feat: add configurable mTLS identity extraction with fallback chain (#3640)

Add support for configurable identity attributes in mTLS authentication,
allowing identity extraction from CommonName, Subject DN, Email SAN,
URI SAN, or DNSName SAN with fallback chain support. Includes regex
pattern matching for URI SANs (e.g., SPIFFE workload IDs).

- Add MTLSConfig with identity attributes, URISANPattern, and index fields
- Implement extractMTLSIdentity with fallback chain logic
- Move the mtls tests in the api package to pkg/api/mtls_test.go

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
Author: Andrei Aaron
Date: 2025-12-18 19:10:47 +02:00
Committed by: GitHub
Parent: f2064c9af0
Commit: 79439bbf63
14 changed files with 2788 additions and 1435 deletions
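The fallback chain and URI SAN pattern matching that the commit message describes, as an added Go example that is not the project's code: the attribute names ("commonname", "urisan"), the MTLSConfig field set, the Compile method and ErrNoIdentityAttributes are assumptions of this example, while the other error values copy the ones added in this commit. It covers CommonName and URI SAN only, returns the first identity the chain yields, reports every attribute's failure when none matches, and fails closed on an empty chain or a misspelt attribute name instead of falling through to the next entry. The certificate is constructed inline; a server would take the already-verified leaf from the TLS connection state.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

var (
	ErrNoIdentityInCommonName       = errors.New("no identity found in CommonName")
	ErrNoURISANFound                = errors.New("no URI SAN found")
	ErrURISANIndexOutOfRange        = errors.New("URI SAN index out of range")
	ErrURISANPatternDidNotMatch     = errors.New("URI SAN pattern did not match")
	ErrInvalidURISANPattern         = errors.New("invalid URI SAN pattern")
	ErrUnsupportedIdentityAttribute = errors.New("unsupported identity attribute")
	ErrNoIdentityAttributes         = errors.New("no identity attributes configured") // assumed, not in the commit
)

// MTLSConfig is an assumed shape: the attributes ("commonname", "urisan") are tried in order.
type MTLSConfig struct {
	IdentityAttributes []string
	URISANPattern      string // optional; the identity is the last capture group, or the whole match
	URISANIndex        int
	uriRe              *regexp.Regexp
}

// Compile validates the regexp once at config load, not on every handshake.
func (c *MTLSConfig) Compile() (err error) {
	if c.URISANPattern != "" {
		if c.uriRe, err = regexp.Compile(c.URISANPattern); err != nil {
			return fmt.Errorf("%w: %v", ErrInvalidURISANPattern, err)
		}
	}
	return nil
}

// extractMTLSIdentity returns the first identity the chain yields. An empty chain or an
// unknown attribute name is a configuration bug and fails closed instead of being skipped.
func extractMTLSIdentity(cert *x509.Certificate, cfg *MTLSConfig) (string, error) {
	if len(cfg.IdentityAttributes) == 0 {
		return "", ErrNoIdentityAttributes
	}
	var errs []error
	for _, attr := range cfg.IdentityAttributes {
		id, err := extractOne(cert, cfg, attr)
		if err == nil {
			return id, nil
		}
		if errors.Is(err, ErrUnsupportedIdentityAttribute) {
			return "", err
		}
		errs = append(errs, fmt.Errorf("%s: %w", attr, err))
	}
	return "", errors.Join(errs...) // every attribute failed; report all of them
}

func extractOne(cert *x509.Certificate, cfg *MTLSConfig, attr string) (string, error) {
	switch attr {
	case "commonname":
		if cert.Subject.CommonName == "" {
			return "", ErrNoIdentityInCommonName
		}
		return cert.Subject.CommonName, nil
	case "urisan":
		if len(cert.URIs) == 0 {
			return "", ErrNoURISANFound
		}
		if cfg.URISANIndex < 0 || cfg.URISANIndex >= len(cert.URIs) {
			return "", ErrURISANIndexOutOfRange
		}
		uri := cert.URIs[cfg.URISANIndex].String()
		if cfg.uriRe == nil {
			return uri, nil
		}
		m := cfg.uriRe.FindStringSubmatch(uri)
		if m == nil {
			return "", ErrURISANPatternDidNotMatch
		}
		return m[len(m)-1], nil
	default:
		return "", fmt.Errorf("%w: %q", ErrUnsupportedIdentityAttribute, attr)
	}
}

// sampleCert is a constructed client certificate: no CN, one SPIFFE URI SAN (a server would use PeerCertificates[0] after chain verification).
var sampleCert = &x509.Certificate{
	URIs: []*url.URL{{Scheme: "spiffe", Host: "example.org", Path: "/ns/prod/sa/registry"}},
}

func main() {
	cfg := &MTLSConfig{IdentityAttributes: []string{"commonname", "urisan"}, URISANPattern: `^spiffe://example\.org/(.+)$`}
	if err := cfg.Compile(); err != nil {
		panic(err)
	}
	fmt.Println(extractMTLSIdentity(sampleCert, cfg))
}
```

Anchor the pattern with `^` and `$` as above: an unanchored pattern lets any URI that merely contains the expected prefix somewhere satisfy the match. The extracted identity is only as trustworthy as the CA that issued the SAN, so the mTLS trust store behind this code should contain only CAs that are authoritative for the SPIFFE trust domain the pattern accepts.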
@@ -186,4 +186,14 @@ var (
ErrInvalidEventSinkType = errors.New("invalid sink type")
ErrEventSinkAddressEmpty = errors.New("address field cannot be empty")
ErrCouldNotCreateHTTPEventTransport = errors.New("default transport is not *http.Transport")
ErrNoIdentityInCommonName = errors.New("no identity found in CommonName")
ErrNoURISANFound = errors.New("no URI SAN found")
ErrURISANIndexOutOfRange = errors.New("URI SAN index out of range")
ErrURISANPatternDidNotMatch = errors.New("URI SAN pattern did not match")
ErrInvalidURISANPattern = errors.New("invalid URI SAN pattern")
ErrNoDNSANFound = errors.New("no DNS SAN found")
ErrDNSANIndexOutOfRange = errors.New("DNS SAN index out of range")
ErrNoEmailSANFound = errors.New("no Email SAN found")
ErrEmailSANIndexOutOfRange = errors.New("Email SAN index out of range")
ErrUnsupportedIdentityAttribute = errors.New("unsupported identity attribute")
)
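Review bot: the two DNS SAN identifiers drop an "S" and break the naming pattern the rest of this block establishes: `ErrNoURISANFound` and `ErrNoEmailSANFound` are URI+SAN and Email+SAN, so the DNS pair should be `ErrNoDNSSANFound` and `ErrDNSSANIndexOutOfRange` rather than `ErrNoDNSANFound` and `ErrDNSANIndexOutOfRange`; renaming now is cheap, before callers and the moved tests in pkg/api/mtls_test.go depend on the misspelt names. Two smaller points: `ErrInvalidURISANPattern` describes a configuration defect, so it should be produced when the config is loaded and the regexp compiled once, not on the request path during identity extraction; and the commit message lists Subject DN among the identity attributes, but no error for an empty or missing Subject DN is added here, so either that extractor cannot fail (in which case an empty subject must not be accepted as an empty identity) or an error value is missing from this list.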