github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 12:58:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: support mTLS-only authn/authz with AccessControl and allow combining mTLS with other auth mechanisms (#3624)

Browse Source 
* feat: support mTLS-only authn/authz with AccessControl and allow combining mTLS with other auth mechanisms

Signed-off-by: Ivan Arkhipov <me@endevir.ru>

* refactor: improve authentication logic and TLS certificate generation

- Fix mTLS authentication to use only leaf certificate instead of iterating
  through all certificates in the chain
- Reject Authorization headers when corresponding auth method is disabled,
  regardless of mTLS status (security improvement)
- Simplify authentication switch statement ordering and logic
- Move ErrUserDataNotFound error handling into sessionAuthn method
- Refactor TLS certificate generation to use Options pattern with
  CertificateOptions struct for better extensibility
- Consolidate duplicate certificate generation code into helper functions
  (generateCertificate, parseCA, initializeTemplate, applyOptions)
- Rename certificate generation functions for clarity:
  - GenerateCertWithCN -> GenerateClientCert
  - GenerateSelfSignedCertWithCN -> GenerateClientSelfSignedCert
- Add support for SAN settings including email addresses in certificates
- Update tests to reflect new authentication behavior and certificate API

This commit improves both the security posture (rejecting disabled auth
methods) and code maintainability (consolidated certificate generation).

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>

* fix: guard against multiple Authorization headers

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>

---------

Signed-off-by: Ivan Arkhipov <me@endevir.ru>
Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
Co-authored-by: Ivan Arkhipov <me@endevir.ru>
This commit is contained in:
Andrei Aaron
2025-12-11 20:08:32 +02:00
committed by GitHub
parent e7b73b6c2d
commit 08fae9104d
11 changed files with 2066 additions and 536 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/cli/client/client_test.go
+2 -1
View File
@@ -102,7 +102,8 @@ func TestTLSWithAuth(t *testing.T) {
So(err, ShouldNotBeNil)
So(imageBuff.String(), ShouldContainSubstring, "scheme not provided")
args = []string{"list", "--config", "imagetest"}
invalidUser := fmt.Sprintf("%s:%s", "wrong_username", "wrong_password")
args = []string{"-u", invalidUser, "list", "--config", "imagetest"}
_ = makeConfigFile(t,
fmt.Sprintf(`{"configs":[{"_name":"imagetest","url":"%s%s%s","showspinner":false}]}`,
pkg/cli/server/root.go
+3 -2
View File
@@ -708,8 +708,9 @@ func validateAuthzPolicies(config *config.Config, logger zlog.Logger) error {
logger.Info().Msg("checking if anonymous authorization is the only type of authorization policy configured")
if !authConfig.IsBasicAuthnEnabled() && !accessControlConfig.ContainsOnlyAnonymousPolicy() {
msg := "access control config requires one of httpasswd, ldap or openid authentication " +
if !authConfig.IsBasicAuthnEnabled() && !config.IsMTLSAuthEnabled() &&
!accessControlConfig.ContainsOnlyAnonymousPolicy() {
msg := "access control config requires one of htpasswd, ldap, openid or mTLS authentication " +
"or using only 'anonymousPolicy' policies"
logger.Error().Err(zerr.ErrBadConfig).Msg(msg)