zot/pkg/requestcontext/context.go

package requestcontext

import (
	"context"

	glob "github.com/bmatcuk/doublestar/v4" //nolint:gci
	"zotregistry.io/zot/errors"
)

type Key int

// request-local context key.
var authzCtxKey = Key(0) //nolint: gochecknoglobals

// pointer needed for use in context.WithValue.
func GetContextKey() *Key {
	return &authzCtxKey
}

// AccessControlContext context passed down to http.Handlers.
type AccessControlContext struct {
	// read method action
	ReadGlobPatterns map[string]bool
	// detectManifestCollision behaviour action
	DmcGlobPatterns map[string]bool
	IsAdmin         bool
	Username        string
}

func GetAccessControlContext(ctx context.Context) (*AccessControlContext, error) {
	authzCtxKey := GetContextKey()
	if authCtx := ctx.Value(authzCtxKey); authCtx != nil {
		acCtx, ok := authCtx.(AccessControlContext)
		if !ok {
			return nil, errors.ErrBadType
		}

		return &acCtx, nil
	}

	return nil, nil //nolint: nilnil
}

// returns either a user has or not rights on 'repository'.
func (acCtx *AccessControlContext) matchesRepo(globPatterns map[string]bool, repository string) bool {
	var longestMatchedPattern string

	// because of the longest path matching rule, we need to check all patterns from config
	for pattern := range globPatterns {
		matched, err := glob.Match(pattern, repository)
		if err == nil {
			if matched && len(pattern) > len(longestMatchedPattern) {
				longestMatchedPattern = pattern
			}
		}
	}

	allowed := globPatterns[longestMatchedPattern]

	return allowed
}

// returns either a user has or not read rights on 'repository'.
func (acCtx *AccessControlContext) CanReadRepo(repository string) bool {
	return acCtx.matchesRepo(acCtx.ReadGlobPatterns, repository)
}

// returns either a user has or not detectManifestCollision rights on 'repository'.
func (acCtx *AccessControlContext) CanDetectManifestCollision(repository string) bool {
	return acCtx.matchesRepo(acCtx.DmcGlobPatterns, repository)
}
graphql: Apply authorization on /_search endpoint - AccessControlContext now resides in a separate package from where it can be imported, along with the contextKey that will be used to set and retrieve this context value. - AccessControlContext has a new field called Username, that will be of use for future implementations in graphQL resolvers. - GlobalSearch resolver now uses this context to filter repos available to the logged user. - moved logic for uploading images in tests so that it can be used in every package - tests were added for multiple request scenarios, when zot-server requires authz on specific repos - added tests with injected errors for extended coverage - added tests for status code error injection utilities Closes https://github.com/project-zot/zot/issues/615 Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-08-16 03:57:09 -05:00			`package requestcontext`

fix(storage): deleting manifests with identical digests (#951) Suppose we push two identical manifests (sharing same digest) but with different tags, then deleting by digest should throw an error otherwise we end up deleting all image tags (with gc) or dangling references (without gc) This behaviour is controlled via Authorization, added a new policy action named detectManifestsCollision which enables this behaviour Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com> 2022-11-18 12:35:28 -05:00			`import (`
			`"context"`

			`glob "github.com/bmatcuk/doublestar/v4" //nolint:gci`
			`"zotregistry.io/zot/errors"`
			`)`

graphql: Apply authorization on /_search endpoint - AccessControlContext now resides in a separate package from where it can be imported, along with the contextKey that will be used to set and retrieve this context value. - AccessControlContext has a new field called Username, that will be of use for future implementations in graphQL resolvers. - GlobalSearch resolver now uses this context to filter repos available to the logged user. - moved logic for uploading images in tests so that it can be used in every package - tests were added for multiple request scenarios, when zot-server requires authz on specific repos - added tests with injected errors for extended coverage - added tests for status code error injection utilities Closes https://github.com/project-zot/zot/issues/615 Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-08-16 03:57:09 -05:00			`type Key int`

			`// request-local context key.`
Update go version to 1.19 (#829) * ci: Update go version to 1.19 Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Fix lint issues Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Added needprivileges to lint, made needprivileges pass lint Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Co-authored-by: Catalin Hofnar <catalin.hofnar@gmail.com> 2022-10-05 05:21:14 -05:00			`var authzCtxKey = Key(0) //nolint: gochecknoglobals`
graphql: Apply authorization on /_search endpoint - AccessControlContext now resides in a separate package from where it can be imported, along with the contextKey that will be used to set and retrieve this context value. - AccessControlContext has a new field called Username, that will be of use for future implementations in graphQL resolvers. - GlobalSearch resolver now uses this context to filter repos available to the logged user. - moved logic for uploading images in tests so that it can be used in every package - tests were added for multiple request scenarios, when zot-server requires authz on specific repos - added tests with injected errors for extended coverage - added tests for status code error injection utilities Closes https://github.com/project-zot/zot/issues/615 Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-08-16 03:57:09 -05:00
			`// pointer needed for use in context.WithValue.`
			`func GetContextKey() *Key {`
			`return &authzCtxKey`
			`}`

			`// AccessControlContext context passed down to http.Handlers.`
			`type AccessControlContext struct {`
fix(storage): deleting manifests with identical digests (#951) Suppose we push two identical manifests (sharing same digest) but with different tags, then deleting by digest should throw an error otherwise we end up deleting all image tags (with gc) or dangling references (without gc) This behaviour is controlled via Authorization, added a new policy action named detectManifestsCollision which enables this behaviour Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com> 2022-11-18 12:35:28 -05:00			`// read method action`
			`ReadGlobPatterns map[string]bool`
			`// detectManifestCollision behaviour action`
			`DmcGlobPatterns map[string]bool`
			`IsAdmin bool`
			`Username string`
			`}`

			`func GetAccessControlContext(ctx context.Context) (*AccessControlContext, error) {`
			`authzCtxKey := GetContextKey()`
			`if authCtx := ctx.Value(authzCtxKey); authCtx != nil {`
			`acCtx, ok := authCtx.(AccessControlContext)`
			`if !ok {`
			`return nil, errors.ErrBadType`
			`}`

			`return &acCtx, nil`
			`}`

			`return nil, nil //nolint: nilnil`
			`}`

			`// returns either a user has or not rights on 'repository'.`
			`func (acCtx *AccessControlContext) matchesRepo(globPatterns map[string]bool, repository string) bool {`
			`var longestMatchedPattern string`

			`// because of the longest path matching rule, we need to check all patterns from config`
			`for pattern := range globPatterns {`
			`matched, err := glob.Match(pattern, repository)`
			`if err == nil {`
			`if matched && len(pattern) > len(longestMatchedPattern) {`
			`longestMatchedPattern = pattern`
			`}`
			`}`
			`}`

			`allowed := globPatterns[longestMatchedPattern]`

			`return allowed`
			`}`

			`// returns either a user has or not read rights on 'repository'.`
			`func (acCtx *AccessControlContext) CanReadRepo(repository string) bool {`
			`return acCtx.matchesRepo(acCtx.ReadGlobPatterns, repository)`
			`}`

			`// returns either a user has or not detectManifestCollision rights on 'repository'.`
			`func (acCtx *AccessControlContext) CanDetectManifestCollision(repository string) bool {`
			`return acCtx.matchesRepo(acCtx.DmcGlobPatterns, repository)`
graphql: Apply authorization on /_search endpoint - AccessControlContext now resides in a separate package from where it can be imported, along with the contextKey that will be used to set and retrieve this context value. - AccessControlContext has a new field called Username, that will be of use for future implementations in graphQL resolvers. - GlobalSearch resolver now uses this context to filter repos available to the logged user. - moved logic for uploading images in tests so that it can be used in every package - tests were added for multiple request scenarios, when zot-server requires authz on specific repos - added tests with injected errors for extended coverage - added tests for status code error injection utilities Closes https://github.com/project-zot/zot/issues/615 Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> 2022-08-16 03:57:09 -05:00			`}`