cue-labs / oci

Go modules related to OCI (Open Container Initiative) registries
Apache License 2.0

ociclient: configurable HTTP client #4

Closed rogpeppe closed 1 year ago

rogpeppe commented 1 year ago

Currently ociclient uses http.DefaultClient, but we need to provide configurability here.

This is also (probably) a prerequisite for implementing support for auth credentials. The oras-go module provides support for scoped authorization credentials, passing information about the kind of action down to the underlying client via the context. Perhaps we need to do the same: ociclient could easily pass down some kind of scope hint to the underlying client. The slice-of-string-based approach used by oras.land/oras-go/v2/registry/remote/auth seems like it could potentially be a bit more efficient though; maybe something like this:

```go
package ociclient

import "context"

// AuthActions is a bitmask that holds a set of actions required to
// be authorized for a call on a registry.
type AuthActions int

const (
	// ActionPull is for entry points that pull individual items
	// (for example all the methods in [ociregistry.Interface.Reader]).
	ActionPull AuthActions = 1 << iota
	// ActionList is for entry points that return a list of items
	// (for example all the methods in [ociregistry.Interface.Lister]).
	ActionList
	// ActionPush is for entry points that push items
	// (for example all the methods in [ociregistry.Interface.Writer]).
	ActionPush
	// ActionDelete is for entry points that delete items
	// (for example all the methods in [ociregistry.Interface.Deleter]).
	ActionDelete
)

// AuthScope defines the authorization scope of a call (the permissions
// required for a call to succeed).
type AuthScope struct {
	// TargetRepo holds the repository that's the target of the request.
	// For Mount this is the destination repository, `toRepo`.
	// For Repositories, this will be empty.
	TargetRepo string
	// TargetActions holds the set of actions that will be made with respect
	// to the repository.
	TargetActions AuthActions
	// SourceRepo holds the repository that's the source of the request.
	// This is only used for Mount requests; the implied action is always
	// ActionPull.
	SourceRepo string
}

// authScopeKey is the context key under which the AuthScope is stored.
type authScopeKey struct{}

// ContextWithAuthScope returns ctx associated with the given authorization scope.
// In general this is only useful for tests, as `ociclient` itself is generally responsible
// for adding authorization scopes.
func ContextWithAuthScope(ctx context.Context, scope AuthScope) context.Context {
	return context.WithValue(ctx, authScopeKey{}, scope)
}

// AuthScopeFromContext returns the authorization scope associated with context.
// If there is none, it returns the zero AuthScope.
func AuthScopeFromContext(ctx context.Context) AuthScope {
	scope, _ := ctx.Value(authScopeKey{}).(AuthScope)
	return scope
}
```
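
The scope hint proposed above lets the underlying HTTP client ask for a token that covers only what a call needs. As an added example (not part of the issue or the project's code), this sketch reads an AuthScope from the context and renders it in the `repository:NAME:ACTIONS` form used by registry token servers; `scopeKey`, `tokenScopes`, the sample repository names and the mapping of actions to names are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

type AuthActions int
const (
	ActionPull AuthActions = 1 << iota
	ActionList
	ActionPush
	ActionDelete
)

type AuthScope struct { // same fields as the proposal above
	TargetRepo, SourceRepo string
	TargetActions          AuthActions
}
type scopeKey struct{} // constructed context key

// tokenScopes renders the scope carried by ctx as token-server scope strings,
// so a token covers only what the call needs. Action names are assumptions.
func tokenScopes(ctx context.Context) (out []string) {
	s, _ := ctx.Value(scopeKey{}).(AuthScope) // zero scope when none was set
	var acts []string
	for _, a := range []struct {
		bits AuthActions
		name string
	}{{ActionPull | ActionList, "pull"}, {ActionPush, "push"}, {ActionDelete, "delete"}} {
		if s.TargetActions&a.bits != 0 {
			acts = append(acts, a.name)
		}
	}
	if s.TargetRepo != "" && len(acts) > 0 {
		out = append(out, "repository:"+s.TargetRepo+":"+strings.Join(acts, ","))
	} else if s.TargetActions&ActionList != 0 {
		out = append(out, "registry:catalog:*") // Repositories: no target repo
	}
	if s.SourceRepo != "" {
		out = append(out, "repository:"+s.SourceRepo+":pull") // Mount source
	}
	return out
}

func main() {
	scope := AuthScope{TargetRepo: "team/app", SourceRepo: "base/img", TargetActions: ActionPush}
	fmt.Println(tokenScopes(context.WithValue(context.Background(), scopeKey{}, scope)))
}
```

A context with no scope yields no scope strings, so a transport built on this can refuse to fetch a token rather than fall back to a broad one.
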
rogpeppe commented 1 year ago

Implemented in 42afc2a86a0435f369d1f2d9e7a1709e8944c180.