From: Lennart Poettering
Date: Fri, 7 Nov 2025 07:31:34 +0000 (+0100)
Subject: pull-job: add helpers to detect requests for authentication, and accept bearer tokens
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93915ec17abc484903af0f424b0a786a87a9674f;p=thirdparty%2Fsystemd.git

pull-job: add helpers to detect requests for authentication, and accept bearer tokens
---
diff --git a/src/import/pull-job.c b/src/import/pull-job.c
index 12bdf4c9940..80197d6c57e 100644
--- a/src/import/pull-job.c
+++ b/src/import/pull-job.c
@@ -30,6 +30,10 @@ static int http_status_etag_exists(CURLcode status) {
 return status == 304;
 }
+static int http_status_need_authentication(CURLcode status) {
+ return status == 401;
+}
+
 void pull_job_close_disk_fd(PullJob *j) {
 if (!j)
 return;
@@ -65,6 +69,7 @@ PullJob* pull_job_unref(PullJob *j) {
 if (j->free_userdata)
 j->free_userdata(j->userdata);
 free(j->description);
+ free(j->authentication_challenge);
 return mfree(j);
 }
@@ -204,6 +209,10 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
 j->etag_exists = true;
 r = 0;
 goto finish;
+ } else if (http_status_need_authentication(status)) {
+ log_info("Access to image requires authentication.");
+ r = -ENOKEY;
+ goto finish;
 } else if (status >= 300) {
 if (status == 404 && j->on_not_found) {
@@ -580,6 +589,19 @@ static size_t pull_job_header_callback(void *contents, size_t size, size_t nmemb
 goto fail;
 }
+ if (http_status_need_authentication(status)) {
+ _cleanup_free_ char *challenge = NULL;
+
+ r = curl_header_strdup(contents, sz, "WWW-Authenticate:", &challenge);
+ if (r < 0) {
+ log_oom();
+ goto fail;
+ }
+ if (r > 0)
+ free_and_replace(j->authentication_challenge, challenge);
+ return sz;
+ }
+
 if (http_status_ok(status) || http_status_etag_exists(status)) {
 /* Check Etag on OK and etag exists responses. */
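Review bot: The 401 branch added to pull_job_curl_on_finished() (hunk at -204) returns -ENOKEY whether or not the request already carried an Authorization header, so a caller cannot tell "credentials needed" from "credentials rejected". If the caller reacts to -ENOKEY by obtaining a token and retrying (that code is not in this diff), it needs its own retry bound, because a server that keeps answering 401 would otherwise keep the job cycling. A comment at the branch would make the contract explicit, e.g. `/* Also reached when a supplied bearer token was rejected; j->authentication_challenge may be NULL if no WWW-Authenticate header was sent */`. The function starts and ends outside the hunk.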
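Review bot: In the 401 block added to pull_job_header_callback() (hunk at -580), `free_and_replace(j->authentication_challenge, challenge)` keeps only the last WWW-Authenticate header, although a response may carry several with different schemes; which one survives is decided by the server's header order. The stored string is server-controlled, and on a plain-HTTP transfer controlled by anyone on the path, so whatever parses it later (presumably to find a token endpoint, not visible here) should validate scheme and host before sending a credential anywhere it names. A comment above the block stating that the value is stored raw and unvalidated would help, e.g. `/* Untrusted, server-supplied; the consumer must validate before acting on it */`. The callback starts and ends outside the hunk.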
@@ -846,3 +868,13 @@ int pull_job_set_accept(PullJob *j, char * const *l) {
 return pull_job_add_request_header(j, f);
 }
+
+int pull_job_set_bearer_token(PullJob *j, const char *token) {
+ assert(j);
+
+ _cleanup_free_ char *f = strjoin("Authorization: Bearer ", token);
+ if (!f)
+ return -ENOMEM;
+
+ return pull_job_add_request_header(j, f);
+}
diff --git a/src/import/pull-job.h b/src/import/pull-job.h
index 7dd3a4cff79..bfbdb8cced6 100644
--- a/src/import/pull-job.h
+++ b/src/import/pull-job.h
@@ -87,6 +87,8 @@ typedef struct PullJob {
 bool sync;
 bool force_memory;
+
+ char *authentication_challenge;
 } PullJob;
 int pull_job_new(PullJob **ret, const char *url, CurlGlue *glue, void *userdata);
@@ -100,5 +102,6 @@ void pull_job_close_disk_fd(PullJob *j);
 int pull_job_add_request_header(PullJob *j, const char *hdr);
 int pull_job_set_accept(PullJob *j, char * const *l);
+int pull_job_set_bearer_token(PullJob *j, const char *token);
 DEFINE_TRIVIAL_CLEANUP_FUNC(PullJob*, pull_job_unref);
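Review bot: pull_job_set_bearer_token() (hunk at -846 in pull-job.c) joins `token` into a request header without checking it. A NULL token ends the NULL-terminated strjoin() argument list early and yields a bare `Authorization: Bearer ` header, and a token containing CR or LF would add extra header lines, since libcurl passes custom header strings on verbatim. Rejecting both up front closes that: `if (isempty(token) || string_has_cc(token, NULL)) return -EINVAL;`. The temporary also holds a secret, so `_cleanup_(erase_and_freep) char *f = strjoin("Authorization: Bearer ", token);` fits better than `_cleanup_free_`; whether the copy kept by pull_job_add_request_header() is erased when the job is freed is not visible in this diff.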
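Review bot: The new `authentication_challenge` member of PullJob (hunk at -87 in pull-job.h) has no comment saying what it holds, when it is set, or that its content comes from the remote server. A one-line comment would cover it: `char *authentication_challenge; /* raw WWW-Authenticate value from a 401 reply; server-supplied and unvalidated, NULL if none was seen */`. The struct definition begins outside the hunk.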