2021-05-13 13:59:12 -05:00
|
|
|
package api
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2022-02-24 15:31:36 -05:00
|
|
|
"fmt"
|
2021-05-13 13:59:12 -05:00
|
|
|
"net/http"
|
2022-08-16 03:57:09 -05:00
|
|
|
"strings"
|
2021-05-13 13:59:12 -05:00
|
|
|
"time"
|
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
glob "github.com/bmatcuk/doublestar/v4"
|
2021-05-13 13:59:12 -05:00
|
|
|
"github.com/gorilla/mux"
|
2022-10-20 11:39:20 -05:00
|
|
|
|
2021-12-03 22:50:58 -05:00
|
|
|
"zotregistry.io/zot/pkg/api/config"
|
2022-02-24 15:31:36 -05:00
|
|
|
"zotregistry.io/zot/pkg/api/constants"
|
2021-12-29 10:14:56 -05:00
|
|
|
"zotregistry.io/zot/pkg/common"
|
2021-12-03 22:50:58 -05:00
|
|
|
"zotregistry.io/zot/pkg/log"
|
2022-08-16 03:57:09 -05:00
|
|
|
localCtx "zotregistry.io/zot/pkg/requestcontext"
|
2021-05-13 13:59:12 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
2022-11-18 12:35:28 -05:00
|
|
|
// method actions.
|
|
|
|
Create = "create"
|
|
|
|
Read = "read"
|
|
|
|
Update = "update"
|
|
|
|
Delete = "delete"
|
|
|
|
// behaviour actions.
|
|
|
|
DetectManifestCollision = "detectManifestCollision"
|
2021-05-13 13:59:12 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
// AccessController authorizes users to act on resources.
|
|
|
|
type AccessController struct {
|
2021-06-08 15:11:18 -05:00
|
|
|
Config *config.AccessControlConfig
|
2021-05-13 13:59:12 -05:00
|
|
|
Log log.Logger
|
|
|
|
}
|
|
|
|
|
2021-06-08 15:11:18 -05:00
|
|
|
func NewAccessController(config *config.Config) *AccessController {
|
2021-05-13 13:59:12 -05:00
|
|
|
return &AccessController{
|
2023-03-08 14:47:15 -05:00
|
|
|
Config: config.HTTP.AccessControl,
|
2021-05-13 13:59:12 -05:00
|
|
|
Log: log.NewLogger(config.Log.Level, config.Log.Output),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-11-18 12:35:28 -05:00
|
|
|
// getGlobPatterns gets glob patterns from authz config on which <username> has <action> perms.
|
2021-09-10 10:23:26 -05:00
|
|
|
// used to filter /v2/_catalog repositories based on user rights.
|
2023-03-08 14:47:15 -05:00
|
|
|
func (ac *AccessController) getGlobPatterns(username string, groups []string, action string) map[string]bool {
|
2021-09-10 10:23:26 -05:00
|
|
|
globPatterns := make(map[string]bool)
|
2021-05-13 13:59:12 -05:00
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
for pattern, policyGroup := range ac.Config.Repositories {
|
2022-11-18 12:35:28 -05:00
|
|
|
if username == "" {
|
|
|
|
// check anonymous policy
|
|
|
|
if common.Contains(policyGroup.AnonymousPolicy, action) {
|
|
|
|
globPatterns[pattern] = true
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// check default policy (authenticated user)
|
|
|
|
if common.Contains(policyGroup.DefaultPolicy, action) {
|
|
|
|
globPatterns[pattern] = true
|
|
|
|
}
|
2021-09-10 10:23:26 -05:00
|
|
|
}
|
2022-11-18 12:35:28 -05:00
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
// check user based policy
|
|
|
|
for _, p := range policyGroup.Policies {
|
2022-11-18 12:35:28 -05:00
|
|
|
if common.Contains(p.Users, username) && common.Contains(p.Actions, action) {
|
2021-09-10 10:23:26 -05:00
|
|
|
globPatterns[pattern] = true
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
}
|
2021-09-10 10:23:26 -05:00
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
// check group based policy
|
|
|
|
for _, group := range groups {
|
|
|
|
for _, p := range policyGroup.Policies {
|
|
|
|
if common.Contains(p.Groups, group) && common.Contains(p.Actions, action) {
|
|
|
|
globPatterns[pattern] = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
// if not allowed then mark it
|
|
|
|
if _, ok := globPatterns[pattern]; !ok {
|
|
|
|
globPatterns[pattern] = false
|
|
|
|
}
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
return globPatterns
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// can verifies if a user can do action on repository.
|
2023-03-08 14:47:15 -05:00
|
|
|
func (ac *AccessController) can(ctx context.Context, username, action, repository string) bool {
|
2021-05-13 13:59:12 -05:00
|
|
|
can := false
|
2021-09-10 10:23:26 -05:00
|
|
|
|
|
|
|
var longestMatchedPattern string
|
|
|
|
|
|
|
|
for pattern := range ac.Config.Repositories {
|
|
|
|
matched, err := glob.Match(pattern, repository)
|
|
|
|
if err == nil {
|
|
|
|
if matched && len(pattern) > len(longestMatchedPattern) {
|
|
|
|
longestMatchedPattern = pattern
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
acCtx, err := localCtx.GetAccessControlContext(ctx)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
userGroups := acCtx.Groups
|
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
// check matched repo based policy
|
|
|
|
pg, ok := ac.Config.Repositories[longestMatchedPattern]
|
2021-05-13 13:59:12 -05:00
|
|
|
if ok {
|
2023-03-08 14:47:15 -05:00
|
|
|
can = ac.isPermitted(userGroups, username, action, pg)
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2021-12-13 14:23:31 -05:00
|
|
|
// check admins based policy
|
2021-05-13 13:59:12 -05:00
|
|
|
if !can {
|
2021-12-29 10:14:56 -05:00
|
|
|
if ac.isAdmin(username) && common.Contains(ac.Config.AdminPolicy.Actions, action) {
|
2021-05-13 13:59:12 -05:00
|
|
|
can = true
|
|
|
|
}
|
2023-03-08 14:47:15 -05:00
|
|
|
|
|
|
|
if ac.isAnyGroupInAdminPolicy(userGroups) && common.Contains(ac.Config.AdminPolicy.Actions, action) {
|
|
|
|
can = true
|
|
|
|
}
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return can
|
|
|
|
}
|
|
|
|
|
|
|
|
// isAdmin .
|
|
|
|
func (ac *AccessController) isAdmin(username string) bool {
|
2021-12-29 10:14:56 -05:00
|
|
|
return common.Contains(ac.Config.AdminPolicy.Users, username)
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
func (ac *AccessController) isAnyGroupInAdminPolicy(userGroups []string) bool {
|
|
|
|
for _, group := range userGroups {
|
|
|
|
if common.Contains(ac.Config.AdminPolicy.Groups, group) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ac *AccessController) getUserGroups(username string) []string {
|
|
|
|
var groupNames []string
|
|
|
|
|
|
|
|
for groupName, group := range ac.Config.Groups {
|
|
|
|
for _, user := range group.Users {
|
|
|
|
// find if the user is part of any groups
|
|
|
|
if user == username {
|
|
|
|
groupNames = append(groupNames, groupName)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return groupNames
|
|
|
|
}
|
|
|
|
|
2021-05-13 13:59:12 -05:00
|
|
|
// getContext builds ac context(allowed to read repos and if user is admin) and returns it.
|
2021-12-13 14:23:31 -05:00
|
|
|
func (ac *AccessController) getContext(username string, request *http.Request) context.Context {
|
2023-03-08 14:47:15 -05:00
|
|
|
acCtx, err := localCtx.GetAccessControlContext(request.Context())
|
|
|
|
if err != nil {
|
|
|
|
return nil
|
2022-08-16 03:57:09 -05:00
|
|
|
}
|
2021-05-13 13:59:12 -05:00
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
readGlobPatterns := ac.getGlobPatterns(username, acCtx.Groups, Read)
|
|
|
|
dmcGlobPatterns := ac.getGlobPatterns(username, acCtx.Groups, DetectManifestCollision)
|
|
|
|
|
|
|
|
acCtx.ReadGlobPatterns = readGlobPatterns
|
|
|
|
acCtx.DmcGlobPatterns = dmcGlobPatterns
|
|
|
|
|
2021-05-13 13:59:12 -05:00
|
|
|
if ac.isAdmin(username) {
|
2022-08-16 03:57:09 -05:00
|
|
|
acCtx.IsAdmin = true
|
2021-05-13 13:59:12 -05:00
|
|
|
} else {
|
2022-08-16 03:57:09 -05:00
|
|
|
acCtx.IsAdmin = false
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2022-08-16 03:57:09 -05:00
|
|
|
authzCtxKey := localCtx.GetContextKey()
|
2023-03-08 14:47:15 -05:00
|
|
|
ctx := context.WithValue(request.Context(), authzCtxKey, *acCtx)
|
2021-05-13 13:59:12 -05:00
|
|
|
|
|
|
|
return ctx
|
|
|
|
}
|
|
|
|
|
|
|
|
// isPermitted returns true if username can do action on a repository policy.
|
2023-03-08 14:47:15 -05:00
|
|
|
func (ac *AccessController) isPermitted(userGroups []string, username, action string,
|
|
|
|
policyGroup config.PolicyGroup,
|
|
|
|
) bool {
|
2021-05-13 13:59:12 -05:00
|
|
|
var result bool
|
2023-03-08 14:47:15 -05:00
|
|
|
|
2021-05-13 13:59:12 -05:00
|
|
|
// check repo/system based policies
|
2021-12-13 14:23:31 -05:00
|
|
|
for _, p := range policyGroup.Policies {
|
2021-12-29 10:14:56 -05:00
|
|
|
if common.Contains(p.Users, username) && common.Contains(p.Actions, action) {
|
2021-05-13 13:59:12 -05:00
|
|
|
result = true
|
2021-12-13 14:23:31 -05:00
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if userGroups != nil {
|
|
|
|
for _, p := range policyGroup.Policies {
|
|
|
|
if common.Contains(p.Actions, action) {
|
|
|
|
for _, group := range p.Groups {
|
|
|
|
if common.Contains(userGroups, group) {
|
|
|
|
result = true
|
|
|
|
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// check defaultPolicy
|
|
|
|
if !result {
|
2022-07-14 10:13:46 -05:00
|
|
|
if common.Contains(policyGroup.DefaultPolicy, action) && username != "" {
|
|
|
|
result = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// check anonymousPolicy
|
|
|
|
if !result {
|
|
|
|
if common.Contains(policyGroup.AnonymousPolicy, action) && username == "" {
|
2021-05-13 13:59:12 -05:00
|
|
|
result = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2021-12-13 14:23:31 -05:00
|
|
|
func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
|
2021-05-13 13:59:12 -05:00
|
|
|
return func(next http.Handler) http.Handler {
|
2021-12-13 14:23:31 -05:00
|
|
|
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
|
|
|
|
vars := mux.Vars(request)
|
2021-05-13 13:59:12 -05:00
|
|
|
resource := vars["name"]
|
|
|
|
reference, ok := vars["reference"]
|
|
|
|
|
2021-09-10 10:23:26 -05:00
|
|
|
// bypass authz for /v2/ route
|
|
|
|
if request.RequestURI == "/v2/" {
|
|
|
|
next.ServeHTTP(response, request)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-03-09 13:43:26 -05:00
|
|
|
/* we want to bypass auth/authz for mgmt in case of authFail() authzFail()
|
|
|
|
unauthenticated users should have access to this route, but we also need to know if the user is an admin
|
|
|
|
*/
|
|
|
|
isMgmtRequested := request.RequestURI == constants.FullMgmtPrefix
|
|
|
|
|
2021-12-13 14:23:31 -05:00
|
|
|
acCtrlr := NewAccessController(ctlr.Config)
|
2022-03-10 07:25:15 -05:00
|
|
|
|
2022-08-12 07:18:41 -05:00
|
|
|
var identity string
|
2022-07-14 10:13:46 -05:00
|
|
|
var err error
|
2022-03-10 07:25:15 -05:00
|
|
|
|
2022-08-12 07:18:41 -05:00
|
|
|
// allow anonymous authz if no authn present and only default policies are present
|
|
|
|
identity = ""
|
2022-07-14 10:13:46 -05:00
|
|
|
if isAuthnEnabled(ctlr.Config) && request.Header.Get("Authorization") != "" {
|
2022-08-12 07:18:41 -05:00
|
|
|
identity, _, err = getUsernamePasswordBasicAuth(request)
|
2022-07-14 10:13:46 -05:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
authFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
|
|
|
|
}
|
2022-03-10 07:25:15 -05:00
|
|
|
}
|
|
|
|
|
2022-08-12 07:18:41 -05:00
|
|
|
if request.TLS != nil {
|
|
|
|
verifiedChains := request.TLS.VerifiedChains
|
|
|
|
// still no identity, get it from TLS certs
|
|
|
|
if identity == "" && verifiedChains != nil &&
|
|
|
|
len(verifiedChains) > 0 && len(verifiedChains[0]) > 0 {
|
|
|
|
for _, cert := range request.TLS.PeerCertificates {
|
|
|
|
identity = cert.Subject.CommonName
|
|
|
|
}
|
2023-03-09 13:43:26 -05:00
|
|
|
|
2022-08-12 07:18:41 -05:00
|
|
|
// if we still don't have an identity
|
|
|
|
if identity == "" {
|
|
|
|
acCtrlr.Log.Info().Msg("couldn't get identity from TLS certificate")
|
|
|
|
authFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx := acCtrlr.getContext(identity, request)
|
2021-12-13 14:23:31 -05:00
|
|
|
|
2023-03-09 13:43:26 -05:00
|
|
|
// for extensions we only need to know if the user is admin and what repos he can read, so run next()
|
|
|
|
if request.RequestURI == fmt.Sprintf("%s%s", constants.RoutePrefix, constants.ExtCatalogPrefix) ||
|
|
|
|
strings.Contains(request.RequestURI, constants.FullSearchPrefix) ||
|
|
|
|
isMgmtRequested {
|
2022-10-05 05:21:14 -05:00
|
|
|
next.ServeHTTP(response, request.WithContext(ctx)) //nolint:contextcheck
|
2022-08-16 03:57:09 -05:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-05-13 13:59:12 -05:00
|
|
|
var action string
|
2021-12-13 14:23:31 -05:00
|
|
|
if request.Method == http.MethodGet || request.Method == http.MethodHead {
|
2022-11-18 12:35:28 -05:00
|
|
|
action = Read
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2021-12-13 14:23:31 -05:00
|
|
|
if request.Method == http.MethodPut || request.Method == http.MethodPatch || request.Method == http.MethodPost {
|
2021-05-13 13:59:12 -05:00
|
|
|
// assume user wants to create
|
2022-11-18 12:35:28 -05:00
|
|
|
action = Create
|
2021-05-13 13:59:12 -05:00
|
|
|
// if we get a reference (tag)
|
|
|
|
if ok {
|
2021-12-13 14:23:31 -05:00
|
|
|
is := ctlr.StoreController.GetImageStore(resource)
|
2021-05-13 13:59:12 -05:00
|
|
|
tags, err := is.GetImageTags(resource)
|
2022-03-10 07:25:15 -05:00
|
|
|
// if repo exists and request's tag exists then action is UPDATE
|
2021-12-29 10:14:56 -05:00
|
|
|
if err == nil && common.Contains(tags, reference) && reference != "latest" {
|
2022-11-18 12:35:28 -05:00
|
|
|
action = Update
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-12-13 14:23:31 -05:00
|
|
|
if request.Method == http.MethodDelete {
|
2022-11-18 12:35:28 -05:00
|
|
|
action = Delete
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
|
2023-03-08 14:47:15 -05:00
|
|
|
can := acCtrlr.can(ctx, identity, action, resource) //nolint:contextcheck
|
2021-05-13 13:59:12 -05:00
|
|
|
if !can {
|
2021-12-13 14:23:31 -05:00
|
|
|
authzFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
|
2021-05-13 13:59:12 -05:00
|
|
|
} else {
|
2022-10-05 05:21:14 -05:00
|
|
|
next.ServeHTTP(response, request.WithContext(ctx)) //nolint:contextcheck
|
2021-05-13 13:59:12 -05:00
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func authzFail(w http.ResponseWriter, realm string, delay int) {
|
|
|
|
time.Sleep(time.Duration(delay) * time.Second)
|
|
|
|
w.Header().Set("WWW-Authenticate", realm)
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
WriteJSON(w, http.StatusForbidden, NewErrorList(NewError(DENIED)))
|
|
|
|
}
|
2022-07-14 10:13:46 -05:00
|
|
|
|
|
|
|
func anonymousPolicyExists(config *config.AccessControlConfig) bool {
|
|
|
|
if config == nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, repository := range config.Repositories {
|
|
|
|
if len(repository.AnonymousPolicy) > 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|