github/distribution
1
0
Fork 0
mirror of https://github.com/distribution/distribution.git synced 2025-08-18 23:07:38 +00:00
Code Issues Projects Releases Wiki Activity

Fix broken signing algorithm configuration for token authentication (#4578)

Browse Source
This commit is contained in:
Milos Gajdos 2025-02-24 07:41:25 -08:00 committed by GitHub
commit 9e96aec357
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
registry/auth/token/accesscontroller.go
View File

@ -197,7 +197,7 @@ func checkOptions(options map[string]interface{}) (tokenAccessOptions, error) {
vals = append(vals, "") vals = append(vals, "")
continue continue
} }
return opts, fmt.Errorf("token auth requires a valid option string: %q", key) return tokenAccessOptions{}, fmt.Errorf("token auth requires a valid option string: %q", key)
} }
vals = append(vals, val) vals = append(vals, val)
} }
@ -208,7 +208,7 @@ func checkOptions(options map[string]interface{}) (tokenAccessOptions, error) {
if ok { if ok {
autoRedirect, ok := autoRedirectVal.(bool) autoRedirect, ok := autoRedirectVal.(bool)
if !ok { if !ok {
return opts, errors.New("token auth requires a valid option bool: autoredirect") return tokenAccessOptions{}, errors.New("token auth requires a valid option bool: autoredirect")
} }
opts.autoRedirect = autoRedirect opts.autoRedirect = autoRedirect
} }
@ -217,7 +217,7 @@ func checkOptions(options map[string]interface{}) (tokenAccessOptions, error) {
if ok { if ok {
autoRedirectPath, ok := autoRedirectPathVal.(string) autoRedirectPath, ok := autoRedirectPathVal.(string)
if !ok { if !ok {
return opts, errors.New("token auth requires a valid option string: autoredirectpath") return tokenAccessOptions{}, errors.New("token auth requires a valid option string: autoredirectpath")
} }
opts.autoRedirectPath = autoRedirectPath opts.autoRedirectPath = autoRedirectPath
} }
@ -228,11 +228,19 @@ func checkOptions(options map[string]interface{}) (tokenAccessOptions, error) {
signingAlgos, ok := options["signingalgorithms"] signingAlgos, ok := options["signingalgorithms"]
if ok { if ok {
signingAlgorithmsVals, ok := signingAlgos.([]string) signingAlgorithmsVals, ok := signingAlgos.([]interface{})
if !ok { if !ok {
return opts, errors.New("signingalgorithms must be a list of signing algorithms") return tokenAccessOptions{}, errors.New("signingalgorithms must be a list of signing algorithms")
}
for _, signingAlgorithmVal := range signingAlgorithmsVals {
signingAlgorithm, ok := signingAlgorithmVal.(string)
if !ok {
return tokenAccessOptions{}, errors.New("signingalgorithms must be a list of signing algorithms")
}
opts.signingAlgorithms = append(opts.signingAlgorithms, signingAlgorithm)
} }
opts.signingAlgorithms = signingAlgorithmsVals
} }
return opts, nil return opts, nil
@ -298,11 +306,11 @@ func getJwks(path string) (*jose.JSONWebKeySet, error) {
func getSigningAlgorithms(algos []string) ([]jose.SignatureAlgorithm, error) { func getSigningAlgorithms(algos []string) ([]jose.SignatureAlgorithm, error) {
signAlgVals := make([]jose.SignatureAlgorithm, 0, len(algos)) signAlgVals := make([]jose.SignatureAlgorithm, 0, len(algos))
for _, alg := range algos { for _, alg := range algos {
alg, ok := signingAlgorithms[alg] signAlg, ok := signingAlgorithms[alg]
if !ok { if !ok {
return nil, fmt.Errorf("unsupported signing algorithm: %s", alg) return nil, fmt.Errorf("unsupported signing algorithm: %s", alg)
} }
signAlgVals = append(signAlgVals, alg) signAlgVals = append(signAlgVals, signAlg)
} }
return signAlgVals, nil return signAlgVals, nil
} }