github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 12:58:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

Get identity when using TLS certificates

Browse Source 
Signed-off-by: Nicol Draghici <idraghic@cisco.com>
This commit is contained in:
Nicol Draghici
2022-08-12 15:18:41 +03:00
committed by Andrei Aaron
parent f9f388f32e
commit 5450139ba1
4 changed files with 208 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/api/authz.go
+22 -8
View File
@@ -189,22 +189,36 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
acCtrlr := NewAccessController(ctlr.Config)
// allow anonymous authz if no authn present and only default policies are present
var username string
var identity string
var err error
/* To be implemented: verify client certs and get its username(subject DN)
if request.TLS.VerifiedChains != nil, then get subject DN
issue: https: //github.com/project-zot/zot/issues/614 */
// allow anonymous authz if no authn present and only default policies are present
identity = ""
if isAuthnEnabled(ctlr.Config) && request.Header.Get("Authorization") != "" {
username, _, err = getUsernamePasswordBasicAuth(request)
identity, _, err = getUsernamePasswordBasicAuth(request)
if err != nil {
authFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
}
}
ctx := acCtrlr.getContext(username, request)
if request.TLS != nil {
verifiedChains := request.TLS.VerifiedChains
// still no identity, get it from TLS certs
if identity == "" && verifiedChains != nil &&
len(verifiedChains) > 0 && len(verifiedChains[0]) > 0 {
for _, cert := range request.TLS.PeerCertificates {
identity = cert.Subject.CommonName
}
// if we still don't have an identity
if identity == "" {
acCtrlr.Log.Info().Msg("couldn't get identity from TLS certificate")
authFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
}
}
}
ctx := acCtrlr.getContext(identity, request)
// will return only repos on which client is authorized to read
if request.RequestURI == fmt.Sprintf("%s%s", constants.RoutePrefix, constants.ExtCatalogPrefix) {
@@ -236,7 +250,7 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
action = DELETE
}
can := acCtrlr.can(username, action, resource)
can := acCtrlr.can(identity, action, resource)
if !can {
authzFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
} else {