Skip to content

Commit

Permalink
fix(core): provider do_request to maintain verify in all request, bas…
Browse files Browse the repository at this point in the history
…ic headers (#145)

* fix(core): provider do_request to maintain verify in all request
* basic headers maintenance
* add test case
* amending test for GHA setup
* add CHANGELOG entry
* use tls_verify also for login for consistency

Signed-off-by: tarilabs <matteo.mortari@gmail.com>
  • Loading branch information
tarilabs authored Jun 25, 2024
1 parent b8c4885 commit caf8db5
Show file tree
Hide file tree
Showing 5 changed files with 55 additions and 10 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/auth-tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,13 @@ jobs:
registry_port: 5000
with_auth: true
REGISTRY_AUTH: "{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}"
REGISTRY_HTTP_TLS_CERTIFICATE: "/etc/docker/registry/server.cert"
REGISTRY_HTTP_TLS_KEY: "/etc/docker/registry/server.key"
REGISTRY_STORAGE_DELETE_ENABLED: "true"
run: |
htpasswd -cB -b auth.htpasswd myuser mypass
cp auth.htpasswd /etc/docker/registry/auth.htpasswd
apk add openssl
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/docker/registry/server.key -x509 -days 365 -subj "/C=IT/ST=Lombardy/L=Milan/O=Acme Org/OU=IT Department/CN=example.com" -out /etc/docker/registry/server.cert
registry serve /etc/docker/registry/config.yml & sleep 5
echo $PWD && ls $PWD && make test
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ The versions coincide with releases on pip. Only major versions will be released

## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x)
- refactor of auth to be provided by backend modules (0.2.0)
- bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers
- Allow generating a Subject from a pre-existing Manifest (0.1.30)
- add option to not refresh headers during the pushing flow, useful for push with basic auth (0.1.29)
- enable additionalProperties in schema validation (0.1.28)
Expand Down
6 changes: 5 additions & 1 deletion oras/auth/basic.py
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,8 @@ def authenticate_request(
:param originalResponse: original response to get the Www-Authenticate header
:type originalResponse: requests.Response
"""
return self.get_auth_header(), True
result = {}
if headers is not None:
result.update(headers)
result.update(self.get_auth_header())
return result, True
20 changes: 12 additions & 8 deletions oras/provider.py
Original file line number Diff line number Diff line change
Expand Up @@ -953,18 +953,22 @@ def do_request(
json=json,
headers=headers,
stream=stream,
verify=self._tls_verify,
)

# One retry if 403 denied (need new token?)
if response.status_code == 403:
headers, changed = self.auth.authenticate_request(
response, headers, refresh=True
)
return self.session.request(
method,
url,
data=data,
json=json,
headers=headers,
stream=stream,
)
response = self.session.request(
method,
url,
data=data,
json=json,
headers=headers,
stream=stream,
verify=self._tls_verify,
)

return response
34 changes: 33 additions & 1 deletion oras/tests/test_oras.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,10 @@ def test_login_logout(registry, credentials):
"""
Login and logout are all we can test with basic auth!
"""
client = oras.client.OrasClient(hostname=registry, insecure=True)
client = oras.client.OrasClient(hostname=registry, tls_verify=False)
res = client.login(
hostname=registry,
tls_verify=False,
username=credentials.user,
password=credentials.password,
)
Expand Down Expand Up @@ -158,3 +159,34 @@ def test_directory_push_pull(tmp_path, registry, credentials, target_dir):
assert str(tmp_path) in files[0]
assert os.path.exists(files[0])
assert "artifact.txt" in os.listdir(files[0])


@pytest.mark.with_auth(True)
def test_directory_push_pull_selfsigned_auth(
tmp_path, registry, credentials, target_dir
):
"""
Test push and pull for directory using a self-signed cert registry (`tls_verify=False`) and basic auth (`auth_backend="basic"`)
"""
client = oras.client.OrasClient(
hostname=registry, tls_verify=False, auth_backend="basic"
)
res = client.login(
hostname=registry,
tls_verify=False,
username=credentials.user,
password=credentials.password,
)
assert res["Status"] == "Login Succeeded"

# Test upload of a directory
upload_dir = os.path.join(here, "upload_data")
res = client.push(files=[upload_dir], target=target_dir)
assert res.status_code == 201
files = client.pull(target=target_dir, outdir=tmp_path)

assert len(files) == 1
assert os.path.basename(files[0]) == "upload_data"
assert str(tmp_path) in files[0]
assert os.path.exists(files[0])
assert "artifact.txt" in os.listdir(files[0])

0 comments on commit caf8db5

Please sign in to comment.