0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00

Check if auth config is provided when using access control

This commit is contained in:
Petu Eusebiu 2021-09-01 12:15:00 +03:00 committed by Ramkumar Chinchani
parent c8779d9e87
commit 62e724532a
5 changed files with 66 additions and 14 deletions

View file

@ -237,6 +237,27 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
} }
} }
func isAuthnEnabled(config *Config) bool {
if config.HTTP.Auth != nil &&
(config.HTTP.Auth.HTPasswd.Path != "" || config.HTTP.Auth.LDAP != nil) {
return true
}
return false
}
func isBearerAuthEnabled(config *Config) bool {
if config.HTTP.Auth != nil &&
config.HTTP.Auth.Bearer != nil &&
config.HTTP.Auth.Bearer.Cert != "" &&
config.HTTP.Auth.Bearer.Realm != "" &&
config.HTTP.Auth.Bearer.Service != "" {
return true
}
return false
}
func authFail(w http.ResponseWriter, realm string, delay int) { func authFail(w http.ResponseWriter, realm string, delay int) {
time.Sleep(time.Duration(delay) * time.Second) time.Sleep(time.Duration(delay) * time.Second)
w.Header().Set("WWW-Authenticate", realm) w.Header().Set("WWW-Authenticate", realm)

View file

@ -216,18 +216,6 @@ func getUsername(r *http.Request) string {
return pair[0] return pair[0]
} }
func isBearerAuthEnabled(config *Config) bool {
if config.HTTP.Auth != nil &&
config.HTTP.Auth.Bearer != nil &&
config.HTTP.Auth.Bearer.Cert != "" &&
config.HTTP.Auth.Bearer.Realm != "" &&
config.HTTP.Auth.Bearer.Service != "" {
return true
}
return false
}
func authzFail(w http.ResponseWriter, realm string, delay int) { func authzFail(w http.ResponseWriter, realm string, delay int) {
time.Sleep(time.Duration(delay) * time.Second) time.Sleep(time.Duration(delay) * time.Second)
w.Header().Set("WWW-Authenticate", realm) w.Header().Set("WWW-Authenticate", realm)

View file

@ -54,8 +54,9 @@ func NewRouteHandler(c *Controller) *RouteHandler {
func (rh *RouteHandler) SetupRoutes() { func (rh *RouteHandler) SetupRoutes() {
rh.c.Router.Use(AuthHandler(rh.c)) rh.c.Router.Use(AuthHandler(rh.c))
// authz is being enabled because authn is found
if !isBearerAuthEnabled(rh.c.Config) && rh.c.Config.AccessControl != nil { if rh.c.Config.AccessControl != nil && !isBearerAuthEnabled(rh.c.Config) && isAuthnEnabled(rh.c.Config) {
rh.c.Log.Info().Msg("access control is being enabled")
rh.c.Router.Use(AuthzHandler(rh.c)) rh.c.Router.Use(AuthzHandler(rh.c))
} }

View file

@ -164,6 +164,15 @@ func LoadConfiguration(config *api.Config, configPath string) {
panic(errors.ErrBadConfig) panic(errors.ErrBadConfig)
} }
// check authorization config, it should have basic auth enabled or ldap
if config.HTTP.RawAccessControl != nil {
if config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil) {
log.Error().Err(errors.ErrBadConfig).
Msg("access control config requires httpasswd or ldap authentication to be enabled")
panic(errors.ErrBadConfig)
}
}
err := config.LoadAccessControlConfig() err := config.LoadAccessControlConfig()
if err != nil { if err != nil {
log.Error().Err(errors.ErrBadConfig).Msg("Unable to unmarshal http.accessControl.key.policies") log.Error().Err(errors.ErrBadConfig).Msg("Unable to unmarshal http.accessControl.key.policies")

View file

@ -85,6 +85,39 @@ func TestVerify(t *testing.T) {
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic) So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic)
}) })
Convey("Test verify w/ authorization and w/o authentication", t, func(c C) {
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
So(err, ShouldBeNil)
defer os.Remove(tmpfile.Name()) // clean up
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
"accessControl":{"adminPolicy":{"users":["admin"],
"actions":["read","create","update","delete"]}}}}`)
_, err = tmpfile.Write(content)
So(err, ShouldBeNil)
err = tmpfile.Close()
So(err, ShouldBeNil)
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic)
})
Convey("Test verify w/ authorization and w/ authentication", t, func(c C) {
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
So(err, ShouldBeNil)
defer os.Remove(tmpfile.Name()) // clean up
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
"auth":{"htpasswd":{"path":"test/data/htpasswd"},"failDelay":1},
"accessControl":{"adminPolicy":{"users":["admin"],
"actions":["read","create","update","delete"]}}}}`)
_, err = tmpfile.Write(content)
So(err, ShouldBeNil)
err = tmpfile.Close()
So(err, ShouldBeNil)
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldNotPanic)
})
Convey("Test verify good config", t, func(c C) { Convey("Test verify good config", t, func(c C) {
tmpfile, err := ioutil.TempFile("", "zot-test*.json") tmpfile, err := ioutil.TempFile("", "zot-test*.json")
So(err, ShouldBeNil) So(err, ShouldBeNil)