0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-30 22:34:13 -05:00

fix: metrics endpoint must be secured behind authN (#1864)

Signed-off-by: Alexei Dodon <adodon@cisco.com>
This commit is contained in:
Alexei Dodon 2023-10-02 16:37:21 +03:00 committed by GitHub
parent 0eb984426e
commit 2fd7bfc37a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 216 additions and 84 deletions

View file

@ -408,7 +408,8 @@ run-blackbox-ci: check-blackbox-prerequisites binary binary-minimal cli
$(BATS) $(BATS_FLAGS) test/blackbox/sync_replica_cluster.bats && \ $(BATS) $(BATS_FLAGS) test/blackbox/sync_replica_cluster.bats && \
$(BATS) $(BATS_FLAGS) test/blackbox/scrub.bats && \ $(BATS) $(BATS_FLAGS) test/blackbox/scrub.bats && \
$(BATS) $(BATS_FLAGS) test/blackbox/garbage_collect.bats && \ $(BATS) $(BATS_FLAGS) test/blackbox/garbage_collect.bats && \
$(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats $(BATS) $(BATS_FLAGS) test/blackbox/metrics.bats && \
$(BATS) $(BATS_FLAGS) test/blackbox/metrics_minimal.bats
.PHONY: run-blackbox-cloud-ci .PHONY: run-blackbox-cloud-ci
run-blackbox-cloud-ci: check-blackbox-prerequisites check-awslocal binary $(BATS) run-blackbox-cloud-ci: check-blackbox-prerequisites check-awslocal binary $(BATS)

View file

@ -2195,7 +2195,7 @@ func TestBearerAuth(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2225,7 +2225,7 @@ func TestBearerAuth(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2254,7 +2254,7 @@ func TestBearerAuth(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2283,7 +2283,7 @@ func TestBearerAuth(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2307,7 +2307,7 @@ func TestBearerAuth(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2392,7 +2392,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2416,7 +2416,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2445,7 +2445,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2474,7 +2474,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -2498,7 +2498,7 @@ func TestBearerAuthWithAllowReadAccess(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).

View file

@ -121,7 +121,7 @@ func NewError(code ErrorCode) *Error {
UNAUTHORIZED: { UNAUTHORIZED: {
Message: "authentication required", Message: "authentication required",
Description: "The access controller was unable to authenticate the client. " + Description: "The access controller was unable to authenticate the client. " +
"Often this will be accompanied by a Www-Authenticate HTTP response header " + "Often this will be accompanied by a WWW-Authenticate HTTP response header " +
"indicating how to authenticate.", "indicating how to authenticate.",
}, },

View file

@ -29,5 +29,6 @@ func SetupMetricsRoutes(conf *config.Config, router *mux.Router,
zcommon.WriteJSON(w, http.StatusOK, m) zcommon.WriteJSON(w, http.StatusOK, m)
} }
router.Use(authFunc)
router.HandleFunc("/metrics", getMetrics).Methods("GET") router.HandleFunc("/metrics", getMetrics).Methods("GET")
} }

View file

@ -799,7 +799,7 @@ func TestMgmtWithBearer(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader := authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -829,7 +829,7 @@ func TestMgmtWithBearer(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).
@ -853,7 +853,7 @@ func TestMgmtWithBearer(t *testing.T) {
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized) So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("Www-Authenticate")) authorizationHeader = authutils.ParseBearerAuthHeader(resp.Header().Get("WWW-Authenticate"))
resp, err = resty.R(). resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service). SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope). SetQueryParam("scope", authorizationHeader.Scope).

View file

@ -5,6 +5,11 @@
load helpers_zot load helpers_zot
function verify_prerequisites { function verify_prerequisites {
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0 return 0
} }
@ -15,15 +20,15 @@ function setup_file() {
fi fi
# Download test data to folder common for the entire suite, not just this file # Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20 skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
# Setup zot server # Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
local oci_data_dir=${BATS_FILE_TMPDIR}/oci local oci_data_dir=${BATS_FILE_TMPDIR}/oci
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
mkdir -p ${zot_root_dir} mkdir -p ${zot_root_dir}
mkdir -p ${oci_data_dir} mkdir -p ${oci_data_dir}
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile} htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
cat > ${zot_config_file}<<EOF cat > ${zot_config_file}<<EOF
{ {
"distSpecVersion": "1.1.0-dev", "distSpecVersion": "1.1.0-dev",
@ -35,7 +40,7 @@ function setup_file() {
"port": "8080", "port": "8080",
"auth": { "auth": {
"htpasswd": { "htpasswd": {
"path": "${htpasswordFile}" "path": "${zot_htpasswd_file}"
} }
}, },
"accessControl": { "accessControl": {
@ -45,7 +50,7 @@ function setup_file() {
"policies": [ "policies": [
{ {
"users": [ "users": [
"test" "${AUTH_USER}"
], ],
"actions": [ "actions": [
"read", "read",
@ -78,23 +83,23 @@ function teardown_file() {
} }
@test "push image user policy" { @test "push image user policy" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.20 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.20 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "pull image anonymous policy" { @test "pull image anonymous policy" {
local oci_data_dir=${BATS_FILE_TMPDIR}/oci local oci_data_dir=${BATS_FILE_TMPDIR}/oci
run skopeo --insecure-policy copy --src-tls-verify=false \ run skopeo --insecure-policy copy --src-tls-verify=false \
docker://127.0.0.1:8080/golang:1.20 \ docker://127.0.0.1:8080/busybox:1.36 \
oci:${oci_data_dir}/golang:1.20 oci:${oci_data_dir}/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "push image anonymous policy" { @test "push image anonymous policy" {
run skopeo --insecure-policy copy --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.20 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.20 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }

View file

@ -5,6 +5,11 @@
load helpers_zot load helpers_zot
function verify_prerequisites { function verify_prerequisites {
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0 return 0
} }
@ -15,15 +20,16 @@ function setup_file() {
fi fi
# Download test data to folder common for the entire suite, not just this file # Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20 skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
# Setup zot server # Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
local oci_data_dir=${BATS_FILE_TMPDIR}/oci local oci_data_dir=${BATS_FILE_TMPDIR}/oci
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
mkdir -p ${zot_root_dir} mkdir -p ${zot_root_dir}
mkdir -p ${oci_data_dir} mkdir -p ${oci_data_dir}
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile} htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
cat > ${zot_config_file}<<EOF cat > ${zot_config_file}<<EOF
{ {
"distSpecVersion": "1.1.0-dev", "distSpecVersion": "1.1.0-dev",
@ -35,7 +41,7 @@ function setup_file() {
"port": "8080", "port": "8080",
"auth": { "auth": {
"htpasswd": { "htpasswd": {
"path": "${htpasswordFile}" "path": "${zot_htpasswd_file}"
} }
}, },
"accessControl": { "accessControl": {
@ -50,7 +56,7 @@ function setup_file() {
"policies": [ "policies": [
{ {
"users": [ "users": [
"test" "${AUTH_USER}"
], ],
"actions": [ "actions": [
"read", "read",
@ -83,21 +89,21 @@ function teardown_file() {
} }
@test "push 2 images with same manifest with user policy" { @test "push 2 images with same manifest with user policy" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.20 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.20 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.20 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:latest docker://127.0.0.1:8080/busybox:latest
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "skopeo delete image with anonymous policy should fail" { @test "skopeo delete image with anonymous policy should fail" {
# skopeo deletes by digest, so it should fail with detectManifestCollision policy # skopeo deletes by digest, so it should fail with detectManifestCollision policy
run skopeo --insecure-policy delete --tls-verify=false \ run skopeo --insecure-policy delete --tls-verify=false \
docker://127.0.0.1:8080/golang:1.20 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
# conflict status code # conflict status code
[[ "$output" == *"manifest invalid"* ]] [[ "$output" == *"manifest invalid"* ]]
@ -107,7 +113,7 @@ function teardown_file() {
run regctl registry set localhost:8080 --tls disabled run regctl registry set localhost:8080 --tls disabled
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run regctl image delete localhost:8080/golang:1.20 --force-tag-dereference run regctl image delete localhost:8080/busybox:1.36 --force-tag-dereference
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
# conflict status code # conflict status code
[[ "$output" == *"409"* ]] [[ "$output" == *"409"* ]]
@ -115,7 +121,7 @@ function teardown_file() {
@test "delete image with user policy should work" { @test "delete image with user policy should work" {
# should work without detectManifestCollision policy # should work without detectManifestCollision policy
run skopeo --insecure-policy delete --creds test:test --tls-verify=false \ run skopeo --insecure-policy delete --creds ${AUTH_USER}:${AUTH_PASS} --tls-verify=false \
docker://127.0.0.1:8080/golang:1.20 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }

View file

@ -0,0 +1,6 @@
function metrics_route_check () {
local servername="http://127.0.0.1:${1}/metrics"
status_code=$(curl --write-out '%{http_code}' ${2} --silent --output /dev/null ${servername})
[ "$status_code" -eq ${3} ]
}

View file

@ -6,6 +6,8 @@ ZOT_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}
ZLI_PATH=${ROOT_DIR}/bin/zli-${OS}-${ARCH} ZLI_PATH=${ROOT_DIR}/bin/zli-${OS}-${ARCH}
ZOT_MINIMAL_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}-minimal ZOT_MINIMAL_PATH=${ROOT_DIR}/bin/zot-${OS}-${ARCH}-minimal
ZB_PATH=${ROOT_DIR}/bin/zb-${OS}-${ARCH} ZB_PATH=${ROOT_DIR}/bin/zb-${OS}-${ARCH}
AUTH_USER=poweruser
AUTH_PASS=sup*rSecr9T
mkdir -p ${TEST_DATA_DIR} mkdir -p ${TEST_DATA_DIR}

View file

@ -15,6 +15,11 @@ function verify_prerequisites {
return 1 return 1
fi fi
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0 return 0
} }
@ -25,15 +30,16 @@ function setup_file() {
fi fi
# Download test data to folder common for the entire suite, not just this file # Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.18 oci:${TEST_DATA_DIR}/golang:1.18 skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
# Setup zot server # Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
local oci_data_dir=${BATS_FILE_TMPDIR}/oci local oci_data_dir=${BATS_FILE_TMPDIR}/oci
local htpasswordFile=${BATS_FILE_TMPDIR}/htpasswd local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
mkdir -p ${zot_root_dir} mkdir -p ${zot_root_dir}
mkdir -p ${oci_data_dir} mkdir -p ${oci_data_dir}
echo 'test:$2a$10$EIIoeCnvsIDAJeDL4T1sEOnL2fWOvsq7ACZbs3RT40BBBXg.Ih7V.' >> ${htpasswordFile} htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
cat > ${zot_config_file}<<EOF cat > ${zot_config_file}<<EOF
{ {
"distSpecVersion": "1.1.0-dev", "distSpecVersion": "1.1.0-dev",
@ -53,7 +59,7 @@ function setup_file() {
"port": "8080", "port": "8080",
"auth": { "auth": {
"htpasswd": { "htpasswd": {
"path": "${htpasswordFile}" "path": "${zot_htpasswd_file}"
} }
}, },
"accessControl": { "accessControl": {
@ -63,7 +69,7 @@ function setup_file() {
"policies": [ "policies": [
{ {
"users": [ "users": [
"test" "${AUTH_USER}"
], ],
"actions": [ "actions": [
"read", "read",
@ -97,64 +103,64 @@ function teardown_file() {
} }
@test "push image user policy" { @test "push image user policy" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.18 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.18 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "User metadata starredRepos" { @test "User metadata starredRepos" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.18 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.18 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
USER_STAR_REPOS_QUERY='{ "query": "{ StarredRepos { Results { Name } } }"}' USER_STAR_REPOS_QUERY='{ "query": "{ StarredRepos { Results { Name } } }"}'
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') = '[]' ] [ $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') = '[]' ]
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar" run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results[0].Name') echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results[0].Name')
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'golang' ] [ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results[0].Name') = 'busybox' ]
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleStar" run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleStar"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_STAR_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results') echo $(echo "${lines[-1]}" | jq '.data.StarredRepos.Results')
[ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results') = '[]' ] [ $(echo "${lines[-1]}" | jq -r '.data.StarredRepos.Results') = '[]' ]
} }
@test "User metadata bookmarkedRepos" { @test "User metadata bookmarkedRepos" {
run skopeo --insecure-policy copy --dest-creds test:test --dest-tls-verify=false \ run skopeo --insecure-policy copy --dest-creds ${AUTH_USER}:${AUTH_PASS} --dest-tls-verify=false \
oci:${TEST_DATA_DIR}/golang:1.18 \ oci:${TEST_DATA_DIR}/busybox:1.36 \
docker://127.0.0.1:8080/golang:1.18 docker://127.0.0.1:8080/busybox:1.36
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
USER_BOOKMARK_REPOS_QUERY='{ "query": "{ BookmarkedRepos { Results { Name } } }"}' USER_BOOKMARK_REPOS_QUERY='{ "query": "{ BookmarkedRepos { Results { Name } } }"}'
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq '.data.BookmarkedRepos.Results') = '[]' ] [ $(echo "${lines[-1]}" | jq '.data.BookmarkedRepos.Results') = '[]' ]
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark" run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'golang' ] [ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results[0].Name') = 'busybox' ]
run curl --user "test:test" -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=golang&action=toggleBookmark" run curl --user ${AUTH_USER}:${AUTH_PASS} -X PUT "http://127.0.0.1:8080/v2/_zot/ext/userprefs?repo=busybox&action=toggleBookmark"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run curl --user "test:test" -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search run curl --user ${AUTH_USER}:${AUTH_PASS} -X POST -H "Content-Type: application/json" --data "${USER_BOOKMARK_REPOS_QUERY}" http://localhost:8080/v2/_zot/ext/search
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results') = '[]' ] [ $(echo "${lines[-1]}" | jq -r '.data.BookmarkedRepos.Results') = '[]' ]
} }

View file

@ -3,6 +3,7 @@
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites() # Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
load helpers_zot load helpers_zot
load helpers_metrics
function verify_prerequisites() { function verify_prerequisites() {
if [ ! $(command -v curl) ]; then if [ ! $(command -v curl) ]; then
@ -10,6 +11,11 @@ function verify_prerequisites() {
return 1 return 1
fi fi
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0 return 0
} }
@ -19,14 +25,14 @@ function setup_file() {
exit 1 exit 1
fi fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/golang:1.20 oci:${TEST_DATA_DIR}/golang:1.20
# Setup zot server # Setup zot server
zot_root_dir=${BATS_FILE_TMPDIR}/zot zot_root_dir=${BATS_FILE_TMPDIR}/zot
echo ${zot_root_dir} echo ${zot_root_dir} >&3
zot_log_file=${zot_root_dir}/zot-log.json zot_log_file=${zot_root_dir}/zot-log.json
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
mkdir -p ${zot_root_dir} mkdir -p ${zot_root_dir}
touch ${zot_log_file} touch ${zot_log_file}
cat >${zot_config_file} <<EOF cat >${zot_config_file} <<EOF
@ -37,7 +43,12 @@ function setup_file() {
}, },
"http": { "http": {
"address": "0.0.0.0", "address": "0.0.0.0",
"port": "8080" "port": "8080",
"auth": {
"htpasswd": {
"path": "${zot_htpasswd_file}"
}
}
}, },
"log": { "log": {
"level": "debug", "level": "debug",
@ -68,8 +79,15 @@ function teardown_file() {
zot_stop_all zot_stop_all
} }
@test "metric enabled" { @test "unauthorized request to metrics" {
local servername="http://127.0.0.1:8080/metrics" run metrics_route_check 8080 "" 401
status_code=$(curl --write-out '%{http_code}' --silent --output /dev/null ${servername}) [ "$status" -eq 0 ]
[ "$status_code" -eq 200 ] run metrics_route_check 8080 "-u unlucky:wrongpass" 401
[ "$status" -eq 0 ]
} }
@test "authorized request: metrics enabled" {
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
[ "$status" -eq 0 ]
}

View file

@ -0,0 +1,84 @@
# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
# Makefile target installs & checks all necessary tooling
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
load helpers_zot
load helpers_metrics
function verify_prerequisites() {
if [ ! $(command -v curl) ]; then
echo "you need to install curl as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v htpasswd) ]; then
echo "you need to install htpasswd as a prerequisite to running the tests" >&3
return 1
fi
return 0
}
function setup_file() {
# verify prerequisites are available
if ! $(verify_prerequisites); then
exit 1
fi
# Setup zot server
zot_root_dir=${BATS_FILE_TMPDIR}/zot
echo ${zot_root_dir} >&3
zot_log_file=${zot_root_dir}/zot-log.json
zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
mkdir -p ${zot_root_dir}
touch ${zot_log_file}
cat >${zot_config_file} <<EOF
{
"distSpecVersion": "1.1.0-dev",
"storage": {
"rootDirectory": "${zot_root_dir}"
},
"http": {
"address": "0.0.0.0",
"port": "8080",
"auth": {
"htpasswd": {
"path": "${zot_htpasswd_file}"
}
}
},
"log": {
"level": "debug",
"output": "${zot_log_file}"
}
}
EOF
zot_serve ${ZOT_MINIMAL_PATH} ${zot_config_file}
wait_zot_reachable 8080
}
function teardown() {
# conditionally printing on failure is possible from teardown but not from from teardown_file
cat ${BATS_FILE_TMPDIR}/zot/zot-log.json
}
function teardown_file() {
zot_stop_all
}
@test "unauthorized request to metrics" {
run metrics_route_check 8080 "" 401
[ "$status" -eq 0 ]
run metrics_route_check 8080 "-u test:wrongpass" 401
[ "$status" -eq 0 ]
}
@test "authorized request: metrics enabled" {
run metrics_route_check 8080 "-u ${AUTH_USER}:${AUTH_PASS}" 200
[ "$status" -eq 0 ]
}

View file

@ -25,11 +25,14 @@ function setup_file() {
exit 1 exit 1
fi fi
# Download test data to folder common for the entire suite, not just this file
skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
# Setup zot server # Setup zot server
local zot_root_dir=${BATS_FILE_TMPDIR}/zot local zot_root_dir=${BATS_FILE_TMPDIR}/zot
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
htpasswd -Bbn test test123 >> ${zot_htpasswd_file} htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
echo ${zot_root_dir} >&3 echo ${zot_root_dir} >&3
@ -89,14 +92,14 @@ function teardown_file() {
@test "push image with regclient" { @test "push image with regclient" {
run regctl registry set localhost:8080 --tls disabled run regctl registry set localhost:8080 --tls disabled
run regctl registry login localhost:8080 -u test -p test123 run regctl registry login localhost:8080 -u ${AUTH_USER} -p ${AUTH_PASS}
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.20 localhost:8080/test-regclient run regctl image copy ocidir://${TEST_DATA_DIR}/busybox:1.36 localhost:8080/test-regclient
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "pull image with regclient" { @test "pull image with regclient" {
run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.20 run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/busybox:latest
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }