Blame SOURCES/flatpak-1.6.2-oci-fixes2.patch

e98b2f
From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Mon, 4 May 2020 13:00:35 +0200
e98b2f
Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when
e98b2f
 authenticating
e98b2f
e98b2f
Without this I got for the fedora registry:
e98b2f
e98b2f
```
e98b2f
getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a
e98b2f
F: Anonymous authentication failed: Unexpected response status 404 from repo
e98b2f
```
e98b2f
e98b2f
(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054)
e98b2f
---
e98b2f
 common/flatpak-oci-registry.c | 3 +++
e98b2f
 1 file changed, 3 insertions(+)
e98b2f
e98b2f
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
e98b2f
index 2505771ee..ae363bc1a 100644
e98b2f
--- a/common/flatpak-oci-registry.c
e98b2f
+++ b/common/flatpak-oci-registry.c
e98b2f
@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self,
e98b2f
 
e98b2f
   msg = soup_message_new_from_uri ("HEAD", uri);
e98b2f
 
e98b2f
+  soup_message_headers_replace (msg->request_headers, "Accept",
e98b2f
+                                FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2);
e98b2f
+
e98b2f
   stream = soup_session_send (self->soup_session, msg, NULL, error);
e98b2f
   if (stream == NULL)
e98b2f
     return NULL;
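Review bot: The new `Accept` header in flatpak_oci_registry_get_token() carries no comment explaining why a HEAD probe needs it; the reason (the Fedora registry answered 404 without it) lives only in the commit message. I would add above the call: `/* Registries select the manifest by Accept; without both media types the HEAD used to trigger auth can return 404 */`. The function body starts before and continues after this hunk.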
e98b2f
e98b2f
From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Mon, 4 May 2020 12:35:16 +0200
e98b2f
Subject: [PATCH 2/7] By default, always try to auth to OCI remotes
e98b2f
e98b2f
This makes for instance docker hub work.
e98b2f
e98b2f
(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe)
e98b2f
---
e98b2f
 common/flatpak-auth.c | 4 ++++
e98b2f
 common/flatpak-dir.c  | 5 +++++
e98b2f
 2 files changed, 9 insertions(+)
e98b2f
e98b2f
diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c
e98b2f
index 9d0f689fc..9e45da41e 100644
e98b2f
--- a/common/flatpak-auth.c
e98b2f
+++ b/common/flatpak-auth.c
e98b2f
@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir,
e98b2f
       if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error))
e98b2f
         return NULL;
e98b2f
     }
e98b2f
+
e98b2f
+  if (name == NULL && flatpak_dir_get_remote_oci (dir, remote))
e98b2f
+    name = g_strdup ("org.flatpak.Authenticator.Oci");
e98b2f
+
e98b2f
   if (name == NULL || *name == 0 /* or if no repo */)
e98b2f
     {
e98b2f
       flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote);
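Review bot: The OCI fallback only applies when `name == NULL`, so a remote whose authenticator name is configured as an empty string still reaches the `*name == 0` branch just below and fails with "No authenticator configured". If that is the intended way to opt an OCI remote out of authentication, say so on the new block, e.g. `/* OCI remotes default to the OCI authenticator; an explicitly empty name still disables it */`. The bus name literal would also be easier to audit as a named constant. The declaration of `name` is outside the hunk, so I cannot see whether the `g_strdup` result is freed automatically.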
e98b2f
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
e98b2f
index 2c8e12eaf..19de4fd38 100644
e98b2f
--- a/common/flatpak-dir.c
e98b2f
+++ b/common/flatpak-dir.c
e98b2f
@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir   *self,
e98b2f
         }
e98b2f
     }
e98b2f
 
e98b2f
+  if (flatpak_dir_get_remote_oci (self, remote_or_uri))
e98b2f
+    {
e98b2f
+      state->default_token_type = 1;
e98b2f
+    }
e98b2f
+
e98b2f
   if (state->collection_id == NULL)
e98b2f
     {
e98b2f
       if (state->summary != NULL) /* In the optional case we might not have a summary */
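Review bot: `state->default_token_type = 1;` is assigned unconditionally for every OCI remote, so any value the code above this hunk stored there (not visible here, possibly from the remote's configuration) appears to be overwritten, leaving no way to opt a remote out of token requests. The bare `1` also does not tell a reader which token type is meant. I would set it only when nothing was configured and add a comment such as `/* OCI remotes: request a token by default so registries that require auth work */`. The function starts before and continues after the hunk.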
e98b2f
e98b2f
From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Fri, 8 May 2020 15:09:02 +0200
e98b2f
Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local()
e98b2f
e98b2f
(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637)
e98b2f
---
e98b2f
 common/flatpak-oci-registry-private.h | 1 +
e98b2f
 common/flatpak-oci-registry.c         | 6 ++++++
e98b2f
 2 files changed, 7 insertions(+)
e98b2f
e98b2f
diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h
e98b2f
index 1804e43b6..6745c5f65 100644
e98b2f
--- a/common/flatpak-oci-registry-private.h
e98b2f
+++ b/common/flatpak-oci-registry-private.h
e98b2f
@@ -62,6 +62,7 @@ FlatpakOciRegistry  *  flatpak_oci_registry_new (const char           *uri,
e98b2f
                                                  GError              **error);
e98b2f
 void                   flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
e98b2f
                                                        const char *token);
e98b2f
+gboolean               flatpak_oci_registry_is_local (FlatpakOciRegistry *self);
e98b2f
 const char          *  flatpak_oci_registry_get_uri (FlatpakOciRegistry *self);
e98b2f
 FlatpakOciIndex     *  flatpak_oci_registry_load_index (FlatpakOciRegistry *self,
e98b2f
                                                         GCancellable       *cancellable,
e98b2f
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
e98b2f
index ae363bc1a..fdeee56bd 100644
e98b2f
--- a/common/flatpak-oci-registry.c
e98b2f
+++ b/common/flatpak-oci-registry.c
e98b2f
@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self)
e98b2f
   self->tmp_dfd = -1;
e98b2f
 }
e98b2f
 
e98b2f
+gboolean
e98b2f
+flatpak_oci_registry_is_local (FlatpakOciRegistry *self)
e98b2f
+{
e98b2f
+  return self->dfd != -1;
e98b2f
+}
e98b2f
+
e98b2f
 const char *
e98b2f
 flatpak_oci_registry_get_uri (FlatpakOciRegistry *self)
e98b2f
 {
e98b2f
e98b2f
From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Fri, 8 May 2020 15:10:38 +0200
e98b2f
Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to
e98b2f
 system-helper
e98b2f
e98b2f
When we create a system child registry we also set the current token on
e98b2f
it. This is not used directly in the client; however, it's saved in a
e98b2f
file called .token and re-read in the system-helper, allowing it to
e98b2f
also do the remote registry operations it needs to verify the child
e98b2f
registry.
e98b2f
e98b2f
(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d)
e98b2f
---
e98b2f
 common/flatpak-dir.c          |  8 ++++++--
e98b2f
 common/flatpak-oci-registry.c | 15 +++++++++++++++
e98b2f
 2 files changed, 21 insertions(+), 2 deletions(-)
e98b2f
e98b2f
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
e98b2f
index 19de4fd38..25f874ecf 100644
e98b2f
--- a/common/flatpak-dir.c
e98b2f
+++ b/common/flatpak-dir.c
e98b2f
@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref)
e98b2f
 
e98b2f
 static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
e98b2f
                                                                          GLnxLockFile *file_lock,
e98b2f
+                                                                         const char   *token,
e98b2f
                                                                          GError      **error);
e98b2f
 
e98b2f
 static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir   *self,
e98b2f
@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir   *self,
e98b2f
 static FlatpakOciRegistry *
e98b2f
 flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
e98b2f
                                               GLnxLockFile *file_lock,
e98b2f
+                                              const char   *token,
e98b2f
                                               GError      **error)
e98b2f
 {
e98b2f
   g_autoptr(GFile) cache_dir = NULL;
e98b2f
@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir   *self,
e98b2f
   if (new_registry == NULL)
e98b2f
     return NULL;
e98b2f
 
e98b2f
+  flatpak_oci_registry_set_token (new_registry, token);
e98b2f
+
e98b2f
   return g_steal_pointer (&new_registry);
e98b2f
 }
e98b2f
 
e98b2f
@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir          *self,
e98b2f
           g_autoptr(FlatpakOciRegistry) registry = NULL;
e98b2f
           g_autoptr(GFile) registry_file = NULL;
e98b2f
 
e98b2f
-          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
e98b2f
+          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
e98b2f
           if (registry == NULL)
e98b2f
             return FALSE;
e98b2f
 
e98b2f
@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir                           *self,
e98b2f
           g_autoptr(FlatpakOciRegistry) registry = NULL;
e98b2f
           g_autoptr(GFile) registry_file = NULL;
e98b2f
 
e98b2f
-          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
e98b2f
+          registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
e98b2f
           if (registry == NULL)
e98b2f
             return FALSE;
e98b2f
 
e98b2f
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
e98b2f
index fdeee56bd..c3ddb8c2b 100644
e98b2f
--- a/common/flatpak-oci-registry.c
e98b2f
+++ b/common/flatpak-oci-registry.c
e98b2f
@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
e98b2f
 {
e98b2f
   g_free (self->token);
e98b2f
   self->token = g_strdup (token);
e98b2f
+
e98b2f
+  if (self->token)
e98b2f
+    (void)glnx_file_replace_contents_at (self->dfd, ".token",
e98b2f
+                                         (guchar *)self->token,
e98b2f
+                                         strlen (self->token),
e98b2f
+                                         0, NULL, NULL);
e98b2f
 }
e98b2f
 
e98b2f
+
e98b2f
 FlatpakOciRegistry *
e98b2f
 flatpak_oci_registry_new (const char   *uri,
e98b2f
                           gboolean      for_write,
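Review bot: The write added to flatpak_oci_registry_set_token() is not limited to local registries: it runs whenever a token is set, including when `self->dfd` is still -1. As far as I know libglnx maps a -1 directory fd to the current working directory, which would put a bearer token in `./.token`; confirm this against the bundled libglnx and guard the write with flatpak_oci_registry_is_local(). The file is also created with the helper's default mode, and the result is discarded through `(void)` and a NULL error, so a failed write only surfaces later as an authentication failure in the system-helper. The sketch below restricts the write to local registries, uses an owner-only mode (check that the system-helper can still read it) and logs failures.

```c
  self->token = g_strdup (token);

  /* Only a directory-backed registry has somewhere to persist the token. */
  if (self->token && flatpak_oci_registry_is_local (self))
    {
      g_autoptr(GError) local_error = NULL;

      if (!glnx_file_replace_contents_with_perms_at (self->dfd, ".token",
                                                     (guchar *)self->token,
                                                     strlen (self->token),
                                                     0600, (uid_t)-1, (gid_t)-1,
                                                     0, NULL, &local_error))
        g_debug ("Could not save OCI token: %s", local_error->message);
    }
```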
e98b2f
@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
e98b2f
   int dfd;
e98b2f
   g_autoptr(GError) local_error = NULL;
e98b2f
   g_autoptr(GBytes) oci_layout_bytes = NULL;
e98b2f
+  g_autoptr(GBytes) token_bytes = NULL;
e98b2f
   gboolean not_json;
e98b2f
 
e98b2f
   if (self->dfd != -1)
e98b2f
@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
e98b2f
   else if (!verify_oci_version (oci_layout_bytes, &not_json, cancellable, error))
e98b2f
     return FALSE;
e98b2f
 
e98b2f
+  if (self->dfd != -1)
e98b2f
+    {
e98b2f
+      token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL);
e98b2f
+      if (token_bytes != NULL)
e98b2f
+        self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes));
e98b2f
+    }
e98b2f
+
e98b2f
   if (self->dfd == -1 && local_dfd != -1)
e98b2f
     self->dfd = glnx_steal_fd (&local_dfd);
e98b2f
 
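Review bot: The `.token` load is guarded by `self->dfd != -1`, but `self->dfd` is only assigned from `local_dfd` in the statement right after it, so on a call that opens the directory itself the token appears never to be read. The start of flatpak_oci_registry_ensure_local() is outside the hunk, so check this against the local `dfd` that is set up there. The assignment also overwrites `self->token` without releasing a previous value; `g_free (self->token);` before the `g_strndup` avoids the leak. Because the file is written by the unprivileged client and read back in the system-helper, the helper should treat the bytes as untrusted, for example rejecting control characters before the value is used in a request.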
e98b2f
e98b2f
From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Thu, 11 Jun 2020 15:43:16 +0200
e98b2f
Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking
e98b2f
 manifests
e98b2f
e98b2f
We handle both types, so look for both.
e98b2f
e98b2f
(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4)
e98b2f
---
e98b2f
 common/flatpak-json-oci.c | 3 ++-
e98b2f
 1 file changed, 2 insertions(+), 1 deletion(-)
e98b2f
e98b2f
diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c
e98b2f
index 6d60279d0..f5b3f0a0c 100644
e98b2f
--- a/common/flatpak-json-oci.c
e98b2f
+++ b/common/flatpak-json-oci.c
e98b2f
@@ -469,7 +469,8 @@ const char *
e98b2f
 flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m)
e98b2f
 {
e98b2f
   if (m->parent.mediatype == NULL ||
e98b2f
-      strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0)
e98b2f
+      (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 &&
e98b2f
+       strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0))
e98b2f
     return NULL;
e98b2f
 
e98b2f
   if (m->parent.annotations == NULL)
e98b2f
e98b2f
From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Mon, 4 May 2020 15:51:48 +0200
e98b2f
Subject: [PATCH 6/7] tests: Make OCI authenticator available
e98b2f
e98b2f
(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86)
e98b2f
---
e98b2f
 tests/Makefile.am.inc | 7 ++++++-
e98b2f
 1 file changed, 6 insertions(+), 1 deletion(-)
e98b2f
e98b2f
diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
e98b2f
index 7c2e8271f..15f521485 100644
e98b2f
--- a/tests/Makefile.am.inc
e98b2f
+++ b/tests/Makefile.am.inc
e98b2f
@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent
e98b2f
 	mkdir -p tests/services
e98b2f
 	$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@
e98b2f
 
e98b2f
+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in
e98b2f
+	mkdir -p tests/services
e98b2f
+	$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@
e98b2f
+
e98b2f
 tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in
e98b2f
 	mkdir -p tests/share/xdg-desktop-portal/portals
e98b2f
 	$(AM_V_GEN) install -m644 $< $@
e98b2f
 
e98b2f
-tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service
e98b2f
+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service
e98b2f
 
e98b2f
 install-test-data-hook:
e98b2f
 if ENABLE_INSTALLED_TESTS
e98b2f
@@ -223,6 +227,7 @@ DISTCLEANFILES += \
e98b2f
 	tests/services/org.freedesktop.portal.Flatpak.service \
e98b2f
 	tests/services/org.freedesktop.impl.portal.desktop.test.service \
e98b2f
 	tests/services/org.flatpak.Authenticator.test.service \
e98b2f
+	tests/services/org.flatpak.Authenticator.Oci.service \
e98b2f
 	tests/share/xdg-desktop-portal/portals/test.portal \
e98b2f
 	tests/package_version.txt \
e98b2f
 	$(NULL)
e98b2f
e98b2f
From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001
e98b2f
From: Alexander Larsson <alexl@redhat.com>
e98b2f
Date: Mon, 4 May 2020 15:51:59 +0200
e98b2f
Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server
e98b2f
e98b2f
This just does a GET, which is not quite right, but will work.
e98b2f
This is needed for the authenticator.
e98b2f
e98b2f
(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604)
e98b2f
---
e98b2f
 tests/oci-registry-server.py | 3 +++
e98b2f
 1 file changed, 3 insertions(+)
e98b2f
e98b2f
diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py
e98b2f
index 23c2db916..33c3b646b 100755
e98b2f
--- a/tests/oci-registry-server.py
e98b2f
+++ b/tests/oci-registry-server.py
e98b2f
@@ -135,6 +135,9 @@ def do_GET(self):
e98b2f
             else:
e98b2f
                 self.wfile.write(response_string.encode('utf-8'))
e98b2f
 
e98b2f
+    def do_HEAD(self):
e98b2f
+        return self.do_GET()
e98b2f
+
e98b2f
     def do_POST(self):
e98b2f
         if self.check_route('/testing/@repo_name/@tag'):
e98b2f
             repo_name = self.matches['repo_name']
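Review bot: `do_HEAD` delegates to `do_GET`, which (per the context lines) writes the response body to `self.wfile`, so a HEAD reply carries a body that HTTP clients do not expect. The commit message accepts this for the test server, but the code should record it, e.g. `# HEAD reuses the GET handler and therefore sends a body; tolerated by the test client only`. Alternatively `do_GET` could skip the `wfile.write` when `self.command == 'HEAD'`. `do_GET` begins outside the hunk.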