From 6da4b54673c308c53951c8f91db5f361eec56d18 Mon Sep 17 00:00:00 2001
From: Quinn James
Date: Thu, 12 Oct 2023 20:40:33 +0000
Subject: [PATCH] Fixes #36827 - Container registries on Katello now return the correct header information: changed expires_at to expires_in. This is calculated from existing tokens. Fixed proxies controller tests to respect these changes. Updated minimum token time to 60 seconds to match docker spec. Expanded to make verification easier. Rubocop fixes Push to rerun tests
---
 .../registry/registry_proxies_controller.rb | 12 +++++--
 .../registry_proxies_controller_test.rb | 32 +++++++++++++------
 2 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/app/controllers/katello/api/registry/registry_proxies_controller.rb b/app/controllers/katello/api/registry/registry_proxies_controller.rb
index a0afd98e631..5a0a994f11b 100644
--- a/app/controllers/katello/api/registry/registry_proxies_controller.rb
+++ b/app/controllers/katello/api/registry/registry_proxies_controller.rb
@@ -134,7 +134,8 @@ def authorize_repository_read
 def token
 if !require_user_authorization?
- personal_token = OpenStruct.new(token: 'unauthenticated', issued_at: Time.now, expires_at: Time.now + 3)
+ # Docker spec requires minimum token expiry to be 60 seconds
+ personal_token = OpenStruct.new(token: 'unauthenticated', issued_at: Time.now, expires_at: 60.seconds.from_now)
 else
 personal_token = PersonalAccessToken.where(user_id: User.current.id, name: 'registry').first
 if personal_token.nil?
@@ -147,8 +148,15 @@ def token
 end
 end
+ expiration_seconds = (personal_token.expires_at.to_time - Time.now).seconds.to_int
+ issue_time = Time.now.rfc3339
+
 response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
- render json: { token: personal_token.token, expires_at: personal_token.expires_at, issued_at: personal_token.created_at }
+ render json: {
+ token: personal_token.token,
+ expires_in: expiration_seconds,
+ issued_at: issue_time
+ }
 end
 def pull_manifest
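Review bot: `expiration_seconds` goes to the client unchecked in the second hunk of `token`: the 60-second floor that the first hunk's comment cites is applied only to the unauthenticated placeholder, so a stored token whose `expires_at` is near or already past would produce a short or negative `expires_in`, and a nil `expires_at` (if the model permits one, which is not visible here) would raise on `.to_time`. Reading the clock once and guarding the result would cover this, e.g. `now = Time.now` and `expiration_seconds = (personal_token.expires_at.to_time - now).to_i`, followed by a check that renews or refuses the token when the value is below 60. The `.seconds` wrapper before `.to_int` appears to add nothing. The else branch that may refresh the expiry lies between the two hunks and is not shown, so if it already guarantees a future `expires_at`, a one-line comment stating that assumption above the computation would be enough.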
diff --git a/test/controllers/api/registry/registry_proxies_controller_test.rb b/test/controllers/api/registry/registry_proxies_controller_test.rb
index 25caba3d85d..ed4ac2fa24c 100644
--- a/test/controllers/api/registry/registry_proxies_controller_test.rb
+++ b/test/controllers/api/registry/registry_proxies_controller_test.rb
@@ -136,13 +136,16 @@ def setup_permissions
 PersonalAccessToken.expects(:where)
 .with(user_id: User.current.id, name: 'registry')
 .returns([])
- expiration = Time.now
+ issue_time = Time.now
+ expiry_time = 30.minutes.from_now
+ tolerance = 3.seconds
+
 token = mock('token')
 token.stubs(:token).returns("12345")
 token.stubs(:generate_token).returns("12345")
 token.stubs(:user_id).returns(User.current.id)
- token.stubs(:expires_at).returns("#{expiration}")
- token.stubs(:created_at).returns("#{expiration}")
+ token.stubs(:expires_at).returns("#{expiry_time.rfc3339}")
+ token.stubs(:created_at).returns("#{issue_time.rfc3339}")
 token.stubs('save!').returns(true)
 PersonalAccessToken.expects(:new).returns(token)
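Review bot: The `expires_at` and `created_at` stubs return Strings (`"#{expiry_time.rfc3339}"`), so the example exercises the controller's `.to_time` on a String rather than on the time object the real `PersonalAccessToken` presumably returns (the model is not shown). Returning the object itself, `token.stubs(:expires_at).returns(expiry_time)`, would keep the stub closer to the model. Neither example covers a stored token whose `expires_at` is already in the past, which is the input where `expires_in` could drop below the 60 seconds named in the commit message. The `it` block starts above this hunk and its request and assertions follow in the next one.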
@@ -151,18 +154,24 @@ def setup_permissions
 assert_equal 'registry/2.0', response.headers['Docker-Distribution-API-Version']
 body = JSON.parse(response.body)
 assert_equal "12345", body['token']
- assert_equal "#{expiration}", body['expires_at']
- assert_equal "#{expiration}", body['issued_at']
+
+ response_issue_time = body['issued_at'].to_time
+ response_expiry_time = response_issue_time + body['expires_in'].seconds
+ assert (response_expiry_time - tolerance) < expiry_time
+ assert (response_expiry_time + tolerance) > expiry_time
 end
 it "token - has 'registry' token" do
- expiration = Time.now
+ issue_time = Time.now
+ expiry_time = 30.minutes.from_now
+ tolerance = 3.seconds
+
 token = mock('token')
 token.stubs(:token).returns("12345")
 token.stubs(:generate_token).returns("12345")
 token.stubs(:user_id).returns(User.current.id)
- token.stubs(:expires_at).returns("#{expiration}")
- token.stubs(:created_at).returns("#{expiration}")
+ token.stubs(:expires_at).returns("#{expiry_time.rfc3339}")
+ token.stubs(:created_at).returns("#{issue_time.rfc3339}")
 token.stubs('save!').returns(true)
 token.expects('expires_at=').returns(true)
 PersonalAccessToken.expects(:where)
@@ -175,8 +184,11 @@ def setup_permissions
 assert_equal 'registry/2.0', response.headers['Docker-Distribution-API-Version']
 body = JSON.parse(response.body)
 assert_equal "12345", body['token']
- assert_equal "#{expiration}", body['expires_at']
- assert_equal "#{expiration}", body['issued_at']
+
+ response_issue_time = body['issued_at'].to_time
+ response_expiry_time = response_issue_time + body['expires_in'].seconds
+ assert (response_expiry_time - tolerance) < expiry_time
+ assert (response_expiry_time + tolerance) > expiry_time
 end
 it "token - unscoped is authorized" do
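Review bot: The new checks bound the expiry through two bare `assert` comparisons and never assert on `expires_in` itself, so neither its type nor the 60-second minimum is pinned, and a failure reports only that the expression was false. `assert_kind_of Integer, body['expires_in']` together with `assert_in_delta expiry_time.to_f, response_expiry_time.to_f, tolerance.to_f` expresses the same bound with a readable failure message, and `assert_nil body['expires_at']` would pin the removal of the old field. The identical block is repeated in the hunk at -175,8 and could move into a small helper shared by both examples. Both `it` blocks begin outside their hunks.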