session: make sure all token request keep correct context
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
v0.9
parent
7e4e6768f3
commit
53e7116197
@ -52,8 +52,8 @@ func CredentialsFunc(sm *session.Manager, g session.Group) func(string) (session
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func FetchToken(req *FetchTokenRequest, sm *session.Manager, g session.Group) (resp *FetchTokenResponse, err error) {
|
func FetchToken(ctx context.Context, req *FetchTokenRequest, sm *session.Manager, g session.Group) (resp *FetchTokenResponse, err error) {
|
||||||
err = sm.Any(context.TODO(), g, func(ctx context.Context, id string, c session.Caller) error {
|
err = sm.Any(ctx, g, func(ctx context.Context, id string, c session.Caller) error {
|
||||||
client := NewAuthClient(c.Conn())
|
client := NewAuthClient(c.Conn())
|
||||||
|
|
||||||
resp, err = client.FetchToken(ctx, req)
|
resp, err = client.FetchToken(ctx, req)
|
||||||
|
@ -68,9 +68,9 @@ func FetchToken(req *FetchTokenRequest, sm *session.Manager, g session.Group) (r
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func VerifyTokenAuthority(host string, pubKey *[32]byte, sm *session.Manager, g session.Group) (sessionID string, ok bool, err error) {
|
func VerifyTokenAuthority(ctx context.Context, host string, pubKey *[32]byte, sm *session.Manager, g session.Group) (sessionID string, ok bool, err error) {
|
||||||
var verified bool
|
var verified bool
|
||||||
err = sm.Any(context.TODO(), g, func(ctx context.Context, id string, c session.Caller) error {
|
err = sm.Any(ctx, g, func(ctx context.Context, id string, c session.Caller) error {
|
||||||
client := NewAuthClient(c.Conn())
|
client := NewAuthClient(c.Conn())
|
||||||
|
|
||||||
payload := make([]byte, 32)
|
payload := make([]byte, 32)
|
||||||
|
@ -100,8 +100,8 @@ func VerifyTokenAuthority(host string, pubKey *[32]byte, sm *session.Manager, g
|
||||||
return sessionID, verified, nil
|
return sessionID, verified, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetTokenAuthority(host string, sm *session.Manager, g session.Group) (sessionID string, pubKey *[32]byte, err error) {
|
func GetTokenAuthority(ctx context.Context, host string, sm *session.Manager, g session.Group) (sessionID string, pubKey *[32]byte, err error) {
|
||||||
err = sm.Any(context.TODO(), g, func(ctx context.Context, id string, c session.Caller) error {
|
err = sm.Any(ctx, g, func(ctx context.Context, id string, c session.Caller) error {
|
||||||
client := NewAuthClient(c.Conn())
|
client := NewAuthClient(c.Conn())
|
||||||
|
|
||||||
resp, err := client.GetTokenAuthority(ctx, &GetTokenAuthorityRequest{
|
resp, err := client.GetTokenAuthority(ctx, &GetTokenAuthorityRequest{
|
||||||
|
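Review bot: FetchToken, VerifyTokenAuthority and GetTokenAuthority are exported and now take ctx, but none carries a doc comment, so nothing tells a caller that ctx bounds the wait inside sm.Any and the auth RPC made on the session connection — the property this commit exists to provide. A one-liner above each, e.g. `// FetchToken requests a registry token from a session in g; ctx bounds both the wait for a session and the RPC.`, would make the cancellation contract visible, with matching sentences for the other two. The closure parameter `ctx` on each sm.Any line shadows the new outer ctx, which is fine as long as the inner one is what the client calls use, as the hunks show, but a word in the comment would prevent a later edit from reaching for the wrong one. Each of the three function bodies continues outside its hunk.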
|
|
@ -40,7 +40,7 @@ func newAuthHandlerNS(sm *session.Manager) *authHandlerNS {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *authHandlerNS) get(host string, sm *session.Manager, g session.Group) *authHandler {
|
func (a *authHandlerNS) get(ctx context.Context, host string, sm *session.Manager, g session.Group) *authHandler {
|
||||||
if g != nil {
|
if g != nil {
|
||||||
if iter := g.SessionIterator(); iter != nil {
|
if iter := g.SessionIterator(); iter != nil {
|
||||||
for {
|
for {
|
||||||
|
@ -65,7 +65,7 @@ func (a *authHandlerNS) get(host string, sm *session.Manager, g session.Group) *
|
||||||
}
|
}
|
||||||
if parts[0] == host {
|
if parts[0] == host {
|
||||||
if h.authority != nil {
|
if h.authority != nil {
|
||||||
session, ok, err := sessionauth.VerifyTokenAuthority(host, h.authority, sm, g)
|
session, ok, err := sessionauth.VerifyTokenAuthority(ctx, host, h.authority, sm, g)
|
||||||
if err == nil && ok {
|
if err == nil && ok {
|
||||||
a.handlers[host+"/"+session] = h
|
a.handlers[host+"/"+session] = h
|
||||||
h.lastUsed = time.Now()
|
h.lastUsed = time.Now()
|
||||||
|
@ -122,7 +122,7 @@ func (a *dockerAuthorizer) Authorize(ctx context.Context, req *http.Request) err
|
||||||
defer a.handlers.mu.Unlock()
|
defer a.handlers.mu.Unlock()
|
||||||
|
|
||||||
// skip if there is no auth handler
|
// skip if there is no auth handler
|
||||||
ah := a.handlers.get(req.URL.Host, a.sm, a.session)
|
ah := a.handlers.get(ctx, req.URL.Host, a.sm, a.session)
|
||||||
if ah == nil {
|
if ah == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -147,7 +147,7 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
|
||||||
last := responses[len(responses)-1]
|
last := responses[len(responses)-1]
|
||||||
host := last.Request.URL.Host
|
host := last.Request.URL.Host
|
||||||
|
|
||||||
handler := a.handlers.get(host, a.sm, a.session)
|
handler := a.handlers.get(ctx, host, a.sm, a.session)
|
||||||
|
|
||||||
for _, c := range auth.ParseAuthHeader(last.Header) {
|
for _, c := range auth.ParseAuthHeader(last.Header) {
|
||||||
if c.Scheme == auth.BearerAuth {
|
if c.Scheme == auth.BearerAuth {
|
||||||
|
@ -177,7 +177,7 @@ func (a *dockerAuthorizer) AddResponses(ctx context.Context, responses []*http.R
|
||||||
}
|
}
|
||||||
|
|
||||||
var username, secret string
|
var username, secret string
|
||||||
session, pubKey, err := sessionauth.GetTokenAuthority(host, a.sm, a.session)
|
session, pubKey, err := sessionauth.GetTokenAuthority(ctx, host, a.sm, a.session)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -339,7 +339,7 @@ func (ah *authHandler) fetchToken(ctx context.Context, sm *session.Manager, g se
|
||||||
}()
|
}()
|
||||||
|
|
||||||
if ah.authority != nil {
|
if ah.authority != nil {
|
||||||
resp, err := sessionauth.FetchToken(&sessionauth.FetchTokenRequest{
|
resp, err := sessionauth.FetchToken(ctx, &sessionauth.FetchTokenRequest{
|
||||||
ClientID: "buildkit-client",
|
ClientID: "buildkit-client",
|
||||||
Host: ah.host,
|
Host: ah.host,
|
||||||
Realm: to.Realm,
|
Realm: to.Realm,
|
||||||
|
|
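Review bot: In authHandlerNS.get the verified-authority path (`session, ok, err := sessionauth.VerifyTokenAuthority(ctx, host, h.authority, sm, g)` followed by `if err == nil && ok`) now also swallows a context cancellation or deadline: a ctx error returned through VerifyTokenAuthority is indistinguishable from an unverified authority, and Authorize treats a nil handler as "no auth handler" and returns nil. If proceeding without a handler is not the intended outcome under cancellation, check `ctx.Err()` after the call before treating the result as a plain verification failure; what get does once the iterator loop ends is outside the hunk, so I cannot tell whether a later step recovers this. Separately, the local named `session` here and in AddResponses (`session, pubKey, err := sessionauth.GetTokenAuthority(ctx, host, a.sm, a.session)`) shadows the imported `session` package used by the `sm *session.Manager` parameter; `sessionID` would avoid that. get also has no comment; `// get returns the auth handler registered for host, preferring one whose token authority can be verified through g.` describes the behavior visible in the hunk, the rest of the method being out of view.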