From 7a95c9e81cc899b3702cfa9644aff1dc05e1e630 Mon Sep 17 00:00:00 2001
From: Yan Song
Date: Wed, 28 Sep 2022 04:03:46 +0000
Subject: [PATCH] storage: add ut for anonymous authorization
Signed-off-by: Yan Song
---
storage/src/backend/registry.rs | 46 +++++++++++++++++++++------------
1 file changed, 29 insertions(+), 17 deletions(-)
diff --git a/storage/src/backend/registry.rs b/storage/src/backend/registry.rs
index 14d3304189b..36857d0c91e 100644
--- a/storage/src/backend/registry.rs
+++ b/storage/src/backend/registry.rs
@@ -286,32 +286,33 @@ struct RegistryReader {
  }
 
  impl RegistryReader {
- /// Request registry server with `authorization` header
+ /// Request registry server with authorization workflow, it has two authentication modes:
  ///
- /// Bearer token authenticate workflow:
+ /// # Bearer token authenticate workflow:
  ///
- /// Request: POST https://my-registry.com/test/repo/blobs/uploads
+ /// Request: GET https://my-registry.com/namespace/repo/blobs/sha256:
  /// Response: status: 401 Unauthorized
- /// header: www-authenticate: Bearer realm="https://auth.my-registry.com/token",service="my-registry.com",scope="repository:test/repo:pull,push"
+ /// header: www-authenticate: Bearer realm="https://auth.my-registry.com/token",service="my-registry.com",scope="repository:namespace/repo:pull,push"
  ///
  /// Request: POST https://auth.my-registry.com/token
- /// body: "service=my-registry.com&scope=repository:test/repo:pull,push&grant_type=password&username=x&password=x&client_id=nydus-registry-client"
+ /// body: "service=my-registry.com&scope=repository:namespace/repo:pull,push&grant_type=password&username=x&password=x&client_id=nydus-registry-client"
  /// Response: status: 200 Ok
  /// body: { "token": "" }
  ///
- /// Request: POST https://my-registry.com/test/repo/blobs/uploads
+ /// Request: GET https://my-registry.com/namespace/repo/blobs/sha256:
  /// header: authorization: Bearer
- /// Response: status: 200 Ok
+ /// Response: status: 200/301/307
+ ///
  ///
- /// Basic authenticate workflow:
+ /// # Basic authenticate workflow:
  ///
- /// Request: POST https://my-registry.com/test/repo/blobs/uploads
+ /// Request: GET https://my-registry.com/namespace/repo/blobs/sha256:
  /// Response: status: 401 Unauthorized
  /// header: www-authenticate: Basic
  ///
- /// Request: POST https://my-registry.com/test/repo/blobs/uploads
+ /// Request: GET https://my-registry.com/namespace/repo/blobs/sha256:
  /// header: authorization: Basic base64()
- /// Response: status: 200 Ok
+ /// Response: status: 200/301/307
  fn request(
  &self,
  method: Method,
@@ -377,17 +378,16 @@ impl RegistryReader {
  respond(resp, catch_status).map_err(RegistryError::Request)
  }
 
- /// Read data from registry server
- ///
- /// Step:
+ /// Read data from registry server, steps:
  ///
  /// Request: GET /blobs/sha256:
- /// Response: status: 307 Temporary Redirect
+ /// Response: status: 301/307
  /// header: location: https://raw-blob-storage-host.com/signature=x
  ///
  /// Request: GET https://raw-blob-storage-host.com/signature=x
- /// Response: status: 200 Ok / 403 Forbidden
- /// If responding 403, we need to repeat step one
+ /// Response: status: 200/403
+ ///
+ /// If responding with 403, we need to go authorization workflow
  fn _try_read(
  &self,
  mut buf: &mut [u8],
@@ -748,4 +748,16 @@ mod tests {
  assert_eq!(trim(Some(" te st ".to_owned())), Some("te st".to_owned()));
  assert_eq!(trim(Some("te st".to_owned())), Some("te st".to_owned()));
  }
+
+ #[test]
+ fn test_ghcr() {
+ let config =
+ serde_json::json!({"scheme":"https","host":"ghcr.io","repo":"changweige/python"});
+ let registry = Registry::new(config, Some("registry")).unwrap();
+
+ let reader = registry
+ .get_reader("b91a341ac9a53528c4d96806e1c07c3307a95ede5841f2a13ac4972c7699b067")
+ .unwrap();
+ let _ = reader.blob_size().unwrap();
+ }
  }
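Review bot: The bearer workflow in the `request` doc comment shows `username` and `password` being POSTed to whatever `realm` the 401 response's `www-authenticate` header names, but it does not say what the client requires of that URL before sending credentials. The body of `request` lies outside the hunk, so I cannot tell whether the realm is checked; if it is, state it here, for example `/// Credentials are only sent to an https realm.` (wording to be confirmed against the implementation), and if it is not, that check is worth adding. The comment also lists only the Bearer and Basic modes although the commit is about anonymous access, so a sentence describing what the token request looks like when no credentials are configured would complete it. The added `+ ///` before the Basic heading leaves two empty doc lines in a row; one is enough.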
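Review bot: The `_try_read` comment documents a second GET to the host named in `location`, but not whether the `authorization` header from the first request travels with it; a registry token or Basic credential should not reach the blob-storage host. The function body is outside the hunk, so this is a request to document the behaviour, e.g. `/// The redirected request carries no authorization header.`, if that is what the code does. The last line would also read better as `/// If the response is 403, go through the authorization workflow.`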
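Review bot: `test_ghcr` makes live HTTPS requests to `ghcr.io` for a blob in a third-party repository and unwraps every result, so the unit-test run fails whenever the network, the registry or that image is unavailable, and its outcome depends on content the project does not control. Marking it `#[ignore]` under `#[test]`, or gating it behind an environment variable, would keep it in an opt-in integration job. It also asserts nothing: `let _ = reader.blob_size().unwrap();` only shows the call did not error, so comparing the returned size with the expected value would make the test meaningful.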