@@ -24,8 +24,10 @@ import (
2424 "net/http"
2525 "net/url"
2626 "strings"
27+ "sync"
2728
2829 authchallenge "github.com/docker/distribution/registry/client/auth/challenge"
30+
2931 "github.com/google/go-containerregistry/internal/redact"
3032 "github.com/google/go-containerregistry/pkg/authn"
3133 "github.com/google/go-containerregistry/pkg/logs"
@@ -98,6 +100,7 @@ func fromChallenge(reg name.Registry, auth authn.Authenticator, t http.RoundTrip
98100}
99101
100102type bearerTransport struct {
103+ mx sync.RWMutex
101104 // Wrapped by bearerTransport.
102105 inner http.RoundTripper
103106 // Basic credentials that we exchange for bearer tokens.
@@ -139,7 +142,10 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) {
139142 // the registry with which we are interacting.
140143 // In case of redirect http.Client can use an empty Host, check URL too.
141144 if matchesHost (bt .registry .RegistryStr (), in , bt .scheme ) {
142- hdr := fmt .Sprintf ("Bearer %s" , bt .bearer .RegistryToken )
145+ bt .mx .RLock ()
146+ localToken := bt .bearer .RegistryToken
147+ bt .mx .RUnlock ()
148+ hdr := fmt .Sprintf ("Bearer %s" , localToken )
143149 in .Header .Set ("Authorization" , hdr )
144150 }
145151 return bt .inner .RoundTrip (in )
@@ -156,11 +162,12 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) {
156162 res .Body .Close ()
157163
158164 newScopes := []string {}
165+ bt .mx .Lock ()
166+ got := stringSet (bt .scopes )
159167 for _ , wac := range challenges {
160168 // TODO(jonjohnsonjr): Should we also update "realm" or "service"?
161169 if want , ok := wac .Parameters ["scope" ]; ok {
162170 // Add any scopes that we don't already request.
163- got := stringSet (bt .scopes )
164171 if _ , ok := got [want ]; ! ok {
165172 newScopes = append (newScopes , want )
166173 }
@@ -172,6 +179,7 @@ func (bt *bearerTransport) RoundTrip(in *http.Request) (*http.Response, error) {
172179 // otherwise the registry might just ignore it :/
173180 newScopes = append (newScopes , bt .scopes ... )
174181 bt .scopes = newScopes
182+ bt .mx .Unlock ()
175183
176184 // TODO(jonjohnsonjr): Teach transport.Error about "error" and "error_description" from challenge.
177185
@@ -196,7 +204,9 @@ func (bt *bearerTransport) refresh(ctx context.Context) error {
196204 }
197205
198206 if auth .RegistryToken != "" {
207+ bt .mx .Lock ()
199208 bt .bearer .RegistryToken = auth .RegistryToken
209+ bt .mx .Unlock ()
200210 return nil
201211 }
202212
@@ -212,7 +222,9 @@ func (bt *bearerTransport) refresh(ctx context.Context) error {
212222
213223 // Find a token to turn into a Bearer authenticator
214224 if response .Token != "" {
225+ bt .mx .Lock ()
215226 bt .bearer .RegistryToken = response .Token
227+ bt .mx .Unlock ()
216228 }
217229
218230 // If we obtained a refresh token from the oauth flow, use that for refresh() now.
@@ -306,7 +318,9 @@ func (bt *bearerTransport) refreshOauth(ctx context.Context) ([]byte, error) {
306318 }
307319
308320 v := url.Values {}
321+ bt .mx .RLock ()
309322 v .Set ("scope" , strings .Join (bt .scopes , " " ))
323+ bt .mx .RUnlock ()
310324 if bt .service != "" {
311325 v .Set ("service" , bt .service )
312326 }
@@ -362,7 +376,9 @@ func (bt *bearerTransport) refreshBasic(ctx context.Context) ([]byte, error) {
362376 client := http.Client {Transport : b }
363377
364378 v := u .Query ()
379+ bt .mx .RLock ()
365380 v ["scope" ] = bt .scopes
381+ bt .mx .RUnlock ()
366382 v .Set ("service" , bt .service )
367383 u .RawQuery = v .Encode ()
368384
0 commit comments