NERSC · scanon · Nov 15, 2018 · Nov 15, 2018 · Mar 6, 2019 · Aug 3, 2019
diff --git a/imagegw/shifter_imagegw/dockerv2.py b/imagegw/shifter_imagegw/dockerv2.py
@@ -372,7 +372,7 @@ def do_token_auth(self, auth_loc_str, creds=False):
         # TODO, figure out what mode was for
         (_, auth_data_str) = auth_loc_str.split(' ', 2)
 
-        auth_data = {}
+        auth_data = {'service':'', 'scope':'pull'}
         for item in filter(None, re.split(r'(\w+=".*?"),', auth_data_str)):
             (key, val) = item.split('=', 2)
-            (key, val) = item.split('=', 2)
+             (key, val) = item.split('=', 1)
-            (key, val) = item.split('=', 2)
+             (key, val) = item.split('=', 1)
             auth_data[key] = val.replace('"', '')
-            auth_data[key] = val.replace('"', '')
+             auth_data[key] = val.replace('"', '')
+             if '?scope=' in auth_data['realm']:
+                 auth_data['realm'], auth_data['scope'] = auth_data['realm'].split('?scope=', 1)
-            auth_data[key] = val.replace('"', '')
+             auth_data[key] = val.replace('"', '')
+             if '?scope=' in auth_data['realm']:
+                 auth_data['realm'], auth_data['scope'] = auth_data['realm'].split('?scope=', 1)
@@ -383,7 +383,10 @@ def do_token_auth(self, auth_loc_str, creds=False):
                              'failed to get auth connection')
 
         headers = {}
-        if creds and self.username is not None and self.password is not None:
+        if self.username=='$oauthtoken':
+            self.private = True
+            headers['Authoriation'] = 'Bearer %s' % (self.password)
+        elif creds and self.username is not None and self.password is not None:
             self.private = True
             auth = '%s:%s' % (self.username, self.password)
             headers['Authorization'] = 'Basic %s' % base64.b64encode(auth)
@@ -400,8 +403,6 @@ def do_token_auth(self, auth_loc_str, creds=False):
 
         if resp.status != 200:
             raise ValueError('Bad response getting token: %d', resp.status)
-        if resp.getheader('content-type') != 'application/json':
-            raise ValueError('Invalid response getting token, not json')
 
         auth_resp = json.loads(resp.read())
         self.token = auth_resp['token']
@@ -528,12 +529,12 @@ def save_layer(self, layer, cachedir='./'):
                     os.unlink(filename)
 
             # If the redirect path includes a verify in the path
-            # then we don't need the header.  If try to use the
+            # then we don't need the header.  If we try to use the
             # header, we may get back a 400.
-            if path.find('verify') > 0:
-                conn.request("GET", path, None, {})
-            else:
-                conn.request("GET", path, None, self.headers)
+            headers = self.headers
+            if path.find('verify') > 0 or path.find('X-Amz-Algorithm')>0:
+                headers = {}
+            conn.request("GET", path, None, headers)
             resp1 = conn.getresponse()
             location = resp1.getheader('location')
             if resp1.status == 200: