Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(core): provider do_request to maintain verify in all request, basic headers #145

Merged
merged 9 commits into from
Jun 25, 2024
Merged

fix(core): provider do_request to maintain verify in all request, basic headers #145

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
fea039c
fix(core): provider do_request to maintain verify in all request
tarilabs Jun 24, 2024
5fab6dd
basic headers maintenance
tarilabs Jun 24, 2024
fc3207d
add test case
tarilabs Jun 25, 2024
c70d728
amending test for GHA setup
tarilabs Jun 25, 2024
154e1c7
add CHANGELOG entry
tarilabs Jun 25, 2024
8950923
implement review feedback
tarilabs Jun 25, 2024
c06067a
align previously existing auth test to tls_verify=False
tarilabs Jun 25, 2024
1b405b4
use tls_verify also for login for consistency
tarilabs Jun 25, 2024
f848752
changelog nest items belonging to 0.2.0
tarilabs Jun 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .github/workflows/auth-tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,13 @@ jobs:
registry_port: 5000
with_auth: true
REGISTRY_AUTH: "{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}"
REGISTRY_HTTP_TLS_CERTIFICATE: "/etc/docker/registry/server.cert"
REGISTRY_HTTP_TLS_KEY: "/etc/docker/registry/server.key"
REGISTRY_STORAGE_DELETE_ENABLED: "true"
run: |
htpasswd -cB -b auth.htpasswd myuser mypass
cp auth.htpasswd /etc/docker/registry/auth.htpasswd
apk add openssl
openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/docker/registry/server.key -x509 -days 365 -subj "/C=IT/ST=Lombardy/L=Milan/O=Acme Org/OU=IT Department/CN=example.com" -out /etc/docker/registry/server.cert
registry serve /etc/docker/registry/config.yml & sleep 5
echo $PWD && ls $PWD && make test
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ and **Merged pull requests**. Critical items to know are:
The versions coincide with releases on pip. Only major versions will be released as tags on Github.

## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x)
- bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers (0.2.0)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is also 0.2.0 (your addition is correct!) but let's indent the line below it to be a sub-bullet, and remove the second mention of 0.2.0.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do! 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done with f848752 🚀

- refactor of auth to be provided by backend modules (0.2.0)
- Allow generating a Subject from a pre-existing Manifest (0.1.30)
- add option to not refresh headers during the pushing flow, useful for push with basic auth (0.1.29)
Expand Down
6 changes: 5 additions & 1 deletion oras/auth/basic.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,4 +39,8 @@ def authenticate_request(
:param originalResponse: original response to get the Www-Authenticate header
:type originalResponse: requests.Response
"""
return self.get_auth_header(), True
result = {}
if headers is not None:
result.update(headers)
result.update(self.get_auth_header())
return result, True
20 changes: 12 additions & 8 deletions oras/provider.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -950,18 +950,22 @@ def do_request(
json=json,
headers=headers,
stream=stream,
verify=self._tls_verify,
)

# One retry if 403 denied (need new token?)
if response.status_code == 403:
headers, changed = self.auth.authenticate_request(
response, headers, refresh=True
)
return self.session.request(
method,
url,
data=data,
json=json,
headers=headers,
stream=stream,
)
response = self.session.request(
method,
url,
data=data,
json=json,
headers=headers,
stream=stream,
verify=self._tls_verify,
)

return response
34 changes: 33 additions & 1 deletion oras/tests/test_oras.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,10 @@ def test_login_logout(registry, credentials):
"""
Login and logout are all we can test with basic auth!
"""
client = oras.client.OrasClient(hostname=registry, insecure=True)
client = oras.client.OrasClient(hostname=registry, tls_verify=False)
res = client.login(
hostname=registry,
tls_verify=False,
username=credentials.user,
password=credentials.password,
)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vsoch I've also aligned the previously existing auth test to make use of the self-signed certs server workflow 🤗

let me know if overall this PR now matches your expectations :)

Expand Down Expand Up @@ -136,3 +137,34 @@ def test_directory_push_pull(tmp_path, registry, credentials, target_dir):
assert str(tmp_path) in files[0]
assert os.path.exists(files[0])
assert "artifact.txt" in os.listdir(files[0])

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great! We now have a proper test for ssl.


@pytest.mark.with_auth(True)
def test_directory_push_pull_selfsigned_auth(
tmp_path, registry, credentials, target_dir
):
"""
Test push and pull for directory using a self-signed cert registry (`tls_verify=False`) and basic auth (`auth_backend="basic"`)
"""
client = oras.client.OrasClient(
hostname=registry, tls_verify=False, auth_backend="basic"
)
res = client.login(
hostname=registry,
tls_verify=False,
username=credentials.user,
password=credentials.password,
)
assert res["Status"] == "Login Succeeded"

# Test upload of a directory
upload_dir = os.path.join(here, "upload_data")
res = client.push(files=[upload_dir], target=target_dir)
assert res.status_code == 201
files = client.pull(target=target_dir, outdir=tmp_path)

assert len(files) == 1
assert os.path.basename(files[0]) == "upload_data"
assert str(tmp_path) in files[0]
assert os.path.exists(files[0])
assert "artifact.txt" in os.listdir(files[0])
Loading