Fix metrics authorization middleware bleed (#3183)

fix: metrics authorization middleware bleed (#3182)

Fixes `extension_metrics_disabled.go` to correctly isolate the authz
middleware when the metrics extension is disabled.

Signed-off-by: Matthieu Mottet <m.mottet@outlook.com>

pkg/extensions/extension_metrics_disabled.go

@@ -29,7 +29,8 @@ func SetupMetricsRoutes(conf *config.Config, router *mux.Router,
 		zcommon.WriteJSON(w, http.StatusOK, m)
 	}
 
-	router.Use(authnFunc)
-	router.Use(authzFunc)
-	router.HandleFunc("/metrics", getMetrics).Methods("GET")
+	extRouter := router.PathPrefix("/metrics").Subrouter()
+	extRouter.Use(authnFunc)
+	extRouter.Use(authzFunc)
+	extRouter.Methods("GET").Handler(http.HandlerFunc(getMetrics))
 }

test/blackbox/helpers_dist.bash

@@ -0,0 +1,6 @@
+function dist_route_check () {
+    local servername="http://127.0.0.1:${1}/v2/"
+    status_code=$(curl --write-out '%{http_code}' ${2}  --silent --output /dev/null ${servername})
+
+    [ "$status_code" -eq ${3} ]
+}

test/blackbox/metrics_minimal.bats

@@ -4,6 +4,7 @@
 
 load helpers_zot
 load helpers_metrics
+load helpers_dist
 
 function verify_prerequisites() {
     if [ ! $(command -v curl) ]; then
@@ -107,4 +108,9 @@ function teardown_file() {
     zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
     run metrics_route_check ${zot_port} "-u ${METRICS_USER}:${METRICS_PASS}" 200
     [ "$status" -eq 0 ]
+# anonymous policy: /v2/ endpoint should be available
+# 200 - http.StatusOK
+    zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
+    run dist_route_check ${zot_port} "" 200
+    [ "$status" -eq 0 ]
 }