From fb9aa78f75342bd65da3c8e74cdc38582d5658c3 Mon Sep 17 00:00:00 2001 From: Wenkai Yin Date: Wed, 7 Dec 2016 18:20:25 +0800 Subject: [PATCH] do not add the authentication header to requests which are not sent to registry --- src/common/utils/registry/auth/authorizer.go | 28 +++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/src/common/utils/registry/auth/authorizer.go b/src/common/utils/registry/auth/authorizer.go index 325beb47f..1ca465664 100644 --- a/src/common/utils/registry/auth/authorizer.go +++ b/src/common/utils/registry/auth/authorizer.go @@ -18,6 +18,8 @@ package auth import ( "fmt" "net/http" + "net/url" + "strings" "time" au "github.com/docker/distribution/registry/client/auth" @@ -37,6 +39,7 @@ type Authorizer interface { // And it implements interface Modifier type AuthorizerStore struct { authorizers []Authorizer + ping *url.URL challenges []au.Challenge } @@ -49,15 +52,21 @@ func NewAuthorizerStore(endpoint string, insecure bool, authorizers ...Authorize Timeout: 30 * time.Second, } - resp, err := client.Get(buildPingURL(endpoint)) + pingURL := buildPingURL(endpoint) + resp, err := client.Get(pingURL) if err != nil { return nil, err } defer resp.Body.Close() challenges := ParseChallengeFromResponse(resp) + ping, err := url.Parse(pingURL) + if err != nil { + return nil, err + } return &AuthorizerStore{ authorizers: authorizers, + ping: ping, challenges: challenges, }, nil } @@ -68,6 +77,23 @@ func buildPingURL(endpoint string) string { // Modify adds authorization to the request func (a *AuthorizerStore) Modify(req *http.Request) error { + //only handle the requests sent to registry + v2Index := strings.Index(req.URL.Path, "/v2/") + if v2Index == -1 { + return nil + } + + ping := url.URL{ + Host: req.URL.Host, + Scheme: req.URL.Scheme, + Path: req.URL.Path[:v2Index+4], + } + + if ping.Host != a.ping.Host || ping.Scheme != a.ping.Scheme || + ping.Path != a.ping.Path { + return nil + } + for _, challenge := range a.challenges { for _, authorizer := range a.authorizers { if authorizer.Scheme() == challenge.Scheme {