mirror of
https://github.com/project-zot/zot.git
synced 2024-12-16 21:56:37 -05:00
77149aa85c
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
94 lines
2.7 KiB
Go
94 lines
2.7 KiB
Go
//go:build search && ui
|
|
// +build search,ui
|
|
|
|
package extensions
|
|
|
|
import (
|
|
"embed"
|
|
"io/fs"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gorilla/mux"
|
|
|
|
"zotregistry.io/zot/pkg/api/config"
|
|
zcommon "zotregistry.io/zot/pkg/common"
|
|
"zotregistry.io/zot/pkg/log"
|
|
)
|
|
|
|
// content is our static web server content.
|
|
//
|
|
//go:embed build/*
|
|
var content embed.FS
|
|
|
|
type uiHandler struct {
|
|
log log.Logger
|
|
}
|
|
|
|
func (uih uiHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
buf, _ := content.ReadFile("build/index.html")
|
|
|
|
_, err := w.Write(buf)
|
|
if err != nil {
|
|
uih.log.Error().Err(err).Msg("unable to serve index.html")
|
|
}
|
|
}
|
|
|
|
func addUISecurityHeaders(h http.Handler) http.HandlerFunc { //nolint:varnamelen
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
permissionsPolicy := "microphone=(), geolocation=(), battery=(), camera=(), autoplay=(), gyroscope=(), payment=()"
|
|
w.Header().Set("Permissions-Policy", permissionsPolicy)
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
w.Header().Set("X-Frame-Options", "DENY")
|
|
|
|
cspDirectives := []string{
|
|
"default-src 'none'",
|
|
"script-src 'self' 'unsafe-inline'",
|
|
"style-src 'self' 'unsafe-inline'",
|
|
"font-src 'self'",
|
|
"connect-src 'self'",
|
|
"img-src 'self'",
|
|
"manifest-src 'self'",
|
|
"base-uri 'self'",
|
|
}
|
|
w.Header().Set("Content-Security-Policy", strings.Join(cspDirectives, "; "))
|
|
|
|
h.ServeHTTP(w, r)
|
|
}
|
|
}
|
|
|
|
func SetupUIRoutes(conf *config.Config, router *mux.Router,
|
|
log log.Logger,
|
|
) {
|
|
if !conf.IsUIEnabled() {
|
|
log.Info().Msg("skip enabling the ui route as the config prerequisites are not met")
|
|
|
|
return
|
|
}
|
|
|
|
log.Info().Msg("setting up ui routes")
|
|
|
|
fsub, _ := fs.Sub(content, "build")
|
|
uih := uiHandler{log: log}
|
|
|
|
// See https://go-review.googlesource.com/c/go/+/482635/2/src/net/http/fs.go
|
|
// See https://github.com/golang/go/issues/59469
|
|
// In go 1.20.4 they decided to allow any method in the FileServer handler.
|
|
// In order to be consistent with the status codes returned when the UI is disabled
|
|
// we need to be explicit about the methods we allow on UI routes.
|
|
// If we don't add this, all unmatched http methods on any urls would match the UI routes.
|
|
allowedMethods := zcommon.AllowedMethods(http.MethodGet)
|
|
|
|
router.PathPrefix("/login").Methods(allowedMethods...).
|
|
Handler(addUISecurityHeaders(uih))
|
|
router.PathPrefix("/home").Methods(allowedMethods...).
|
|
Handler(addUISecurityHeaders(uih))
|
|
router.PathPrefix("/explore").Methods(allowedMethods...).
|
|
Handler(addUISecurityHeaders(uih))
|
|
router.PathPrefix("/image").Methods(allowedMethods...).
|
|
Handler(addUISecurityHeaders(uih))
|
|
router.PathPrefix("/").Methods(allowedMethods...).
|
|
Handler(addUISecurityHeaders(http.FileServer(http.FS(fsub))))
|
|
|
|
log.Info().Msg("finished setting up ui routes")
|
|
}
|