Return 401 instead of 403

closes pulp#918
lubosmj · Aug 19, 2022 · 3979fb6 · 3979fb6
1 parent 770761c
commit 3979fb6
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 1 deletion.
diff --git a/CHANGES/918.bugfix b/CHANGES/918.bugfix
@@ -0,0 +1,2 @@
+Started returning an HTTP 401 response in case of invalid credentials provided by a container
+client (e.g., ``podman``).
diff --git a/pulp_container/app/registry_api.py b/pulp_container/app/registry_api.py
@@ -28,6 +28,7 @@
 from pulpcore.plugin.files import PulpTemporaryUploadedFile
 from pulpcore.plugin.tasking import add_and_remove, dispatch
 from pulpcore.plugin.util import get_objects_for_user
+from rest_framework.authentication import BasicAuthentication
 from rest_framework.exceptions import (
     AuthenticationFailed,
     NotAuthenticated,
@@ -355,6 +356,7 @@ class BearerTokenView(APIView):
     """
 
     # Allow everyone to access but still value authenticated users.
+    authentication_classes = [BasicAuthentication]
     permission_classes = []
 
     def get(self, request):

diff --git a/pulp_container/tests/functional/api/test_token_authentication.py b/pulp_container/tests/functional/api/test_token_authentication.py
@@ -1,4 +1,6 @@
 """Tests for token authentication."""
+import aiohttp
+import asyncio
 import unittest
 
 from urllib.parse import urljoin, urlparse
@@ -135,3 +137,16 @@ def compare_config_blob_digests(self, pulled_manifest_digest):
 
         config_blob_response = self.client.get(manifest_response["config_blob"])
         self.assertEqual(pulled_manifest_digest, config_blob_response["digest"])
+
+
+def test_invalid_user(token_server_url, local_registry):
+    """Test if the token server correctly returns a 401 error in case of invalid credentials."""
+
+    async def get_token():
+        url = f"{token_server_url}?service={local_registry.name}"
+        async with aiohttp.ClientSession() as session:
+            async with session.get(url, auth=aiohttp.BasicAuth("test", "invalid")) as response:
+                return response.status
+
+    status = asyncio.run(get_token())
+    assert status == 401
diff --git a/pulp_container/tests/functional/conftest.py b/pulp_container/tests/functional/conftest.py
@@ -5,7 +5,7 @@
 
 from urllib.parse import urljoin, urlparse
 
-from pulp_smash.utils import execute_pulpcore_python, uuid4
+from pulp_smash.utils import execute_pulpcore_python, uuid4, get_pulp_setting
 from pulp_smash.cli import RegistryClient
 
 from pulpcore.client.pulp_container import (
@@ -291,3 +291,9 @@ def container_blob_api(container_client):
 def container_signature_api(container_client):
     """Container image signature API fixture."""
     return ContentSignaturesApi(container_client)
+
+
+@pytest.fixture(scope="session")
+def token_server_url(cli_client):
+    """The URL of the token server."""
+    return get_pulp_setting(cli_client, "TOKEN_SERVER")
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Started returning an HTTP 401 response in case of invalid credentials provided by a container
		client (e.g., ``podman``).