mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00

fix(apikey): show api key configuration in mgmt API (#2138)

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Andrei Aaron 2023-12-14 19:54:51 +02:00 committed by GitHub
parent 18aa975ae2
commit cff74578be
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 111 additions and 4 deletions


@ -39,6 +39,7 @@ type Auth struct {
Address string `json:"address,omitempty" mapstructure:"address"`
} `json:"ldap,omitempty" mapstructure:"ldap"`
OpenID *OpenIDConfig `json:"openid,omitempty" mapstructure:"openid"`
APIKey bool `json:"apikey,omitempty" mapstructure:"apikey"`
}
type StrippedConfig struct {
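Review bot: The new `APIKey` field in `Auth` has no comment saying that it is served to anonymous callers, although the tests in this commit fetch the mgmt route without credentials and read the flag back. I would document it with `// APIKey reports whether API-key authentication is enabled; it is returned to unauthenticated clients, so it must stay a plain flag and never carry key material.` Because the tag uses `omitempty`, a disabled setting is dropped from the JSON instead of being sent as `"apikey": false`, so clients have to treat a missing key as false. The `Auth` struct begins above this hunk.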


@ -143,6 +143,12 @@ func TestMgmtExtension(t *testing.T) {
username, seedUser := test.GenerateRandomString()
password, seedPass := test.GenerateRandomString()
htpasswdPath := test.MakeHtpasswdFileFromString(test.GetCredString(username, password))
defer func() {
conf.HTTP.Auth.HTPasswd.Path = ""
os.Remove(htpasswdPath)
}()
conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
conf.Extensions = &extconf.ExtensionConfig{}
@ -203,6 +209,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
// with credentials
resp, err = resty.R().SetBasicAuth(username, password).Get(baseURL + constants.FullMgmt)
@ -216,6 +223,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
// with wrong credentials
resp, err = resty.R().SetBasicAuth(username, "wrong").Get(baseURL + constants.FullMgmt)
@ -224,7 +232,6 @@ func TestMgmtExtension(t *testing.T) {
})
Convey("Verify mgmt auth info route enabled with ldap", t, func() {
defer os.Remove(conf.HTTP.Auth.HTPasswd.Path) // cleanup of a file created in previous Convey
conf.HTTP.Auth.LDAP = (&config.LDAPConfig{
BaseDN: "basedn",
Address: "ldapexample",
@ -281,13 +288,84 @@ func TestMgmtExtension(t *testing.T) {
// ldap is always nil, htpasswd should be populated when ldap is used
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with ldap + apikey", t, func() {
conf.HTTP.Auth.LDAP = (&config.LDAPConfig{
BaseDN: "basedn",
Address: "ldapexample",
}).SetBindDN("binddn")
conf.HTTP.Auth.APIKey = true
defer func() {
conf.HTTP.Auth.APIKey = false
}()
conf.Extensions = &extconf.ExtensionConfig{}
conf.Extensions.Search = &extconf.SearchConfig{}
conf.Extensions.Search.Enable = &defaultValue
conf.Extensions.Search.CVE = nil
conf.Extensions.UI = &extconf.UIConfig{}
conf.Extensions.UI.Enable = &defaultValue
conf.Log.Output = logFile.Name()
defer os.Remove(logFile.Name()) // cleanup
ctlr := api.NewController(conf)
subPaths := make(map[string]config.StorageConfig)
subPaths["/a"] = config.StorageConfig{RootDirectory: t.TempDir()}
ctlr.Config.Storage.RootDirectory = t.TempDir()
ctlr.Config.Storage.SubPaths = subPaths
ctlrManager := test.NewControllerManager(ctlr)
ctlrManager.StartAndWait(port)
defer ctlrManager.StopServer()
found, err := test.ReadLogFileAndSearchString(logFile.Name(),
"setting up mgmt routes", mgmtReadyTimeout)
defer func() {
if !found {
data, err := os.ReadFile(logFile.Name())
So(err, ShouldBeNil)
t.Log(string(data))
}
}()
So(found, ShouldBeTrue)
So(err, ShouldBeNil)
found, err = test.ReadLogFileAndSearchString(logFile.Name(),
"finished setting up mgmt routes", mgmtReadyTimeout)
So(found, ShouldBeTrue)
So(err, ShouldBeNil)
// without credentials
resp, err := resty.R().Get(baseURL + constants.FullMgmt)
So(err, ShouldBeNil)
So(resp.StatusCode(), ShouldEqual, http.StatusOK)
mgmtResp := extensions.StrippedConfig{}
err = json.Unmarshal(resp.Body(), &mgmtResp)
So(err, ShouldBeNil)
So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
// ldap is always nil, htpasswd should be populated when ldap is used
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeTrue)
})
Convey("Verify mgmt auth info route enabled with htpasswd + ldap", t, func() {
username, seedUser := test.GenerateRandomString()
password, seedPass := test.GenerateRandomString()
htpasswdPath := test.MakeHtpasswdFileFromString(test.GetCredString(username, password))
defer os.Remove(htpasswdPath)
defer func() {
conf.HTTP.Auth.HTPasswd.Path = ""
os.Remove(htpasswdPath)
}()
conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
conf.HTTP.Auth.LDAP = (&config.LDAPConfig{
BaseDN: "basedn",
@ -346,6 +424,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
// with credentials
resp, err = resty.R().SetBasicAuth(username, password).Get(baseURL + constants.FullMgmt)
@ -359,13 +438,19 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with htpasswd + ldap + bearer", t, func() {
username, seedUser := test.GenerateRandomString()
password, seedPass := test.GenerateRandomString()
htpasswdPath := test.MakeHtpasswdFileFromString(test.GetCredString(username, password))
defer os.Remove(htpasswdPath)
defer func() {
conf.HTTP.Auth.HTPasswd.Path = ""
os.Remove(htpasswdPath)
}()
conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
conf.HTTP.Auth.LDAP = (&config.LDAPConfig{
BaseDN: "basedn",
@ -427,6 +512,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
// with credentials
resp, err = resty.R().SetBasicAuth(username, password).Get(baseURL + constants.FullMgmt)
@ -442,6 +528,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with ldap + bearer", t, func() {
@ -509,6 +596,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with bearer", t, func() {
@ -567,6 +655,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with openID", t, func() {
@ -634,13 +723,18 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.OpenID, ShouldNotBeNil)
So(mgmtResp.HTTP.Auth.OpenID.Providers, ShouldNotBeEmpty)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled with empty openID provider list", t, func() {
username, seedUser := test.GenerateRandomString()
password, seedPass := test.GenerateRandomString()
htpasswdPath := test.MakeHtpasswdFileFromString(test.GetCredString(username, password))
defer os.Remove(htpasswdPath)
defer func() {
conf.HTTP.Auth.HTPasswd.Path = ""
os.Remove(htpasswdPath)
}()
conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
conf.HTTP.Auth.LDAP = nil
@ -701,6 +795,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.OpenID, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
Convey("Verify mgmt auth info route enabled without any auth", t, func() {
@ -745,6 +840,7 @@ func TestMgmtExtension(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
So(mgmtResp.HTTP.Auth.HTPasswd, ShouldBeNil)
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
found, err := test.ReadLogFileAndSearchString(logFile.Name(),
"setting up mgmt routes", mgmtReadyTimeout)
@ -898,6 +994,7 @@ func TestMgmtWithBearer(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, conf.HTTP.Auth.Bearer.Service)
So(mgmtResp.HTTP.Auth.HTPasswd, ShouldBeNil)
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
resp, err = resty.R().SetBasicAuth("", "").Get(baseURL + constants.FullMgmt)
So(err, ShouldBeNil)
@ -912,6 +1009,7 @@ func TestMgmtWithBearer(t *testing.T) {
So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, conf.HTTP.Auth.Bearer.Service)
So(mgmtResp.HTTP.Auth.HTPasswd, ShouldBeNil)
So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
So(mgmtResp.HTTP.Auth.APIKey, ShouldBeFalse)
})
}
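Review bot: The deferred cleanup in the new "ldap + apikey" Convey resets only `conf.HTTP.Auth.APIKey`, while the `conf.HTTP.Auth.LDAP` value assigned just above it stays on the shared `conf` for the Conveys that follow. This commit adds deferred resets of `HTPasswd.Path` in other cases to stop the same kind of state leaking between cases, so the defer here could also set `conf.HTTP.Auth.LDAP = nil`, provided no later case depends on the leftover value (that cannot be seen from these hunks). The new case also asserts `APIKey` only for the request without credentials; an assertion on an authenticated request would pin that both paths report the same flag. `TestMgmtExtension` continues outside the hunks shown.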


@ -1308,6 +1308,9 @@ const docTemplate = `{
"extensions.Auth": {
"type": "object",
"properties": {
"apikey": {
"type": "boolean"
},
"bearer": {
"$ref": "#/definitions/extensions.BearerConfig"
},


@ -1299,6 +1299,9 @@
"extensions.Auth": {
"type": "object",
"properties": {
"apikey": {
"type": "boolean"
},
"bearer": {
"$ref": "#/definitions/extensions.BearerConfig"
},


@ -101,6 +101,8 @@ definitions:
type: object
extensions.Auth:
properties:
apikey:
type: boolean
bearer:
$ref: '#/definitions/extensions.BearerConfig'
htpasswd: