From fea039c5230e58ef0b383fa687ca57fe0c97afa7 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Mon, 24 Jun 2024 22:03:01 +0200 Subject: [PATCH 1/9] fix(core): provider do_request to maintain verify in all request Signed-off-by: tarilabs --- oras/provider.py | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/oras/provider.py b/oras/provider.py index 8056ce47..b6941ec1 100644 --- a/oras/provider.py +++ b/oras/provider.py @@ -950,6 +950,7 @@ def do_request( json=json, headers=headers, stream=stream, + verify=self._tls_verify, ) # One retry if 403 denied (need new token?) @@ -957,11 +958,14 @@ def do_request( headers, changed = self.auth.authenticate_request( response, headers, refresh=True ) - return self.session.request( - method, - url, - data=data, - json=json, - headers=headers, - stream=stream, - ) + response = self.session.request( + method, + url, + data=data, + json=json, + headers=headers, + stream=stream, + verify=self._tls_verify, + ) + + return response From 5fab6ddddc84cb2ccc0ceb8134bc2a7a88ec3438 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Mon, 24 Jun 2024 22:29:47 +0200 Subject: [PATCH 2/9] basic headers maintenance Signed-off-by: tarilabs --- oras/auth/basic.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/oras/auth/basic.py b/oras/auth/basic.py index 686eeea9..bd9e72ac 100644 --- a/oras/auth/basic.py +++ b/oras/auth/basic.py @@ -39,4 +39,8 @@ def authenticate_request( :param originalResponse: original response to get the Www-Authenticate header :type originalResponse: requests.Response """ - return self.get_auth_header(), True + result = {} + if headers is not None: + result.update(headers) + result.update(self.get_auth_header()) + return result, True From fc3207d8d583216c5181324cbaf7837fb9b3cec1 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 08:40:21 +0200 Subject: [PATCH 3/9] add test case 
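Review bot: The first request and the retry in `do_request` now repeat the same keyword list, and the bug this patch fixes was one copy missing `verify`; routing both calls through a single private helper would keep the TLS setting from drifting again. This covers the `self.session.request(...)` call in the `@@ -950,6 +950,7` hunk and the retry in the `@@ -957,11 +958,14` hunk. `do_request` starts above both hunks, so the sketch below shows only the retry and the helper, and the name `_send` is a suggestion. In the visible lines `changed` from the refresh call is not consulted before the retry is sent, which is worth confirming as intended.

```python
# … unchanged: first request and the status check that guards the retry …
            headers, changed = self.auth.authenticate_request(
                response, headers, refresh=True
            )
            response = self._send(method, url, data, json, headers, stream)

        return response

    def _send(self, method, url, data, json, headers, stream):
        """
        Issue one request through the shared session.

        The client's TLS verification setting is applied to every call, so a
        re-authenticated retry is never sent under a different setting than
        the first attempt. With verification disabled, credentials in
        `headers` go to a peer whose certificate is not checked.
        """
        return self.session.request(
            method,
            url,
            data=data,
            json=json,
            headers=headers,
            stream=stream,
            verify=self._tls_verify,
        )
```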
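Review bot: The merge in `authenticate_request` uses a plain `dict`, so header names are compared case-sensitively: if `headers` already carries an authorization entry in a different casing, `result.update(self.get_auth_header())` adds a second entry instead of replacing it, and which one is sent then depends on how the session merges headers later. Dropping any existing key whose `.lower()` equals `"authorization"` before the final update would make the override explicit (this assumes `get_auth_header` returns that header, which is not visible here). The docstring in the hunk documents only `originalResponse`; it should also describe `headers`, e.g. `:param headers: headers to carry over; copied, not mutated, with the basic auth header written last`. The second return value is always `True`, presumably even when no credentials are loaded; the method's signature is above the hunk, so confirm against the full definition.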
Signed-off-by: tarilabs --- oras/tests/test_oras.py | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/oras/tests/test_oras.py b/oras/tests/test_oras.py index 82ebd314..e46dc001 100644 --- a/oras/tests/test_oras.py +++ b/oras/tests/test_oras.py @@ -136,3 +136,33 @@ def test_directory_push_pull(tmp_path, registry, credentials, target_dir): assert str(tmp_path) in files[0] assert os.path.exists(files[0]) assert "artifact.txt" in os.listdir(files[0]) + + +@pytest.mark.with_auth(True) +def test_directory_push_pull_selfsigned_auth( + tmp_path, registry, credentials, target_dir +): + """ + Test push and pull for directory using a self-signed cert registry (`tls_verify=False`) and basic auth (`auth_backend="basic"`) + """ + client = oras.client.OrasClient( + hostname=registry, tls_verify=False, auth_backend="basic" + ) + res = client.login( + hostname=registry, + username=credentials.user, + password=credentials.password, + ) + assert res["Status"] == "Login Succeeded" + + # Test upload of a directory + upload_dir = os.path.join(here, "upload_data") + res = client.push(files=[upload_dir], target=target_dir) + assert res.status_code == 201 + files = client.pull(target=target_dir, outdir=tmp_path) + + assert len(files) == 1 + assert os.path.basename(files[0]) == "upload_data" + assert str(tmp_path) in files[0] + assert os.path.exists(files[0]) + assert "artifact.txt" in os.listdir(files[0]) From c70d728c86f3e1b3dd3969b6a0341bef6f687815 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 09:38:10 +0200 Subject: [PATCH 4/9] amending test for GHA setup Signed-off-by: tarilabs --- oras/tests/test_oras.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oras/tests/test_oras.py b/oras/tests/test_oras.py index e46dc001..efd00fe3 100644 --- a/oras/tests/test_oras.py +++ b/oras/tests/test_oras.py 
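Review bot: `test_directory_push_pull_selfsigned_auth` only covers the path where verification is switched off, so it would pass just as well if `tls_verify` were ignored or the registry served plain HTTP; nothing here shows that the default setting rejects the self-signed registry. A companion test that builds the client without `tls_verify=False` and expects login or push to fail would pin the security-relevant half of the behaviour (how that failure surfaces, exception or exit, is not visible in this diff). The body is otherwise a copy of `test_directory_push_pull` from the context lines; parametrizing that test over the client arguments would avoid the duplication.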
@@ -146,7 +146,7 @@ def test_directory_push_pull_selfsigned_auth( Test push and pull for directory using a self-signed cert registry (`tls_verify=False`) and basic auth (`auth_backend="basic"`) """ client = oras.client.OrasClient( - hostname=registry, tls_verify=False, auth_backend="basic" + hostname=registry, insecure=True, tls_verify=False, auth_backend="basic" ) res = client.login( hostname=registry, From 154e1c75879d769d778ca8600071ee0d3dbe6820 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 09:44:23 +0200 Subject: [PATCH 5/9] add CHANGELOG entry Signed-off-by: tarilabs --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a570875..29a490ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and **Merged pull requests**. Critical items to know are: The versions coincide with releases on pip. Only major versions will be released as tags on Github. ## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x) + - bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers (0.2.0) - refactor of auth to be provided by backend modules (0.2.0) - Allow generating a Subject from a pre-existing Manifest (0.1.30) - add option to not refresh headers during the pushing flow, useful for push with basic auth (0.1.29) From 8950923838ce16c8a06c06aafe1839c233fbcab9 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 15:59:43 +0200 Subject: [PATCH 6/9] implement review feedback Signed-off-by: tarilabs --- .github/workflows/auth-tests.yaml | 4 ++++ oras/tests/test_oras.py | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auth-tests.yaml b/.github/workflows/auth-tests.yaml index ca06d310..ff67209b 100644 --- a/.github/workflows/auth-tests.yaml +++ b/.github/workflows/auth-tests.yaml 
@@ -23,9 +23,13 @@ jobs: registry_port: 5000 with_auth: true REGISTRY_AUTH: "{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" + REGISTRY_HTTP_TLS_CERTIFICATE: "/etc/docker/registry/server.cert" + REGISTRY_HTTP_TLS_KEY: "/etc/docker/registry/server.key" REGISTRY_STORAGE_DELETE_ENABLED: "true" run: | htpasswd -cB -b auth.htpasswd myuser mypass cp auth.htpasswd /etc/docker/registry/auth.htpasswd + apk add openssl + openssl req -newkey rsa:4096 -nodes -sha256 -keyout /etc/docker/registry/server.key -x509 -days 365 -subj "/C=IT/ST=Lombardy/L=Milan/O=Acme Org/OU=IT Department/CN=example.com" -out /etc/docker/registry/server.cert registry serve /etc/docker/registry/config.yml & sleep 5 echo $PWD && ls $PWD && make test diff --git a/oras/tests/test_oras.py b/oras/tests/test_oras.py index efd00fe3..e46dc001 100644 --- a/oras/tests/test_oras.py +++ b/oras/tests/test_oras.py @@ -146,7 +146,7 @@ def test_directory_push_pull_selfsigned_auth( Test push and pull for directory using a self-signed cert registry (`tls_verify=False`) and basic auth (`auth_backend="basic"`) """ client = oras.client.OrasClient( - hostname=registry, insecure=True, tls_verify=False, auth_backend="basic" + hostname=registry, tls_verify=False, auth_backend="basic" ) res = client.login( hostname=registry, From c06067ac8bd06e3e91fa4c874f1fccd47f792f58 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 16:10:26 +0200 Subject: [PATCH 7/9] align previously existing auth test to tls_verify=False Signed-off-by: tarilabs --- oras/tests/test_oras.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/oras/tests/test_oras.py b/oras/tests/test_oras.py index e46dc001..2cbbd1d8 100644 --- a/oras/tests/test_oras.py +++ b/oras/tests/test_oras.py 
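Review bot: The certificate generated in the `run` step has `CN=example.com` and no subjectAltName, so it cannot match the registry's hostname even for a client that trusts it, and the suite can only ever run with verification disabled. Adding `-addext "subjectAltName=DNS:localhost"` to the `openssl req` line (assuming the tests reach the registry as localhost, as the htpasswd realm suggests) would allow a later test to trust `server.cert` and exercise the verifying path as well. A short comment above the command, such as `# self-signed, CI only: never reuse this key or certificate outside the job`, would document the intent. `sleep 5` after `registry serve ... &` is a fixed wait; polling the port until it answers would make the job less timing-dependent.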
@@ -25,9 +25,10 @@ def test_login_logout(registry, credentials): """ Login and logout are all we can test with basic auth! """ - client = oras.client.OrasClient(hostname=registry, insecure=True) + client = oras.client.OrasClient(hostname=registry, tls_verify=False) res = client.login( hostname=registry, + tls_verify=False, username=credentials.user, password=credentials.password, ) From 1b405b49ce8e9a3a218ddd4e019b71a783f3ea20 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Tue, 25 Jun 2024 17:55:42 +0200 Subject: [PATCH 8/9] use tls_verify also for login for consistency Signed-off-by: tarilabs --- oras/tests/test_oras.py | 1 + 1 file changed, 1 insertion(+) diff --git a/oras/tests/test_oras.py b/oras/tests/test_oras.py index 2cbbd1d8..ab9432d7 100644 --- a/oras/tests/test_oras.py +++ b/oras/tests/test_oras.py @@ -151,6 +151,7 @@ def test_directory_push_pull_selfsigned_auth( ) res = client.login( hostname=registry, + tls_verify=False, username=credentials.user, password=credentials.password, ) From f8487521aa4264b2e83a72e7375e3fa1fcc9c2f2 Mon Sep 17 00:00:00 2001 From: tarilabs Date: Wed, 26 Jun 2024 00:02:31 +0200 Subject: [PATCH 9/9] changelog nest items belonging to 0.2.0 Signed-off-by: tarilabs --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29a490ca..affe9f82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
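Review bot: `tls_verify=False` now has to be given twice in `test_login_logout`, once to `OrasClient(...)` and again to `client.login(...)`, which suggests `login` does not inherit the client's setting. If so, a caller who sets it only on the client may see login behave differently from the client's other requests, and the two values can disagree silently; having `login` default to the client's value would remove that trap (to be confirmed against `login`'s signature, which is not in this diff). The same pairing is added in the `@@ -151,6 +151,7` hunk of the following patch. The docstring "Login and logout are all we can test with basic auth!" is also out of date now that this series adds a push/pull test with basic auth; `"""Login and logout against the auth-enabled registry."""` would fit.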
@@ -14,8 +14,8 @@ and **Merged pull requests**. Critical items to know are: The versions coincide with releases on pip. Only major versions will be released as tags on Github. ## [0.0.x](https://github.com/oras-project/oras-py/tree/main) (0.0.x) - - bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers (0.2.0) - refactor of auth to be provided by backend modules (0.2.0) + - bugfix maintain requests's verify valorization for all invocations, augment basic auth header to existing headers - Allow generating a Subject from a pre-existing Manifest (0.1.30) - add option to not refresh headers during the pushing flow, useful for push with basic auth (0.1.29) - enable additionalProperties in schema validation (0.1.28)