Properly handle container registry redirects to fix metadata stored on a S3 backend

The previous behavior would include the Authorization header, which would make fetching an S3 blob fail quietly. Closes #22403 Update sh-fix-container-registry-s3-redirects.yml
2017-05-16 22:51:56 -07:00 · 2017-05-16 22:51:56 -07:00 · 831d6f5f77
parent 39baadbd01
commit 831d6f5f77
4 changed files with 54 additions and 5 deletions
--- a/changelogs/unreleased/sh-fix-container-registry-s3-redirects.yml
+++ b/changelogs/unreleased/sh-fix-container-registry-s3-redirects.yml
@ -0,0 +1,4 @@
+---
+title: Properly handle container registry redirects to fix metadata stored on a S3 backend
+merge_request:
+author:
--- a/lib/container_registry/client.rb
+++ b/lib/container_registry/client.rb
@ -75,10 +75,7 @@ module ContainerRegistry
    def redirect_response(location)
      return unless location

-      # We explicitly remove authorization token
-      faraday_blob.get(location) do |req|
-        req['Authorization'] = ''
-      end
+      faraday_redirect.get(location)
    end

    def faraday
@ -93,5 +90,14 @@ module ContainerRegistry
        initialize_connection(conn, @options)
      end
    end
+
+    # Create a new request to make sure the Authorization header is not inserted
+    # via the Faraday middleware
+    def faraday_redirect
+      @faraday_redirect ||= Faraday.new(@base_uri) do |conn|
+        conn.request :json
+        conn.adapter :net_http
+      end
+    end
  end
 end
--- a/spec/lib/container_registry/blob_spec.rb
+++ b/spec/lib/container_registry/blob_spec.rb
@ -98,7 +98,7 @@ describe ContainerRegistry::Blob do
      context 'for a valid address' do
        before do
          stub_request(:get, location).
-            with(headers: { 'Authorization' => nil }).
+            with { |request| !request.headers.include?('Authorization') }.
            to_return(
              status: 200,
              headers: { 'Content-Type' => 'application/json' },
--- a/spec/lib/container_registry/client_spec.rb
+++ b/spec/lib/container_registry/client_spec.rb
@ -0,0 +1,39 @@
+# coding: utf-8
+require 'spec_helper'
+
+describe ContainerRegistry::Client do
+  let(:token) { '12345' }
+  let(:options) { { token: token } }
+  let(:client) { described_class.new("http://container-registry", options) }
+
+  describe '#blob' do
+    it 'GET /v2/:name/blobs/:digest' do
+      stub_request(:get, "http://container-registry/v2/group/test/blobs/sha256:0123456789012345").
+        with(headers: {
+               'Accept' => 'application/octet-stream',
+               'Authorization' => "bearer #{token}"
+             }).
+        to_return(status: 200, body: "Blob")
+
+      expect(client.blob('group/test', 'sha256:0123456789012345')).to eq('Blob')
+    end
+
+    it 'follows 307 redirect for GET /v2/:name/blobs/:digest' do
+      stub_request(:get, "http://container-registry/v2/group/test/blobs/sha256:0123456789012345").
+        with(headers: {
+               'Accept' => 'application/octet-stream',
+               'Authorization' => "bearer #{token}"
+             }).
+        to_return(status: 307, body: "", headers: { Location: 'http://redirected' })
+      # We should probably use hash_excluding here, but that requires an update to WebMock:
+      # https://github.com/bblimke/webmock/blob/master/lib/webmock/matchers/hash_excluding_matcher.rb
+      stub_request(:get, "http://redirected/").
+        with { |request| !request.headers.include?('Authorization') }.
+        to_return(status: 200, body: "Successfully redirected")
+
+      response = client.blob('group/test', 'sha256:0123456789012345')
+
+      expect(response).to eq('Successfully redirected')
+    end
+  end
+end