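diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c
--- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000
+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000
@@ -901,6 +901,7 @@
 
 static char *
 get_token_for_www_auth (FlatpakOciRegistry *self,
+ const char *repository,
 const char *www_authenticate,
 const char *auth,
 GCancellable *cancellable,
@@ -911,6 +912,7 @@
 g_autoptr(GHashTable) params = NULL;
 g_autoptr(GHashTable) args = NULL;
 const char *realm, *service, *scope, *token;
+ g_autofree char *default_scope = NULL;
 g_autoptr(SoupURI) auth_uri = NULL;
 g_autoptr(GBytes) body = NULL;
 g_autoptr(JsonNode) json = NULL;
@@ -941,16 +943,21 @@
 service = g_hash_table_lookup (params, "service");
 if (service)
 g_hash_table_insert (args, "service", (char *)service);
+
 scope = g_hash_table_lookup (params, "scope");
- if (scope)
- g_hash_table_insert (args, "scope", (char *)scope);
+ if (scope == NULL)
+ scope = default_scope = g_strdup_printf("repository:%s:pull", repository);
+ g_hash_table_insert (args, "scope", (char *)scope);
 
 soup_uri_set_query_from_form (auth_uri, args);
 
 auth_msg = soup_message_new_from_uri ("GET", auth_uri);
 
- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+ if (auth)
+ {
+ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
+ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
+ }
 
 auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error);
 if (auth_stream == NULL)
@@ -1030,7 +1037,7 @@
 return NULL;
 }
 
- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error);
+ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error);
 if (token == NULL)
 return NULL;
 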
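Review bot: The fallback scope in `get_token_for_www_auth` formats `repository` with `%s` without checking it, and nothing visible in these hunks guarantees the caller passes a non-NULL value; a NULL would typically send a scope like `repository:(null):pull` to the token endpoint, and is undefined behaviour for `%s` in general. A guard placed before the `g_strdup_printf` call that sets `error` and returns NULL would preserve the error contract that callers appear to rely on. The new `if (auth)` branch makes an unauthenticated token request a supported path, so the function deserves a comment such as `/* auth may be NULL: the token endpoint is then queried without an Authorization header */`. As a style point, `g_strdup_printf("repository:%s:pull", repository)` lacks the space before the parenthesis used by the surrounding calls. The function body starts and ends outside these hunks.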
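diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c
--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000
+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000
@@ -428,10 +428,12 @@
 g_autoptr(GError) error = NULL;
 g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL;
 const char *auth = NULL;
+ gboolean have_auth;
 const char *oci_registry_uri = NULL;
 gsize n_refs, i;
 gboolean no_interaction = FALSE;
 g_autoptr(FlatpakOciRegistry) registry = NULL;
+ g_autofree char *first_token = NULL;
 GVariantBuilder tokens;
 GVariantBuilder results;
 g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
@@ -439,6 +441,7 @@
 g_debug ("handling Authenticator.RequestRefTokens");
 
 g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth);
+ have_auth = auth != NULL;
 
 if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri))
 {
@@ -476,18 +479,33 @@
 return error_request (request, sender, error->message);
 
 
- if (auth == NULL)
+ /* Look up credentials in config files */
+ if (!have_auth)
 {
 g_debug ("Looking for %s in auth info", oci_registry_uri);
 auth = lookup_auth_from_config (oci_registry_uri);
+ have_auth = auth != NULL;
 }
 
+ /* Try to see if we can get a token without presenting credentials */
 n_refs = g_variant_n_children (arg_refs);
- if (auth == NULL && n_refs > 0 &&
+ if (!have_auth && n_refs > 0)
+ {
+ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
+
+ first_token = get_token_for_ref (registry, ref_data, NULL, &error);
+ if (first_token != NULL)
+ have_auth = TRUE;
+ else
+ g_clear_error (&error);
+ }
+
+ /* Prompt the user for credentials */
+ n_refs = g_variant_n_children (arg_refs);
+ if (!have_auth && n_refs > 0 &&
 !no_interaction)
 {
 g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
- g_autofree char *token = NULL;
 
 while (auth == NULL)
 {
@@ -498,13 +516,21 @@
 if (test_auth == NULL)
 return cancel_request (request, sender);
 
- token = get_token_for_ref (registry, ref_data, test_auth, &error);
- if (token != NULL)
- auth = g_steal_pointer (&test_auth);
+ first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
+ if (first_token != NULL)
+ {
+ auth = g_steal_pointer (&test_auth);
+ have_auth = TRUE;
+ }
+ else
+ {
+ g_debug ("Failed to get token: %s", error->message);
+ g_clear_error (&error);
+ }
 }
 }
 
- if (auth == NULL)
+ if (!have_auth)
 return error_request (request, sender, "No authentication information available");
 
 g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));
@@ -515,9 +541,16 @@
 char *for_refs_strv[2] = { NULL, NULL};
 g_autofree char *token = NULL;
 
- token = get_token_for_ref (registry, ref_data, auth, &error);
- if (token == NULL)
- return error_request (request, sender, error->message);
+ if (i == 0 && first_token != NULL)
+ {
+ token = g_steal_pointer (&first_token);
+ }
+ else
+ {
+ token = get_token_for_ref (registry, ref_data, auth, &error);
+ if (token == NULL)
+ return error_request (request, sender, error->message);
+ }
 
 g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]);
 g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv);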
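Review bot: `have_auth` now covers two different states in the RequestRefTokens handler: credentials were found, or the anonymous probe for ref 0 returned a token. In the second state `auth` stays NULL, so the per-ref loop requests every later ref anonymously and fails the whole request through `error_request (request, sender, error->message)` if one of them needs credentials, without ever reaching the prompt; if that is intended, say so in a comment next to `have_auth = TRUE;` in the probe, otherwise add a fallback. The probe also discards its failure silently, unlike the prompt loop; logging `g_debug ("Anonymous token request failed: %s", error->message);` before `g_clear_error (&error);` would make the decision traceable. The second `n_refs = g_variant_n_children (arg_refs);` repeats the assignment made a few lines earlier and can be dropped. The handler's body starts and ends outside these hunks.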