Comments (12)
Well, basic auth adds very little because it's just an encoding, a potential attacker would have no problem decoding it.
IMO the important thing is that it's not exposed as a query parameter, therefore a POST should be fine. We have other endpoints sending creds in clear and the pentest assessment we run never reported as a security threat.
I'll keep simple and if it emerges as a problem we'll use a different strategy for all endpoints sending sensible data.
from wave.
If I'm not wrong we'll need also the image (scope, see https://docs.docker.com/registry/spec/auth/jwt/)
we can use registry
field as a full path, and parse it with RouteHelper, or include another field
from wave.
I think this is something we now need to figure out why the image is needed. When you login to a registry with docker login
only the user name and pwd is needed. This API should provide a similar experience
from wave.
So, the steps to perform a login are:
- https://quay.io/v2/ Authorization:"Basic user:pwd.base64()"
- respond with 401 and
WWW-Authenticate: Bearer realm="https://quay.io/v2/auth",service="quay.io"
header - https://quay.io/v2/auth Authorization:"Basic user:pwd.base64()"
- respond with a token if user/pwd are ok
also with docker.io
- https://registry-1.docker.io/v2/ Authorization:"Basic user:pwd.base64()"
- respond with 401 and
www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io"
header - https://auth.docker.io/token Authorization:"Basic user:pwd.base64()"
- respond with a token if user/pwd are ok
so, basically first request to /v2
give the URL where authenticate the user in the www-authenticate header
from wave.
This is cool, nice finding
from wave.
Thinking about this issue I wonder how "secure" is we pass the user/password in the request, maybe we need to encrypt in some way?
from wave.
Why it should? the TLS layer over HTTP protocol should take care of that. Does it make sense?
from wave.
yes, but still send user/password in clear to me it's a little dirty
What I was thinking right now it's that maybe it's better to mimic docker protocol and validate the user/pwd into the /v2/
path instead to create our implementation, i.e. the client request /v2
with an Authorization: Basic base64
header
from wave.
and what do you think about to remove the /validate-creds
endpoint and moving it to /v2
to be more a docker registry?
from wave.
Basically, you are suggesting exposing the standard registry API via the V2 controller, right?
Don't know, maybe it's a good idea but it looks like a bit different intent from my original goal, which was to provide a simple API for tower needs hiding the complexity of the registry authentication. This is also why it should go into a separate controller.
Maybe we can have both. I would start with the controller as suggested above. In a second step, we can decide to move this logic into Tower and implement the /v2 auth in this project. How does it sound to you ?
from wave.
perfect
from wave.
Then this could be closed. Can you please add a mini section in the Readme including a mini curl
command to use this feature?
from wave.
Related Issues (20)
- Document how metrics counter works
- Aggregate metrics
- Use K8s Job instead of pod for Blob cache transfer
- Detection and deletion of corrupted uploads HOT 2
- Improve error message when augmenting with a sha256 tag HOT 1
- Use buildkit for container image builds HOT 4
- Wave container builds failing due to private ECR path modifications HOT 5
- Blob Upload Stress Test HOT 1
- Cleanup of complete blob upload jobs HOT 6
- TypeSpec API definition
- Add Trivy SBOM scan for wave build containers HOT 1
- Decouple build status from persistence service HOT 1
- Prevent the use of Community registry with containerImage attribute HOT 1
- Add breakdown per org on stats metrics when a date is specified
- Keep the ASCII color codes of k8s pod logs
- image name strategy is not working as expected
- Update accesstoken when refreshing jwt token HOT 1
- Build page reports invalid error status while the build is running HOT 1
- Add Troubleshoot guide
- Use Pixi to resolve Conda environment
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wave.