Fix Docker authentication

app/controllers/api/v1/release_engines/oci/blobs_controller.rb

@@ -11,18 +11,30 @@ class Oci::BlobsController < Api::V1::BaseController
     def show
       authorize! package
 
-      descriptor = authorized_scope(package.descriptors).find_by!(
+      descriptor = package.descriptors.find_by!(
         content_digest: params[:digest],
       )
       authorize! descriptor
 
       if request.head?
+        response.headers['Docker-Content-Digest'] = descriptor.content_digest # oras likes these
+        response.headers['Content-Length']        = descriptor.content_length
+
         # see: https://github.com/opencontainers/distribution-spec/blob/main/spec.md#checking-if-content-exists-in-the-registry
         head :ok
       else
         redirect_to vanity_v1_account_release_artifact_url(current_account, descriptor.artifact, filename: descriptor.content_path, host: request.host),
           status: :see_other
       end
+    rescue ActionPolicy::Unauthorized
+      # FIXME(ezekg) docker expects a 401 Unauthorized response with an WWW-Authenticate
+      #              challenge, so unfortunately, we can't return a 404 here like we
+      #              usually do for unauthorized requests (so as not to leak data).
+      if current_bearer.nil?
+        render_unauthorized(code: 'UNAUTHORIZED')
+      else
+        render_forbidden(code: 'DENIED')
+      end
     end
 
     private
@@ -32,10 +44,11 @@ def show
     def require_ee! = super(entitlements: %i[oci_engine])
 
     def set_package
-      scoped_packages = authorized_scope(current_account.release_packages.oci)
-                          .where_assoc_exists(
-                            :descriptors, # must exist
-                          )
+      # NOTE(ezekg) see above comment i.r.t. docker authentication on why we're
+      #             skipping authorized_scope here and elsewhere
+      scoped_packages = current_account.release_packages.oci.where_assoc_exists(
+                          :descriptors, # must exist
+                        )
 
       @package = Current.resource = FindByAliasService.call(
         scoped_packages,

app/controllers/api/v1/release_engines/oci/manifests_controller.rb

@@ -11,7 +11,7 @@ class Oci::ManifestsController < Api::V1::BaseController
     def show
       authorize! package
 
-      manifest = authorized_scope(package.manifests).find_by_reference!(params[:reference],
+      manifest = package.manifests.find_by_reference!(params[:reference],
         accepts: request.accepts.collect(&:to_s),
         prefers: %w[
           application/vnd.oci.image.index.v1+json
@@ -30,11 +30,23 @@ def show
       response.content_type = manifest.content_type
 
       if request.head?
+        response.headers['Docker-Content-Digest'] = manifest.content_digest # oras likes these
+        response.headers['Content-Length']        = manifest.content_length
+
         # see: https://github.com/opencontainers/distribution-spec/blob/main/spec.md#checking-if-content-exists-in-the-registry
         head :ok
       else
         render body: manifest.content
       end
+    rescue ActionPolicy::Unauthorized
+      # FIXME(ezekg) docker expects a 401 Unauthorized response with an WWW-Authenticate
+      #              challenge, so unfortunately, we can't return a 404 here like we
+      #              usually do for unauthorized requests (so as not to leak data).
+      if current_bearer.nil?
+        render_unauthorized(code: 'UNAUTHORIZED')
+      else
+        render_forbidden(code: 'DENIED')
+      end
     end
 
     private
@@ -44,10 +56,11 @@ def show
     def require_ee! = super(entitlements: %i[oci_engine])
 
     def set_package
-      scoped_packages = authorized_scope(current_account.release_packages.oci)
-                          .where_assoc_exists(
-                            :manifests, # must exist
-                          )
+      # NOTE(ezekg) see above comment i.r.t. docker authentication on why we're
+      #             skipping authorized_scope here and elsewhere
+      scoped_packages = current_account.release_packages.oci.where_assoc_exists(
+                          :manifests, # must exist
+                        )
 
       @package = Current.resource = FindByAliasService.call(
         scoped_packages,

app/controllers/api/v1/release_engines/oci/tags_controller.rb

@@ -22,6 +22,15 @@ def index
         name: package.key,
         tags:,
       }
+    rescue ActionPolicy::Unauthorized
+      # FIXME(ezekg) docker expects a 401 Unauthorized response with an WWW-Authenticate
+      #              challenge, so unfortunately, we can't return a 404 here like we
+      #              usually do for unauthorized requests (so as not to leak data).
+      if current_bearer.nil?
+        render_unauthorized(code: 'UNAUTHORIZED')
+      else
+        render_forbidden(code: 'DENIED')
+      end
     end
 
     private
@@ -31,7 +40,9 @@ def index
     def require_ee! = super(entitlements: %i[oci_engine])
 
     def set_package
-      scoped_packages = authorized_scope(current_account.release_packages.oci)
+      # NOTE(ezekg) see above comment i.r.t. docker authentication on why we're
+      #             skipping authorized_scope here
+      scoped_packages = current_account.release_packages.oci
 
       @package = Current.resource = FindByAliasService.call(
         scoped_packages,

app/controllers/application_controller.rb

@@ -107,7 +107,16 @@ def render_forbidden(**kwargs)
   def render_unauthorized(**kwargs)
     skip_verify_authorized!
 
-    self.headers['WWW-Authenticate'] = %(Bearer realm="keygen")
+    # FIXME(ezekg) docker wants to do a jwt token dance unless we stick to a basic
+    #              auth scheme (which is fine since our basic auth scheme only
+    #              supports license keys and tokens, not passwords!)
+    default_challenge_scheme = oci? ? 'Basic' : 'Bearer'
+
+    challenge_scheme = authentication_scheme&.capitalize || default_challenge_scheme
+    challenge_realm  = 'keygen'
+    challenge        = %(#{challenge_scheme} realm="#{challenge_realm}")
+
+    response.headers['WWW-Authenticate'] = challenge
 
     respond_to do |format|
       format.any {
@@ -567,6 +576,8 @@ def rescue_from_exceptions
     )
   end
 
+  def oci? = request.subdomain == 'oci.pkg'
+
   def prefers?(preference)
     preferences = request.headers.fetch('Prefer') { request.query_parameters.fetch(:prefer, '').to_s }
                                  .split(',')

app/models/release_package.rb

@@ -115,6 +115,10 @@ class ReleasePackage < ApplicationRecord
     to: :engine,
     allow_nil: true
 
+  delegate :open?, :closed?, :licensed?,
+    to: :product,
+    allow_nil: true
+
   def engine_id? = release_engine_id?
   def engine_id  = release_engine_id
   def engine_id=(id)

app/policies/product_policy.rb

@@ -30,9 +30,9 @@ def index?
     case bearer
     in role: Role(:admin | :developer | :sales_agent | :support_agent | :read_only | :environment)
       allow!
-    in role: Role(:user) if record.all? { _1.open? || _1.id.in?(bearer.product_ids) }
+    in role: Role(:user) if record.all? { _1.open? || _1.licensed? && _1.id.in?(bearer.product_ids) }
       allow!
-    in role: Role(:license) if record.all? { _1.open? || _1 == bearer.product }
+    in role: Role(:license) if record.all? { _1.open? || _1.licensed? && _1 == bearer.product }
       allow!
     else
       deny!
@@ -50,9 +50,9 @@ def show?
       allow!
     in role: Role(:product) if record == bearer
       allow!
-    in role: Role(:user) if record.open? || bearer.products.exists?(record.id)
+    in role: Role(:user) if record.open? || record.licensed? && bearer.products.exists?(record.id)
       allow!
-    in role: Role(:license) if record.open? || record == bearer.product
+    in role: Role(:license) if record.open? || record.licensed? && record == bearer.product
       allow!
     else
       deny!

app/policies/products/release_artifact_policy.rb

@@ -21,8 +21,10 @@ def index?
         allow? :index, record, skip_verify_permissions: true, with: ::ReleaseArtifactPolicy
       in role: Role(:license) if product.open? || product == bearer.product
         allow? :index, record, skip_verify_permissions: true, with: ::ReleaseArtifactPolicy
+      in nil if product.open? && record.none?(&:constraints?)
+        allow!
       else
-        product.open? && record.none?(&:constraints?)
+        deny!
       end
     end
 
@@ -41,8 +43,10 @@ def show?
         allow? :show, record, skip_verify_permissions: true, with: ::ReleaseArtifactPolicy
       in role: Role(:license) if product.open? || product == bearer.product
         allow? :show, record, skip_verify_permissions: true, with: ::ReleaseArtifactPolicy
+      in nil if product.open? && record.constraints.none?
+        allow!
       else
-        product.open? && record.constraints.none?
+        deny!
       end
     end
   end

app/policies/products/release_policy.rb

@@ -21,8 +21,10 @@ def index?
         allow? :index, record, skip_verify_permissions: true, with: ::ReleasePolicy
       in role: Role(:license) if product.open? || product == bearer.product
         allow? :index, record, skip_verify_permissions: true, with: ::ReleasePolicy
+      in nil if product.open? && record.none?(&:constraints?)
+        allow!
       else
-        product.open? && record.none?(&:constraints?)
+        deny!
       end
     end
 
@@ -41,8 +43,10 @@ def show?
         allow? :show, record, skip_verify_permissions: true, with: ::ReleasePolicy
       in role: Role(:license) if product.open? || product == bearer.product
         allow? :show, record, skip_verify_permissions: true, with: ::ReleasePolicy
+      in nil if product.open? && record.constraints.none?
+        allow!
       else
-        product.open? && record.constraints.none?
+        deny!
       end
     end
   end

app/policies/release_package_policy.rb

@@ -34,12 +34,14 @@ def index?
       allow!
     in role: Role(:product) if record.all? { _1.product == bearer }
       allow!
-    in role: Role(:user) if record.all? { _1.product.open? || _1.product_id.in?(bearer.product_ids) }
+    in role: Role(:user) if record.all? { _1.open? || _1.licensed? && _1.product_id.in?(bearer.product_ids) }
       allow!
-    in role: Role(:license) if record.all? { _1.product.open? || _1.product == bearer.product }
+    in role: Role(:license) if record.all? { _1.open? || _1.licensed? && _1.product == bearer.product }
+      allow!
+    in nil if record.all?(&:open?)
       allow!
     else
-      record.all? { _1.product.open? }
+      deny!
     end
   end
 
@@ -54,12 +56,14 @@ def show?
       allow!
     in role: Role(:product) if record.product == bearer
       allow!
-    in role: Role(:user) if record.product.open? || bearer.products.exists?(record.product_id)
+    in role: Role(:user) if record.open? || record.licensed? && bearer.products.exists?(record.product_id)
       allow!
-    in role: Role(:license) if record.product.open? || record.product == bearer.product
+    in role: Role(:license) if record.open? || record.licensed? && record.product == bearer.product
+      allow!
+    in nil if record.open?
       allow!
     else
-      record.product.open?
+      deny!
     end
   end
 

config/routes.rb

@@ -664,8 +664,9 @@
     scope module: 'api/v1/release_engines', constraints: { subdomain: 'oci.pkg' } do
       # NOTE(ezekg) /v2 namespace is handled here because docker wants it at the root...
       scope :v2 do
+        # see: https://github.com/distribution/distribution/blob/main/docs/content/spec/api.md#api-version-check
         # see: https://github.com/opencontainers/distribution-spec/blob/main/spec.md#endpoints
-        match '/', via: %i[head get], to: -> env { [200, {}, []] }
+        match '/', via: %i[head get], to: -> env { [200, {'Docker-Distribution-Api-Version': 'registry/2.0'}, []] }
 
         case
         when Keygen.multiplayer?