17d1338af1
This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated user's session, thus not requiring every request to use credentials. Another change is the apikey feature: users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If the network policy doesn't allow inbound connections, this callback won't work! For more info read the documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
# bats helper library; presumably where verify_prerequisites, zot_serve_strace,
# wait_zot_reachable and zot_stop (called below, not defined in this file) live.
load helpers_cloud
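#######################################
# bats per-test setup: write a zot config backed by localstack (S3 blobs,
# DynamoDB cache/metadata) with Dex as the only OpenID provider, create the
# localstack resources, then start zot under strace and wait for it.
# Globals:   BATS_FILE_TMPDIR (read)
# Outputs:   the zot root dir on fd 3 (bats' diagnostic stream)
# Returns:   exits 1 when verify_prerequisites fails; otherwise the status of
#            the last command (bats treats any non-zero status as a failure)
#######################################
function setup() {
  # Verify prerequisites are available
  if ! verify_prerequisites; then
    exit 1
  fi

  # Setup zot server
  local zot_root_dir="${BATS_FILE_TMPDIR}/zot"
  local zot_config_file="${BATS_FILE_TMPDIR}/zot_config.json"

  printf '%s\n' "${zot_root_dir}" >&3

  mkdir -p -- "${zot_root_dir}"

  # Unquoted delimiter on purpose: ${zot_root_dir} must expand inside the JSON.
  # The Dex clientsecret below is the fixture secret for the Dex mock connector
  # started by the test harness; it is not a credential for any real service.
  # "**" with an anonymous read+create policy is what lets the unauthenticated
  # skopeo push in "check for local disk writes" succeed.
  cat > "${zot_config_file}" <<EOF
{
  "distSpecVersion": "1.1.0-dev",
  "storage": {
    "rootDirectory": "${zot_root_dir}",
    "dedupe": true,
    "remoteCache": true,
    "storageDriver": {
      "name": "s3",
      "rootdirectory": "/zot",
      "region": "us-east-2",
      "regionendpoint": "localhost:4566",
      "bucket": "zot-storage",
      "secure": false,
      "skipverify": false
    },
    "cacheDriver": {
      "name": "dynamodb",
      "endpoint": "http://localhost:4566",
      "region": "us-east-2",
      "cacheTablename": "BlobTable",
      "repoMetaTablename": "RepoMetadataTable",
      "manifestDataTablename": "ManifestDataTable",
      "indexDataTablename": "IndexDataTable",
      "userDataTablename": "UserDataTable",
      "apiKeyTablename":"ApiKeyTable",
      "versionTablename": "Version"
    }
  },
  "http": {
    "address": "127.0.0.1",
    "port": "8080",
    "realm": "zot",
    "auth": {
      "openid": {
        "providers": {
          "dex": {
            "issuer": "http://127.0.0.1:5556/dex",
            "clientid": "zot-client",
            "clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0",
            "scopes": ["openid", "email", "groups"]
          }
        }
      },
      "failDelay": 5
    },
    "accessControl": {
      "repositories": {
        "**": {
          "anonymousPolicy": ["read", "create"]
        }
      }
    }
  },
  "log": {
    "level": "debug"
  },
  "extensions": {
    "metrics": {
      "enable": true,
      "prometheus": {
        "path": "/metrics"
      }
    },
    "search": {
      "enable": true
    },
    "scrub": {
      "enable": true,
      "interval": "24h"
    }
  }
}
EOF

  # localstack resources the config above points at; torn down in teardown()
  awslocal s3 --region "us-east-2" mb s3://zot-storage
  awslocal dynamodb --region "us-east-2" create-table --table-name "BlobTable" \
    --attribute-definitions AttributeName=Digest,AttributeType=S \
    --key-schema AttributeName=Digest,KeyType=HASH \
    --provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=5

  # strace output from this is what "check for local disk writes" inspects
  zot_serve_strace "${zot_config_file}"
  wait_zot_reachable "http://127.0.0.1:8080/v2/_catalog"
}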
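#######################################
# bats per-test teardown: stop zot, remove its local root dir and drop the
# localstack bucket/table created in setup().
# Globals:   BATS_FILE_TMPDIR (read)
# Returns:   status of the last awslocal call
#######################################
function teardown() {
  # :? aborts if BATS_FILE_TMPDIR is unset/empty, so the rm below can never
  # collapse to "rm -rf /zot".
  local zot_root_dir="${BATS_FILE_TMPDIR:?}/zot"

  zot_stop
  rm -rf -- "${zot_root_dir}"

  awslocal s3 rb s3://"zot-storage" --force
  awslocal dynamodb --region "us-east-2" delete-table --table-name "BlobTable"
}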
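#######################################
# Drive one OpenID login round-trip: ask zot for the Dex login page, extract
# the "state" token it embeds, then hit the Dex mock connector's auth endpoint
# with that state so Dex redirects back to zot's callback.
# Outputs:   the extracted state on fd 3; the final curl body on stdout
# Returns:   1 when no state could be extracted, else the status of the
#            callback curl (-f makes HTTP errors non-zero)
#######################################
dex_session () {
  local state
  # The login URL contains '?', so it is quoted to keep the shell from
  # treating it as a glob.
  state=$(curl -L -f -s "http://localhost:8080/openid/auth/login?provider=dex" \
    | grep -m 1 -oP '(?<=state=)[^ ]*"' | cut -d '"' -f1)
  printf '%s\n' "${state}" >&3

  # Without this guard an unreachable or reshaped login page would send
  # "state=" to Dex and the outcome would depend solely on Dex rejecting it.
  [[ -n "${state}" ]] || return 1

  curl -L -f -s "http://127.0.0.1:5556/dex/auth/mock?client_id=zot-client&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fopenid%2Fauth%2Fcallback%2Fdex&response_type=code&scope=profile+email+groups+openid&state=${state}"
}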
# Only the exit status of the login round-trip is asserted; the state token
# and response body are left for fd 3 / $output when debugging.
@test "check dex is working" {
  run dex_session
  [[ "$status" -eq 0 ]]
}
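# Push an image through zot (anonymous create is allowed by the setup() policy)
# and then check strace.txt: with S3/DynamoDB as the backends, every non-O_RDONLY
# openat() zot performed must be under a metadata or trivy path, i.e. no blob
# data may have been written to local disk.
@test "check for local disk writes" {
  run skopeo --insecure-policy copy --dest-tls-verify=false \
    docker://centos:centos8 docker://localhost:8080/centos:8
  [ "$status" -eq 0 ]

  # Process substitution instead of "cat | ... | while" so the loop runs in
  # this shell, and the match failure is reported explicitly rather than
  # relying on set -e firing inside a pipeline subshell.
  while IFS= read -r line; do
    printf '%s\n' "${line}" >&3
    [[ "$line" =~ .*metadata.* || "$line" =~ .*trivy.* ]] || return 1
  done < <(grep openat strace.txt | grep -v O_RDONLY | grep -Eo '\".*\"')
}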