Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle Uri-less Realms during basic auth, and fix auth lookups for hosts with ports specified #32371

Closed
wants to merge 7 commits into from
Closed

Handle Uri-less Realms during basic auth, and fix auth lookups for hosts with ports specified #32371

wants to merge 7 commits into from

Conversation

baronfel
Copy link
Member

@baronfel baronfel commented May 9, 2023

@baronfel
Add separate handling for Basic auth per Docker examples
584f760 
Basic auth can have a realm that doesn't have any of the other
parameters, and isn't itself a Uri, so for non-Uri realms we should
defer to that of the underlying registry being accessed.
@baronfel
use RegistryName to lookup auth instead of just the host
2be8690
@dotnet-issue-labeler
Copy link

I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged Request triage from a team member label May 9, 2023
@baronfel baronfel added Area-Containers Related to dotnet SDK containers functionality and removed untriaged Request triage from a team member labels May 9, 2023
@baronfel baronfel marked this pull request as ready for review May 10, 2023 21:17
@baronfel baronfel requested a review from a team as a code owner May 10, 2023 21:17
@baronfel
Copy link
Member Author

@vlada-shubina the test I made relies on docker-compose (for easier local testing), but compose isn't available on the ubuntu runner. Do you know what we can do to request that? or should I just do the long docker command that is the equivalent of the compose file?

@baronfel baronfel force-pushed the container-auth-private-local-registry branch from 906e68a to 8e093e3 Compare May 11, 2023 02:43
@baronfel baronfel mentioned this pull request Jun 23, 2023
Closed
tmds
tmds reviewed Jun 26, 2023
View reviewed changes
src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs
Comment on lines +62 to 63
if (authValues.TryGetValue("realm", out string? realm) && authValues.TryGetValue("service", out string? service))
{
Copy link
Member

@tmds tmds Jun 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (authValues.TryGetValue("realm", out string? realm) && authValues.TryGetValue("service", out string? service))
{
if (authValues.TryGetValue("realm", out string? realm))
{
string? service = null;
authValues.TryGetValue("service", out service);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes an issue with the OpenShift internal registry which doesn't include a service.

KalleOlaviNiemitalo
KalleOlaviNiemitalo reviewed Jun 26, 2023
View reviewed changes
src/Containers/Microsoft.NET.Build.Containers/AuthHandshakeMessageHandler.cs
Comment on lines +76 to +83
if (authValues.TryGetValue("realm", out string? realm))
{
if (string.IsNullOrWhiteSpace(realm) || !Uri.IsWellFormedUriString(realm, UriKind.Absolute))
{
realm = $"{requestUri.Scheme}://{registry}";
}
string? scope = null;
authInfo = new AuthInfo(new Uri(realm), string.Empty, scope);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still treats the realm as a URI if specified. RFC 7617 section 2:

The realm value is a free-form string that can only be compared for equality with other realms on that server.

RFC 7235 section 2.2:

A protection space is defined by the canonical root URI (the scheme and authority components of the effective request URI; see Section 5.5 of [RFC7230]) of the server being accessed, in combination with the realm value if present.

so, I'd expect a tuple (uri.GetLeftPart(UriPartial.Authority), realm) as a key. Docker Registry v2 Token Authentication Specification does not specify any different treatment of realm.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still treats the realm as a URI if specified

Right, it should be treated as an opaque string.

so, I'd expect a tuple (uri.GetLeftPart(UriPartial.Authority), realm) as a key.

You mean as a key for the AuthHeaderCache?

What do you think about getting rid of the static AuthHeaderCache and instead storing the AuthenticationHeaderValue directly in the AuthHandshakeMessageHandler as a field?

@tmds tmds mentioned this pull request Jul 3, 2023
Merged
@tmds
Copy link
Member

tmds commented Jul 4, 2023

#33753 supersedes this PR, and targets the main branch.

@baronfel
Copy link
Member Author

baronfel commented Jul 7, 2023

Closing in favor of #33753

@baronfel baronfel closed this Jul 7, 2023
@baronfel baronfel deleted the container-auth-private-local-registry branch July 7, 2023 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tmds tmds tmds left review comments

@KalleOlaviNiemitalo KalleOlaviNiemitalo KalleOlaviNiemitalo left review comments

Assignees
No one assigned
Labels
Area-Containers Related to dotnet SDK containers functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@baronfel @tmds @KalleOlaviNiemitalo