Fricounet
Contributor

Relevant Issue (if applicable)

If there are Issues related to this PullRequest, please list it.

Details

Please describe the details of PullRequest.

Extend auth token parsing to support token in different json fields.
There is no real consensus on OAuth2 token response format, which means that each registry can implement their own. In particular, Azure ACR uses `access_token` as described here https://github.com/Azure/acr/blob/main/docs/Token-BasicAuth.md#get-a-pull-access-token-for-the-user. As such, when attempting to parse the JSON response containing the authorization token, we should attempt to deserialize using either `token` or `access_token` (and potentially more fields in the future if needed).

To not break the integration with existing registries, the behavior is to fall back to `access_token` only if `token` does not exist in the response. The requested behavior is implemented by an intermediary struct `TokenRegistryResponse` which allows both `token` and `access_token` as Options (to not fail the JSON parsing if one is missing). Afterwards, the struct is cast to `TokenRegistry`, selecting at the same time the right token field by order of priority.

Types of changes

What types of changes does your PullRequest introduce? Put an x in all the boxes that apply:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation Update (if none of the other choices apply)

Checklist

Go over all the following points, and put an x in all the boxes that apply.

  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.

Extend auth token parsing to support token in different json fields.
There is no real consensus on OAuth2 token response format, which means that each registry can implement their own. In particular, Azure ACR uses `access_token` as described here https://github.com/Azure/acr/blob/main/docs/Token-BasicAuth.md#get-a-pull-access-token-for-the-user. As such, when attempting to parse the JSON response containing the authorization token, we should attempt to deserialize using either `token` or `access_token` (and potentially more fields in the future if needed).
To not break the integration with existing registries, the behavior is to fall back to `access_token` only if `token` does not exist in the response.

Signed-off-by: Baptiste Girard-Carrabin <baptiste.girardcarrabin@datadoghq.com>
@Fricounet Fricounet requested a review from a team as a code owner April 25, 2025 14:00
@Fricounet Fricounet requested review from bergwolf, imeoer and jiangliu and removed request for a team April 25, 2025 14:00

codecov bot commented Apr 25, 2025

Codecov Report

Attention: Patch coverage is 89.18919% with 8 lines in your changes missing coverage. Please review.

Project coverage is 55.50%. Comparing base (21206e7) to head (a2ca336).
Report is 4 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| storage/src/backend/registry.rs | 89.18% | 6 Missing and 2 partials ⚠️ |
Additional details and impacted files


@@            Coverage Diff             @@
##           master    #1689      +/-   ##
==========================================
+ Coverage   55.45%   55.50%   +0.04%     
==========================================
  Files         197      197              
  Lines       55754    55824      +70     
  Branches    47176    47246      +70     
==========================================
+ Hits        30920    30986      +66     
  Misses      23235    23235              
- Partials     1599     1603       +4     

| Files with missing lines | Coverage Δ |
|---|---|
| storage/src/backend/registry.rs | 37.25% <89.18%> (+5.77%) ⬆️ |

... and 4 files with indirect coverage changes


@@ -119,6 +119,17 @@ impl<T> HashCache<T> {
}
}

#[derive(Clone, serde::Deserialize)]
struct TokenRegistryResponse {
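
Review bot: `TokenRegistryResponse` is introduced at the end of this hunk with no doc comment above its `#[derive(...)]` line; since the struct exists only to accept either `token` or `access_token` from the registry, a `///` comment stating which field wins when both are present would document the fallback at the type itself. The derive list is `Clone` and `serde::Deserialize` only, and keeping `Debug` off a struct that holds a bearer token is worth preserving so the value cannot reach a log line through `{:?}`.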
Collaborator


Thanks, very nice PR!

How about reusing the TokenResponse struct but:

```rust
struct TokenResponse {
    #[serde(default)]
    token: String,
    #[serde(default)]
    access_token: String,
    #[serde(default = "default_expires_in")]
    expires_in: u64,
}
```

Then we can implement:

```rust
impl TokenResponse {
    fn from_resp(resp: Response) -> Result<Self> {
        // TODO: the codes in previous `extract_token`.
    }
}
```

And use it:

```rust
let ret = TokenResponse::from_resp(resp)?;
```

Contributor Author


Thanks a lot for your comment. I'm very new to Rust, so I really appreciate your feedback to improve my code!

I didn't know about serde(default) so that's indeed a good way to not have to add an additional struct.
I've updated my code in a2ca336 with this change. If that works for you, I'll squash the commit properly afterwards.

Apply github comment.
Use `serde:default` in TokenResponse to have the same behavior as Option<String> without changing the struct signature.

Signed-off-by: Baptiste Girard-Carrabin <baptiste.girardcarrabin@datadoghq.com>
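
The field priority this thread settles on, as an added example that is not code from this PR or the project: the struct is filled by hand to stand in for what `#[serde(default)]` yields (a missing field arrives as an empty `String`), and `bearer()` rejects the case where both fields are empty. The `bearer` method, the 60-second default and the redacting `Debug` impl are assumptions of the example.

```rust
use std::fmt;

// Assumed fallback lifetime in seconds; the page names `default_expires_in`
// but does not show its value.
const ASSUMED_DEFAULT_EXPIRES_IN: u64 = 60;

// Stand-in for the deserialized response: with `#[serde(default)]`, a field
// missing from the JSON arrives as an empty String instead of a parse error.
#[derive(Clone)]
struct TokenResponse {
    token: String,
    access_token: String,
    expires_in: u64,
}

impl Default for TokenResponse {
    fn default() -> Self {
        TokenResponse {
            token: String::new(),
            access_token: String::new(),
            expires_in: ASSUMED_DEFAULT_EXPIRES_IN,
        }
    }
}

// Redacting Debug, so a stray `{:?}` in a log line never prints the credential.
impl fmt::Debug for TokenResponse {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "TokenResponse {{ token: <redacted>, expires_in: {} }}", self.expires_in)
    }
}

impl TokenResponse {
    // `token` wins; `access_token` is used only when `token` is absent or empty.
    // Both empty is an error: never send a request with an empty bearer value.
    fn bearer(&self) -> Result<&str, &'static str> {
        if !self.token.is_empty() {
            Ok(&self.token)
        } else if !self.access_token.is_empty() {
            Ok(&self.access_token)
        } else {
            Err("registry response carried neither `token` nor `access_token`")
        }
    }
}

fn main() {
    // Constructed sample: an ACR-style response that only set `access_token`.
    let acr = TokenResponse { access_token: "constructed-acr-token".into(), ..Default::default() };
    println!("{:?} -> {:?}", acr, acr.bearer());
}
```

Because a defaulted `String` cannot distinguish `"token": ""` from a missing `token`, an explicitly empty `token` also falls through to `access_token` here.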
Collaborator

@imeoer imeoer left a comment


very nice updates, LGTM!

@imeoer imeoer merged commit d36295a into dragonflyoss:master Apr 28, 2025
24 checks passed