diff --git a/CHANGES/918.bugfix b/CHANGES/918.bugfix new file mode 100644 index 000000000..daea9fe54 --- /dev/null +++ b/CHANGES/918.bugfix @@ -0,0 +1,2 @@ +Started returning an HTTP 401 response in case of invalid credentials provided by a container +client (e.g., ``podman``). diff --git a/pulp_container/app/registry_api.py b/pulp_container/app/registry_api.py index 995e36868..0663763a1 100644 --- a/pulp_container/app/registry_api.py +++ b/pulp_container/app/registry_api.py @@ -28,6 +28,7 @@ from pulpcore.plugin.files import PulpTemporaryUploadedFile from pulpcore.plugin.tasking import add_and_remove, dispatch from pulpcore.plugin.util import get_objects_for_user +from rest_framework.authentication import BasicAuthentication from rest_framework.exceptions import ( AuthenticationFailed, NotAuthenticated, @@ -355,6 +356,7 @@ class BearerTokenView(APIView): """ # Allow everyone to access but still value authenticated users. + authentication_classes = [BasicAuthentication] permission_classes = [] def get(self, request): diff --git a/pulp_container/tests/functional/api/test_token_authentication.py b/pulp_container/tests/functional/api/test_token_authentication.py index c36fba046..147895bb8 100644 --- a/pulp_container/tests/functional/api/test_token_authentication.py +++ b/pulp_container/tests/functional/api/test_token_authentication.py @@ -1,4 +1,6 @@ """Tests for token authentication.""" +import aiohttp +import asyncio import unittest from urllib.parse import urljoin, urlparse @@ -135,3 +137,16 @@ def compare_config_blob_digests(self, pulled_manifest_digest): config_blob_response = self.client.get(manifest_response["config_blob"]) self.assertEqual(pulled_manifest_digest, config_blob_response["digest"]) + + +def test_invalid_user(token_server_url, local_registry): + """Test if the token server correctly returns a 401 error in case of invalid credentials.""" + + async def get_token(): + url = f"{token_server_url}?service={local_registry.name}" + async with aiohttp.ClientSession() as session: + async with session.get(url, auth=aiohttp.BasicAuth("test", "invalid")) as response: + return response.status + + status = asyncio.run(get_token()) + assert status == 401 diff --git a/pulp_container/tests/functional/conftest.py b/pulp_container/tests/functional/conftest.py index 1c5b292ef..5f3540fd6 100644 --- a/pulp_container/tests/functional/conftest.py +++ b/pulp_container/tests/functional/conftest.py @@ -5,7 +5,7 @@ from urllib.parse import urljoin, urlparse -from pulp_smash.utils import execute_pulpcore_python, uuid4 +from pulp_smash.utils import execute_pulpcore_python, uuid4, get_pulp_setting from pulp_smash.cli import RegistryClient from pulpcore.client.pulp_container import ( @@ -291,3 +291,9 @@ def container_blob_api(container_client): def container_signature_api(container_client): """Container image signature API fixture.""" return ContentSignaturesApi(container_client) + + +@pytest.fixture(scope="session") +def token_server_url(cli_client): + """The URL of the token server.""" + return get_pulp_setting(cli_client, "TOKEN_SERVER")