From af6a1f49b35f10faff1102a5d776050eb74cd0d0 Mon Sep 17 00:00:00 2001
From: Hank Donnay
Date: Thu, 3 Jun 2021 13:04:21 -0500
Subject: [PATCH] config: omit Authorization header for empty claims
This change makes the HTTP client configuration method accept a Claims pointer, and if `nil` is passed, omits the automatic signing that would happen if a PSK was configured.
Fixes #1283.
Signed-off-by: Hank Donnay
---
 cmd/clairctl/export.go | 2 +-
 cmd/clairctl/import.go | 2 +-
 cmd/clairctl/report.go | 2 +-
 config/httpclient.go | 30 ++++++++++++++++++------------
 httptransport/auth_test.go | 2 +-
 initialize/services.go | 6 +++---
 6 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/cmd/clairctl/export.go b/cmd/clairctl/export.go
index b51e082a8f..75f83579d8 100644
--- a/cmd/clairctl/export.go
+++ b/cmd/clairctl/export.go
@@ -66,7 +66,7 @@ func exportAction(c *cli.Context) error {
 }
 tr := http.DefaultTransport.(*http.Transport).Clone()
- cl, _, err := cfg.Client(httputil.RateLimiter(tr), commonClaim)
+ cl, _, err := cfg.Client(httputil.RateLimiter(tr), &commonClaim)
 if err != nil {
 return err
 }
diff --git a/cmd/clairctl/import.go b/cmd/clairctl/import.go
index 7757c40d9a..70c8e95fbd 100644
--- a/cmd/clairctl/import.go
+++ b/cmd/clairctl/import.go
@@ -35,7 +35,7 @@ func importAction(c *cli.Context) error {
 return err
 }
- cl, _, err := cfg.Client(nil, commonClaim)
+ cl, _, err := cfg.Client(nil, &commonClaim)
 if err != nil {
 return err
 }
diff --git a/cmd/clairctl/report.go b/cmd/clairctl/report.go
index 3df297c43c..fcfbbc218b 100644
--- a/cmd/clairctl/report.go
+++ b/cmd/clairctl/report.go
@@ -121,7 +121,7 @@ func reportAction(c *cli.Context) error {
 if e != nil {
 return e
 }
- hc, _, e := cfg.Client(nil, commonClaim)
+ hc, _, e := cfg.Client(nil, &commonClaim)
 if e != nil {
 return e
 }
diff --git a/config/httpclient.go b/config/httpclient.go
index bfdfe556b3..c14d8b8853 100644
--- a/config/httpclient.go
+++ b/config/httpclient.go
@@ -13,38 +13,44 @@ import (
 // Client returns an http.Client configured according to the supplied
 // configuration.
 //
+// If nil is passed for a claim, the returned client does no signing.
+//
 // It returns an *http.Client and a boolean indicating whether the client is
 // configured for authentication, or an error that occurred during construction.
-func (cfg *Config) Client(next http.RoundTripper, cl jwt.Claims) (c *http.Client, authed bool, err error) {
+func (cfg *Config) Client(next http.RoundTripper, cl *jwt.Claims) (c *http.Client, authed bool, err error) {
 if next == nil {
 next = http.DefaultTransport.(*http.Transport).Clone()
 }
 authed = false
- sk := jose.SigningKey{Algorithm: jose.HS256}
+ jar, err := cookiejar.New(&cookiejar.Options{
+ PublicSuffixList: publicsuffix.List,
+ })
+ if err != nil {
+ return nil, false, err
+ }
+ c = &http.Client{
+ Jar: jar,
+ }
+ sk := jose.SigningKey{Algorithm: jose.HS256}
 // Keep this organized from "best" to "worst". That way, we can add methods
 // and keep everything working with some careful cluster rolling.
 switch {
+ case cl == nil: // Skip signing
 case cfg.Auth.Keyserver != nil:
 sk.Key = cfg.Auth.Keyserver.Intraservice
 case cfg.Auth.PSK != nil:
 sk.Key = cfg.Auth.PSK.Key
 default:
 }
- jar, err := cookiejar.New(&cookiejar.Options{
- PublicSuffixList: publicsuffix.List,
- })
- if err != nil {
- return nil, false, err
- }
 rt := &transport{
 next: next,
- base: cl,
 }
- c = &http.Client{
- Jar: jar,
- Transport: rt,
+ // If we have a claim, make a copy into the transport.
+ if cl != nil {
+ rt.base = *cl
 }
+ c.Transport = rt
 // Both of the JWT-based methods set the signing key.
 if sk.Key != nil {
diff --git a/httptransport/auth_test.go b/httptransport/auth_test.go
index 8a07fb088a..02422b5146 100644
--- a/httptransport/auth_test.go
+++ b/httptransport/auth_test.go
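Review bot: A nil claim now yields an unsigned client even when `cfg.Auth.PSK` or `cfg.Auth.Keyserver` is configured, because the new `case cl == nil` precedes the key-selection cases, and the only signal to the caller is the `authed` result, which every clairctl call site in this patch discards (`cl, _, err := ...`); a caller that passes an unset `*jwt.Claims` field by accident therefore gets a client that fails open rather than an error. The added doc line should state that contract so callers know to check the flag: `// If cl is nil, no Authorization header is added even when a PSK or keyserver is configured, and authed is false.` (authed should stay false on that path, assuming the tail of the function, outside this hunk, only sets it under `sk.Key != nil`). The "Keep this organized from best to worst" comment no longer describes the first case, which is not an auth method; hoisting the nil check into a guard before the switch, `if cl != nil { switch { ... } }`, or rewording the comment would keep it accurate. Client's body continues outside the hunk.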
@@ -64,7 +64,7 @@ func (tc *authTestcase) Run(t *testing.T) {
 }
 // Create a client that has auth according to the config.
- c, authed, err := tc.Config.Client(nil, *tc.Claims)
+ c, authed, err := tc.Config.Client(nil, tc.Claims)
 if err != nil {
 t.Error(err)
 }
diff --git a/initialize/services.go b/initialize/services.go
index 173ef90334..8c4bedb590 100644
--- a/initialize/services.go
+++ b/initialize/services.go
@@ -141,7 +141,7 @@ func localIndexer(ctx context.Context, cfg *config.Config) (indexer.Service, err
 // Use an empty claim because this shouldn't be talking to something that
 // needs preconfigured authz. Callers should be providing credentials to the
 // indexing process in the submitted manifest.
- c, _, err := cfg.Client(tr, jwt.Claims{})
+ c, _, err := cfg.Client(tr, nil)
 if err != nil {
 return nil, mkErr(err)
 }
@@ -167,7 +167,7 @@ func remoteIndexer(ctx context.Context, cfg *config.Config, addr string) (indexe
 func remoteClient(ctx context.Context, cfg *config.Config, claim jwt.Claims, addr string) (*client.HTTP, error) {
 tr := http.DefaultTransport.(*http.Transport).Clone()
- c, auth, err := cfg.Client(tr, claim)
+ c, auth, err := cfg.Client(tr, &claim)
 switch {
 case err != nil:
 return nil, err
@@ -244,7 +244,7 @@ func localNotifier(ctx context.Context, cfg *config.Config, i indexer.Service, m
 }
 tr := http.DefaultTransport.(*http.Transport).Clone()
- c, _, err := cfg.Client(tr, notifierClaim)
+ c, _, err := cfg.Client(tr, ¬ifierClaim)
 if err != nil {
 return nil, mkErr(err)
 }
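Review bot: The nil-claim path added in config/httpclient.go is only exercised here when a testcase leaves `tc.Claims` unset, and no such case is visible in this hunk; previously `*tc.Claims` would have panicked on nil, so the table (outside the hunk) likely has none. A case with a PSK configured and `Claims: nil` asserting `authed == false` would pin the new behavior that the commit message describes. Run's body continues outside the hunk.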
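Review bot: The comment above the localIndexer call still reads `// Use an empty claim because this shouldn't be talking to something that`, but the new line passes `nil`, which after this patch means something different from an empty claim: an empty `jwt.Claims{}` would still have been signed when a PSK is configured, whereas nil skips signing entirely. Suggest rewording the first comment line to `// Pass a nil claim so the client does no signing; this shouldn't be talking to something that` and keeping the rest. In the localNotifier hunk the added line renders here as `¬ifierClaim`; that is presumably `&notifierClaim` with `&not` decoded as an HTML entity during extraction, and worth confirming against the actual commit rather than this page.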