public async Task <IActionResult> Post([FromBody] RegistryCredentials credentials)
{
// must specify a registry
if (string.IsNullOrEmpty(credentials.Registry))
{
return(Unauthorized());
}
// deny requests for foreign instances, if configured
if (!string.IsNullOrEmpty(Config.Registry) && credentials.Registry.ToLowerInvariant() != Config.Registry.ToLowerInvariant())
{
return(Unauthorized());
}
try
{
credentials.Registry = RegistryCredentials.DeAliasDockerHub(credentials.Registry);
var handler = new AuthHandler(cache, Config, loggerFactory.CreateLogger <AuthHandler>());
await handler.LoginAsync(credentials.Registry, credentials.Username, credentials.Password);
var json = JsonConvert.SerializeObject(credentials);
// publicly visible parameters for session validation
var headers = new Dictionary <string, object>
{
{ "iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
{ "exp", DateTimeOffset.UtcNow.ToUnixTimeSeconds() + Config.AuthTokenLifetime },
{ "reg", credentials.Registry }
};
var token = new Token
{
Usr = credentials.Username,
Pwd = credentials.Password,
Reg = credentials.Registry,
Iat = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
Exp = DateTimeOffset.UtcNow.ToUnixTimeSeconds() + Config.AuthTokenLifetime
};
var jwe = Jose.JWT.Encode(token, crypto, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM, extraHeaders: headers);
return(Ok(new
{
token = jwe
}));
}
catch (Exception ex)
{
Logger.LogError(ex, "Error authenticating token request.");
return(Unauthorized());
}
}
public Task <AuthenticateResult> AuthenticateAsync(string authorization)
{
try
{
var header = AuthenticationHeaderValue.Parse(authorization);
logger.LogTrace($"Got authorization header: {header}");
var jweHeader = Jose.JWT.Headers(header.Parameter);
logger.LogDebug($"JWE Header: {string.Join(", ", jweHeader.Select(p => string.Join(": ", p.Key, p.Value)))}");
if (!jweHeader.ContainsKey("exp") || (long)jweHeader["exp"] <= DateTimeOffset.UtcNow.ToUnixTimeSeconds())
{
return(Task.FromResult(AuthenticateResult.Fail("{ \"error\": \"The token has expired\" }")));
}
var token = Jose.JWT.Decode <Token>(header.Parameter, crypto);
var credentials = new RegistryCredentials
{
Password = token.Pwd,
Username = token.Usr,
Registry = token.Reg
};
logger.LogDebug($"Decoded token for {credentials.Registry}");
if (!string.IsNullOrEmpty(config.Registry) && RegistryCredentials.DeAliasDockerHub(config.Registry.ToLowerInvariant()) != credentials.Registry.ToLowerInvariant())
{
return(Task.FromResult(AuthenticateResult.Fail("{ error: \"The supplied token is for an unsupported registry.\" }")));
}
var principal = new ClaimsPrincipal(credentials.ToClaimsIdentity());
var ticket = new AuthenticationTicket(principal, "token");
return(Task.FromResult(AuthenticateResult.Success(ticket)));
}
catch (Exception ex)
{
logger.LogError(ex, "Token authentication failed.");
return(Task.FromResult(AuthenticateResult.Fail("{ \"error\": \"The supplied token is invalid.\" }")));
}
}