graphql: Apply authorization on /_search endpoint

- AccessControlContext now resides in a separate package from where it can be imported, along with the contextKey that will be used to set and retrieve this context value. - AccessControlContext has a new field called Username, that will be of use for future implementations in graphQL resolvers. - GlobalSearch resolver now uses this context to filter repos available to the logged user. - moved logic for uploading images in tests so that it can be used in every package - tests were added for multiple request scenarios, when zot-server requires authz on specific repos - added tests with injected errors for extended coverage - added tests for status code error injection utilities Closes https://github.com/project-zot/zot/issues/615 Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2026-06-17 12:58:02 +08:00 · 2022-08-16 11:57:09 +03:00
parent 5450139ba1
commit 49e8167dbe
15 changed files with 763 additions and 165 deletions
@@ -4,14 +4,18 @@
 package test_test

 import (
+	"context"
 	"encoding/json"
 	"io/ioutil"
 	"os"
 	"path"
 	"testing"

+	"github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
 	. "github.com/smartystreets/goconvey/convey"
+	"zotregistry.io/zot/pkg/api"
+	"zotregistry.io/zot/pkg/api/config"
 	"zotregistry.io/zot/pkg/test"
 )

@@ -122,3 +126,283 @@ func TestGetOciLayoutDigests(t *testing.T) {
 		}
 	})
 }
+
+func TestGetImageComponents(t *testing.T) {
+	Convey("Inject failures for unreachable lines", t, func() {
+		injected := test.InjectFailure(0)
+		if injected {
+			_, _, _, err := test.GetImageComponents(100)
+			So(err, ShouldNotBeNil)
+		}
+	})
+	Convey("finishes successfully", t, func() {
+		_, _, _, err := test.GetImageComponents(100)
+		So(err, ShouldBeNil)
+	})
+}
+
+func TestUploadImage(t *testing.T) {
+	Convey("Post request results in an error", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = t.TempDir()
+
+		img := test.Image{
+			Layers: make([][]byte, 10),
+		}
+
+		err := test.UploadImage(img, baseURL, "test")
+		So(err, ShouldNotBeNil)
+	})
+
+	Convey("Post request status differs from accepted", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		tempDir := t.TempDir()
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = tempDir
+
+		err := os.Chmod(tempDir, 0o400)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		img := test.Image{
+			Layers: make([][]byte, 10),
+		}
+
+		err = test.UploadImage(img, baseURL, "test")
+		So(err, ShouldNotBeNil)
+	})
+
+	Convey("Put request results in an error", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = t.TempDir()
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		img := test.Image{
+			Layers: make([][]byte, 10), // invalid format that will result in an error
+			Config: ispec.Image{},
+		}
+
+		err := test.UploadImage(img, baseURL, "test")
+		So(err, ShouldNotBeNil)
+	})
+
+	Convey("Image uploaded successfully", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = t.TempDir()
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		layerBlob := []byte("test")
+
+		img := test.Image{
+			Layers: [][]byte{
+				layerBlob,
+			}, // invalid format that will result in an error
+			Config: ispec.Image{},
+		}
+
+		err := test.UploadImage(img, baseURL, "test")
+		So(err, ShouldBeNil)
+	})
+
+	Convey("Blob upload wrong response status code", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		tempDir := t.TempDir()
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = tempDir
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		layerBlob := []byte("test")
+		layerBlobDigest := digest.FromBytes(layerBlob)
+		layerPath := path.Join(tempDir, "test", "blobs", "sha256")
+
+		if _, err := os.Stat(layerPath); os.IsNotExist(err) {
+			err = os.MkdirAll(layerPath, 0o700)
+			if err != nil {
+				t.Fatal(err)
+			}
+			file, err := os.Create(path.Join(layerPath, layerBlobDigest.Encoded()))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			err = os.Chmod(layerPath, 0o000)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer func() {
+				err = os.Chmod(layerPath, 0o700)
+				if err != nil {
+					t.Fatal(err)
+				}
+				os.RemoveAll(file.Name())
+			}()
+		}
+
+		img := test.Image{
+			Layers: [][]byte{
+				layerBlob,
+			}, // invalid format that will result in an error
+			Config: ispec.Image{},
+		}
+
+		err := test.UploadImage(img, baseURL, "test")
+		So(err, ShouldNotBeNil)
+	})
+
+	Convey("CreateBlobUpload wrong response status code", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		tempDir := t.TempDir()
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = tempDir
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		layerBlob := []byte("test")
+
+		img := test.Image{
+			Layers: [][]byte{
+				layerBlob,
+			}, // invalid format that will result in an error
+			Config: ispec.Image{},
+		}
+
+		Convey("CreateBlobUpload", func() {
+			injected := test.InjectFailure(2)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+		Convey("UpdateBlobUpload", func() {
+			injected := test.InjectFailure(4)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+	})
+}
+
+func TestInjectUploadImage(t *testing.T) {
+	Convey("Inject failures for unreachable lines", t, func() {
+		port := test.GetFreePort()
+		baseURL := test.GetBaseURL(port)
+
+		tempDir := t.TempDir()
+		conf := config.New()
+		conf.HTTP.Port = port
+		conf.Storage.RootDirectory = tempDir
+
+		ctlr := api.NewController(conf)
+		go startServer(ctlr)
+		defer stopServer(ctlr)
+
+		test.WaitTillServerReady(baseURL)
+
+		layerBlob := []byte("test")
+		layerPath := path.Join(tempDir, "test", ".uploads")
+
+		if _, err := os.Stat(layerPath); os.IsNotExist(err) {
+			err = os.MkdirAll(layerPath, 0o700)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		img := test.Image{
+			Layers: [][]byte{
+				layerBlob,
+			}, // invalid format that will result in an error
+			Config: ispec.Image{},
+		}
+
+		Convey("first marshal", func() {
+			injected := test.InjectFailure(0)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+		Convey("CreateBlobUpload POST call", func() {
+			injected := test.InjectFailure(1)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+		Convey("UpdateBlobUpload PUT call", func() {
+			injected := test.InjectFailure(3)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+		Convey("second marshal", func() {
+			injected := test.InjectFailure(5)
+			if injected {
+				err := test.UploadImage(img, baseURL, "test")
+				So(err, ShouldNotBeNil)
+			}
+		})
+	})
+}
+
+func startServer(c *api.Controller) {
+	// this blocks
+	ctx := context.Background()
+	if err := c.Run(ctx); err != nil {
+		return
+	}
+}
+
+func stopServer(c *api.Controller) {
+	ctx := context.Background()
+	_ = c.Server.Shutdown(ctx)
+}