Fix auth scope on endpoints without repo name

Resolves #71 Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
2024-12-16 21:56:37 -05:00 · 2020-01-31 16:46:03 -06:00 · 2020-01-31 16:46:03 -06:00 · b636ce2da1
commit b636ce2da1
parent 92241d17cb
5 changed files with 34 additions and 10 deletions
--- a/4
+++ b/4
@ -137,8 +137,8 @@ go_repository(
 go_repository(
    name = "com_github_chartmuseum_auth",
    importpath = "github.com/chartmuseum/auth",
-    sum = "h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=",
-    version = "v0.3.1",
+    sum = "h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=",
+    version = "v0.4.0",
 )

 go_repository(
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,7 @@ go 1.13

 require (
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
-	github.com/chartmuseum/auth v0.3.1
+	github.com/chartmuseum/auth v0.4.0
 	github.com/getlantern/deepcopy v0.0.0-20160317154340-7f45deb8130a
 	github.com/go-chi/chi v4.0.2+incompatible // indirect
 	github.com/go-ldap/ldap/v3 v3.1.3
--- a/go.sum
+++ b/go.sum
@ -16,8 +16,8 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/chartmuseum/auth v0.3.1 h1:76rqyKtBdQAnC/YuT9ftL7OpLTDwfrfk8Ee8rD9OVOw=
-github.com/chartmuseum/auth v0.3.1/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
+github.com/chartmuseum/auth v0.4.0 h1:CkCJPO/daho9iN9t6ztK4cJRjHkQoom5/n5ndAS3OyM=
+github.com/chartmuseum/auth v0.4.0/go.mod h1:hk7ENYpPKy5sEMkooBAuxBBtrsQjQtv9BNTLj7xZW2E=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
--- a/pkg/api/auth.go
+++ b/pkg/api/auth.go
@ -36,10 +36,11 @@ func AuthHandler(c *Controller) mux.MiddlewareFunc {

 func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
 	authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
-		Realm:           c.Config.HTTP.Auth.Bearer.Realm,
-		Service:         c.Config.HTTP.Auth.Bearer.Service,
-		PublicKeyPath:   c.Config.HTTP.Auth.Bearer.Cert,
-		AccessEntryType: bearerAuthDefaultAccessEntryType,
+		Realm:                 c.Config.HTTP.Auth.Bearer.Realm,
+		Service:               c.Config.HTTP.Auth.Bearer.Service,
+		PublicKeyPath:         c.Config.HTTP.Auth.Bearer.Cert,
+		AccessEntryType:       bearerAuthDefaultAccessEntryType,
+		EmptyDefaultNamespace: true,
 	})
 	if err != nil {
 		c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
--- a/pkg/api/controller_test.go
+++ b/pkg/api/controller_test.go
@ -854,7 +854,7 @@ func TestBearerAuth(t *testing.T) {
 		blob := []byte("hello, blob!")
 		digest := godigest.FromBytes(blob).String()

-		resp, err := resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
+		resp, err := resty.R().Get(BaseURL3 + "/v2/")
 		So(err, ShouldBeNil)
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, 401)
@ -871,6 +871,29 @@ func TestBearerAuth(t *testing.T) {
 		err = json.Unmarshal(resp.Body(), &goodToken)
 		So(err, ShouldBeNil)

+		resp, err = resty.R().
+			SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
+			Get(BaseURL3 + "/v2/")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, 200)
+
+		resp, err = resty.R().Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, 401)
+
+		authorizationHeader = parseBearerAuthHeader(resp.Header().Get("Www-Authenticate"))
+		resp, err = resty.R().
+			SetQueryParam("service", authorizationHeader.Service).
+			SetQueryParam("scope", authorizationHeader.Scope).
+			Get(authorizationHeader.Realm)
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, 200)
+		err = json.Unmarshal(resp.Body(), &goodToken)
+		So(err, ShouldBeNil)
+
 		resp, err = resty.R().
 			SetHeader("Authorization", fmt.Sprintf("Bearer %s", goodToken.AccessToken)).
 			Post(BaseURL3 + "/v2/" + AuthorizedNamespace + "/blobs/uploads/")