Revert "Revert "Enable POST method support for token fetch""

This reverts commit fac9fa17acd020c086f2ad342cd04f9dc11e95e4. Depends-On: https://review.opendev.org/703263 Change-Id: I895fa04f593852beff58c3949d15aaf5688ff26c Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
2020-01-19 01:57:37 +00:00 · 2020-01-19 01:57:37 +00:00 · 8dc1c0a1da
commit 8dc1c0a1da
parent fac9fa17ac
2 changed files with 30 additions and 12 deletions
--- a/registry-token-server/src/keystone/access.go
+++ b/registry-token-server/src/keystone/access.go
@ -16,8 +16,8 @@ import (

 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/registry/auth"
-        "github.com/gophercloud/gophercloud"
-        "github.com/gophercloud/gophercloud/openstack"
+	"github.com/gophercloud/gophercloud"
+	"github.com/gophercloud/gophercloud/openstack"
 )

 type accessController struct {
@ -57,9 +57,9 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut

 	opts := gophercloud.AuthOptions{
 		IdentityEndpoint: ac.endpoint,
-		Username: username,
-		Password: password,
-		DomainID: "default",
+		Username:         username,
+		Password:         password,
+		DomainID:         "default",
 	}

 	if _, err := openstack.AuthenticatedClient(opts); err != nil {
@ -73,6 +73,25 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
 	return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil
 }

+// AuthenticateUser checks a given user:password credential by keystone.
+// If the check passes, nil is returned.
+func (ac *accessController) AuthenticateUser(username string, password string) error {
+
+	opts := gophercloud.AuthOptions{
+		IdentityEndpoint: ac.endpoint,
+		Username:         username,
+		Password:         password,
+		DomainID:         "default",
+	}
+
+	if _, err := openstack.AuthenticatedClient(opts); err != nil {
+		context.GetLogger(context.Background()).Errorf("error authenticating user %q: %v", username, err)
+		return auth.ErrAuthenticationFailure
+	}
+
+	return nil
+}
+
 // challenge implements the auth.Challenge interface.
 type challenge struct {
 	realm string
@ -93,4 +112,3 @@ func (ch challenge) Error() string {
 func init() {
 	auth.Register("keystone", auth.InitFunc(newAccessController))
 }
-
--- a/registry-token-server/src/main.go
+++ b/registry-token-server/src/main.go
@ -20,9 +20,9 @@ import (
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/registry/api/errcode"
 	"github.com/docker/distribution/registry/auth"
-	_ "registry-token-server/keystone"
 	"github.com/docker/libtrust"
 	"github.com/gorilla/mux"
+	_ "registry-token-server/keystone"
 )

 var (
@ -82,8 +82,8 @@ func main() {
 	}

 	ac, err := auth.GetAccessController("keystone", map[string]interface{}{
-		"realm": realm,
-		"endpoint":  keystoneEndpoint,
+		"realm":    realm,
+		"endpoint": keystoneEndpoint,
 	})
 	if err != nil {
 		logrus.Fatalf("Error initializing access controller: %v", err)
@ -179,9 +179,9 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 	grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 	for _, access := range requestedAccessList {
 		if access.Type == "repository" {
-                        // filter access to repos if the user is not "admin"
-                        // need to have a "/" at the end because it adds one at the beginning of the fcn
-                        // probably to prevent people making accounts like "adminnot" to steal admin powers
+			// filter access to repos if the user is not "admin"
+			// need to have a "/" at the end because it adds one at the beginning of the fcn
+			// probably to prevent people making accounts like "adminnot" to steal admin powers
 			if !strings.HasPrefix(access.Name, scope) && scope != "admin/" {
 				context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
 				continue