Revert "Revert "Enable POST method support for token fetch""

This reverts commit fac9fa17ac.

Depends-On: https://review.opendev.org/703263
Change-Id: I895fa04f593852beff58c3949d15aaf5688ff26c
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Lin Shuicheng 2020-01-19 01:57:37 +00:00
parent fac9fa17ac
commit 8dc1c0a1da
2 changed files with 30 additions and 12 deletions


@ -16,8 +16,8 @@ import (
"github.com/docker/distribution/context"
"github.com/docker/distribution/registry/auth"
"github.com/gophercloud/gophercloud"
"github.com/gophercloud/gophercloud/openstack"
"github.com/gophercloud/gophercloud"
"github.com/gophercloud/gophercloud/openstack"
)
type accessController struct {
@ -57,9 +57,9 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
opts := gophercloud.AuthOptions{
IdentityEndpoint: ac.endpoint,
Username: username,
Password: password,
DomainID: "default",
Username: username,
Password: password,
DomainID: "default",
}
if _, err := openstack.AuthenticatedClient(opts); err != nil {
@ -73,6 +73,25 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil
}
// AuthenticateUser checks a given user:password credential by keystone.
// If the check passes, nil is returned.
func (ac *accessController) AuthenticateUser(username string, password string) error {
opts := gophercloud.AuthOptions{
IdentityEndpoint: ac.endpoint,
Username: username,
Password: password,
DomainID: "default",
}
if _, err := openstack.AuthenticatedClient(opts); err != nil {
context.GetLogger(context.Background()).Errorf("error authenticating user %q: %v", username, err)
return auth.ErrAuthenticationFailure
}
return nil
}
// challenge implements the auth.Challenge interface.
type challenge struct {
realm string
@ -93,4 +112,3 @@ func (ch challenge) Error() string {
func init() {
auth.Register("keystone", auth.InitFunc(newAccessController))
}
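Review bot: The new AuthenticateUser method (hunk `-73,6 +73,25`) repeats the AuthOptions construction and the openstack.AuthenticatedClient call that Authorized already performs in the `-57,9 +57,9` hunk, so the hard-coded `DomainID: "default"` and the failure mapping now live in two places; if Authorized's error branch (outside the hunk) maps the failure to the same auth.ErrAuthenticationFailure, it could delegate with `if err := ac.AuthenticateUser(username, password); err != nil { return nil, err }`. The new method also logs through `context.GetLogger(context.Background())`, which discards any request-scoped logging fields the caller's context carries; if the caller introduced by the Depends-On change has a context available, consider `AuthenticateUser(ctx context.Context, username, password string) error` and logging through ctx instead. Every error from AuthenticatedClient, including the identity service being unreachable, is collapsed into auth.ErrAuthenticationFailure, so the token server cannot distinguish a bad credential from a keystone outage; at minimum the doc comment should say so, e.g. `// Any failure to reach or be accepted by keystone is reported as auth.ErrAuthenticationFailure.` Authorized's body and the rest of the file are outside these hunks.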


@ -20,9 +20,9 @@ import (
"github.com/docker/distribution/context"
"github.com/docker/distribution/registry/api/errcode"
"github.com/docker/distribution/registry/auth"
_ "registry-token-server/keystone"
"github.com/docker/libtrust"
"github.com/gorilla/mux"
_ "registry-token-server/keystone"
)
var (
@ -82,8 +82,8 @@ func main() {
}
ac, err := auth.GetAccessController("keystone", map[string]interface{}{
"realm": realm,
"endpoint": keystoneEndpoint,
"realm": realm,
"endpoint": keystoneEndpoint,
})
if err != nil {
logrus.Fatalf("Error initializing access controller: %v", err)
@ -179,9 +179,9 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
for _, access := range requestedAccessList {
if access.Type == "repository" {
// filter access to repos if the user is not "admin"
// need to have a "/" at the end because it adds one at the beginning of the fcn
// probably to prevent people making accounts like "adminnot" to steal admin powers
// filter access to repos if the user is not "admin"
// need to have a "/" at the end because it adds one at the beginning of the fcn
// probably to prevent people making accounts like "adminnot" to steal admin powers
if !strings.HasPrefix(access.Name, scope) && scope != "admin/" {
context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
continue