registry: use the privileged client to get signatures

Author: mfojtik

pkg/dockerregistry/server/app.go

@@ -115,7 +115,11 @@ func NewApp(ctx context.Context, registryClient client.RegistryClient, dockerCon
 
 	// Registry extensions endpoint provides extra functionality to handle the image
 	// signatures.
-	RegisterSignatureHandler(dockerApp)
+	isImageClient, err := registryClient.Client()
+	if err != nil {
+		context.GetLogger(dockerApp).Fatalf("unable to get client for signatures: %v", err)
+	}
+	RegisterSignatureHandler(dockerApp, isImageClient)
 
 	// Registry extensions endpoint provides prometheus metrics.
 	if extraConfig.Metrics.Enabled {

pkg/dockerregistry/server/auth.go

@@ -333,6 +333,8 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg
 				if err := verifyImageSignatureAccess(ctx, namespace, name, osClient); err != nil {
 					return nil, ac.wrapErr(ctx, err)
 				}
+			default:
+				return nil, ac.wrapErr(ctx, ErrUnsupportedAction)
 			}
 
 		case "metrics":

pkg/dockerregistry/server/signaturedispatcher.go

@@ -17,6 +17,7 @@ import (
 	"github.com/docker/distribution/registry/api/v2"
 	"github.com/docker/distribution/registry/handlers"
 
+	"github.com/openshift/origin/pkg/dockerregistry/server/client"
 	imageapi "github.com/openshift/origin/pkg/image/apis/image"
 	imageapiv1 "github.com/openshift/origin/pkg/image/apis/image/v1"
 
@@ -60,18 +61,27 @@ var (
 )
 
 type signatureHandler struct {
-	ctx       *handlers.Context
-	reference imageapi.DockerImageReference
+	ctx           *handlers.Context
+	reference     imageapi.DockerImageReference
+	isImageClient client.ImageStreamImagesNamespacer
 }
 
-// SignatureDispatcher handles the GET and PUT requests for signature endpoint.
-func SignatureDispatcher(ctx *handlers.Context, r *http.Request) http.Handler {
-	signatureHandler := &signatureHandler{ctx: ctx}
-	signatureHandler.reference, _ = imageapi.ParseDockerImageReference(ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"))
-
-	return gorillahandlers.MethodHandler{
-		"GET": http.HandlerFunc(signatureHandler.Get),
-		"PUT": http.HandlerFunc(signatureHandler.Put),
+// NewSignatureDispatcher provides a function that handles the GET and PUT
+// requests for signature endpoint.
+func NewSignatureDispatcher(isImageClient client.ImageStreamImagesNamespacer) func(*handlers.Context, *http.Request) http.Handler {
+	return func(ctx *handlers.Context, r *http.Request) http.Handler {
+		reference, _ := imageapi.ParseDockerImageReference(
+			ctxu.GetStringValue(ctx, "vars.name") + "@" + ctxu.GetStringValue(ctx, "vars.digest"),
+		)
+		signatureHandler := &signatureHandler{
+			ctx:           ctx,
+			isImageClient: isImageClient,
+			reference:     reference,
+		}
+		return gorillahandlers.MethodHandler{
+			"GET": http.HandlerFunc(signatureHandler.Get),
+			"PUT": http.HandlerFunc(signatureHandler.Put),
+		}
 	}
 }
 
@@ -142,18 +152,13 @@ func (s *signatureHandler) Get(w http.ResponseWriter, req *http.Request) {
 		s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("missing image name or image ID"), w)
 		return
 	}
-	client, ok := userClientFrom(s.ctx)
-	if !ok {
-		s.handleError(s.ctx, errcode.ErrorCodeUnknown.WithDetail("unable to get origin client"), w)
-		return
-	}
 
 	if len(s.reference.ID) == 0 {
 		s.handleError(s.ctx, v2.ErrorCodeNameInvalid.WithDetail("the image ID must be specified (sha256:<digest>"), w)
 		return
 	}
 
-	image, err := client.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
+	image, err := s.isImageClient.ImageStreamImages(s.reference.Namespace).Get(imageapi.MakeImageStreamImageName(s.reference.Name, s.reference.ID), metav1.GetOptions{})
 	switch {
 	case err == nil:
 	case kapierrors.IsUnauthorized(err):

pkg/dockerregistry/server/signaturedispatcher_test.go

@@ -57,6 +57,8 @@ func TestSignatureGet(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")
+
 	ctx := context.Background()
 	ctx = withUserClient(ctx, osclient)
 	registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{
@@ -163,6 +165,8 @@ func TestSignaturePut(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	os.Setenv("OPENSHIFT_DEFAULT_REGISTRY", "localhost:5000")
+
 	ctx := context.Background()
 	ctx = withUserClient(ctx, osclient)
 	registryApp := NewApp(ctx, registryclient.NewFakeRegistryClient(imageClient), &configuration.Configuration{

pkg/dockerregistry/server/signaturehandler.go

@@ -8,11 +8,12 @@ import (
 	"github.com/docker/distribution/registry/handlers"
 
 	"github.com/openshift/origin/pkg/dockerregistry/server/api"
+	"github.com/openshift/origin/pkg/dockerregistry/server/client"
 )
 
 // RegisterSignatureHandler registers the Docker image signature extension to Docker
 // registry.
-func RegisterSignatureHandler(app *handlers.App) {
+func RegisterSignatureHandler(app *handlers.App, isImageClient client.ImageStreamImagesNamespacer) {
 	extensionsRouter := app.NewRoute().PathPrefix(api.ExtensionsPrefix).Subrouter()
 	var (
 		getSignatureAccess = func(r *http.Request) []auth.Access {
@@ -40,13 +41,13 @@ func RegisterSignatureHandler(app *handlers.App) {
 	)
 	app.RegisterRoute(
 		extensionsRouter.Path(api.SignaturesPath).Methods("GET"),
-		SignatureDispatcher,
+		NewSignatureDispatcher(isImageClient),
 		handlers.NameRequired,
 		getSignatureAccess,
 	)
 	app.RegisterRoute(
 		extensionsRouter.Path(api.SignaturesPath).Methods("PUT"),
-		SignatureDispatcher,
+		NewSignatureDispatcher(isImageClient),
 		handlers.NameRequired,
 		putSignatureAccess,
 	)