1. record the local time when token is issued to avoid the mismatch of time for client and registry 2.recover the env variable

2024-06-26 14:55:06 +02:00 · 2016-09-09 18:08:20 +08:00 · 2016-09-09 18:08:20 +08:00 · f77485b926
commit f77485b926
parent b695424881
2 changed files with 17 additions and 12 deletions
--- a/Deploy/templates/ui/env
+++ b/Deploy/templates/ui/env
@ -17,6 +17,7 @@ LDAP_FILTER=$ldap_filter
 LDAP_UID=$ldap_uid
 LDAP_SCOPE=$ldap_scope
 UI_SECRET=$ui_secret
+SECRET_KEY=$secret_key
 SELF_REGISTRATION=$self_registration
 USE_COMPRESSED_JS=$use_compressed_js
 LOG_LEVEL=debug
--- a/utils/registry/auth/tokenauthorizer.go
+++ b/utils/registry/auth/tokenauthorizer.go
@ -32,6 +32,10 @@ import (
 	registry_error "github.com/vmware/harbor/utils/registry/error"
 )

+const (
+	latency int = 10 //second, the network latency when token is received
+)
+
 type scope struct {
 	Type    string
 	Name    string
@ -49,8 +53,7 @@ type tokenAuthorizer struct {
 	scope     *scope
 	tg        tokenGenerator
 	cache     string     // cached token
-	expiresIn int        // The duration in seconds since the token was issued that it will remain valid
-	issuedAt  *time.Time // The RFC3339-serialized UTC standard time at which a given token was issued
+	expiresAt *time.Time // The UTC standard time at when the token will expire
 	sync.Mutex
 }

@ -83,10 +86,10 @@ func (t *tokenAuthorizer) Authorize(req *http.Request, params map[string]string)

 	expired := true

-	cachedToken, cachedExpiredIn, cachedIssuedAt := t.getCachedToken()
+	cachedToken, cachedExpiredAt := t.getCachedToken()

-	if len(cachedToken) != 0 && cachedExpiredIn != 0 && cachedIssuedAt != nil {
-		expired = cachedIssuedAt.Add(time.Duration(cachedExpiredIn) * time.Second).Before(time.Now().UTC())
+	if len(cachedToken) != 0 && cachedExpiredAt != nil {
+		expired = cachedExpiredAt.Before(time.Now().UTC())
 	}

 	if expired || hasFrom {
@ -94,14 +97,14 @@ func (t *tokenAuthorizer) Authorize(req *http.Request, params map[string]string)
 		for _, scope := range scopes {
 			scopeStrs = append(scopeStrs, scope.string())
 		}
-		to, expiresIn, issuedAt, err := t.tg(params["realm"], params["service"], scopeStrs)
+		to, expiresIn, _, err := t.tg(params["realm"], params["service"], scopeStrs)
 		if err != nil {
 			return err
 		}
 		token = to

 		if !hasFrom {
-			t.updateCachedToken(to, expiresIn, issuedAt)
+			t.updateCachedToken(to, expiresIn)
 		}
 	} else {
 		token = cachedToken
@ -112,18 +115,19 @@ func (t *tokenAuthorizer) Authorize(req *http.Request, params map[string]string)
 	return nil
 }

-func (t *tokenAuthorizer) getCachedToken() (string, int, *time.Time) {
+func (t *tokenAuthorizer) getCachedToken() (string, *time.Time) {
 	t.Lock()
 	defer t.Unlock()
-	return t.cache, t.expiresIn, t.issuedAt
+	return t.cache, t.expiresAt
 }

-func (t *tokenAuthorizer) updateCachedToken(token string, expiresIn int, issuedAt *time.Time) {
+func (t *tokenAuthorizer) updateCachedToken(token string, expiresIn int) {
 	t.Lock()
 	defer t.Unlock()
 	t.cache = token
-	t.expiresIn = expiresIn
-	t.issuedAt = issuedAt
+	n := (time.Duration)(expiresIn - latency)
+	e := time.Now().Add(n * time.Second).UTC()
+	t.expiresAt = &e
 }

 // Implements interface Authorizer