Check if auth config is provided when using access control
This commit is contained in:
parent
c8779d9e87
commit
62e724532a
5 changed files with 66 additions and 14 deletions
|
@ -237,6 +237,27 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func isAuthnEnabled(config *Config) bool {
|
||||||
|
if config.HTTP.Auth != nil &&
|
||||||
|
(config.HTTP.Auth.HTPasswd.Path != "" || config.HTTP.Auth.LDAP != nil) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func isBearerAuthEnabled(config *Config) bool {
|
||||||
|
if config.HTTP.Auth != nil &&
|
||||||
|
config.HTTP.Auth.Bearer != nil &&
|
||||||
|
config.HTTP.Auth.Bearer.Cert != "" &&
|
||||||
|
config.HTTP.Auth.Bearer.Realm != "" &&
|
||||||
|
config.HTTP.Auth.Bearer.Service != "" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func authFail(w http.ResponseWriter, realm string, delay int) {
|
func authFail(w http.ResponseWriter, realm string, delay int) {
|
||||||
time.Sleep(time.Duration(delay) * time.Second)
|
time.Sleep(time.Duration(delay) * time.Second)
|
||||||
w.Header().Set("WWW-Authenticate", realm)
|
w.Header().Set("WWW-Authenticate", realm)
|
||||||
|
|
|
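Review bot: isAuthnEnabled treats any non-nil `config.HTTP.Auth.LDAP` block as a working authentication backend, so an empty `"ldap": {}` stanza would satisfy the new access-control gate even though nothing in it can identify a user, whereas the htpasswd side at least demands a non-empty path. If the LDAP struct carries required fields (server address, bind credentials or similar), checking one of them here would make the predicate match what actually authenticates; otherwise a comment should say that LDAP-field validation happens elsewhere. A doc comment would also help, since the name is easy to confuse with the neighbouring isBearerAuthEnabled: `// isAuthnEnabled reports whether a user-identifying backend (htpasswd file or LDAP) is configured; bearer-token auth is checked separately by isBearerAuthEnabled.` The second function in this hunk is the one removed from the other file below, so nothing new to raise there.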
@ -216,18 +216,6 @@ func getUsername(r *http.Request) string {
|
||||||
return pair[0]
|
return pair[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
func isBearerAuthEnabled(config *Config) bool {
|
|
||||||
if config.HTTP.Auth != nil &&
|
|
||||||
config.HTTP.Auth.Bearer != nil &&
|
|
||||||
config.HTTP.Auth.Bearer.Cert != "" &&
|
|
||||||
config.HTTP.Auth.Bearer.Realm != "" &&
|
|
||||||
config.HTTP.Auth.Bearer.Service != "" {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
func authzFail(w http.ResponseWriter, realm string, delay int) {
|
func authzFail(w http.ResponseWriter, realm string, delay int) {
|
||||||
time.Sleep(time.Duration(delay) * time.Second)
|
time.Sleep(time.Duration(delay) * time.Second)
|
||||||
w.Header().Set("WWW-Authenticate", realm)
|
w.Header().Set("WWW-Authenticate", realm)
|
||||||
|
|
|
@ -54,8 +54,9 @@ func NewRouteHandler(c *Controller) *RouteHandler {
|
||||||
|
|
||||||
func (rh *RouteHandler) SetupRoutes() {
|
func (rh *RouteHandler) SetupRoutes() {
|
||||||
rh.c.Router.Use(AuthHandler(rh.c))
|
rh.c.Router.Use(AuthHandler(rh.c))
|
||||||
|
// authz is being enabled because authn is found
|
||||||
if !isBearerAuthEnabled(rh.c.Config) && rh.c.Config.AccessControl != nil {
|
if rh.c.Config.AccessControl != nil && !isBearerAuthEnabled(rh.c.Config) && isAuthnEnabled(rh.c.Config) {
|
||||||
|
rh.c.Log.Info().Msg("access control is being enabled")
|
||||||
rh.c.Router.Use(AuthzHandler(rh.c))
|
rh.c.Router.Use(AuthzHandler(rh.c))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
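Review bot: The rewritten condition makes authorization fail open silently: when `AccessControl` is configured but `isAuthnEnabled` is false (or bearer auth is on), AuthzHandler is simply not installed and the only log line sits on the success path, so a registry with policies in its config can run with no policy enforced and nothing in the log. LoadConfiguration in this commit rejects that combination for the CLI, but SetupRoutes is also reachable from tests or from a programmatically built Config, so the negative branch should at least be loud, e.g. `} else if rh.c.Config.AccessControl != nil { rh.c.Log.Error().Msg("access control configured but not enforced: htpasswd or ldap authentication required") }`. The bearer-auth case appears to have been ignoring the policies before this change as well; a message there would make that explicit rather than implicit.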
@ -164,6 +164,15 @@ func LoadConfiguration(config *api.Config, configPath string) {
|
||||||
panic(errors.ErrBadConfig)
|
panic(errors.ErrBadConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check authorization config, it should have basic auth enabled or ldap
|
||||||
|
if config.HTTP.RawAccessControl != nil {
|
||||||
|
if config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil) {
|
||||||
|
log.Error().Err(errors.ErrBadConfig).
|
||||||
|
Msg("access control config requires httpasswd or ldap authentication to be enabled")
|
||||||
|
panic(errors.ErrBadConfig)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
err := config.LoadAccessControlConfig()
|
err := config.LoadAccessControlConfig()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error().Err(errors.ErrBadConfig).Msg("Unable to unmarshal http.accessControl.key.policies")
|
log.Error().Err(errors.ErrBadConfig).Msg("Unable to unmarshal http.accessControl.key.policies")
|
||||||
|
|
|
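Review bot: The error message on the added check says `httpasswd`, which is neither the config key (`htpasswd`) nor the name of the tool, so an operator reading the log will search for the wrong key; suggest `Msg("access control config requires htpasswd or ldap authentication to be enabled")`. The predicate on the `if` line is also the exact negation of the new isAuthnEnabled in the api package; if that helper can be exported, calling it here keeps the two from drifting when another backend is added. The rest of LoadConfiguration, including what happens after LoadAccessControlConfig fails, is outside this hunk.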
@ -85,6 +85,39 @@ func TestVerify(t *testing.T) {
|
||||||
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic)
|
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic)
|
||||||
})
|
})
|
||||||
|
|
||||||
|
Convey("Test verify w/ authorization and w/o authentication", t, func(c C) {
|
||||||
|
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
defer os.Remove(tmpfile.Name()) // clean up
|
||||||
|
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
|
||||||
|
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
|
||||||
|
"accessControl":{"adminPolicy":{"users":["admin"],
|
||||||
|
"actions":["read","create","update","delete"]}}}}`)
|
||||||
|
_, err = tmpfile.Write(content)
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
err = tmpfile.Close()
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||||
|
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanic)
|
||||||
|
})
|
||||||
|
|
||||||
|
Convey("Test verify w/ authorization and w/ authentication", t, func(c C) {
|
||||||
|
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
defer os.Remove(tmpfile.Name()) // clean up
|
||||||
|
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
|
||||||
|
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
|
||||||
|
"auth":{"htpasswd":{"path":"test/data/htpasswd"},"failDelay":1},
|
||||||
|
"accessControl":{"adminPolicy":{"users":["admin"],
|
||||||
|
"actions":["read","create","update","delete"]}}}}`)
|
||||||
|
_, err = tmpfile.Write(content)
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
err = tmpfile.Close()
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||||
|
So(func() { _ = cli.NewRootCmd().Execute() }, ShouldNotPanic)
|
||||||
|
})
|
||||||
|
|
||||||
Convey("Test verify good config", t, func(c C) {
|
Convey("Test verify good config", t, func(c C) {
|
||||||
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
|
|
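Review bot: The negative case asserts only `ShouldPanic`, so it also passes if `verify` panics for any unrelated reason (a different config error, a nil dereference), which means it does not prove the new access-control check is what fired. GoConvey's `ShouldPanicWith` pins it to the intended error: `So(func() { _ = cli.NewRootCmd().Execute() }, ShouldPanicWith, errors.ErrBadConfig)`, with the project's errors package imported; the existing cases above use the weaker form too, so this could be applied to them in a follow-up. The positive case relies on `test/data/htpasswd` being present relative to the package directory, which I assume the other tests in this file already depend on.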