add /auth for docker compatibility

[troyready]

This endpoint just validates credentials:
https://github.com/moby/moby/blob/v20.10.4/api/swagger.yaml#L7936-L7977

Fixes: #9564

[troyready]

The core element of this is working now (tested and verified with AWS ECR).

I'm not sure how to proceed with a unit test for it. If I understand correctly, it would mean setting up a docker registry.

Would appreciate a second set of eyes on the testing for an idea of how to go forward.

[mheon]

@edsantiago might have an answer on testing

[edsantiago]

Ugh. This is a solved problem for our system tests in CI, but not for apiv2 tests. It's probably about a 2- to 3-hour effort to set it up for apiv2 tests; unfortunately I won't have that time until mid-March.

[rhatdan]

LGTM
I am fine with getting this in, without testing in CI, since it is a feature we are missing.

[rhatdan]

@containers/podman-maintainers PTAL
@baude @jwhonce PTAL

[edsantiago]

Quick comment: I'm working on a testing framework for this. It's not ready, but one thing I've found is that this might not be compatible with docker. The docker API documentation implies that serveraddress should be a full URL, of the form https://host:port/v2. That doesn't work with your code; your code works if I pass in just host:port. Can you look into this? (I might be mistaken).

[edsantiago]

Also: the tlsVerify(false) code is never triggering; I can't figure out how to make it trigger (possibly because serveraddress is getting set internally somehow to https://localhost which will never match http://localhost)

Also: on successful auth I get {"IdentityToken":"","Status":"Login Succeeded"} - shouldn't IdentityToken be non-null?

[edsantiago]

@troyready try this:

$ make          ! (in your source tree, with these changes)
$ git pr 9669   ! requires git-extras
$ ./test/apiv2/test-apiv2 auth
Generating a RSA private key
.......................................++++
......++++
writing new private key to '/dev/shm/test-apiv2.tmp.33vdZT/registry/auth/domain.key'
-----
ok 1 [60-auth] POST /v1.40/auth [-d {"username":"uRIU5jdv","password":"WrOnGPassWord","serveraddress":"localhost:5066/"}] : status=400
ok 2 [60-auth] POST /v1.40/auth [-d {"username":"uRIU5jdv","password":"WrOnGPassWord","serveraddress":"localhost:5066/"}] : .Status ('login attempt to localhost:5066/ failed with status: unable to retrieve auth token: invalid username/password: unauthorized') ~ .* invalid username/password
ok 3 [60-auth] POST /v1.40/auth [-d {"username":"uRIU5jdv","password":"pVhgy0Bi","serveraddress":"localhost:5066/"}] : status=200
ok 4 [60-auth] POST /v1.40/auth [-d {"username":"uRIU5jdv","password":"pVhgy0Bi","serveraddress":"localhost:5066/"}] : .Status=Login Succeeded
not ok 5 [60-auth] POST /v1.40/auth [-d {"username":"uRIU5jdv","password":"pVhgy0Bi","serveraddress":"localhost:5066/"}] : .IdentityToken
#  expected: ~ [a-zA-Z0-9]
#    actual:
1..5

That will run my tests against your PR, with a local registry. It will fail, because See Above. To iterate:

$ git co your-working-branch
edit-edit-edit
$ make
$ git co pr/9669

HTH.

(Postscript: the results above partly-succeed only because I hardcoded skipTLS=false)

[troyready]

Thanks for looking into it @edsantiago !

The docker API documentation implies that serveraddress should be a full URL, of the form https://host:port/v2. That doesn't work with your code; your code works if I pass in just host:port. Can you look into this? (I might be mistaken).

I think I ran into the same issue, where getting the http (no s) through from the api wasn't working (mangling it like pre-pending a https// or something akin to that). So as is, the tlsVerify(false) conditional isn't really useful.

To be clear, this seems to be specific to testing (which I think is the only scenario where TLS would be avoided -- this doesn't appear to be an issue when using it with a trusted https:// address (my actual integration tests were run against an AWS ECR).

Also: on successful auth I get {"IdentityToken":"","Status":"Login Succeeded"} - shouldn't IdentityToken be non-null?

The IdentityToken appears to be optional; when testing the same API using Docker against AWS ECR, I get the same empty string.

[troyready]

Thanks again @edsantiago -- with the new test setup I was able to figure out what was going wrong. Latest commit fixes the issue: tests are working now, and I've confirmed it still works with a normal live (trusted TLS) repo as well.

(I'm pretty sure the zuul build failure is unrelated to changes here)

[edsantiago]

/hold

@troyready could you please rebase, then update your added .at file to reflect the new parameter format (space-separated)? Now that #9686 has merged, if your PR merges it will break all of CI for everyone. I apologize for the inconvenience but hope that the new POST param format makes things easier.

[troyready]

Sure thing, done @edsantiago

[edsantiago]

Tests LGTM but I'll leave final approval to @jwhonce or @baude. Thank you for your efforts on this.

IdentityToken appears to be optional

I still find this weird, and pointless, but hey, if it matches docker, shrug. Thank you for testing against docker.

[TomSweeneyRedHat]

LGTM

[rhatdan]

Great work @troyready Thanks.
/lgtm
/approve
/hold cancel

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhatdan, troyready

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment