| package distribution |
| |
| import ( |
| "fmt" |
| "io/ioutil" |
| "net/http" |
| "net/http/httptest" |
| "net/url" |
| "os" |
| "runtime" |
| "strings" |
| "testing" |
| |
| "github.com/Sirupsen/logrus" |
| "github.com/docker/distribution/reference" |
| "github.com/docker/docker/api/types" |
| registrytypes "github.com/docker/docker/api/types/registry" |
| "github.com/docker/docker/pkg/archive" |
| "github.com/docker/docker/pkg/stringid" |
| "github.com/docker/docker/registry" |
| "golang.org/x/net/context" |
| ) |
| |
| const secretRegistryToken = "mysecrettoken" |
| |
| type tokenPassThruHandler struct { |
| reached bool |
| gotToken bool |
| shouldSend401 func(url string) bool |
| } |
| |
| func (h *tokenPassThruHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
| h.reached = true |
| if strings.Contains(r.Header.Get("Authorization"), secretRegistryToken) { |
| logrus.Debug("Detected registry token in auth header") |
| h.gotToken = true |
| } |
| if h.shouldSend401 == nil || h.shouldSend401(r.RequestURI) { |
| w.Header().Set("WWW-Authenticate", `Bearer realm="foorealm"`) |
| w.WriteHeader(401) |
| } |
| } |
| |
| func testTokenPassThru(t *testing.T, ts *httptest.Server) { |
| tmp, err := testDirectory("") |
| if err != nil { |
| t.Fatal(err) |
| } |
| defer os.RemoveAll(tmp) |
| |
| uri, err := url.Parse(ts.URL) |
| if err != nil { |
| t.Fatalf("could not parse url from test server: %v", err) |
| } |
| |
| endpoint := registry.APIEndpoint{ |
| Mirror: false, |
| URL: uri, |
| Version: 2, |
| Official: false, |
| TrimHostname: false, |
| TLSConfig: nil, |
| } |
| n, _ := reference.ParseNormalizedNamed("testremotename") |
| repoInfo := ®istry.RepositoryInfo{ |
| Name: n, |
| Index: ®istrytypes.IndexInfo{ |
| Name: "testrepo", |
| Mirrors: nil, |
| Secure: false, |
| Official: false, |
| }, |
| Official: false, |
| } |
| imagePullConfig := &ImagePullConfig{ |
| Config: Config{ |
| MetaHeaders: http.Header{}, |
| AuthConfig: &types.AuthConfig{ |
| RegistryToken: secretRegistryToken, |
| }, |
| }, |
| Schema2Types: ImageTypes, |
| } |
| puller, err := newPuller(endpoint, repoInfo, imagePullConfig) |
| if err != nil { |
| t.Fatal(err) |
| } |
| p := puller.(*v2Puller) |
| ctx := context.Background() |
| p.repo, _, err = NewV2Repository(ctx, p.repoInfo, p.endpoint, p.config.MetaHeaders, p.config.AuthConfig, "pull") |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| logrus.Debug("About to pull") |
| // We expect it to fail, since we haven't mock'd the full registry exchange in our handler above |
| tag, _ := reference.WithTag(n, "tag_goes_here") |
| _ = p.pullV2Repository(ctx, tag) |
| } |
| |
| func TestTokenPassThru(t *testing.T) { |
| handler := &tokenPassThruHandler{shouldSend401: func(url string) bool { return url == "/v2/" }} |
| ts := httptest.NewServer(handler) |
| defer ts.Close() |
| |
| testTokenPassThru(t, ts) |
| |
| if !handler.reached { |
| t.Fatal("Handler not reached") |
| } |
| if !handler.gotToken { |
| t.Fatal("Failed to receive registry token") |
| } |
| } |
| |
| func TestTokenPassThruDifferentHost(t *testing.T) { |
| handler := new(tokenPassThruHandler) |
| ts := httptest.NewServer(handler) |
| defer ts.Close() |
| |
| tsredirect := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { |
| if r.RequestURI == "/v2/" { |
| w.Header().Set("WWW-Authenticate", `Bearer realm="foorealm"`) |
| w.WriteHeader(401) |
| return |
| } |
| http.Redirect(w, r, ts.URL+r.URL.Path, http.StatusMovedPermanently) |
| })) |
| defer tsredirect.Close() |
| |
| testTokenPassThru(t, tsredirect) |
| |
| if !handler.reached { |
| t.Fatal("Handler not reached") |
| } |
| if handler.gotToken { |
| t.Fatal("Redirect should not forward Authorization header to another host") |
| } |
| } |
| |
| // testDirectory creates a new temporary directory and returns its path. |
| // The contents of directory at path `templateDir` is copied into the |
| // new directory. |
| func testDirectory(templateDir string) (dir string, err error) { |
| testID := stringid.GenerateNonCryptoID()[:4] |
| prefix := fmt.Sprintf("docker-test%s-%s-", testID, getCallerName(2)) |
| if prefix == "" { |
| prefix = "docker-test-" |
| } |
| dir, err = ioutil.TempDir("", prefix) |
| if err = os.Remove(dir); err != nil { |
| return |
| } |
| if templateDir != "" { |
| if err = archive.CopyWithTar(templateDir, dir); err != nil { |
| return |
| } |
| } |
| return |
| } |
| |
| // getCallerName introspects the call stack and returns the name of the |
| // function `depth` levels down in the stack. |
| func getCallerName(depth int) string { |
| // Use the caller function name as a prefix. |
| // This helps trace temp directories back to their test. |
| pc, _, _, _ := runtime.Caller(depth + 1) |
| callerLongName := runtime.FuncForPC(pc).Name() |
| parts := strings.Split(callerLongName, ".") |
| callerShortName := parts[len(parts)-1] |
| return callerShortName |
| } |