable to get client for signatures: %v", err)
+ }
+ RegisterSignatureHandler(dockerApp, isImageClient)
 
 // Registry extensions endpoint provides prometheus metrics.
 if extraConfig.Metrics.Enabled {
diff --git a/pkg/dockerregistry/server/auth.go b/pkg/dockerregistry/server/auth.go
index 58ba13b5ee36..2f86060ae755 100644
--- a/pkg/dockerregistry/server/auth.go
+++ b/pkg/dockerregistry/server/auth.go
@@ -333,6 +333,8 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg
 if err := verifyImageSignatureAccess(ctx, namespace, name, osClient); err != nil {
 return nil, ac.wrapErr(ctx, err)
 }
+ default:
+ return nil, ac.wrapErr(ctx, ErrUnsupportedAction)
 }
 
 case "metrics":
diff --git a/pkg/dockerregistry/server/signaturedispatcher.go b/pkg/dockerregistry/server/signaturedispatcher.go
index 620e3845b760..53175e2608b7 100644
--- a/pkg/dockerregistry/server/signaturedispatcher.go
+++ b/pkg/dockerregistry/server/signaturedispatcher.go
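Review bot: The `isImageClient, err := registryClient.Client()` handed to RegisterSignatureHandler is the registry's own privileged client, and nothing at this call site says so; because the signature handler will read images with it on behalf of every caller, the comment above the call should state that per-user authorization is enforced elsewhere, e.g. `// The signature handler reads images with the registry's privileged client; the caller's access to the image is checked by the access controller (see the signature case in AccessController.Authorized), not by the handler.` The `:=` also declares `err` in NewApp's scope and may shadow an earlier `err`; NewApp's body lies outside the hunk, so that is unverified here.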
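Review bot: The new `default:` branch fails closed for any action the inner switch (presumably the signature resource) does not list, but nothing says that is intentional, and a reader of this file alone could mistake it for an oversight; a one-line comment such as `// any other action on this resource is rejected (fail closed)` above `default:` would make the intent explicit. The enclosing switch and Authorized begin outside the hunk, so which actions precede the default is not visible here.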
@@ -17,6 +17,7 @@ import (
 "github.com/docker/distribution/registry/api/v2"
 "github.com/docker/distribution/registry/handlers"
+ "github.com/openshift/origin/pkg/dockerregistry/server/client"
 imageapi "github.com/openshift/origin/pkg/image/apis/image"
 imageapiv1 "github.com/openshift/origin/pkg/image/apis/image/v1"
@@ -60,18 +61,27 @@ var (
 )
 
 type signatureHandler struct {
- ctx *handlers.Context
- reference imageapi.DockerImageReference
+ ctx *handlers.Context
+ reference imageapi.DockerImageReference
+ isImageClient client.ImageStreamImagesNamespacer
 }
 
-// SignatureDispatcher handles the GET and PUT requests for signature endpoint.
-func SignatureDispatcher(ctx *handlers.Context, r *http.Request) http.Handler {
- signatureHandler := &signatureHandler{ctx: ctx}
- signatureHandler.reference, _ = imageapi.ParseDockerImageReference(ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"))
-
- return gorillahandlers.MethodHandler{
- "GET": http.HandlerFunc(signatureHandler.Get),
- "PUT": http.HandlerFunc(signatureHandler.Put),
+// NewSignatureDispatcher provides a function that handles the GET and PUT
+// requests for signature endpoint.
+func NewSignatureDispatcher(isImageClient client.ImageStreamImagesNamespacer) func(*handlers.Context, *http.Request) http.Handler {
+ return func(ctx *handlers.Context, r *http.Request) http.Handler {
+ reference, _ := imageapi.ParseDockerImageReference(
+ ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"),
+ )
+ signatureHandler := &signatureHandler{
+ ctx: ctx,
+ isImageClient: isImageClient,
+ reference: reference,
+ }
+ return gorillahandlers.MethodHandler{
+ "GET": http.HandlerFunc(signatureHandler.Get),
+ "PUT": http.HandlerFunc(signatureHandler.Put),
+ }
 }
 }
 
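Review bot: `reference, _ := imageapi.ParseDockerImageReference(...)` in the closure returned by NewSignatureDispatcher discards the parse error, so a malformed name or digest produces a zero-value reference that Get later rejects with ErrorCodeNameInvalid ("missing image name or image ID"); that is workable but should be stated at the site, e.g. `// parse errors are deliberately dropped: Get validates s.reference and answers ErrorCodeNameInvalid` (Get's checks are visible in this patch, Put's are not, so confirm Put does the same before widening the comment). The `r *http.Request` parameter of the inner closure is unused and required only by the dispatcher signature; naming it `_` would say so.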
@@ -142,18 +152,13 @@ func (s *signatureHandler) Get(w http.ResponseWriter, req *http.Request) {
 s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("missing image name or image ID"), w)
 return
 }
- client, ok := userClientFrom(s.ctx)
- if !ok {
- s.handleError(s.ctx, errcode.ErrorCodeUnknown.WithDetail("unable to get origin client"), w)
- return
- }
 if len(s.reference.ID) == 0 {
 s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("the image ID must be specified (sha256:"), w)
 return
 }
- image, err := client.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
+ image, err := s.isImageClient.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
 switch {
 case err == nil:
 case kapierrors.IsUnauthorized(err):
diff --git a/pkg/dockerregistry/server/signaturedispatcher_test.go b/pkg/dockerregistry/server/signaturedispatcher_test.go
index a8f3b8791309..01f9675de85f 100644
--- a/pkg/dockerregistry/server/signaturedispatcher_test.go
+++ b/pkg/dockerregistry/server/signaturedispatcher_test.go
@@ -57,6 +57,8 @@ func TestSignatureGet(t *testing.T) {
 t.Fatal(err)
 }
 
+ os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")
+
 ctx := context.Background()
 ctx = withUserClient(ctx, osclient)
 registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{
@@ -163,6 +165,8 @@ func TestSignaturePut(t *testing.T) {
 t.Fatal(err)
 }
 
+ os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")
+
 ctx := context.Background()
 ctx = withUserClient(ctx, osclient)
 registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{
diff --git a/pkg/dockerregistry/server/signaturehandler.go b/pkg/dockerregistry/server/signaturehandler.go
index dc815bc6d571..0751e85333f7 100644
--- a/pkg/dockerregistry/server/signaturehandler.go
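Review bot: With `image, err := s.isImageClient.ImageStreamImages(...)` Get now reads the image with the registry's own credentials, so the caller's right to see this signature rests entirely on the access controller's signature check (verifyImageSignatureAccess in AccessController.Authorized, changed in this same patch); that coupling deserves a comment at the call, e.g. `// privileged read: the user's access to this image was already verified by the access controller, not here`. The `case kapierrors.IsUnauthorized(err):` branch just below now reflects the registry client's own credentials rather than the user's, so the error mapping it performs (outside the hunk) is worth re-checking. Get's body continues past the hunk.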
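Review bot: `os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")` in TestSignatureGet is never undone, so the value leaks into every test that runs after it in the package; pair it with `defer os.Unsetenv("OPENSHIFT_DEFAULT_REGISTRY")` (the identical line in TestSignaturePut needs the same). Nothing says why the variable is needed; presumably the client returned by registryClient.Client() in NewApp depends on it, and a short comment would save the next reader that investigation.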
+++ b/pkg/dockerregistry/server/signaturehandler.go
@@ -8,11 +8,12 @@ import (
 "github.com/docker/distribution/registry/handlers"
 
 "github.com/openshift/origin/pkg/dockerregistry/server/api"
+ "github.com/openshift/origin/pkg/dockerregistry/server/client"
 )
 
 // RegisterSignatureHandler registers the Docker image signature extension to Docker
 // registry.
-func RegisterSignatureHandler(app *handlers.App) {
+func RegisterSignatureHandler(app *handlers.App, isImageClient client.ImageStreamImagesNamespacer) {
 extensionsRouter := app.NewRoute().PathPrefix(api.ExtensionsPrefix).Subrouter()
 var (
 getSignatureAccess = func(r *http.Request) []auth.Access {
@@ -40,13 +41,13 @@ func RegisterSignatureHandler(app *handlers.App) {
 )
 app.RegisterRoute(
 extensionsRouter.Path(api.SignaturesPath).Methods("GET"),
- SignatureDispatcher,
+ NewSignatureDispatcher(isImageClient),
 handlers.NameRequired,
 getSignatureAccess,
 )
 app.RegisterRoute(
 extensionsRouter.Path(api.SignaturesPath).Methods("PUT"),
- SignatureDispatcher,
+ NewSignatureDispatcher(isImageClient),
 handlers.NameRequired,
 putSignatureAccess,
 )
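Review bot: RegisterSignatureHandler gained the `isImageClient` parameter but its doc comment still describes only the registration itself; document what the client is and what it is trusted to do, e.g. extend the comment with `// isImageClient is the registry's privileged image client used by the signature handler to read ImageStreamImages; a caller's access to an image is enforced by the access records registered below and the access controller, not by this client.` The commit subject is the only place the word "privileged" appears, so the comment is where that intent should live.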
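Review bot: `NewSignatureDispatcher(isImageClient)` is evaluated twice, once per route, producing two closures over the same client; building it once with `dispatcher := NewSignatureDispatcher(isImageClient)` before the first `app.RegisterRoute(` and passing `dispatcher` to both calls reads more clearly and makes the shared dependency obvious.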