smart_proxy_container_gateway 3.1.1 → 3.2.0

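--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 129561beba74e2d626b09ec8236defd0d7fc01b9f2a3a55f18c8da358f9b22d7
- data.tar.gz: e7ad6221d17625f4dfd236ae5299a18d19b2d97f92fb13fcb1d2246394f1b48a
+ metadata.gz: 122f380fd60f0bbfae2a98fb2b76e18f2a4f000a12df75eeb31b9f4e0fee3dba
+ data.tar.gz: 2f1e2c8e328cf132fd2fe05b4bc2aead3e02daf20f379026d9636d40bfcbf75b
  SHA512:
- metadata.gz: cf49a821ff8e81465ec017be198c8b7a3217a236c223a33934ee7fc3e530daf2761e628710694937609be70f5e1823065fb9ad47addc33fddd12da1fc8267468
- data.tar.gz: 6bd2923fcf74cdcae8ff5828ec38eeca41e29b52d759ca4b306da5bc377d1b2c07fab9180fb5acd3d2e8d88277905e4ed4852dadee9d0c24fc0564dedc92a7d9
+ metadata.gz: d00eb53ee413aa6eef7cac95f61ba770b4b120348d57b38a14c1837bb12e021934154110df47b39f478d79768f922eb4f60ffd99765308733d69c91fe98f9231
+ data.tar.gz: ce89f410c1afdb8972ac996cccf97e5b27d98f55cc4e31dfffc81c15a459a3f6b394085e994ecf1a198a7c43205a252d0c807e34b270bd26e5d29be58544c178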
@@ -1,6 +1,7 @@
1
1
  require 'active_support'
2
2
  require 'active_support/core_ext/integer'
3
3
  require 'active_support/core_ext/string'
4
+ require 'active_support/core_ext/object/blank'
4
5
  require 'active_support/time_with_zone'
5
6
  require 'sinatra'
6
7
  require 'smart_proxy_container_gateway/container_gateway'
@@ -137,6 +138,17 @@ module Proxy
137
138
  get '/v2/token' do
138
139
  response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
139
140
 
141
+ # Flatpak client requests do not contain the account param that podman relies on.
142
+ # It contains Base64 encoded username in the Authorization header.
143
+ # We need to extract the username from the Authorization header and
144
+ # set it as the account param to be used when inserting new token record.
145
+ if flatpak_client? && auth_header.raw_header.present?
146
+ encoded_string = auth_header.raw_header&.split(' ')&.[](1)
147
+ decoded_string = Base64.decode64(encoded_string) if encoded_string.present?
148
+ username = decoded_string.split(':')[0] if decoded_string.present?
149
+ request.params['account'] ||= username if username.present?
150
+ end
151
+
140
152
  unless auth_header.present? && auth_header.basic_auth?
141
153
  return { token: AuthorizationHeader::UNAUTHORIZED_TOKEN, issued_at: Time.now.rfc3339,
142
154
  expires_in: 1.year.seconds.to_i }.to_json
@@ -164,12 +176,15 @@ module Proxy
164
176
  # 'expires_in' is an optional field. If not provided, assume 60 seconds per OAuth2 spec
165
177
  expires_in = token_response_body.fetch("expires_in", 60)
166
178
  expires_at = token_issue_time + expires_in.seconds
167
-
168
- container_gateway_main.insert_token(
169
- request.params['account'],
170
- token_response_body['token'],
171
- expires_at.rfc3339
172
- )
179
+ if request.params['account'].present?
180
+ container_gateway_main.insert_token(
181
+ request.params['account'],
182
+ token_response_body['token'],
183
+ expires_at.rfc3339
184
+ )
185
+ else
186
+ halt 401, "unauthorized"
187
+ end
173
188
 
174
189
  repo_response = ForemanApi.new.fetch_user_repositories(auth_header.raw_header, request.params)
175
190
  if repo_response.code.to_i != 200
@@ -208,6 +223,10 @@ module Proxy
208
223
 
209
224
  private
210
225
 
226
+ def flatpak_client?
227
+ request.user_agent&.downcase&.include?('flatpak')
228
+ end
229
+
211
230
  def head_or_get_blobs
212
231
  repository = params[:splat][0]
213
232
  digest = params[:splat][1]
@@ -264,12 +283,21 @@ module Proxy
264
283
  if auth_header.present? && auth_header.valid_user_token?
265
284
  user_token_is_valid = true
266
285
  username = auth_header.user[:name]
286
+ # For flatpak client, header doesn't contain user name. Extract it from token.
287
+ username ||= container_gateway_main.token_user(@value.split(' ')[1]) if flatpak_client?
267
288
  end
268
289
  username = request.params['account'] if username.nil?
269
290
 
270
291
  return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
271
292
 
272
293
  redirect_authorization_headers
294
+
295
+ # If username couldn't be determined from the token or auth_headers
296
+ # which is case for first flatpak request, halt with 401 instead of 404
297
+ if flatpak_client? && username.nil?
298
+ halt 401, "unauthorized"
299
+ end
300
+
273
301
  throw_repo_not_found_error
274
302
  end
275
303
 
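Review bot: In the hunk at `@@ -264,12 +283,21 @@`, the flatpak fallback reads `@value`, which no visible line assigns; everywhere else on this page the header is reached through `auth_header.raw_header`. If `@value` is unset in this class it evaluates to nil, and `@value.split(' ')` raises NoMethodError whenever `auth_header.user[:name]` is nil for a flatpak client, so the lookup would end in a 500 on the authorization path instead of resolving the user. Assuming the bearer token from the request header is what `token_user` expects, `username ||= container_gateway_main.token_user(auth_header.raw_header.split(' ')[1]) if flatpak_client?` would be consistent with the token-endpoint hunk. `flatpak_client?` is derived from the client-supplied User-Agent, so these branches are reachable by any client and the header-derived `account` should be documented as unverified until Foreman accepts the credentials. The enclosing method's signature is outside the hunk.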
@@ -1,5 +1,5 @@
1
1
  module Proxy
2
2
  module ContainerGateway
3
- VERSION = '3.1.1'.freeze
3
+ VERSION = '3.2.0'.freeze
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: smart_proxy_container_gateway
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.1
4
+ version: 3.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ian Ballou
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-12-05 00:00:00.000000000 Z
11
+ date: 2025-01-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport