Fix authorization URL

We need to return the actual public URL of the server as part of the www-authenticate header. Add that as a config option. Also, handle the case where clients supply more than one scope= parameter when obtaining a token. Change-Id: Ic6a50083303c0cee5361e62e8dccf8d4cf07a836
2019-10-09 09:46:35 -07:00 · 2019-10-09 09:46:35 -07:00 · 56968a9c80
commit 56968a9c80
parent e31f1892b6
2 changed files with 9 additions and 4 deletions
--- a/playbooks/functional-test/conf/registry.yaml
+++ b/playbooks/functional-test/conf/registry.yaml
@ -1,6 +1,7 @@
 registry:
  address: '0.0.0.0'
  port: 9000
+  public-url: https://localhost:9000
  tls-cert: /tls/cert.pem
  tls-key: /tls/cert.key
  secret: test_token_secret
--- a/zuul_registry/main.py
+++ b/zuul_registry/main.py
@ -42,8 +42,9 @@ class Authorization(cherrypy.Tool):
    WRITE = 'write'
    AUTH = 'auth'

-    def __init__(self, secret, users):
+    def __init__(self, secret, users, public_url):
        self.secret = secret
+        self.public_url = public_url
        self.rw = {}

        for user in users:
@ -61,7 +62,7 @@ class Authorization(cherrypy.Tool):

    def unauthorized(self):
        cherrypy.response.headers['www-authenticate'] = (
-            'Bearer realm="https://localhost:9000/auth/token"'
+            'Bearer realm="%s/auth/token"' % (self.public_url,)
        )
        raise cherrypy.HTTPError(401, 'Authentication required')

@ -78,7 +79,9 @@ class Authorization(cherrypy.Tool):

    def _get_level(self, scope):
        level = None
-        for resource_scope in scope.split(' '):
+        if not isinstance(scope, list):
+            scope = scope.split(' ')
+        for resource_scope in scope:
            parts = resource_scope.split(':')
            if parts[0] == 'repository' and 'push' in parts[2]:
                level = self.WRITE
@ -314,7 +317,8 @@ class RegistryServer:
        backend = DRIVERS[driver](self.conf['storage'])
        self.store = storage.Storage(backend, self.conf['storage'])

-        authz = Authorization(self.conf['secret'], self.conf['users'])
+        authz = Authorization(self.conf['secret'], self.conf['users'],
+                              self.conf['public-url'])

        route_map = cherrypy.dispatch.RoutesDispatcher()
        api = RegistryAPI(self.store, authz)