fix: metrics endpoint must be secured behind authN (#1864)

Signed-off-by: Alexei Dodon <adodon@cisco.com>

Makefile

@@ -408,7 +408,8 @@ run-blackbox-ci: check-blackbox-prerequisites binary binary-minimal cli
 	$(BATS) $(BATS_FLAGS) test/blackbox/sync_replica_cluster.bats && \
 	$(BATS) $(BATS_FLAGS) test/blackbox/scrub.bats && \
 	$(BATS) $(BATS_FLAGS) test/blackbox/garbage_collect.bats && \
-	$(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats
+	$(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats && \
+	$(BATS) $(BATS_FLAGS) test/blackbox/metrics_minimal.bats
 
 .PHONY: run-blackbox-cloud-ci
 run-blackbox-cloud-ci: check-blackbox-prerequisites check-awslocal binary $(BATS)

examples/config-policy.json

@@ -60,7 +60,7 @@
             }
           ],
           "defaultPolicy": ["read"]
-        }  
+        }
       },
       "adminPolicy": {
         "users": ["admin"],

pkg/api/controller_test.go

@@ -2195,7 +2195,7 @@ func TestBearerAuth(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2225,7 +2225,7 @@ func TestBearerAuth(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2254,7 +2254,7 @@ func TestBearerAuth(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2283,7 +2283,7 @@ func TestBearerAuth(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2307,7 +2307,7 @@ func TestBearerAuth(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2392,7 +2392,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2416,7 +2416,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2445,7 +2445,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2474,7 +2474,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -2498,7 +2498,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).

pkg/api/errors/errors.go

@@ -120,8 +120,8 @@ func NewError(code ErrorCode) *Error {
 
 		UNAUTHORIZED: {
 			Message: "authentication required",
-			Description: "The access controller was unable to authenticate the client." +
-				"Often this will be accompanied by a Www-Authenticate HTTP response header " +
+			Description: "The access controller was unable to authenticate the client. " +
+				"Often this will be accompanied by a WWW-Authenticate HTTP response header " +
 				"indicating how to authenticate.",
 		},
 

pkg/extensions/extension_metrics_disabled.go

@@ -29,5 +29,6 @@ func SetupMetricsRoutes(conf *config.Config, router *mux.Router,
 		zcommon.WriteJSON(w, http.StatusOK, m)
 	}
 
+	router.Use(authFunc)
 	router.HandleFunc("/metrics", getMetrics).Methods("GET")
 }

pkg/extensions/extensions_test.go

@@ -799,7 +799,7 @@ func TestMgmtWithBearer(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -829,7 +829,7 @@ func TestMgmtWithBearer(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).
@@ -853,7 +853,7 @@ func TestMgmtWithBearer(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
 
-		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
 		resp, err = resty.R().
 			SetQueryParam("service", authorizationHeader.Service).
 			SetQueryParam("scope", authorizationHeader.Scope).

test/blackbox/anonymous_policy.bats

@@ -5,6 +5,11 @@
 load helpers_zot
 
 function verify_prerequisites {
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
     return 0
 }
 
@@ -15,15 +20,15 @@ function setup_file() {
     fi
 
     # Download test data to folder common for the entire suite, not just this file
-    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
     # Setup zot server
     local zot_root_dir=${BATS_FILE_TMPDIR}/zot
     local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
     local oci_data_dir=${BATS_FILE_TMPDIR}/oci
-    local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
+    local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
     mkdir -p ${zot_root_dir}
     mkdir -p ${oci_data_dir}
-    echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
     cat > ${zot_config_file}<<EOF
 {
     "distSpecVersion": "1.1.0-dev",
@@ -35,7 +40,7 @@ function setup_file() {
         "port": "8080",
         "auth": {
             "htpasswd": {
-                "path": "${htpasswordFile}"
+                "path": "${zot_htpasswd_file}"
             }
         },
         "accessControl": {
@@ -45,7 +50,7 @@ function setup_file() {
                     "policies": [
                         {
                             "users": [
-                                "test"
+                                "${AUTH_USER}"
                             ],
                             "actions": [
                                 "read",
@@ -78,23 +83,23 @@ function teardown_file() {
 }
 
 @test "push image user policy" {
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.20 \
-        docker://127.0.0.1:8080/golang:1.20
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 }
 
 @test "pull image anonymous policy" {
     local oci_data_dir=${BATS_FILE_TMPDIR}/oci
     run skopeo --insecure-policy copy --src-tls-verify=false \
-        docker://127.0.0.1:8080/golang:1.20 \
-        oci:${oci_data_dir}/golang:1.20
+        docker://127.0.0.1:8080/busybox:1.36 \
+        oci:${oci_data_dir}/busybox:1.36
     [ "$status" -eq 0 ]
 }
 
 @test "push image anonymous policy" {
     run skopeo --insecure-policy copy --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.20 \
-        docker://127.0.0.1:8080/golang:1.20
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 1 ]
 }

test/blackbox/detect_manifest_collision.bats

@@ -5,6 +5,11 @@
 load helpers_zot
 
 function verify_prerequisites {
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
     return 0
 }
 
@@ -15,15 +20,16 @@ function setup_file() {
     fi
 
     # Download test data to folder common for the entire suite, not just this file
-    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
+
     # Setup zot server
     local zot_root_dir=${BATS_FILE_TMPDIR}/zot
     local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
     local oci_data_dir=${BATS_FILE_TMPDIR}/oci
-    local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
+    local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
     mkdir -p ${zot_root_dir}
     mkdir -p ${oci_data_dir}
-    echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
     cat > ${zot_config_file}<<EOF
 {
     "distSpecVersion": "1.1.0-dev",
@@ -35,7 +41,7 @@ function setup_file() {
         "port": "8080",
         "auth": {
             "htpasswd": {
-                "path": "${htpasswordFile}"
+                "path": "${zot_htpasswd_file}"
             }
         },
         "accessControl": {
@@ -50,7 +56,7 @@ function setup_file() {
                     "policies": [
                         {
                             "users": [
-                                "test"
+                                "${AUTH_USER}"
                             ],
                             "actions": [
                                 "read",
@@ -83,21 +89,21 @@ function teardown_file() {
 }
 
 @test "push 2 images with same manifest with user policy" {
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.20 \
-        docker://127.0.0.1:8080/golang:1.20
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.20 \
-        docker://127.0.0.1:8080/golang:latest
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:latest
     [ "$status" -eq 0 ]
 }
 
 @test "skopeo delete image with anonymous policy should fail" {
     # skopeo deletes by digest, so it should fail with detectManifestCollision policy
     run skopeo --insecure-policy delete --tls-verify=false \
-        docker://127.0.0.1:8080/golang:1.20
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 1 ]
     # conflict status code
     [[ "$output" == *"manifest invalid"* ]]
@@ -107,7 +113,7 @@ function teardown_file() {
     run regctl registry set localhost:8080 --tls disabled
     [ "$status" -eq 0 ]
 
-    run regctl image delete localhost:8080/golang:1.20 --force-tag-dereference
+    run regctl image delete localhost:8080/busybox:1.36 --force-tag-dereference
     [ "$status" -eq 1 ]
     # conflict status code
     [[ "$output" == *"409"* ]]
@@ -115,7 +121,7 @@ function teardown_file() {
 
 @test "delete image with user policy should work" {
     # should work without detectManifestCollision policy
-    run skopeo --insecure-policy delete --creds test:test --tls-verify=false \
-        docker://127.0.0.1:8080/golang:1.20
+    run skopeo --insecure-policy delete --creds ${AUTH_USER}:${AUTH_PASS} --tls-verify=false \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 }

test/blackbox/helpers_metrics.bash

@@ -0,0 +1,6 @@
+function metrics_route_check () {
+    local servername="http://127.0.0.1:${1}/metrics"
+    status_code=$(curl --write-out '%{http_code}' ${2}  --silent --output /dev/null ${servername})
+
+    [ "$status_code" -eq ${3} ]
+}

test/blackbox/helpers_zot.bash

@@ -6,6 +6,8 @@ ZOT_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}
 ZLI_PATH=${ROOT_DIR}/bin/zli-${OS}-${ARCH}
 ZOT_MINIMAL_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}-minimal
 ZB_PATH=${ROOT_DIR}/bin/zb-${OS}-${ARCH}
+AUTH_USER=poweruser
+AUTH_PASS=sup*rSecr9T
 
 mkdir -p ${TEST_DATA_DIR}
 

test/blackbox/metadata.bats

@@ -15,6 +15,11 @@ function verify_prerequisites {
         return 1
     fi
 
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
     return 0
 }
 
@@ -25,15 +30,16 @@ function setup_file() {
     fi
 
     # Download test data to folder common for the entire suite, not just this file
-    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.18 oci:${TEST_DATA_DIR}/golang:1.18
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
+
     # Setup zot server
     local zot_root_dir=${BATS_FILE_TMPDIR}/zot
     local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
     local oci_data_dir=${BATS_FILE_TMPDIR}/oci
-    local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd
+    local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
     mkdir -p ${zot_root_dir}
     mkdir -p ${oci_data_dir}
-    echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile}
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
     cat > ${zot_config_file}<<EOF
 {
     "distSpecVersion": "1.1.0-dev",
@@ -53,7 +59,7 @@ function setup_file() {
         "port": "8080",
         "auth": {
             "htpasswd": {
-                "path": "${htpasswordFile}"
+                "path": "${zot_htpasswd_file}"
             }
         },
         "accessControl": {
@@ -63,7 +69,7 @@ function setup_file() {
                     "policies": [
                         {
                             "users": [
-                                "test"
+                                "${AUTH_USER}"
                             ],
                             "actions": [
                                 "read",
@@ -97,64 +103,64 @@ function teardown_file() {
 }
 
 @test "push image user policy" {
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.18 \
-        docker://127.0.0.1:8080/golang:1.18
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 }
 
 @test "User metadata starredRepos" {
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.18 \
-        docker://127.0.0.1:8080/golang:1.18
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 
     USER_STAR_REPOS_QUERY='{ "query": "{ StarredRepos { Results { Name } } }"}'
 
-    run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
     [ $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') = '[]' ]
 
-    run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar"
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
     [ "$status" -eq 0 ]
 
-    run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
     echo  $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results[0].Name')
-    [ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'golang' ]
+    [ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'busybox' ]
 
-    run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar"
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
     [ "$status" -eq 0 ]
 
-        run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+        run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
     echo  $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results')
     [ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results') = '[]' ]
 }
 
 @test "User metadata bookmarkedRepos" {
-    run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \
-        oci:${TEST_DATA_DIR}/golang:1.18 \
-        docker://127.0.0.1:8080/golang:1.18
+    run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
+        oci:${TEST_DATA_DIR}/busybox:1.36 \
+        docker://127.0.0.1:8080/busybox:1.36
     [ "$status" -eq 0 ]
 
     USER_BOOKMARK_REPOS_QUERY='{ "query": "{ BookmarkedRepos { Results { Name } } }"}'
 
-     run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+     run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
     [ $(echo "${lines[-1]}" | jq '.data.BookmarkedRepos.Results') = '[]' ]
 
-    run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark"
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
     [ "$status" -eq 0 ]
 
-    run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
-    [ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'golang' ]
+    [ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'busybox' ]
 
-    run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark"
+    run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
     [ "$status" -eq 0 ]
 
-        run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
+        run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
     [ "$status" -eq 0 ]
     [ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results') = '[]' ]
 }

test/blackbox/metrics.bats

@@ -3,6 +3,7 @@
 #       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
 
 load helpers_zot
+load helpers_metrics
 
 function verify_prerequisites() {
     if [ ! $(command -v curl) ]; then
@@ -10,6 +11,11 @@ function verify_prerequisites() {
         return 1
     fi
 
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
     return 0
 }
 
@@ -19,14 +25,14 @@ function setup_file() {
         exit 1
     fi
 
-    # Download test data to folder common for the entire suite, not just this file
-    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
-
     # Setup zot server
     zot_root_dir=${BATS_FILE_TMPDIR}/zot
-    echo ${zot_root_dir}
+    echo ${zot_root_dir} >&3
     zot_log_file=${zot_root_dir}/zot-log.json
     zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
+
     mkdir -p ${zot_root_dir}
     touch ${zot_log_file}
     cat >${zot_config_file} <<EOF
@@ -37,7 +43,12 @@ function setup_file() {
     },
     "http": {
         "address": "0.0.0.0",
-        "port": "8080"
+        "port": "8080",
+        "auth": {
+            "htpasswd": {
+                "path": "${zot_htpasswd_file}"
+            }
+        }
     },
     "log": {
         "level": "debug",
@@ -68,8 +79,15 @@ function teardown_file() {
     zot_stop_all
 }
 
-@test "metric enabled" {
-    local servername="http://127.0.0.1:8080/metrics"
-    status_code=$(curl --write-out '%{http_code}' --silent --output /dev/null ${servername})
-    [ "$status_code" -eq 200 ]
+@test "unauthorized request to metrics" {
+    run metrics_route_check 8080 "" 401
+    [ "$status" -eq 0 ]
+    run metrics_route_check 8080 "-u unlucky:wrongpass" 401
+    [ "$status" -eq 0 ]
 }
+
+@test "authorized request: metrics enabled" {
+    run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
+    [ "$status" -eq 0 ]
+}
+

test/blackbox/metrics_minimal.bats

@@ -0,0 +1,84 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+load helpers_metrics
+
+function verify_prerequisites() {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    return 0
+}
+
+function setup_file() {
+    # verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup zot server
+    zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    echo ${zot_root_dir} >&3
+    zot_log_file=${zot_root_dir}/zot-log.json
+    zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
+
+    mkdir -p ${zot_root_dir}
+    touch ${zot_log_file}
+    cat >${zot_config_file} <<EOF
+{
+    "distSpecVersion": "1.1.0-dev",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "8080",
+        "auth": {
+            "htpasswd": {
+                "path": "${zot_htpasswd_file}"
+            }
+        }
+    },
+    "log": {
+        "level": "debug",
+        "output": "${zot_log_file}"
+    }
+}
+EOF
+
+    zot_serve ${ZOT_MINIMAL_PATH} ${zot_config_file}
+    wait_zot_reachable 8080
+
+}
+
+function teardown() {
+    # conditionally printing on failure is possible from teardown but not from from teardown_file
+    cat ${BATS_FILE_TMPDIR}/zot/zot-log.json
+}
+
+function teardown_file() {
+    zot_stop_all
+}
+
+@test "unauthorized request to metrics" {
+    run metrics_route_check 8080 "" 401
+    [ "$status" -eq 0 ]
+    run metrics_route_check 8080 "-u test:wrongpass" 401
+    [ "$status" -eq 0 ]
+}
+
+@test "authorized request: metrics enabled" {
+    run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
+    [ "$status" -eq 0 ]
+}

test/blackbox/pushpull_authn.bats

@@ -25,12 +25,15 @@ function setup_file() {
         exit 1
     fi
 
+    # Download test data to folder common for the entire suite, not just this file
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
+
     # Setup zot server
     local zot_root_dir=${BATS_FILE_TMPDIR}/zot
     local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
     local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
-    htpasswd -Bbn test test123 >> ${zot_htpasswd_file}
-    
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
+
     echo ${zot_root_dir} >&3
 
     mkdir -p ${zot_root_dir}
@@ -89,14 +92,14 @@ function teardown_file() {
 
 @test "push image with regclient" {
     run regctl registry set localhost:8080 --tls disabled
-    run regctl registry login localhost:8080 -u test -p test123
+    run regctl registry login localhost:8080 -u ${AUTH_USER} -p ${AUTH_PASS}
     [ "$status" -eq 0 ]
-    run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.20 localhost:8080/test-regclient
+    run regctl image copy ocidir://${TEST_DATA_DIR}/busybox:1.36 localhost:8080/test-regclient
     [ "$status" -eq 0 ]
 }
 
 @test "pull image with regclient" {
-    run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.20
+    run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/busybox:latest
     [ "$status" -eq 0 ]
 }