From b8e87ed57b8042c56cc4875aa99e79906b7b9ad5 Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Sat, 10 Aug 2024 01:41:51 +0000 Subject: [PATCH] remote/transport: Make bearer transport go-routine-safe (#1806) --- pkg/v1/remote/transport/bearer.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/pkg/v1/remote/transport/bearer.go b/pkg/v1/remote/transport/bearer.go index be3bec9c3..ea652d4ae 100644 --- a/pkg/v1/remote/transport/bearer.go +++ b/pkg/v1/remote/transport/bearer.go @@ -24,8 +24,10 @@ import ( "net/http" "net/url" "strings" + "sync" authchallenge "github.com/docker/distribution/registry/client/auth/challenge" + "github.com/google/go-containerregistry/internal/redact" "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/logs" @@ -98,6 +100,7 @@ func fromChallenge(reg name.Registry, auth authn.Authenticator, t http.RoundTrip } type bearerTransport struct { + mx sync.RWMutex // Wrapped by bearerTransport. inner http.RoundTripper // Basic credentials that we exchange for bearer tokens. @@ -139,7 +142,10 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) { // the registry with which we are interacting. // In case of redirect http.Client can use an empty Host, check URL too. if matchesHost(bt.registry.RegistryStr(), in, bt.scheme) { - hdr := fmt.Sprintf("Bearer %s", bt.bearer.RegistryToken) + bt.mx.RLock() + localToken := bt.bearer.RegistryToken + bt.mx.RUnlock() + hdr := fmt.Sprintf("Bearer %s", localToken) in.Header.Set("Authorization", hdr) } return bt.inner.RoundTrip(in) @@ -156,11 +162,12 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) { res.Body.Close() newScopes := []string{} + bt.mx.Lock() + got := stringSet(bt.scopes) for _, wac := range challenges { // TODO(jonjohnsonjr): Should we also update "realm" or "service"? if want, ok := wac.Parameters["scope"]; ok { // Add any scopes that we don't already request. - got := stringSet(bt.scopes) if _, ok := got[want]; !ok { newScopes = append(newScopes, want) } @@ -172,6 +179,7 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) { // otherwise the registry might just ignore it :/ newScopes = append(newScopes, bt.scopes...) bt.scopes = newScopes + bt.mx.Unlock() // TODO(jonjohnsonjr): Teach transport.Error about "error" and "error_description" from challenge. @@ -196,7 +204,9 @@ func (bt *bearerTransport) refresh(ctx context.Context) error { } if auth.RegistryToken != "" { + bt.mx.Lock() bt.bearer.RegistryToken = auth.RegistryToken + bt.mx.Unlock() return nil } @@ -212,7 +222,9 @@ func (bt *bearerTransport) refresh(ctx context.Context) error { // Find a token to turn into a Bearer authenticator if response.Token != "" { + bt.mx.Lock() bt.bearer.RegistryToken = response.Token + bt.mx.Unlock() } // If we obtained a refresh token from the oauth flow, use that for refresh() now. @@ -306,7 +318,9 @@ func (bt *bearerTransport) refreshOauth(ctx context.Context) ([]byte, error) { } v := url.Values{} + bt.mx.RLock() v.Set("scope", strings.Join(bt.scopes, " ")) + bt.mx.RUnlock() if bt.service != "" { v.Set("service", bt.service) } @@ -362,7 +376,9 @@ func (bt *bearerTransport) refreshBasic(ctx context.Context) ([]byte, error) { client := http.Client{Transport: b} v := u.Query() + bt.mx.RLock() v["scope"] = bt.scopes + bt.mx.RUnlock() v.Set("service", bt.service) u.RawQuery = v.Encode()