RubyGems - smart_proxy_container_gateway - Versions diffs - 3.1.1 → 3.2.0 - Mend

smart_proxy_container_gateway 3.1.1 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/smart_proxy_container_gateway/container_gateway_api.rb +34 -6
data/lib/smart_proxy_container_gateway/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 129561beba74e2d626b09ec8236defd0d7fc01b9f2a3a55f18c8da358f9b22d7
-  data.tar.gz: e7ad6221d17625f4dfd236ae5299a18d19b2d97f92fb13fcb1d2246394f1b48a
+  metadata.gz: 122f380fd60f0bbfae2a98fb2b76e18f2a4f000a12df75eeb31b9f4e0fee3dba
+  data.tar.gz: 2f1e2c8e328cf132fd2fe05b4bc2aead3e02daf20f379026d9636d40bfcbf75b
 SHA512:
-  metadata.gz: cf49a821ff8e81465ec017be198c8b7a3217a236c223a33934ee7fc3e530daf2761e628710694937609be70f5e1823065fb9ad47addc33fddd12da1fc8267468
-  data.tar.gz: 6bd2923fcf74cdcae8ff5828ec38eeca41e29b52d759ca4b306da5bc377d1b2c07fab9180fb5acd3d2e8d88277905e4ed4852dadee9d0c24fc0564dedc92a7d9
+  metadata.gz: d00eb53ee413aa6eef7cac95f61ba770b4b120348d57b38a14c1837bb12e021934154110df47b39f478d79768f922eb4f60ffd99765308733d69c91fe98f9231
+  data.tar.gz: ce89f410c1afdb8972ac996cccf97e5b27d98f55cc4e31dfffc81c15a459a3f6b394085e994ecf1a198a7c43205a252d0c807e34b270bd26e5d29be58544c178

data/lib/smart_proxy_container_gateway/container_gateway_api.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 require 'active_support'
 require 'active_support/core_ext/integer'
 require 'active_support/core_ext/string'
+require 'active_support/core_ext/object/blank'
 require 'active_support/time_with_zone'
 require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
@@ -137,6 +138,17 @@ module Proxy
       get '/v2/token' do
         response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
+        # Flatpak client requests do not contain the account param that podman relies on.
+        # It contains Base64 encoded username in the Authorization header.
+        # We need to extract the username from the Authorization header and
+        # set it as the account param to be used when inserting new token record.
+        if flatpak_client? && auth_header.raw_header.present?
+          encoded_string = auth_header.raw_header&.split(' ')&.[](1)
+          decoded_string = Base64.decode64(encoded_string) if encoded_string.present?
+          username = decoded_string.split(':')[0] if decoded_string.present?
+          request.params['account'] ||= username if username.present?
+        end
         unless auth_header.present? && auth_header.basic_auth?
           return { token: AuthorizationHeader::UNAUTHORIZED_TOKEN, issued_at: Time.now.rfc3339,
                    expires_in: 1.year.seconds.to_i }.to_json
@@ -164,12 +176,15 @@ module Proxy
           # 'expires_in' is an optional field. If not provided, assume 60 seconds per OAuth2 spec
           expires_in = token_response_body.fetch("expires_in", 60)
           expires_at = token_issue_time + expires_in.seconds
-          container_gateway_main.insert_token(
-            request.params['account'],
-            token_response_body['token'],
-            expires_at.rfc3339
-          )
+          if request.params['account'].present?
+            container_gateway_main.insert_token(
+              request.params['account'],
+              token_response_body['token'],
+              expires_at.rfc3339
+            )
+          else
+            halt 401, "unauthorized"
+          end
           repo_response = ForemanApi.new.fetch_user_repositories(auth_header.raw_header, request.params)
           if repo_response.code.to_i != 200
@@ -208,6 +223,10 @@ module Proxy
       private
+      def flatpak_client?
+        request.user_agent&.downcase&.include?('flatpak')
+      end
       def head_or_get_blobs
         repository = params[:splat][0]
         digest = params[:splat][1]
@@ -264,12 +283,21 @@ module Proxy
         if auth_header.present? && auth_header.valid_user_token?
           user_token_is_valid = true
           username = auth_header.user[:name]
+          # For flatpak client, header doesn't contain user name. Extract it from token.
+          username ||= container_gateway_main.token_user(@value.split(' ')[1]) if flatpak_client?
         end
         username = request.params['account'] if username.nil?
         return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
         redirect_authorization_headers
+        # If username couldn't be determined from the token or auth_headers
+        # which is case for first flatpak request, halt with 401 instead of 404
+        if flatpak_client? && username.nil?
+          halt 401, "unauthorized"
+        end
         throw_repo_not_found_error
       end

data/lib/smart_proxy_container_gateway/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '3.1.1'.freeze
+    VERSION = '3.2.0'.freeze
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Ian Ballou
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-05 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport