Allow checking credentials for image imports against repo url, not ju…

…st passed url
openshift · Jun 23, 2017 · d236486 · d236486
1 parent c3c286b
commit d236486
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/pkg/image/importer/client.go b/pkg/image/importer/client.go
@@ -104,6 +104,15 @@ func (r *repositoryRetriever) Repository(ctx gocontext.Context, registry *url.UR
 		}
 	}
 
+	// Our credential store is given an address against which authorization happens.
+	// Sometimes, that address will be different than the repository, thus requiring
+	// users to create 2 secrets (one for repo and another for authn). We are
+	// setting the original address of the repo for the credential store to check
+	// both.
+	if scs, ok := r.credentials.(*SecretCredentialStore); ok {
+		scs.SetOrigin(&src)
+	}
+
 	rt := transport.NewTransport(
 		t,
 		// TODO: slightly smarter authorizer that retries unauthenticated requests

diff --git a/pkg/image/importer/credentials.go b/pkg/image/importer/credentials.go
@@ -82,7 +82,7 @@ type keyringCredentialStore struct {
 }
 
 func (s *keyringCredentialStore) Basic(url *url.URL) (string, string) {
-	return basicCredentialsFromKeyring(s.DockerKeyring, url)
+	return basicCredentialsFromKeyring(s.DockerKeyring, url, nil)
 }
 
 func (s *keyringCredentialStore) RefreshToken(url *url.URL, service string) string {
@@ -102,14 +102,15 @@ func NewLazyCredentialsForSecrets(secretsFn func() ([]kapi.Secret, error)) *Secr
 
 type SecretCredentialStore struct {
 	lock      sync.Mutex
+	origin    *url.URL
 	secrets   []kapi.Secret
 	secretsFn func() ([]kapi.Secret, error)
 	err       error
 	keyring   credentialprovider.DockerKeyring
 }
 
 func (s *SecretCredentialStore) Basic(url *url.URL) (string, string) {
-	return basicCredentialsFromKeyring(s.init(), url)
+	return basicCredentialsFromKeyring(s.init(), url, s.origin)
 }
 
 func (s *SecretCredentialStore) RefreshToken(url *url.URL, service string) string {
@@ -119,6 +120,12 @@ func (s *SecretCredentialStore) RefreshToken(url *url.URL, service string) strin
 func (s *SecretCredentialStore) SetRefreshToken(url *url.URL, service string, token string) {
 }
 
+func (s *SecretCredentialStore) SetOrigin(url *url.URL) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	s.origin = url
+}
+
 func (s *SecretCredentialStore) Err() error {
 	s.lock.Lock()
 	defer s.lock.Unlock()
@@ -158,7 +165,7 @@ func (s *SecretCredentialStore) init() credentialprovider.DockerKeyring {
 	return keyring
 }
 
-func basicCredentialsFromKeyring(keyring credentialprovider.DockerKeyring, target *url.URL) (string, string) {
+func basicCredentialsFromKeyring(keyring credentialprovider.DockerKeyring, target *url.URL, origin *url.URL) (string, string) {
 	// TODO: compare this logic to Docker authConfig in v2 configuration
 	value := target.Host + target.Path
 
@@ -176,12 +183,17 @@ func basicCredentialsFromKeyring(keyring credentialprovider.DockerKeyring, targe
 		// do a special case check for docker.io to match historical lookups when we respond to a challenge
 		if value == "auth.docker.io/token" {
 			glog.V(5).Infof("Being asked for %s, trying %s for legacy behavior", target, "index.docker.io/v1")
-			return basicCredentialsFromKeyring(keyring, &url.URL{Host: "index.docker.io", Path: "/v1"})
+			return basicCredentialsFromKeyring(keyring, &url.URL{Host: "index.docker.io", Path: "/v1"}, nil)
 		}
 		// docker 1.9 saves 'docker.io' in config in f23, see https://bugzilla.redhat.com/show_bug.cgi?id=1309739
 		if value == "index.docker.io" {
 			glog.V(5).Infof("Being asked for %s, trying %s for legacy behavior", target, "docker.io")
-			return basicCredentialsFromKeyring(keyring, &url.URL{Host: "docker.io"})
+			return basicCredentialsFromKeyring(keyring, &url.URL{Host: "docker.io"}, nil)
+		}
+		// try origin url, if it's different than target
+		if origin != nil && origin.String() != target.String() {
+			glog.V(5).Infof("Trying origin %s, since it's different than target %s", origin, target)
+			return basicCredentialsFromKeyring(keyring, origin, nil)
 		}
 		glog.V(5).Infof("Unable to find a secret to match %s (%s)", target, value)
 		return "", ""