sapcc / keppel

81%

master: 81%

LAST BUILD ON BRANCH allow-reauth-on-anonymous-first-pull-error

branch: allow-reauth-on-anonymous-first-pull-error

CHANGE BRANCH

x

Reset

• allow-reauth-on-anonymous-first-pull-error
• SubjectDigest
• account-deletion
• account-deletion-storage-sweep
• account-deletion-stuck
• account-validation-cel-expressions
• alternate-registry-api-authz
• anycast-support
• api-account-same-account-name
• authz-refactor
• autoupdateable-deps
• bring-repo-up-to-code
• bump-docker
• bye-docker-distribution
• cleanup-licneses
• conformance
• disable-trivy-telemetry
• drop_maintenance
• eager-manifest-handling
• expose-labels
• fix-account-deletion-storage-sweep
• fix-lints
• fix-new-lints
• fix-nolintlint
• fix-shellcheck
• fix-validate
• fix_modernize
• garbage-collection
• gc-delete-untagged
• golangcilint2
• graceful-server-termination
• health-ping
• image-spec
• keppel-vulnerability-status-changed-resource
• kubernetes-driver
• kubernetes-orchestrator
• layer-chunking
• list-repos-manifests-api
• master
• misc
• misc-stuff
• negative-rbac
• new-test-db-infrastructure
• not-rescan-rotten
• obfuscated-errors
• oci-db
• optimize-db-queriesx
• options-everywhere
• persist-trivy-reports
• platform-filter
• protect-subject-manifests
• quotas
• ratelimit
• rbac
• registry-api-audit-trail
• remove-bcrypt
• remove-registry-orchestration
• remove-trivy-dep
• renovate/actions-checkout-5.x
• renovate/external-dependencies
• renovate/github.com-opencontainers-distribution-spec-specs-go-digest
• renovate/github.comsapcc
• renovate/go-github.com-golang-jwt-jwt-v5-vulnerability
• renovate/go-github.com-redis-go-redis-v9-vulnerability
• renovate/go-golang.org-x-crypto-vulnerability
• renovate/major-external-dependencies
• replication-on-first-use
• secret-handling
• serve-persisted-trivy-reports
• storage-sweep
• support-tagpolicy-in-managed-accounts
• swift-federation-driver
• swift-storage-driver-test-coverage
• switch-peer-auth-to-sha256
• sync-manifests
• tag-policy
• token-caching
• track-manifest-references
• track-repos-and-tags
• trivial-storage-mutex
• trivy-swift-deletion
• typos
• validation-retry
• vuln_status_changed_at
• vulnerability-scanning

Build # 14338700670

Build Type

Pull #522

github

Committed by majewsky

Commit Message

api/registry: respond 401 with challenge when anonymous first pull is rejected

The existing behavior breaks `helm pull`, which (as intended by the API spec)
tries to GET a manifest to be presented with a 401 error and
Www-Authenticate challenge if necessary. We did not do this before,
because _technically_ anonymous users could pull manifests _if_ they
were replicated. But then they were not, and we got stuck.

With this, Helm and friends should try to authenticate and then retry
the GET as an authenticated user.

Pull Request Pull Request #522: api/registry: respond 401 with challenge when anonymous first pull is rejected

Run Details

62 of 71 new or added lines in 12 files covered. (87.32%)

7497 of 9269 relevant lines covered (80.88%)

164.64 hits per line