Fixes #36827 - Container registries on Katello now return the correct…

… header information: changed expires_at to expires_in. This is calculated from existing tokens. Fixed proxies controller tests to respect these changes. Updated minimum token time to 60 seconds to match docker spec. Expanded to make verification easier. Rubocop fixes Push to rerun tests
Katello · Oct 13, 2023 · 6da4b54 · 6da4b54
1 parent a578284
commit 6da4b54
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 12 deletions.
diff --git a/app/controllers/katello/api/registry/registry_proxies_controller.rb b/app/controllers/katello/api/registry/registry_proxies_controller.rb
@@ -134,7 +134,8 @@ def authorize_repository_read
 
     def token
       if !require_user_authorization?
-        personal_token = OpenStruct.new(token: 'unauthenticated', issued_at: Time.now, expires_at: Time.now + 3)
+        # Docker spec requires minimum token expiry to be 60 seconds
+        personal_token = OpenStruct.new(token: 'unauthenticated', issued_at: Time.now, expires_at: 60.seconds.from_now)
       else
         personal_token = PersonalAccessToken.where(user_id: User.current.id, name: 'registry').first
         if personal_token.nil?
@@ -147,8 +148,15 @@ def token
         end
       end
 
+      expiration_seconds = (personal_token.expires_at.to_time - Time.now).seconds.to_int
+      issue_time = Time.now.rfc3339
+
       response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
-      render json: { token: personal_token.token, expires_at: personal_token.expires_at, issued_at: personal_token.created_at }
+      render json: {
+        token: personal_token.token,
+        expires_in: expiration_seconds,
+        issued_at: issue_time
+      }
     end
 
     def pull_manifest

diff --git a/test/controllers/api/registry/registry_proxies_controller_test.rb b/test/controllers/api/registry/registry_proxies_controller_test.rb
@@ -136,13 +136,16 @@ def setup_permissions
         PersonalAccessToken.expects(:where)
                            .with(user_id: User.current.id, name: 'registry')
                            .returns([])
-        expiration = Time.now
+        issue_time = Time.now
+        expiry_time = 30.minutes.from_now
+        tolerance = 3.seconds
+
         token = mock('token')
         token.stubs(:token).returns("12345")
         token.stubs(:generate_token).returns("12345")
         token.stubs(:user_id).returns(User.current.id)
-        token.stubs(:expires_at).returns("#{expiration}")
-        token.stubs(:created_at).returns("#{expiration}")
+        token.stubs(:expires_at).returns("#{expiry_time.rfc3339}")
+        token.stubs(:created_at).returns("#{issue_time.rfc3339}")
         token.stubs('save!').returns(true)
         PersonalAccessToken.expects(:new).returns(token)
 
@@ -151,18 +154,24 @@ def setup_permissions
         assert_equal 'registry/2.0', response.headers['Docker-Distribution-API-Version']
         body = JSON.parse(response.body)
         assert_equal "12345", body['token']
-        assert_equal "#{expiration}", body['expires_at']
-        assert_equal "#{expiration}", body['issued_at']
+
+        response_issue_time = body['issued_at'].to_time
+        response_expiry_time = response_issue_time + body['expires_in'].seconds
+        assert (response_expiry_time - tolerance) < expiry_time
+        assert (response_expiry_time + tolerance) > expiry_time
       end
 
       it "token - has 'registry' token" do
-        expiration = Time.now
+        issue_time = Time.now
+        expiry_time = 30.minutes.from_now
+        tolerance = 3.seconds
+
         token = mock('token')
         token.stubs(:token).returns("12345")
         token.stubs(:generate_token).returns("12345")
         token.stubs(:user_id).returns(User.current.id)
-        token.stubs(:expires_at).returns("#{expiration}")
-        token.stubs(:created_at).returns("#{expiration}")
+        token.stubs(:expires_at).returns("#{expiry_time.rfc3339}")
+        token.stubs(:created_at).returns("#{issue_time.rfc3339}")
         token.stubs('save!').returns(true)
         token.expects('expires_at=').returns(true)
         PersonalAccessToken.expects(:where)
@@ -175,8 +184,11 @@ def setup_permissions
         assert_equal 'registry/2.0', response.headers['Docker-Distribution-API-Version']
         body = JSON.parse(response.body)
         assert_equal "12345", body['token']
-        assert_equal "#{expiration}", body['expires_at']
-        assert_equal "#{expiration}", body['issued_at']
+
+        response_issue_time = body['issued_at'].to_time
+        response_expiry_time = response_issue_time + body['expires_in'].seconds
+        assert (response_expiry_time - tolerance) < expiry_time
+        assert (response_expiry_time + tolerance) > expiry_time
       end
 
       it "token - unscoped is authorized" do