mirror of
https://github.com/project-zot/zot.git
synced 2026-06-16 04:17:55 +08:00
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
This commit is contained in:
Andrei Aaron
@@ -13,6 +13,7 @@ import (
|
||||
"zotregistry.io/zot/pkg/api/config"
|
||||
"zotregistry.io/zot/pkg/api/constants"
|
||||
apiErr "zotregistry.io/zot/pkg/api/errors"
|
||||
localCtx "zotregistry.io/zot/pkg/requestcontext"
|
||||
)
|
||||
|
||||
func AllowedMethods(methods ...string) []string {
|
||||
@@ -29,7 +30,7 @@ func AddExtensionSecurityHeaders() mux.MiddlewareFunc { //nolint:varnamelen
|
||||
}
|
||||
}
|
||||
|
||||
func ACHeadersHandler(config *config.Config, allowedMethods ...string) mux.MiddlewareFunc {
|
||||
func ACHeadersMiddleware(config *config.Config, allowedMethods ...string) mux.MiddlewareFunc {
|
||||
allowedMethodsValue := strings.Join(allowedMethods, ",")
|
||||
|
||||
return func(next http.Handler) http.Handler {
|
||||
@@ -50,6 +51,54 @@ func ACHeadersHandler(config *config.Config, allowedMethods ...string) mux.Middl
|
||||
}
|
||||
}
|
||||
|
||||
func CORSHeadersMiddleware(allowOrigin string) mux.MiddlewareFunc {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
|
||||
AddCORSHeaders(allowOrigin, response)
|
||||
|
||||
next.ServeHTTP(response, request)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func AddCORSHeaders(allowOrigin string, response http.ResponseWriter) {
|
||||
if allowOrigin == "" {
|
||||
response.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
} else {
|
||||
response.Header().Set("Access-Control-Allow-Origin", allowOrigin)
|
||||
}
|
||||
}
|
||||
|
||||
// AuthzOnlyAdminsMiddleware permits only admin user access if auth is enabled.
|
||||
func AuthzOnlyAdminsMiddleware(conf *config.Config) mux.MiddlewareFunc {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
|
||||
if !conf.IsBasicAuthnEnabled() {
|
||||
next.ServeHTTP(response, request)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// get acCtx built in previous authn/authz middlewares
|
||||
acCtx, err := localCtx.GetAccessControlContext(request.Context())
|
||||
if err != nil { // should not happen as this has been previously checked for errors
|
||||
AuthzFail(response, request, conf.HTTP.Realm, conf.HTTP.Auth.FailDelay)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// reject non-admin access if authentication is enabled
|
||||
if acCtx != nil && !acCtx.IsAdmin {
|
||||
AuthzFail(response, request, conf.HTTP.Realm, conf.HTTP.Auth.FailDelay)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(response, request)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func AuthzFail(w http.ResponseWriter, r *http.Request, realm string, delay int) {
|
||||
time.Sleep(time.Duration(delay) * time.Second)
|
||||
|
||||
|
||||
@@ -52,6 +52,7 @@ type ImageSummary struct {
|
||||
Vendor string `json:"vendor"`
|
||||
Vulnerabilities ImageVulnerabilitySummary `json:"vulnerabilities"`
|
||||
Referrers []Referrer `json:"referrers"`
|
||||
SignatureInfo []SignatureSummary `json:"signatureInfo"`
|
||||
}
|
||||
|
||||
type ManifestSummary struct {
|
||||
@@ -67,6 +68,13 @@ type ManifestSummary struct {
|
||||
Vulnerabilities ImageVulnerabilitySummary `json:"vulnerabilities"`
|
||||
Referrers []Referrer `json:"referrers"`
|
||||
ArtifactType string `json:"artifactType"`
|
||||
SignatureInfo []SignatureSummary `json:"signatureInfo"`
|
||||
}
|
||||
|
||||
type SignatureSummary struct {
|
||||
Tool string `json:"tool"`
|
||||
IsTrusted bool `json:"isTrusted"`
|
||||
Author string `json:"author"`
|
||||
}
|
||||
|
||||
type Platform struct {
|
||||
|
||||
Reference in New Issue
Block a user