This patch adds a new function that checks if a response was a redirect
for a request and removes the Authorization header that we usually
send if it is not one of our trusted hosts. This prevents authorization
keys from going to insecure places. This is similar logic that exists in
the moby registry code[0].
Additionally improves the cacheability of blobs from docker.io because
they are redirects to files that exist on a CDN that doesn't actually
require authentication. The upstream CI registry caching system doesn't
cache any requests with the Authorization header per the Apache cache
documentation[1].
Reviewed: https://review.opendev.org/744467
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=4dd1bd199f45cbc905924f2936733678a07d4255
Submitter: Zuul
Branch: stable/train
commit 4dd1bd199f45cbc905924f2936733678a07d4255
Author: Alex Schultz <email address hidden>
Date: Tue Jul 28 14:42:59 2020 -0600
Handle redirects for blobs better
This patch adds a new function that checks if a response was a redirect
for a request and removes the Authorization header that we usually
send if it is not one of our trusted hosts. This prevents authorization
keys from going to insecure places. This is similar logic that exists in
the moby registry code[0].
Additionally improves the cacheability of blobs from docker.io because
they are redirects to files that exist on a CDN that doesn't actually
require authentication. The upstream CI registry caching system doesn't
cache any requests with the Authorization header per the Apache cache
documentation[1].
[0] https://github.com/moby/moby/blob/a072d726c753c3b02232e6a7b08d7e7ce79fffa5/registry/registry.go#L140-L174
[1] https://httpd.apache.org/docs/2.4/caching.html
Change-Id: I415eec5d307ac73456aa556db9d61ceac1eaa565
Partial-Bug: #1889122
(cherry picked from commit d3af31414747f28508e236b1fea8db7601fa2e7b)
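The redirect check described in the commit message above, as an added Python example; it is not the tripleo-common or moby code. The function names, the contents of the allow-list and the https-only rule are assumptions of this example, and the sample URLs and token in its usage are constructed.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Hypothetical allow-list: which hosts are trusted is a deployment choice.
TRUSTED_HOSTS = {"registry-1.docker.io", "auth.docker.io"}


def redirect_target(request_url, status, resp_headers):
    """Return the absolute redirect URL, or None if this is not a redirect."""
    location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
    if status not in REDIRECT_CODES or not location:
        return None
    # Location may be relative, so resolve it against the original request.
    return urljoin(request_url, location)


def headers_for_redirect(request_url, status, resp_headers, req_headers,
                         trusted=TRUSTED_HOSTS):
    """Return (target, headers) for following a redirect, or None.

    Authorization is kept only when the target is https (assumption of this
    example) and its hostname is on the allow-list. Matching is exact, so a
    host that merely starts or ends with a trusted name does not pass.
    """
    target = redirect_target(request_url, status, resp_headers)
    if target is None:
        return None
    parts = urlsplit(target)
    host = (parts.hostname or "").rstrip(".")
    keep_auth = parts.scheme == "https" and host in trusted
    headers = {k: v for k, v in req_headers.items()
               if keep_auth or k.lower() != "authorization"}
    return target, headers
```

Because the stripped request carries no Authorization header, a caching proxy that refuses to cache authenticated requests can store the CDN blob response.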