mirror of
https://github.com/project-zot/zot.git
synced 2025-01-13 22:50:38 -05:00
Fix auth scope on endpoints without repo name
Resolves #71 Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
This commit is contained in:
parent
92241d17cb
commit
b636ce2da1
5 changed files with 34 additions and 10 deletions
|
@ -137,8 +137,8 @@ go_repository(
|
||||||
go_repository(
|
go_repository(
|
||||||
name = "com_github_chartmuseum_auth",
|
name = "com_github_chartmuseum_auth",
|
||||||
importpath = "github.com/chartmuseum/auth",
|
importpath = "github.com/chartmuseum/auth",
|
||||||
sum = "h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=",
|
sum = "h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=",
|
||||||
version = "v0.3.1",
|
version = "v0.4.0",
|
||||||
)
|
)
|
||||||
|
|
||||||
go_repository(
|
go_repository(
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -4,7 +4,7 @@ go 1.13
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
|
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
|
||||||
github.com/chartmuseum/auth v0.3.1
|
github.com/chartmuseum/auth v0.4.0
|
||||||
github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a
|
github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a
|
||||||
github.com/go-chi/chi v4.0.2+incompatible // indirect
|
github.com/go-chi/chi v4.0.2+incompatible // indirect
|
||||||
github.com/go-ldap/ldap/v3 v3.1.3
|
github.com/go-ldap/ldap/v3 v3.1.3
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -16,8 +16,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
|
||||||
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
|
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
|
||||||
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
|
||||||
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
|
||||||
github.com/chartmuseum/auth v0.3.1 h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=
|
github.com/chartmuseum/auth v0.4.0 h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=
|
||||||
github.com/chartmuseum/auth v0.3.1/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
|
github.com/chartmuseum/auth v0.4.0/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
|
||||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||||
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
|
||||||
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
|
||||||
|
|
|
@ -36,10 +36,11 @@ func AuthHandler(c *Controller) mux.MiddlewareFunc {
|
||||||
|
|
||||||
func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
|
func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
|
||||||
authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
|
authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
|
||||||
Realm: c.Config.HTTP.Auth.Bearer.Realm,
|
Realm: c.Config.HTTP.Auth.Bearer.Realm,
|
||||||
Service: c.Config.HTTP.Auth.Bearer.Service,
|
Service: c.Config.HTTP.Auth.Bearer.Service,
|
||||||
PublicKeyPath: c.Config.HTTP.Auth.Bearer.Cert,
|
PublicKeyPath: c.Config.HTTP.Auth.Bearer.Cert,
|
||||||
AccessEntryType: bearerAuthDefaultAccessEntryType,
|
AccessEntryType: bearerAuthDefaultAccessEntryType,
|
||||||
|
EmptyDefaultNamespace: true,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
|
c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
|
||||||
|
|
|
@ -854,7 +854,7 @@ func TestBearerAuth(t *testing.T) {
|
||||||
blob := []byte("hello, blob!")
|
blob := []byte("hello, blob!")
|
||||||
digest := godigest.FromBytes(blob).String()
|
digest := godigest.FromBytes(blob).String()
|
||||||
|
|
||||||
resp, err := resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
|
resp, err := resty.R().Get(BaseURL3 + "/v2/")
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
So(resp, ShouldNotBeNil)
|
So(resp, ShouldNotBeNil)
|
||||||
So(resp.StatusCode(), ShouldEqual, 401)
|
So(resp.StatusCode(), ShouldEqual, 401)
|
||||||
|
@ -871,6 +871,29 @@ func TestBearerAuth(t *testing.T) {
|
||||||
err = json.Unmarshal(resp.Body(), &goodToken)
|
err = json.Unmarshal(resp.Body(), &goodToken)
|
||||||
So(err, ShouldBeNil)
|
So(err, ShouldBeNil)
|
||||||
|
|
||||||
|
resp, err = resty.R().
|
||||||
|
SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
|
||||||
|
Get(BaseURL3 + "/v2/")
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
So(resp, ShouldNotBeNil)
|
||||||
|
So(resp.StatusCode(), ShouldEqual, 200)
|
||||||
|
|
||||||
|
resp, err = resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
So(resp, ShouldNotBeNil)
|
||||||
|
So(resp.StatusCode(), ShouldEqual, 401)
|
||||||
|
|
||||||
|
authorizationHeader = parseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
|
||||||
|
resp, err = resty.R().
|
||||||
|
SetQueryParam("service", authorizationHeader.Service).
|
||||||
|
SetQueryParam("scope", authorizationHeader.Scope).
|
||||||
|
Get(authorizationHeader.Realm)
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
So(resp, ShouldNotBeNil)
|
||||||
|
So(resp.StatusCode(), ShouldEqual, 200)
|
||||||
|
err = json.Unmarshal(resp.Body(), &goodToken)
|
||||||
|
So(err, ShouldBeNil)
|
||||||
|
|
||||||
resp, err = resty.R().
|
resp, err = resty.R().
|
||||||
SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
|
SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
|
||||||
Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
|
Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
|
||||||
|
|
Loading…
Add table
Reference in a new issue