From 56968a9c80e010277f590ec61efe872388c26856 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 9 Oct 2019 09:46:35 -0700
Subject: [PATCH] Fix authorization URL

We need to return the actual public URL of the server as part of the www-authenticate header. Add that as a config option. Also, handle the case where clients supply more than one scope= parameter when obtaining a token.

Change-Id: Ic6a50083303c0cee5361e62e8dccf8d4cf07a836
---
 playbooks/functional-test/conf/registry.yaml | 1 +
 zuul_registry/main.py | 12 ++++++++----
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/playbooks/functional-test/conf/registry.yaml b/playbooks/functional-test/conf/registry.yaml
index 11e5e7b..af97dd5 100644
--- a/playbooks/functional-test/conf/registry.yaml
+++ b/playbooks/functional-test/conf/registry.yaml
@@ -1,6 +1,7 @@
 registry:
 address: '0.0.0.0'
 port: 9000
+ public-url: https://localhost:9000
 tls-cert: /tls/cert.pem
 tls-key: /tls/cert.key
 secret: test_token_secret
diff --git a/zuul_registry/main.py b/zuul_registry/main.py
index 4dad556..a223629 100644
--- a/zuul_registry/main.py
+++ b/zuul_registry/main.py
@@ -42,8 +42,9 @@ class Authorization(cherrypy.Tool):
 WRITE = 'write'
 AUTH = 'auth'
- def __init__(self, secret, users):
+ def __init__(self, secret, users, public_url):
 self.secret = secret
+ self.public_url = public_url
 self.rw = {}
 for user in users:
@@ -61,7 +62,7 @@ class Authorization(cherrypy.Tool):
 def unauthorized(self):
 cherrypy.response.headers['www-authenticate'] = (
- 'Bearer realm="https://localhost:9000/auth/token"'
+ 'Bearer realm="%s/auth/token"' % (self.public_url,)
 )
 raise cherrypy.HTTPError(401, 'Authentication required')
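Review bot: `self.public_url` is stored exactly as configured, so a value ending in a slash produces `realm="https://host//auth/token"` in the www-authenticate header built in the unauthorized() hunk below; normalize once at construction, `self.public_url = public_url.rstrip('/')`. Because the realm is where clients are told to send their credentials to obtain a token, __init__ should also say in a docstring that public_url must be the externally reachable scheme+host the registry is served under, not the bind `address`/`port`. The body of __init__ continues outside the hunk.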
@@ -78,7 +79,9 @@ class Authorization(cherrypy.Tool):
 def _get_level(self, scope):
 level = None
- for resource_scope in scope.split(' '):
+ if not isinstance(scope, list):
+ scope = scope.split(' ')
+ for resource_scope in scope:
 parts = resource_scope.split(':')
 if parts[0] == 'repository' and 'push' in parts[2]:
 level = self.WRITE
@@ -314,7 +317,8 @@ class RegistryServer:
 backend = DRIVERS[driver](self.conf['storage'])
 self.store = storage.Storage(backend, self.conf['storage'])
- authz = Authorization(self.conf['secret'], self.conf['users'])
+ authz = Authorization(self.conf['secret'], self.conf['users'],
+ self.conf['public-url'])
 route_map = cherrypy.dispatch.RoutesDispatcher()
 api = RegistryAPI(self.store, authz)
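Review bot: When `scope` arrives as a list (the multiple-`scope=` case this change handles), each element is taken as one resource scope and is no longer split on spaces, so a request that mixes both forms silently drops the space-separated entries; normalize by wrapping and flattening instead, `if not isinstance(scope, list): scope = [scope]` followed by `scope = [s for item in scope for s in item.split(' ')]`. The context line indexing `parts[2]` also raises IndexError for a client-supplied scope with fewer than three colon-separated fields — pre-existing, but now reached for every list element — and a `if len(parts) < 3: continue` guard before it would make a malformed scope a denied scope rather than a server error. _get_level continues past the end of the hunk.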
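Review bot: `self.conf['public-url']` makes the new key mandatory and a missing one surfaces as a bare KeyError during server construction, with nothing telling the operator what to set; since the value goes verbatim into the www-authenticate realm, fail with an explicit message before the Authorization() call, `if 'public-url' not in self.conf: raise ValueError("registry config requires 'public-url'")`. The sample in registry.yaml shows the expected form (scheme plus host and port), which is worth stating in the config documentation as well. The enclosing RegistryServer method starts before the hunk.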