Add endpoint to validate credential of an arbitrary container registry about wave HOT 12 CLOSED

Well, basic auth adds very little because it's just an encoding, a potential attacker would have no problem decoding it.

IMO the important thing is that it's not exposed as a query parameter, therefore a POST should be fine. We have other endpoints sending creds in clear and the pentest assessment we run never reported as a security threat.

I'll keep simple and if it emerges as a problem we'll use a different strategy for all endpoints sending sensible data.

from wave.

If I'm not wrong we'll need also the image (scope, see https://docs.docker.com/registry/spec/auth/jwt/)

we can use registry field as a full path, and parse it with RouteHelper, or include another field

from wave.

I think this is something we now need to figure out why the image is needed. When you login to a registry with docker login only the user name and pwd is needed. This API should provide a similar experience

from wave.

So, the steps to perform a login are:

• https://quay.io/v2/ Authorization:"Basic user:pwd.base64()"
• respond with 401 and WWW-Authenticate: Bearer realm="https://quay.io/v2/auth",service="quay.io" header
• https://quay.io/v2/auth Authorization:"Basic user:pwd.base64()"
• respond with a token if user/pwd are ok

also with docker.io

• https://registry-1.docker.io/v2/ Authorization:"Basic user:pwd.base64()"
• respond with 401 and www-authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io" header
• https://auth.docker.io/token Authorization:"Basic user:pwd.base64()"
• respond with a token if user/pwd are ok

so, basically first request to /v2 give the URL where authenticate the user in the www-authenticate header

from wave.

This is cool, nice finding

from wave.

Thinking about this issue I wonder how "secure" is we pass the user/password in the request, maybe we need to encrypt in some way?

from wave.

Why it should? the TLS layer over HTTP protocol should take care of that. Does it make sense?

from wave.

yes, but still send user/password in clear to me it's a little dirty

What I was thinking right now it's that maybe it's better to mimic docker protocol and validate the user/pwd into the /v2/ path instead to create our implementation, i.e. the client request /v2 with an Authorization: Basic base64 header

from wave.

and what do you think about to remove the /validate-creds endpoint and moving it to /v2 to be more a docker registry?

from wave.

Basically, you are suggesting exposing the standard registry API via the V2 controller, right?

Don't know, maybe it's a good idea but it looks like a bit different intent from my original goal, which was to provide a simple API for tower needs hiding the complexity of the registry authentication. This is also why it should go into a separate controller.

Maybe we can have both. I would start with the controller as suggested above. In a second step, we can decide to move this logic into Tower and implement the /v2 auth in this project. How does it sound to you ?

from wave.

perfect

from wave.

Then this could be closed. Can you please add a mini section in the Readme including a mini curl command to use this feature?

from wave.