Commit 831d6f5f authored by Stan Hu's avatar Stan Hu

Properly handle container registry redirects to fix metadata stored on a S3 backend

The previous behavior would include the Authorization header, which would
make fetching an S3 blob fail quietly.

Closes #22403

Update sh-fix-container-registry-s3-redirects.yml
parent 39baadbd
---
title: Properly handle container registry redirects to fix metadata stored on a S3 backend
merge_request:
author:
...@@ -75,10 +75,7 @@ module ContainerRegistry ...@@ -75,10 +75,7 @@ module ContainerRegistry
def redirect_response(location) def redirect_response(location)
return unless location return unless location
# We explicitly remove authorization token faraday_redirect.get(location)
faraday_blob.get(location) do |req|
req['Authorization'] = ''
end
end end
def faraday def faraday
...@@ -93,5 +90,14 @@ module ContainerRegistry ...@@ -93,5 +90,14 @@ module ContainerRegistry
initialize_connection(conn, @options) initialize_connection(conn, @options)
end end
end end
# Create a new request to make sure the Authorization header is not inserted
# via the Faraday middleware
def faraday_redirect
@faraday_redirect ||= Faraday.new(@base_uri) do |conn|
conn.request :json
conn.adapter :net_http
end
end
end end
end end
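Review bot: `redirect_response` hands the `Location` value to `faraday_redirect.get(location)` unchecked, so the client will request whatever URL the registry response names, including non-HTTP(S) schemes or internal hosts if that response can be influenced. A small guard after the nil check would bound this, e.g. `return unless %w[http https].include?(URI.parse(location).scheme)`. The new connection also skips `initialize_connection(conn, @options)`; that keeps the bearer token off the redirected request, but it presumably drops anything else that helper configures (its body is outside these hunks), so confirm nothing such as timeouts is lost. The comment above `faraday_redirect` could state the reason as well as the mechanism, for example `# The redirect target (e.g. S3) is a different host: it rejects the request if Authorization is present, and the registry token should not be sent to it`.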
...@@ -98,7 +98,7 @@ describe ContainerRegistry::Blob do ...@@ -98,7 +98,7 @@ describe ContainerRegistry::Blob do
context 'for a valid address' do context 'for a valid address' do
before do before do
stub_request(:get, location). stub_request(:get, location).
with(headers: { 'Authorization' => nil }). with { |request| !request.headers.include?('Authorization') }.
to_return( to_return(
status: 200, status: 200,
headers: { 'Content-Type' => 'application/json' }, headers: { 'Content-Type' => 'application/json' },
......
# coding: utf-8
require 'spec_helper'
describe ContainerRegistry::Client do
let(:token) { '12345' }
let(:options) { { token: token } }
let(:client) { described_class.new("http://container-registry", options) }
describe '#blob' do
it 'GET /v2/:name/blobs/:digest' do
stub_request(:get, "http://container-registry/v2/group/test/blobs/sha256:0123456789012345").
with(headers: {
'Accept' => 'application/octet-stream',
'Authorization' => "bearer #{token}"
}).
to_return(status: 200, body: "Blob")
expect(client.blob('group/test', 'sha256:0123456789012345')).to eq('Blob')
end
it 'follows 307 redirect for GET /v2/:name/blobs/:digest' do
stub_request(:get, "http://container-registry/v2/group/test/blobs/sha256:0123456789012345").
with(headers: {
'Accept' => 'application/octet-stream',
'Authorization' => "bearer #{token}"
}).
to_return(status: 307, body: "", headers: { Location: 'http://redirected' })
# We should probably use hash_excluding here, but that requires an update to WebMock:
# https://github.com/bblimke/webmock/blob/master/lib/webmock/matchers/hash_excluding_matcher.rb
stub_request(:get, "http://redirected/").
with { |request| !request.headers.include?('Authorization') }.
to_return(status: 200, body: "Successfully redirected")
response = client.blob('group/test', 'sha256:0123456789012345')
expect(response).to eq('Successfully redirected')
end
end
end