From fac9fa17acd020c086f2ad342cd04f9dc11e95e4 Mon Sep 17 00:00:00 2001
From: Don Penney
Date: Tue, 14 Jan 2020 20:38:34 +0000
Subject: [PATCH] Revert "Enable POST method support for token fetch"

This reverts commit d2fcf67ded6d27b4ce6257bbd8b431720ba0120d.

Reverting due to https://bugs.launchpad.net/starlingx/+bug/1859686

Change-Id: If30034c4011162361c469072bd08c8e3b4975c33
---
 registry-token-server/src/keystone/access.go | 30 ++++----------------
 registry-token-server/src/main.go | 12 ++++----
 2 files changed, 12 insertions(+), 30 deletions(-)

diff --git a/registry-token-server/src/keystone/access.go b/registry-token-server/src/keystone/access.go
index 99f007e..f9d0244 100644
--- a/registry-token-server/src/keystone/access.go
+++ b/registry-token-server/src/keystone/access.go
@@ -16,8 +16,8 @@ import (

 "github.com/docker/distribution/context"
 "github.com/docker/distribution/registry/auth"
- "github.com/gophercloud/gophercloud"
- "github.com/gophercloud/gophercloud/openstack"
+ "github.com/gophercloud/gophercloud"
+ "github.com/gophercloud/gophercloud/openstack"
 )

 type accessController struct {
@@ -57,9 +57,9 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut

 opts := gophercloud.AuthOptions{
 IdentityEndpoint: ac.endpoint,
- Username: username,
- Password: password,
- DomainID: "default",
+ Username: username,
+ Password: password,
+ DomainID: "default",
 }

 if _, err := openstack.AuthenticatedClient(opts); err != nil {
@@ -73,25 +73,6 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
 return auth.WithUser(ctx, auth.UserInfo{Name: username}), nil
 }

-// AuthenticateUser checks a given user:password credential by keystone.
-// If the check passes, nil is returned.
-func (ac *accessController) AuthenticateUser(username string, password string) error {
-
- opts := gophercloud.AuthOptions{
- IdentityEndpoint: ac.endpoint,
- Username: username,
- Password: password,
- DomainID: "default",
- }
-
- if _, err := openstack.AuthenticatedClient(opts); err != nil {
- context.GetLogger(context.Background()).Errorf("error authenticating user %q: %v", username, err)
- return auth.ErrAuthenticationFailure
- }
-
- return nil
-}
-
 // challenge implements the auth.Challenge interface.
 type challenge struct {
 realm string
@@ -112,3 +93,4 @@ func (ch challenge) Error() string {
 func init() {
 auth.Register("keystone", auth.InitFunc(newAccessController))
 }
+
diff --git a/registry-token-server/src/main.go b/registry-token-server/src/main.go
index d69e869..fcf43dd 100644
--- a/registry-token-server/src/main.go
+++ b/registry-token-server/src/main.go
@@ -20,9 +20,9 @@ import (
 "github.com/docker/distribution/context"
 "github.com/docker/distribution/registry/api/errcode"
 "github.com/docker/distribution/registry/auth"
+ _ "registry-token-server/keystone"
 "github.com/docker/libtrust"
 "github.com/gorilla/mux"
- _ "registry-token-server/keystone"
 )

 var (
@@ -82,8 +82,8 @@ func main() {
 }

 ac, err := auth.GetAccessController("keystone", map[string]interface{}{
- "realm": realm,
- "endpoint": keystoneEndpoint,
+ "realm": realm,
+ "endpoint": keystoneEndpoint,
 })
 if err != nil {
 logrus.Fatalf("Error initializing access controller: %v", err)
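Review bot: The blank import `_ "registry-token-server/keystone"` in the import hunk of main.go carries no comment explaining why it is there, and this change moves it into the middle of the third-party group, where a cleanup could easily drop it. The access.go context in this patch shows that package's `init` calling `auth.Register("keystone", ...)`, and `main` later calls `auth.GetAccessController("keystone", ...)`, so removing the import would presumably make that lookup fail at startup and leave the token server without its authentication backend. I would keep the import in its own group after the third-party ones and put `// registers the "keystone" access controller via init()` directly above it.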
@@ -179,9 +179,9 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 for _, access := range requestedAccessList {
 if access.Type == "repository" {
- // filter access to repos if the user is not "admin"
- // need to have a "/" at the end because it adds one at the beginning of the fcn
- // probably to prevent people making accounts like "adminnot" to steal admin powers
+ // filter access to repos if the user is not "admin"
+ // need to have a "/" at the end because it adds one at the beginning of the fcn
+ // probably to prevent people making accounts like "adminnot" to steal admin powers
 if !strings.HasPrefix(access.Name, scope) && scope != "admin/" {
 context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
 continue