-
Notifications
You must be signed in to change notification settings - Fork 542
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Inline dependency on (Apache licensed) auth challenge
This code was made internal in distribution/distribution#4126, because it was not intended to be consumed externally. As it is Apache-licensed, start by inlining the dependency; we can then enhance test coverage and address any shortcomings.
- Loading branch information
Showing
5 changed files
with
213 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,169 @@ | ||
package transport | ||
Check failure on line 1 in pkg/v1/remote/transport/response_challenge.go GitHub Actions / Boilerplate Check (go)
|
||
|
||
// This code is copy-paste imported from the Apache-licensed https://github.com/distribution/distribution, | ||
// as the dependency has been made internal upstream. | ||
// There is an alternative implementation in https://fuchsia.googlesource.com/tools/+/efc566f8f0dcc061dac3d57989b24f496b109ecb/net/digest/digest.go | ||
|
||
import ( | ||
"net/http" | ||
"strings" | ||
) | ||
|
||
// Octet types from RFC 2616. | ||
type octetType byte | ||
|
||
var octetTypes [256]octetType | ||
|
||
const ( | ||
isToken octetType = 1 << iota | ||
isSpace | ||
) | ||
|
||
func init() { | ||
// OCTET = <any 8-bit sequence of data> | ||
// CHAR = <any US-ASCII character (octets 0 - 127)> | ||
// CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)> | ||
// CR = <US-ASCII CR, carriage return (13)> | ||
// LF = <US-ASCII LF, linefeed (10)> | ||
// SP = <US-ASCII SP, space (32)> | ||
// HT = <US-ASCII HT, horizontal-tab (9)> | ||
// <"> = <US-ASCII double-quote mark (34)> | ||
// CRLF = CR LF | ||
// LWS = [CRLF] 1*( SP | HT ) | ||
// TEXT = <any OCTET except CTLs, but including LWS> | ||
// separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | ||
// | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT | ||
// token = 1*<any CHAR except CTLs or separators> | ||
// qdtext = <any TEXT except <">> | ||
|
||
for c := 0; c < 256; c++ { | ||
var t octetType | ||
isCtl := c <= 31 || c == 127 | ||
isChar := 0 <= c && c <= 127 | ||
isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) | ||
if strings.ContainsRune(" \t\r\n", rune(c)) { | ||
t |= isSpace | ||
} | ||
if isChar && !isCtl && !isSeparator { | ||
t |= isToken | ||
} | ||
octetTypes[c] = t | ||
} | ||
} | ||
|
||
// authResponseChallenges returns a list of authorization challenges | ||
// for the given http Response. Challenges are only checked if | ||
// the response status code was a 401. | ||
func authResponseChallenges(resp *http.Response) []authChallenge { | ||
if resp.StatusCode == http.StatusUnauthorized { | ||
// Parse the WWW-Authenticate Header and store the challenges | ||
// on this endpoint object. | ||
return parseAuthHeader(resp.Header) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func parseAuthHeader(header http.Header) []authChallenge { | ||
challenges := []authChallenge{} | ||
for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] { | ||
v, p := parseValueAndParams(h) | ||
if v != "" { | ||
challenges = append(challenges, authChallenge{Scheme: v, Parameters: p}) | ||
} | ||
} | ||
return challenges | ||
} | ||
|
||
// Note: we may be able to combine with Challenge here | ||
type authChallenge struct { | ||
Scheme string | ||
|
||
// Following the challenge there are often key/value pairs | ||
// e.g. Bearer service="gcr.io",realm="https://auth.gcr.io/v36/tokenz" | ||
Parameters map[string]string | ||
} | ||
|
||
func parseValueAndParams(header string) (value string, params map[string]string) { | ||
params = make(map[string]string) | ||
value, s := expectToken(header) | ||
if value == "" { | ||
return | ||
} | ||
value = strings.ToLower(value) | ||
s = "," + skipSpace(s) | ||
for strings.HasPrefix(s, ",") { | ||
var pkey string | ||
pkey, s = expectToken(skipSpace(s[1:])) | ||
if pkey == "" { | ||
return | ||
} | ||
if !strings.HasPrefix(s, "=") { | ||
return | ||
} | ||
var pvalue string | ||
pvalue, s = expectTokenOrQuoted(s[1:]) | ||
if pvalue == "" { | ||
return | ||
} | ||
pkey = strings.ToLower(pkey) | ||
params[pkey] = pvalue | ||
s = skipSpace(s) | ||
} | ||
return | ||
} | ||
|
||
func skipSpace(s string) (rest string) { | ||
i := 0 | ||
for ; i < len(s); i++ { | ||
if octetTypes[s[i]]&isSpace == 0 { | ||
break | ||
} | ||
} | ||
return s[i:] | ||
} | ||
|
||
func expectToken(s string) (token, rest string) { | ||
i := 0 | ||
for ; i < len(s); i++ { | ||
if octetTypes[s[i]]&isToken == 0 { | ||
break | ||
} | ||
} | ||
return s[:i], s[i:] | ||
} | ||
|
||
func expectTokenOrQuoted(s string) (value string, rest string) { | ||
if !strings.HasPrefix(s, "\"") { | ||
return expectToken(s) | ||
} | ||
s = s[1:] | ||
for i := 0; i < len(s); i++ { | ||
switch s[i] { | ||
case '"': | ||
return s[:i], s[i+1:] | ||
case '\\': | ||
p := make([]byte, len(s)-1) | ||
j := copy(p, s[:i]) | ||
escape := true | ||
for i = i + 1; i < len(s); i++ { | ||
b := s[i] | ||
switch { | ||
case escape: | ||
escape = false | ||
p[j] = b | ||
j++ | ||
case b == '\\': | ||
escape = true | ||
case b == '"': | ||
return string(p[:j]), s[i+1:] | ||
default: | ||
p[j] = b | ||
j++ | ||
} | ||
} | ||
return "", "" | ||
} | ||
} | ||
return "", "" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
package transport | ||
Check failure on line 1 in pkg/v1/remote/transport/response_challenge_test.go GitHub Actions / Boilerplate Check (go)
|
||
|
||
// This code is copy-paste imported from the Apache-licensed https://github.com/distribution/distribution, | ||
// as the dependency has been made internal upstream. | ||
|
||
import ( | ||
"net/http" | ||
"testing" | ||
) | ||
|
||
func TestAuthChallengeParse(t *testing.T) { | ||
header := http.Header{} | ||
header.Add("WWW-Authenticate", `Bearer realm="https://auth.example.com/token",service="registry.example.com",other=fun,slashed="he\"\l\lo"`) | ||
|
||
challenges := parseAuthHeader(header) | ||
if len(challenges) != 1 { | ||
t.Fatalf("Unexpected number of auth challenges: %d, expected 1", len(challenges)) | ||
} | ||
challenge := challenges[0] | ||
|
||
if expected := "bearer"; challenge.Scheme != expected { | ||
t.Fatalf("Unexpected scheme: %s, expected: %s", challenge.Scheme, expected) | ||
} | ||
|
||
if expected := "https://auth.example.com/token"; challenge.Parameters["realm"] != expected { | ||
t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["realm"], expected) | ||
} | ||
|
||
if expected := "registry.example.com"; challenge.Parameters["service"] != expected { | ||
t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["service"], expected) | ||
} | ||
|
||
if expected := "fun"; challenge.Parameters["other"] != expected { | ||
t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["other"], expected) | ||
} | ||
|
||
if expected := "he\"llo"; challenge.Parameters["slashed"] != expected { | ||
t.Fatalf("Unexpected param: %s, expected: %s", challenge.Parameters["slashed"], expected) | ||
} | ||
} |