feat(auth): Implement HMAC-SHA256 OCI JWTs; enhance PyPI & RubyGems uploads and normalize responses
This commit is contained in:
@@ -180,11 +180,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
body?: Buffer | any
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'push')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'push');
|
||||
}
|
||||
|
||||
// Check for monolithic upload (digest + body provided)
|
||||
@@ -255,11 +251,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
}
|
||||
|
||||
if (!await this.checkPermission(token, session.repository, 'push')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(session.repository, 'push');
|
||||
}
|
||||
|
||||
switch (method) {
|
||||
@@ -336,11 +328,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
token: IAuthToken | null
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'pull')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: null,
|
||||
};
|
||||
return this.createUnauthorizedHeadResponse(repository, 'pull');
|
||||
}
|
||||
|
||||
// Similar logic as getManifest but return headers only
|
||||
@@ -437,11 +425,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
}
|
||||
|
||||
if (!await this.checkPermission(token, repository, 'delete')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'delete');
|
||||
}
|
||||
|
||||
await this.storage.deleteOciManifest(repository, digest);
|
||||
@@ -460,11 +444,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
range?: string
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'pull')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'pull');
|
||||
}
|
||||
|
||||
const data = await this.storage.getOciBlob(digest);
|
||||
@@ -492,7 +472,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
token: IAuthToken | null
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'pull')) {
|
||||
return { status: 401, headers: {}, body: null };
|
||||
return this.createUnauthorizedHeadResponse(repository, 'pull');
|
||||
}
|
||||
|
||||
const exists = await this.storage.ociBlobExists(digest);
|
||||
@@ -518,11 +498,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
token: IAuthToken | null
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'delete')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'delete');
|
||||
}
|
||||
|
||||
await this.storage.deleteOciBlob(digest);
|
||||
@@ -631,11 +607,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
query: Record<string, string>
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'pull')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'pull');
|
||||
}
|
||||
|
||||
const tags = await this.getTagsData(repository);
|
||||
@@ -660,11 +632,7 @@ export class OciRegistry extends BaseRegistry {
|
||||
query: Record<string, string>
|
||||
): Promise<IResponse> {
|
||||
if (!await this.checkPermission(token, repository, 'pull')) {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
return this.createUnauthorizedResponse(repository, 'pull');
|
||||
}
|
||||
|
||||
const response: IReferrersResponse = {
|
||||
@@ -712,6 +680,33 @@ export class OciRegistry extends BaseRegistry {
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an unauthorized response with proper WWW-Authenticate header.
|
||||
* Per OCI Distribution Spec, 401 responses MUST include WWW-Authenticate header.
|
||||
*/
|
||||
private createUnauthorizedResponse(repository: string, action: string): IResponse {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {
|
||||
'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
|
||||
},
|
||||
body: this.createError('DENIED', 'Insufficient permissions'),
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an unauthorized HEAD response (no body per HTTP spec).
|
||||
*/
|
||||
private createUnauthorizedHeadResponse(repository: string, action: string): IResponse {
|
||||
return {
|
||||
status: 401,
|
||||
headers: {
|
||||
'WWW-Authenticate': `Bearer realm="${this.basePath}/v2/token",service="registry",scope="repository:${repository}:${action}"`,
|
||||
},
|
||||
body: null,
|
||||
};
|
||||
}
|
||||
|
||||
private startUploadSessionCleanup(): void {
|
||||
this.cleanupInterval = setInterval(() => {
|
||||
const now = new Date();
|
||||
|
||||
Reference in New Issue
Block a user