From b636ce2da12a2af8f613551a47c5388b2dd085f7 Mon Sep 17 00:00:00 2001
From: Peter Engelbert
Date: Fri, 31 Jan 2020 16:46:03 -0600
Subject: [PATCH] Fix auth scope on endpoints without repo name

Resolves #71

Signed-off-by: Peter Engelbert
---
 WORKSPACE                  |  4 ++--
 go.mod                     |  2 +-
 go.sum                     |  4 ++--
 pkg/api/auth.go            |  9 +++++----
 pkg/api/controller_test.go | 25 ++++++++++++++++++++++++-
 5 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/WORKSPACE b/WORKSPACE
index 1107ae9e..40ba6f80 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -137,8 +137,8 @@ go_repository(
 go_repository(
     name = "com_github_chartmuseum_auth",
     importpath = "github.com/chartmuseum/auth",
-    sum = "h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=",
-    version = "v0.3.1",
+    sum = "h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=",
+    version = "v0.4.0",
 )
 
 go_repository(
diff --git a/go.mod b/go.mod
index a8a55d4e..8ea91718 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.13
 
 require (
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chartmuseum/auth v0.3.1
+	github.com/chartmuseum/auth v0.4.0
 	github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a
 	github.com/go-chi/chi v4.0.2+incompatible // indirect
 	github.com/go-ldap/ldap/v3 v3.1.3
diff --git a/go.sum b/go.sum
index cfdbbbde..b4f6d719 100644
--- a/go.sum
+++ b/go.sum
@@ -16,8 +16,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/chartmuseum/auth v0.3.1 h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=
-github.com/chartmuseum/auth v0.3.1/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
+github.com/chartmuseum/auth v0.4.0 h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=
+github.com/chartmuseum/auth v0.4.0/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
diff --git a/pkg/api/auth.go b/pkg/api/auth.go
index bc9a44ac..2efaa4fe 100644
--- a/pkg/api/auth.go
+++ b/pkg/api/auth.go
@@ -36,10 +36,11 @@ func AuthHandler(c *Controller) mux.MiddlewareFunc {
 
 func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
 	authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
-		Realm:           c.Config.HTTP.Auth.Bearer.Realm,
-		Service:         c.Config.HTTP.Auth.Bearer.Service,
-		PublicKeyPath:   c.Config.HTTP.Auth.Bearer.Cert,
-		AccessEntryType: bearerAuthDefaultAccessEntryType,
+		Realm:                 c.Config.HTTP.Auth.Bearer.Realm,
+		Service:               c.Config.HTTP.Auth.Bearer.Service,
+		PublicKeyPath:         c.Config.HTTP.Auth.Bearer.Cert,
+		AccessEntryType:       bearerAuthDefaultAccessEntryType,
+		EmptyDefaultNamespace: true,
 	})
 	if err != nil {
 		c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go
index bda87dab..afae73f9 100644
--- a/pkg/api/controller_test.go
+++ b/pkg/api/controller_test.go
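Review bot: `EmptyDefaultNamespace: true` is the entire fix for #71, yet nothing at the call site records why it is set, and the field name alone does not tell a maintainer which requests it affects or what a missing repository name now resolves to. A comment above the field such as `// Requests whose path carries no repository name (e.g. /v2/) are authorized against an empty namespace rather than a default one (#71).` would keep the next reader from treating it as noise. The option's exact semantics are defined in chartmuseum/auth v0.4.0, which is not part of this diff, so the wording should be checked against that package before merging. The rest of the struct literal is a gofmt realignment only, and bearerAuthHandler continues past the end of the hunk.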
@@ -854,7 +854,7 @@ func TestBearerAuth(t *testing.T) {
 	blob := []byte("hello, blob!")
 	digest := godigest.FromBytes(blob).String()
 
-	resp, err := resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
+	resp, err := resty.R().Get(BaseURL3 + "/v2/")
 	So(err, ShouldBeNil)
 	So(resp, ShouldNotBeNil)
 	So(resp.StatusCode(), ShouldEqual, 401)
@@ -871,6 +871,29 @@ func TestBearerAuth(t *testing.T) {
 	err = json.Unmarshal(resp.Body(), &goodToken)
 	So(err, ShouldBeNil)
 
+	resp, err = resty.R().
+		SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
+		Get(BaseURL3 + "/v2/")
+	So(err, ShouldBeNil)
+	So(resp, ShouldNotBeNil)
+	So(resp.StatusCode(), ShouldEqual, 200)
+
+	resp, err = resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
+	So(err, ShouldBeNil)
+	So(resp, ShouldNotBeNil)
+	So(resp.StatusCode(), ShouldEqual, 401)
+
+	authorizationHeader = parseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+	resp, err = resty.R().
+		SetQueryParam("service", authorizationHeader.Service).
+		SetQueryParam("scope", authorizationHeader.Scope).
+		Get(authorizationHeader.Realm)
+	So(err, ShouldBeNil)
+	So(resp, ShouldNotBeNil)
+	So(resp.StatusCode(), ShouldEqual, 200)
+	err = json.Unmarshal(resp.Body(), &goodToken)
+	So(err, ShouldBeNil)
+
 	resp, err = resty.R().
 		SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
 		Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
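Review bot: The new assertions in the `@@ -871` hunk never present the token obtained for the repository-less `/v2/` scope to a repository endpoint, so the test does not show that an empty-namespace token is rejected where a repository scope is required — the second `Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")` is sent with no Authorization header at all. Right after the authenticated `Get(BaseURL3 + "/v2/")` returns 200, adding `resp, err = resty.R().SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")` followed by `So(resp.StatusCode(), ShouldEqual, 401)` would pin that the empty namespace is not honoured as a wildcard. It would also be worth asserting that the `Www-Authenticate` scope returned for `/v2/` carries no repository name, since that is the behaviour #71 is about; that header is parsed between the two hunks, outside this diff, so the exact expected value cannot be given here. The `@@ -854` hunk (switching the first unauthenticated request from the blob-upload POST to `Get(BaseURL3 + "/v2/")`) only sets up this flow and needs nothing further; TestBearerAuth begins and ends outside both hunks.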