smart_proxy_container_gateway 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f16bba86dcd701d0d51877ed12b0c44f3c8bb86f135c18fd1babb73bbecb2b9b
-  data.tar.gz: 7dabc1909e9c578020f923f9033a34271fa085f9bb75c212fd9f55aa9f2f7cc3
+  metadata.gz: 122f380fd60f0bbfae2a98fb2b76e18f2a4f000a12df75eeb31b9f4e0fee3dba
+  data.tar.gz: 2f1e2c8e328cf132fd2fe05b4bc2aead3e02daf20f379026d9636d40bfcbf75b
 SHA512:
-  metadata.gz: fd70d4d1b20e6f9f37a9c32dd14db3935f8321e723a7a3215cf135e513e4c0d839b1b5c963918c8ce92a19a91fc5a378f23ef427bd3d48cb3a7ffc5f955a0833
-  data.tar.gz: 4ce24b3e19d43bd838e1743ff2a8a34f93e00c64ed09c2db64848e6c40640e8dde91f2fa910b0d096bbca0b8055a5f13567b4b821a66359a6b6b84352235d62a
+  metadata.gz: d00eb53ee413aa6eef7cac95f61ba770b4b120348d57b38a14c1837bb12e021934154110df47b39f478d79768f922eb4f60ffd99765308733d69c91fe98f9231
+  data.tar.gz: ce89f410c1afdb8972ac996cccf97e5b27d98f55cc4e31dfffc81c15a459a3f6b394085e994ecf1a198a7c43205a252d0c807e34b270bd26e5d29be58544c178

data/lib/smart_proxy_container_gateway/container_gateway_api.rb

@@ -1,6 +1,7 @@
 require 'active_support'
 require 'active_support/core_ext/integer'
 require 'active_support/core_ext/string'
+require 'active_support/core_ext/object/blank'
 require 'active_support/time_with_zone'
 require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
@@ -137,6 +138,17 @@ module Proxy
       get '/v2/token' do
         response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
 
+        # Flatpak client requests do not contain the account param that podman relies on.
+        # It contains Base64 encoded username in the Authorization header.
+        # We need to extract the username from the Authorization header and
+        # set it as the account param to be used when inserting new token record.
+        if flatpak_client? && auth_header.raw_header.present?
+          encoded_string = auth_header.raw_header&.split(' ')&.[](1)
+          decoded_string = Base64.decode64(encoded_string) if encoded_string.present?
+          username = decoded_string.split(':')[0] if decoded_string.present?
+          request.params['account'] ||= username if username.present?
+        end
+
         unless auth_header.present? && auth_header.basic_auth?
           return { token: AuthorizationHeader::UNAUTHORIZED_TOKEN, issued_at: Time.now.rfc3339,
                    expires_in: 1.year.seconds.to_i }.to_json
@@ -164,12 +176,15 @@ module Proxy
           # 'expires_in' is an optional field. If not provided, assume 60 seconds per OAuth2 spec
           expires_in = token_response_body.fetch("expires_in", 60)
           expires_at = token_issue_time + expires_in.seconds
-
-          container_gateway_main.insert_token(
-            request.params['account'],
-            token_response_body['token'],
-            expires_at.rfc3339
-          )
+          if request.params['account'].present?
+            container_gateway_main.insert_token(
+              request.params['account'],
+              token_response_body['token'],
+              expires_at.rfc3339
+            )
+          else
+            halt 401, "unauthorized"
+          end
 
           repo_response = ForemanApi.new.fetch_user_repositories(auth_header.raw_header, request.params)
           if repo_response.code.to_i != 200
@@ -208,6 +223,10 @@ module Proxy
 
       private
 
+      def flatpak_client?
+        request.user_agent&.downcase&.include?('flatpak')
+      end
+
       def head_or_get_blobs
         repository = params[:splat][0]
         digest = params[:splat][1]
@@ -264,12 +283,21 @@ module Proxy
         if auth_header.present? && auth_header.valid_user_token?
           user_token_is_valid = true
           username = auth_header.user[:name]
+          # For flatpak client, header doesn't contain user name. Extract it from token.
+          username ||= container_gateway_main.token_user(@value.split(' ')[1]) if flatpak_client?
         end
         username = request.params['account'] if username.nil?
 
         return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
 
         redirect_authorization_headers
+
+        # If username couldn't be determined from the token or auth_headers
+        # which is case for first flatpak request, halt with 401 instead of 404
+        if flatpak_client? && username.nil?
+          halt 401, "unauthorized"
+        end
+
         throw_repo_not_found_error
       end
 

data/lib/smart_proxy_container_gateway/database.rb

@@ -5,6 +5,7 @@ module Proxy
       attr_reader :connection
 
       def initialize(connection_string, prior_sqlite_db_path = nil)
+        Sequel.default_timezone = :local
         @connection = Sequel.connect(connection_string)
         if connection_string.start_with?('sqlite://')
           @connection.run("PRAGMA foreign_keys = ON;")

data/lib/smart_proxy_container_gateway/version.rb

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '3.1.0'.freeze
+    VERSION = '3.2.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Ian Ballou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-08-08 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,57 +16,63 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '6.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '6.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8'
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
-description: Pulp 3 container registry support for Foreman/Katello Smart-Proxy
+        version: '1.4'
+description: Foreman Smart Proxy plug-in for Pulp 3 container registry support
 email: ianballou67@gmail.com
 executables: []
 extensions: []
@@ -93,7 +99,7 @@ files:
 - settings.d/container_gateway.yml.example
 homepage: https://github.com/Katello/smart_proxy_container_gateway
 licenses:
-- GPLv3
+- GPL-3.0-only
 metadata: {}
 post_install_message:
 rdoc_options: []