
Fix auth scope on endpoints without repo name

Resolves #71

Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
This commit is contained in:
Peter Engelbert 2020-01-31 16:46:03 -06:00
parent 92241d17cb
commit b636ce2da1
5 changed files with 34 additions and 10 deletions


@ -137,8 +137,8 @@ go_repository(
go_repository( go_repository(
name = "com_github_chartmuseum_auth", name = "com_github_chartmuseum_auth",
importpath = "github.com/chartmuseum/auth", importpath = "github.com/chartmuseum/auth",
sum = "h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=", sum = "h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=",
version = "v0.3.1", version = "v0.4.0",
) )
go_repository( go_repository(

2
go.mod

@ -4,7 +4,7 @@ go 1.13
require ( require (
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
github.com/chartmuseum/auth v0.3.1 github.com/chartmuseum/auth v0.4.0
github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a
github.com/go-chi/chi v4.0.2+incompatible // indirect github.com/go-chi/chi v4.0.2+incompatible // indirect
github.com/go-ldap/ldap/v3 v3.1.3 github.com/go-ldap/ldap/v3 v3.1.3

4
go.sum

@ -16,8 +16,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/chartmuseum/auth v0.3.1 h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw= github.com/chartmuseum/auth v0.4.0 h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=
github.com/chartmuseum/auth v0.3.1/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E= github.com/chartmuseum/auth v0.4.0/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=


@ -36,10 +36,11 @@ func AuthHandler(c *Controller) mux.MiddlewareFunc {
func bearerAuthHandler(c *Controller) mux.MiddlewareFunc { func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{ authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
Realm: c.Config.HTTP.Auth.Bearer.Realm, Realm: c.Config.HTTP.Auth.Bearer.Realm,
Service: c.Config.HTTP.Auth.Bearer.Service, Service: c.Config.HTTP.Auth.Bearer.Service,
PublicKeyPath: c.Config.HTTP.Auth.Bearer.Cert, PublicKeyPath: c.Config.HTTP.Auth.Bearer.Cert,
AccessEntryType: bearerAuthDefaultAccessEntryType, AccessEntryType: bearerAuthDefaultAccessEntryType,
EmptyDefaultNamespace: true,
}) })
if err != nil { if err != nil {
c.Log.Panic().Err(err).Msg("error creating bearer authorizer") c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
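Review bot: The new `EmptyDefaultNamespace: true` line carries no explanation, and a reader of bearerAuthHandler cannot tell from the options struct why it is needed or which scope a request with no repository name is checked against; a why-comment on that line would help, e.g. `// Endpoints without a repo name (e.g. GET /v2/) have an empty namespace; see #71.` The option's exact semantics come from the chartmuseum/auth version bumped elsewhere in this commit, so the comment should state only what this handler relies on rather than restate the library's behavior. The accompanying TestBearerAuth hunk appears to exercise only the positive path for each token; a negative case that presents the token issued for `/v2/` to the blob-upload endpoint and expects 401 would pin down that the empty namespace does not widen a token's reach. bearerAuthHandler continues outside the hunk.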


@ -854,7 +854,7 @@ func TestBearerAuth(t *testing.T) {
blob := []byte("hello, blob!") blob := []byte("hello, blob!")
digest := godigest.FromBytes(blob).String() digest := godigest.FromBytes(blob).String()
resp, err := resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/") resp, err := resty.R().Get(BaseURL3 + "/v2/")
So(err, ShouldBeNil) So(err, ShouldBeNil)
So(resp, ShouldNotBeNil) So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, 401) So(resp.StatusCode(), ShouldEqual, 401)
@ -871,6 +871,29 @@ func TestBearerAuth(t *testing.T) {
err = json.Unmarshal(resp.Body(), &goodToken) err = json.Unmarshal(resp.Body(), &goodToken)
So(err, ShouldBeNil) So(err, ShouldBeNil)
resp, err = resty.R().
SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
Get(BaseURL3 + "/v2/")
So(err, ShouldBeNil)
So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, 200)
resp, err = resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
So(err, ShouldBeNil)
So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, 401)
authorizationHeader = parseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
resp, err = resty.R().
SetQueryParam("service", authorizationHeader.Service).
SetQueryParam("scope", authorizationHeader.Scope).
Get(authorizationHeader.Realm)
So(err, ShouldBeNil)
So(resp, ShouldNotBeNil)
So(resp.StatusCode(), ShouldEqual, 200)
err = json.Unmarshal(resp.Body(), &goodToken)
So(err, ShouldBeNil)
resp, err = resty.R(). resp, err = resty.R().
SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)). SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/") Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")