Remove AllowReadOnly and ReadOnly

Signed-off-by: Nicol Draghici <idraghic@cisco.com> Remove check and set header every time Signed-off-by: Nicol Draghici <idraghic@cisco.com>
2026-06-16 04:17:55 +08:00 · 2022-07-14 18:13:46 +03:00
parent a5ed99178e
commit a702a2377e
33 changed files with 509 additions and 170 deletions
@@ -217,9 +217,9 @@ func validateConfiguration(config *config.Config) error {

 	// check authorization config, it should have basic auth enabled or ldap
 	if config.HTTP.RawAccessControl != nil {
-		if config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil) {
-			// checking for default policy only authorization config: no users, no policies but default policy
-			checkForDefaultPolicyConfig(config)
+		// checking for anonymous policy only authorization config: no users, no policies but anonymous policy
+		if err := validateAuthzPolicies(config); err != nil {
+			return err
 		}
 	}

@@ -272,13 +272,17 @@ func validateConfiguration(config *config.Config) error {
 	return nil
 }

-func checkForDefaultPolicyConfig(config *config.Config) {
-	if !isDefaultPolicyConfig(config) {
+func validateAuthzPolicies(config *config.Config) error {
+	if (config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil)) &&
+		!authzContainsOnlyAnonymousPolicy(config) {
 		log.Error().Err(errors.ErrBadConfig).
 			Msg("access control config requires httpasswd, ldap authentication " +
-				"or using only 'defaultPolicy' policies")
-		panic(errors.ErrBadConfig)
+				"or using only 'anonymousPolicy' policies")
+
+		return errors.ErrBadConfig
 	}
+
+	return nil
 }

 func applyDefaultValues(config *config.Config, viperInstance *viper.Viper) {
@@ -408,31 +412,44 @@ func LoadConfiguration(config *config.Config, configPath string) error {
 	return nil
 }

-func isDefaultPolicyConfig(cfg *config.Config) bool {
+func authzContainsOnlyAnonymousPolicy(cfg *config.Config) bool {
 	adminPolicy := cfg.AccessControl.AdminPolicy
+	anonymousPolicyPresent := false

-	log.Info().Msg("checking if default authorization is possible")
+	log.Info().Msg("checking if anonymous authorization is the only type of authorization policy configured")

 	if len(adminPolicy.Actions)+len(adminPolicy.Users) > 0 {
-		log.Info().Msg("admin policy detected, default authorization disabled")
+		log.Info().Msg("admin policy detected, anonymous authorization is not the only authorization policy configured")

 		return false
 	}

 	for _, repository := range cfg.AccessControl.Repositories {
+		if len(repository.DefaultPolicy) > 0 {
+			log.Info().Interface("repository", repository).
+				Msg("default policy detected, anonymous authorization is not the only authorization policy configured")
+
+			return false
+		}
+
+		if len(repository.AnonymousPolicy) > 0 {
+			log.Info().Msg("anonymous authorization detected")
+
+			anonymousPolicyPresent = true
+		}
+
 		for _, policy := range repository.Policies {
 			if len(policy.Actions)+len(policy.Users) > 0 {
 				log.Info().Interface("repository", repository).
-					Msg("repository with non-empty policy detected, default authorization disabled")
+					Msg("repository with non-empty policy detected, " +
+						"anonymous authorization is not the only authorization policy configured")

 				return false
 			}
 		}
 	}

-	log.Info().Msg("default authorization detected")
-
-	return true
+	return anonymousPolicyPresent
 }

 func validateLDAP(config *config.Config) error {
@@ -174,14 +174,14 @@ func TestVerify(t *testing.T) {
 		So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldNotPanic)
 	})

-	Convey("Test verify default authorization", t, func(c C) {
+	Convey("Test verify anonymous authorization", t, func(c C) {
 		tmpfile, err := ioutil.TempFile("", "zot-test*.json")
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 		 					"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
-							 "accessControl":{"**":{"defaultPolicy": ["read", "create"]},
-							 "/repo":{"defaultPolicy": ["read", "create"]}
+							 "accessControl":{"**":{"anonymousPolicy": ["read", "create"]},
+							 "/repo":{"anonymousPolicy": ["read", "create"]}
 							 }}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -198,7 +198,7 @@ func TestVerify(t *testing.T) {
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 		 					"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
 							 "accessControl":{"**":{"defaultPolicy": ["read", "create"]},
-							 "/repo":{"defaultPolicy": ["read", "create"]},
+							 "/repo":{"anonymousPolicy": ["read", "create"]},
 							 "adminPolicy":{"users":["admin"],
 							 "actions":["read","create","update","delete"]}
 							 }}}`)
@@ -217,7 +217,7 @@ func TestVerify(t *testing.T) {
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
 							"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
-							"/repo":{"defaultPolicy": ["read", "create"]},
+							"/repo":{"anonymousPolicy": ["read", "create"]},
 							"/repo2":{"policies": [{
 								 "users": ["charlie"],
 								 "actions": ["read", "create", "update"]}]}
@@ -289,7 +289,7 @@ func TestVerify(t *testing.T) {
 		content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
 							"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
 							"auth":{"htpasswd":{"path":"test/data/htpasswd"},"failDelay":1},
-							"accessControl":{"[":{"policies":[],"defaultPolicy":[]}}}}`)
+							"accessControl":{"[":{"policies":[],"anonymousPolicy":[]}}}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
 		err = tmpfile.Close()
@@ -339,7 +339,7 @@ func TestVerify(t *testing.T) {
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot"},
-							"http": {"url": "127.0.0.1", "port": "8080", "ReadOnly": false},
+							"http": {"url": "127.0.0.1", "port": "8080"},
 							"log": {"level": "debug"}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -355,7 +355,7 @@ func TestVerify(t *testing.T) {
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot"},
 							"http": {"auth": {"ldap": {"address": "ldap", "userattribute": "uid"}},
-							"address": "127.0.0.1", "port": "8080", "ReadOnly": false},
+							"address": "127.0.0.1", "port": "8080"},
 							"log": {"level": "debug"}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -371,7 +371,7 @@ func TestVerify(t *testing.T) {
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot"},
 							"http": {"auth": {"ldap": {"basedn": "ou=Users,dc=example,dc=org", "userattribute": "uid"}},
-							"address": "127.0.0.1", "port": "8080", "ReadOnly": false},
+							"address": "127.0.0.1", "port": "8080"},
 							"log": {"level": "debug"}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -387,7 +387,7 @@ func TestVerify(t *testing.T) {
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot"},
 							"http": {"auth": {"ldap": {"basedn": "ou=Users,dc=example,dc=org", "address": "ldap"}},
-							"address": "127.0.0.1", "port": "8080", "ReadOnly": false},
+							"address": "127.0.0.1", "port": "8080"},
 							"log": {"level": "debug"}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -402,7 +402,7 @@ func TestVerify(t *testing.T) {
 		So(err, ShouldBeNil)
 		defer os.Remove(tmpfile.Name()) // clean up
 		content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot"},
-							"http": {"address": "127.0.0.1", "port": "8080", "ReadOnly": false},
+							"http": {"address": "127.0.0.1", "port": "8080"},
 							"log": {"level": "debug"}}`)
 		_, err = tmpfile.Write(content)
 		So(err, ShouldBeNil)
@@ -503,7 +503,7 @@ func TestGC(t *testing.T) {
 			defer os.Remove(file.Name())

 			content := []byte(`{"distSpecVersion": "1.0.0", "storage": {"rootDirectory": "/tmp/zot",
-			"gc": false}, "http": {"address": "127.0.0.1", "port": "8080", "ReadOnly": false},
+			"gc": false}, "http": {"address": "127.0.0.1", "port": "8080"},
 			"log": {"level": "debug"}}`)

 			err = ioutil.WriteFile(file.Name(), content, 0o600)