github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-15 20:07:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

lint: upgrade golangci-lint

Browse Source 
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
This commit is contained in:
Ramkumar Chinchani
2021-12-13 19:23:31 +00:00
committed by Ravi Chamarthy
parent 5f04092e71
commit ac3801ea2d
71 changed files with 3038 additions and 2575 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/api/authn.go
+82 -69
View File
@@ -31,46 +31,50 @@ func AuthHandler(c *Controller) mux.MiddlewareFunc {
return basicAuthHandler(c)
}
func bearerAuthHandler(c *Controller) mux.MiddlewareFunc {
func bearerAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
authorizer, err := auth.NewAuthorizer(&auth.AuthorizerOptions{
Realm: c.Config.HTTP.Auth.Bearer.Realm,
Service: c.Config.HTTP.Auth.Bearer.Service,
PublicKeyPath: c.Config.HTTP.Auth.Bearer.Cert,
Realm: ctlr.Config.HTTP.Auth.Bearer.Realm,
Service: ctlr.Config.HTTP.Auth.Bearer.Service,
PublicKeyPath: ctlr.Config.HTTP.Auth.Bearer.Cert,
AccessEntryType: bearerAuthDefaultAccessEntryType,
EmptyDefaultNamespace: true,
})
if err != nil {
c.Log.Panic().Err(err).Msg("error creating bearer authorizer")
ctlr.Log.Panic().Err(err).Msg("error creating bearer authorizer")
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
vars := mux.Vars(request)
name := vars["name"]
header := r.Header.Get("Authorization")
header := request.Header.Get("Authorization")
action := auth.PullAction
if m := r.Method; m != http.MethodGet && m != http.MethodHead {
if m := request.Method; m != http.MethodGet && m != http.MethodHead {
action = auth.PushAction
}
permissions, err := authorizer.Authorize(header, action, name)
if err != nil {
c.Log.Error().Err(err).Msg("issue parsing Authorization header")
w.Header().Set("Content-Type", "application/json")
WriteJSON(w, http.StatusInternalServerError, NewErrorList(NewError(UNSUPPORTED)))
ctlr.Log.Error().Err(err).Msg("issue parsing Authorization header")
response.Header().Set("Content-Type", "application/json")
WriteJSON(response, http.StatusInternalServerError, NewErrorList(NewError(UNSUPPORTED)))
return
}
if !permissions.Allowed {
authFail(w, permissions.WWWAuthenticateHeader, 0)
authFail(response, permissions.WWWAuthenticateHeader, 0)
return
}
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
})
}
}
// nolint:gocyclo // we use closure making this a complex subroutine
func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
realm := c.Config.HTTP.Realm
func basicAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
realm := ctlr.Config.HTTP.Realm
if realm == "" {
realm = "Authorization Required"
}
@@ -78,55 +82,58 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
realm = "Basic realm=" + strconv.Quote(realm)
// no password based authN, if neither LDAP nor HTTP BASIC is enabled
if c.Config.HTTP.Auth == nil || (c.Config.HTTP.Auth.HTPasswd.Path == "" && c.Config.HTTP.Auth.LDAP == nil) {
if ctlr.Config.HTTP.Auth == nil ||
(ctlr.Config.HTTP.Auth.HTPasswd.Path == "" && ctlr.Config.HTTP.Auth.LDAP == nil) {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if c.Config.HTTP.AllowReadAccess &&
c.Config.HTTP.TLS.CACert != "" &&
r.TLS.VerifiedChains == nil &&
r.Method != http.MethodGet && r.Method != http.MethodHead {
authFail(w, realm, 5)
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
if ctlr.Config.HTTP.AllowReadAccess &&
ctlr.Config.HTTP.TLS.CACert != "" &&
request.TLS.VerifiedChains == nil &&
request.Method != http.MethodGet && request.Method != http.MethodHead {
authFail(response, realm, 5) //nolint:gomnd
return
}
if (r.Method != http.MethodGet && r.Method != http.MethodHead) && c.Config.HTTP.ReadOnly {
if (request.Method != http.MethodGet && request.Method != http.MethodHead) && ctlr.Config.HTTP.ReadOnly {
// Reject modification requests in read-only mode
w.WriteHeader(http.StatusMethodNotAllowed)
response.WriteHeader(http.StatusMethodNotAllowed)
return
}
// Process request
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
})
}
}
credMap := make(map[string]string)
delay := c.Config.HTTP.Auth.FailDelay
delay := ctlr.Config.HTTP.Auth.FailDelay
var ldapClient *LDAPClient
if c.Config.HTTP.Auth != nil {
if c.Config.HTTP.Auth.LDAP != nil {
l := c.Config.HTTP.Auth.LDAP
if ctlr.Config.HTTP.Auth != nil {
if ctlr.Config.HTTP.Auth.LDAP != nil {
ldapConfig := ctlr.Config.HTTP.Auth.LDAP
ldapClient = &LDAPClient{
Host: l.Address,
Port: l.Port,
UseSSL: !l.Insecure,
SkipTLS: !l.StartTLS,
Base: l.BaseDN,
BindDN: l.BindDN,
BindPassword: l.BindPassword,
UserFilter: fmt.Sprintf("(%s=%%s)", l.UserAttribute),
InsecureSkipVerify: l.SkipVerify,
ServerName: l.Address,
Log: c.Log,
SubtreeSearch: l.SubtreeSearch,
Host: ldapConfig.Address,
Port: ldapConfig.Port,
UseSSL: !ldapConfig.Insecure,
SkipTLS: !ldapConfig.StartTLS,
Base: ldapConfig.BaseDN,
BindDN: ldapConfig.BindDN,
BindPassword: ldapConfig.BindPassword,
UserFilter: fmt.Sprintf("(%s=%%s)", ldapConfig.UserAttribute),
InsecureSkipVerify: ldapConfig.SkipVerify,
ServerName: ldapConfig.Address,
Log: ctlr.Log,
SubtreeSearch: ldapConfig.SubtreeSearch,
}
if c.Config.HTTP.Auth.LDAP.CACert != "" {
caCert, err := ioutil.ReadFile(c.Config.HTTP.Auth.LDAP.CACert)
if ctlr.Config.HTTP.Auth.LDAP.CACert != "" {
caCert, err := ioutil.ReadFile(ctlr.Config.HTTP.Auth.LDAP.CACert)
if err != nil {
panic(err)
}
@@ -141,7 +148,6 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
} else {
// default to system cert pool
caCertPool, err := x509.SystemCertPool()
if err != nil {
panic(errors.ErrBadCACert)
}
@@ -150,15 +156,14 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
}
}
if c.Config.HTTP.Auth.HTPasswd.Path != "" {
f, err := os.Open(c.Config.HTTP.Auth.HTPasswd.Path)
if ctlr.Config.HTTP.Auth.HTPasswd.Path != "" {
credsFile, err := os.Open(ctlr.Config.HTTP.Auth.HTPasswd.Path)
if err != nil {
panic(err)
}
defer f.Close()
defer credsFile.Close()
scanner := bufio.NewScanner(f)
scanner := bufio.NewScanner(credsFile)
for scanner.Scan() {
line := scanner.Text()
@@ -171,42 +176,48 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if (r.Method == http.MethodGet || r.Method == http.MethodHead) && c.Config.HTTP.AllowReadAccess {
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
if (request.Method == http.MethodGet || request.Method == http.MethodHead) && ctlr.Config.HTTP.AllowReadAccess {
// Process request
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
return
}
if (r.Method != http.MethodGet && r.Method != http.MethodHead) && c.Config.HTTP.ReadOnly {
if (request.Method != http.MethodGet && request.Method != http.MethodHead) && ctlr.Config.HTTP.ReadOnly {
// Reject modification requests in read-only mode
w.WriteHeader(http.StatusMethodNotAllowed)
response.WriteHeader(http.StatusMethodNotAllowed)
return
}
basicAuth := r.Header.Get("Authorization")
basicAuth := request.Header.Get("Authorization")
if basicAuth == "" {
authFail(w, realm, delay)
authFail(response, realm, delay)
return
}
s := strings.SplitN(basicAuth, " ", 2)
splitStr := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd
if len(splitStr) != 2 || strings.ToLower(splitStr[0]) != "basic" {
authFail(response, realm, delay)
if len(s) != 2 || strings.ToLower(s[0]) != "basic" {
authFail(w, realm, delay)
return
}
b, err := base64.StdEncoding.DecodeString(s[1])
decodedStr, err := base64.StdEncoding.DecodeString(splitStr[1])
if err != nil {
authFail(w, realm, delay)
authFail(response, realm, delay)
return
}
pair := strings.SplitN(string(b), ":", 2)
pair := strings.SplitN(string(decodedStr), ":", 2) //nolint:gomnd
// nolint:gomnd
if len(pair) != 2 {
authFail(w, realm, delay)
authFail(response, realm, delay)
return
}
@@ -218,22 +229,24 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
if ok {
if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err == nil {
// Process request
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
return
}
}
// next, LDAP if configured (network-based which can lose connectivity)
if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
if ctlr.Config.HTTP.Auth != nil && ctlr.Config.HTTP.Auth.LDAP != nil {
ok, _, err := ldapClient.Authenticate(username, passphrase)
if ok && err == nil {
// Process request
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
return
}
}
authFail(w, realm, delay)
authFail(response, realm, delay)
})
}
}
pkg/api/authz.go
+25 -23
View File
@@ -69,7 +69,7 @@ func (ac *AccessController) can(username, action, repository string) bool {
can = isPermitted(username, action, pg)
}
//check admins based policy
// check admins based policy
if !can {
if ac.isAdmin(username) && contains(ac.Config.AdminPolicy.Actions, action) {
can = true
@@ -85,7 +85,7 @@ func (ac *AccessController) isAdmin(username string) bool {
}
// getContext builds ac context(allowed to read repos and if user is admin) and returns it.
func (ac *AccessController) getContext(username string, r *http.Request) context.Context {
func (ac *AccessController) getContext(username string, request *http.Request) context.Context {
userAllowedRepos := ac.getReadRepos(username)
acCtx := AccessControlContext{userAllowedRepos: userAllowedRepos}
@@ -95,25 +95,26 @@ func (ac *AccessController) getContext(username string, r *http.Request) context
acCtx.isAdmin = false
}
ctx := context.WithValue(r.Context(), authzCtxKey, acCtx)
ctx := context.WithValue(request.Context(), authzCtxKey, acCtx)
return ctx
}
// isPermitted returns true if username can do action on a repository policy.
func isPermitted(username, action string, pg config.PolicyGroup) bool {
func isPermitted(username, action string, policyGroup config.PolicyGroup) bool {
var result bool
// check repo/system based policies
for _, p := range pg.Policies {
for _, p := range policyGroup.Policies {
if contains(p.Users, username) && contains(p.Actions, action) {
result = true
break
}
}
// check defaultPolicy
if !result {
if contains(pg.DefaultPolicy, action) {
if contains(policyGroup.DefaultPolicy, action) {
result = true
}
}
@@ -141,33 +142,34 @@ func containsRepo(slice []string, item string) bool {
return false
}
func AuthzHandler(c *Controller) mux.MiddlewareFunc {
func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
vars := mux.Vars(request)
resource := vars["name"]
reference, ok := vars["reference"]
ac := NewAccessController(c.Config)
username := getUsername(r)
ctx := ac.getContext(username, r)
acCtrlr := NewAccessController(ctlr.Config)
username := getUsername(request)
ctx := acCtrlr.getContext(username, request)
if request.RequestURI == "/v2/_catalog" || request.RequestURI == "/v2/" {
next.ServeHTTP(response, request.WithContext(ctx))
if r.RequestURI == "/v2/_catalog" || r.RequestURI == "/v2/" {
next.ServeHTTP(w, r.WithContext(ctx))
return
}
var action string
if r.Method == http.MethodGet || r.Method == http.MethodHead {
if request.Method == http.MethodGet || request.Method == http.MethodHead {
action = READ
}
if r.Method == http.MethodPut || r.Method == http.MethodPatch || r.Method == http.MethodPost {
if request.Method == http.MethodPut || request.Method == http.MethodPatch || request.Method == http.MethodPost {
// assume user wants to create
action = CREATE
// if we get a reference (tag)
if ok {
is := c.StoreController.GetImageStore(resource)
is := ctlr.StoreController.GetImageStore(resource)
tags, err := is.GetImageTags(resource)
// if repo exists and request's tag doesn't exist yet then action is UPDATE
if err == nil && contains(tags, reference) && reference != "latest" {
@@ -176,15 +178,15 @@ func AuthzHandler(c *Controller) mux.MiddlewareFunc {
}
}
if r.Method == http.MethodDelete {
if request.Method == http.MethodDelete {
action = DELETE
}
can := ac.can(username, action, resource)
can := acCtrlr.can(username, action, resource)
if !can {
authzFail(w, c.Config.HTTP.Realm, c.Config.HTTP.Auth.FailDelay)
authzFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
} else {
next.ServeHTTP(w, r.WithContext(ctx))
next.ServeHTTP(response, request.WithContext(ctx))
}
})
}
@@ -193,9 +195,9 @@ func AuthzHandler(c *Controller) mux.MiddlewareFunc {
func getUsername(r *http.Request) string {
// this should work because it worked in auth middleware
basicAuth := r.Header.Get("Authorization")
s := strings.SplitN(basicAuth, " ", 2)
s := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd
b, _ := base64.StdEncoding.DecodeString(s[1])
pair := strings.SplitN(string(b), ":", 2)
pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd
return pair[0]
}
pkg/api/config/config.go
+12 -11
View File
@@ -129,22 +129,22 @@ func New() *Config {
// Sanitize makes a sanitized copy of the config removing any secrets.
func (c *Config) Sanitize() *Config {
s := &Config{}
if err := deepcopy.Copy(s, c); err != nil {
sanitizedConfig := &Config{}
if err := deepcopy.Copy(sanitizedConfig, c); err != nil {
panic(err)
}
if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" {
s.HTTP.Auth.LDAP = &LDAPConfig{}
sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
if err := deepcopy.Copy(s.HTTP.Auth.LDAP, c.HTTP.Auth.LDAP); err != nil {
if err := deepcopy.Copy(sanitizedConfig.HTTP.Auth.LDAP, c.HTTP.Auth.LDAP); err != nil {
panic(err)
}
s.HTTP.Auth.LDAP.BindPassword = "******"
sanitizedConfig.HTTP.Auth.LDAP.BindPassword = "******"
}
return s
return sanitizedConfig
}
func (c *Config) Validate(log log.Logger) error {
@@ -153,6 +153,7 @@ func (c *Config) Validate(log log.Logger) error {
l := c.HTTP.Auth.LDAP
if l.UserAttribute == "" {
log.Error().Str("userAttribute", l.UserAttribute).Msg("invalid LDAP configuration")
return errors.ErrLDAPConfig
}
}
@@ -169,12 +170,12 @@ func (c *Config) LoadAccessControlConfig() error {
c.AccessControl = &AccessControlConfig{}
c.AccessControl.Repositories = make(map[string]PolicyGroup)
for k := range c.HTTP.RawAccessControl {
for policy := range c.HTTP.RawAccessControl {
var policies []Policy
var policyGroup PolicyGroup
if k == "adminpolicy" {
if policy == "adminpolicy" {
adminPolicy := viper.GetStringMapStringSlice("http.accessControl.adminPolicy")
c.AccessControl.AdminPolicy.Actions = adminPolicy["actions"]
c.AccessControl.AdminPolicy.Users = adminPolicy["users"]
@@ -182,15 +183,15 @@ func (c *Config) LoadAccessControlConfig() error {
continue
}
err := viper.UnmarshalKey(fmt.Sprintf("http.accessControl.%s.policies", k), &policies)
err := viper.UnmarshalKey(fmt.Sprintf("http.accessControl.%s.policies", policy), &policies)
if err != nil {
return err
}
defaultPolicy := viper.GetStringSlice(fmt.Sprintf("http.accessControl.%s.defaultPolicy", k))
defaultPolicy := viper.GetStringSlice(fmt.Sprintf("http.accessControl.%s.defaultPolicy", policy))
policyGroup.Policies = policies
policyGroup.DefaultPolicy = defaultPolicy
c.AccessControl.Repositories[k] = policyGroup
c.AccessControl.Repositories[policy] = policyGroup
}
return nil
pkg/api/controller.go
+12 -10
View File
@@ -11,6 +11,7 @@ import (
goSync "sync"
"time"
"github.com/docker/distribution/registry/storage/driver/factory"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
"zotregistry.io/zot/errors"
@@ -20,8 +21,6 @@ import (
"zotregistry.io/zot/pkg/log"
"zotregistry.io/zot/pkg/storage"
"zotregistry.io/zot/pkg/storage/s3"
"github.com/docker/distribution/registry/storage/driver/factory"
)
const (
@@ -58,13 +57,13 @@ func NewController(config *config.Config) *Controller {
func DefaultHeaders() mux.MiddlewareFunc {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
// CORS
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
response.Header().Set("Access-Control-Allow-Origin", "*")
response.Header().Set("Access-Control-Allow-Methods", "POST, GET, OPTIONS")
// handle the request
next.ServeHTTP(w, r)
next.ServeHTTP(response, request)
})
}
}
@@ -73,6 +72,7 @@ func (c *Controller) Run() error {
// validate configuration
if err := c.Config.Validate(c.Log); err != nil {
c.Log.Error().Err(err).Msg("configuration validation failed")
return err
}
@@ -118,7 +118,7 @@ func (c *Controller) Run() error {
c.Server = server
// Create the listener
l, err := net.Listen("tcp", addr)
listener, err := net.Listen("tcp", addr)
if err != nil {
return err
}
@@ -147,13 +147,13 @@ func (c *Controller) Run() error {
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
}
server.TLSConfig.BuildNameToCertificate() // nolint: staticcheck
server.TLSConfig.BuildNameToCertificate()
}
return server.ServeTLS(l, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)
return server.ServeTLS(listener, c.Config.HTTP.TLS.Cert, c.Config.HTTP.TLS.Key)
}
return server.Serve(l)
return server.Serve(listener)
}
func (c *Controller) InitImageStore() error {
@@ -184,6 +184,7 @@ func (c *Controller) InitImageStore() error {
store, err := factory.Create(storeName, c.Config.Storage.StorageDriver)
if err != nil {
c.Log.Error().Err(err).Str("rootDir", c.Config.Storage.RootDirectory).Msg("unable to create s3 service")
return err
}
@@ -235,6 +236,7 @@ func (c *Controller) InitImageStore() error {
store, err := factory.Create(storeName, storageConfig.StorageDriver)
if err != nil {
c.Log.Error().Err(err).Str("rootDir", storageConfig.RootDirectory).Msg("Unable to create s3 service")
return err
}
pkg/api/controller_test.go
+212 -201
View File
File diff suppressed because it is too large Load Diff
pkg/api/errors.go
+13 -13
View File
@@ -17,7 +17,7 @@ type ErrorList struct {
type ErrorCode int
// nolint: golint, stylecheck
// nolint: golint, stylecheck, revive
const (
BLOB_UNKNOWN ErrorCode = iota
BLOB_UPLOAD_INVALID
@@ -37,7 +37,7 @@ const (
)
func (e ErrorCode) String() string {
m := map[ErrorCode]string{
errMap := map[ErrorCode]string{
BLOB_UNKNOWN: "BLOB_UNKNOWN",
BLOB_UPLOAD_INVALID: "BLOB_UPLOAD_INVALID",
BLOB_UPLOAD_UNKNOWN: "BLOB_UPLOAD_UNKNOWN",
@@ -55,11 +55,11 @@ func (e ErrorCode) String() string {
UNSUPPORTED: "UNSUPPORTED",
}
return m[e]
return errMap[e]
}
func NewError(code ErrorCode, detail ...interface{}) Error { //nolint: interfacer
var errMap = map[ErrorCode]Error{
errMap := map[ErrorCode]Error{
BLOB_UNKNOWN: {
Message: "blob unknown to registry",
Description: "blob unknown to registry This error MAY be returned when a blob is unknown " +
@@ -154,25 +154,25 @@ func NewError(code ErrorCode, detail ...interface{}) Error { //nolint: interface
},
}
e, ok := errMap[code]
err, ok := errMap[code]
if !ok {
panic(errors.ErrUnknownCode)
}
e.Code = code.String()
e.Detail = detail
err.Code = code.String()
err.Detail = detail
return e
return err
}
func NewErrorList(errors ...Error) ErrorList {
el := make([]*Error, 0)
er := Error{}
errList := make([]*Error, 0)
err := Error{}
for _, e := range errors {
er = e
el = append(el, &er)
err = e
errList = append(errList, &err)
}
return ErrorList{el}
return ErrorList{errList}
}
pkg/api/ldap.go
+26 -21
View File
@@ -3,17 +3,14 @@
package api
import (
"sync"
"time"
"crypto/tls"
"crypto/x509"
"fmt"
goldap "github.com/go-ldap/ldap/v3"
"zotregistry.io/zot/errors"
"sync"
"time"
"github.com/go-ldap/ldap/v3"
"zotregistry.io/zot/errors"
"zotregistry.io/zot/pkg/log"
)
@@ -41,16 +38,17 @@ type LDAPClient struct {
// Connect connects to the ldap backend.
func (lc *LDAPClient) Connect() error {
if lc.Conn == nil {
var l *goldap.Conn
var l *ldap.Conn
var err error
address := fmt.Sprintf("%s:%d", lc.Host, lc.Port)
if !lc.UseSSL {
l, err = goldap.Dial("tcp", address)
l, err = ldap.Dial("tcp", address)
if err != nil {
lc.Log.Error().Err(err).Str("address", address).Msg("non-TLS connection failed")
return err
}
@@ -60,15 +58,17 @@ func (lc *LDAPClient) Connect() error {
InsecureSkipVerify: lc.InsecureSkipVerify, // nolint: gosec // InsecureSkipVerify is not true by default
RootCAs: lc.ClientCAs,
}
if lc.ClientCertificates != nil && len(lc.ClientCertificates) > 0 {
config.Certificates = lc.ClientCertificates
config.BuildNameToCertificate() // nolint: staticcheck
config.BuildNameToCertificate()
}
err = l.StartTLS(config)
if err != nil {
lc.Log.Error().Err(err).Str("address", address).Msg("TLS connection failed")
return err
}
}
@@ -80,11 +80,12 @@ func (lc *LDAPClient) Connect() error {
}
if lc.ClientCertificates != nil && len(lc.ClientCertificates) > 0 {
config.Certificates = lc.ClientCertificates
config.BuildNameToCertificate() // nolint: staticcheck
config.BuildNameToCertificate()
}
l, err = goldap.DialTLS("tcp", address, config)
l, err = ldap.DialTLS("tcp", address, config)
if err != nil {
lc.Log.Error().Err(err).Str("address", address).Msg("TLS connection failed")
return err
}
}
@@ -112,6 +113,7 @@ func sleepAndRetry(retries, maxRetries int) bool {
if retries < maxRetries {
time.Sleep(time.Duration(retries) * time.Second) // gradually backoff
return true
}
@@ -155,25 +157,27 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
// exhausted all retries?
if !connected {
lc.Log.Error().Err(errors.ErrLDAPBadConn).Msg("exhausted all retries")
return false, nil, errors.ErrLDAPBadConn
}
attributes := append(lc.Attributes, "dn")
searchScope := goldap.ScopeSingleLevel
attributes := lc.Attributes
attributes = append(attributes, "dn")
searchScope := ldap.ScopeSingleLevel
if lc.SubtreeSearch {
searchScope = goldap.ScopeWholeSubtree
searchScope = ldap.ScopeWholeSubtree
}
// Search for the given username
searchRequest := goldap.NewSearchRequest(
searchRequest := ldap.NewSearchRequest(
lc.Base,
searchScope, goldap.NeverDerefAliases, 0, 0, false,
searchScope, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf(lc.UserFilter, username),
attributes,
nil,
)
sr, err := lc.Conn.Search(searchRequest)
search, err := lc.Conn.Search(searchRequest)
if err != nil {
fmt.Printf("%v\n", err)
lc.Log.Error().Err(err).Str("bindDN", lc.BindDN).Str("username", username).
@@ -182,7 +186,7 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
return false, nil, err
}
if len(sr.Entries) < 1 {
if len(search.Entries) < 1 {
err := errors.ErrBadUser
lc.Log.Error().Err(err).Str("bindDN", lc.BindDN).Str("username", username).
Str("baseDN", lc.Base).Msg("entries not found")
@@ -190,7 +194,7 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
return false, nil, err
}
if len(sr.Entries) > 1 {
if len(search.Entries) > 1 {
err := errors.ErrEntriesExceeded
lc.Log.Error().Err(err).Str("bindDN", lc.BindDN).Str("username", username).
Str("baseDN", lc.Base).Msg("too many entries")
@@ -198,17 +202,18 @@ func (lc *LDAPClient) Authenticate(username, password string) (bool, map[string]
return false, nil, err
}
userDN := sr.Entries[0].DN
userDN := search.Entries[0].DN
user := map[string]string{}
for _, attr := range lc.Attributes {
user[attr] = sr.Entries[0].GetAttributeValue(attr)
user[attr] = search.Entries[0].GetAttributeValue(attr)
}
// Bind as the user to verify their password
err = lc.Conn.Bind(userDN, password)
if err != nil {
lc.Log.Error().Err(err).Str("bindDN", userDN).Msg("user bind failed")
return false, user, err
}
pkg/api/regexp.go
+4 -4
View File
@@ -29,19 +29,19 @@ var (
)
// match compiles the string to a regular expression.
// nolint (gochecknoglobals)
// nolint: gochecknoglobals
var match = regexp.MustCompile
// literal compiles s into a literal regular expression, escaping any regexp
// reserved characters.
func literal(s string) *regexp.Regexp {
re := match(regexp.QuoteMeta(s))
regx := match(regexp.QuoteMeta(s))
if _, complete := re.LiteralPrefix(); !complete {
if _, complete := regx.LiteralPrefix(); !complete {
panic("must be a literal")
}
return re
return regx
}
// expression defines a full expression, where each regular expression must
pkg/api/routes.go
+448 -385
View File
File diff suppressed because it is too large Load Diff
pkg/api/session.go
+31 -34
View File
@@ -35,20 +35,20 @@ func (w *statusWriter) Write(b []byte) (int, error) {
}
// SessionLogger logs session details.
func SessionLogger(c *Controller) mux.MiddlewareFunc {
l := c.Log.With().Str("module", "http").Logger()
func SessionLogger(ctlr *Controller) mux.MiddlewareFunc {
logger := ctlr.Log.With().Str("module", "http").Logger()
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
// Start timer
start := time.Now()
path := r.URL.Path
raw := r.URL.RawQuery
path := request.URL.Path
raw := request.URL.RawQuery
sw := statusWriter{ResponseWriter: w}
stwr := statusWriter{ResponseWriter: response}
// Process request
next.ServeHTTP(&sw, r)
next.ServeHTTP(&stwr, request)
// Stop timer
end := time.Now()
@@ -57,22 +57,20 @@ func SessionLogger(c *Controller) mux.MiddlewareFunc {
// Truncate in a golang < 1.8 safe way
latency -= latency % time.Second
}
clientIP := r.RemoteAddr
method := r.Method
clientIP := request.RemoteAddr
method := request.Method
headers := map[string][]string{}
username := ""
log := l.Info()
for key, value := range r.Header {
log := logger.Info()
for key, value := range request.Header {
if key == "Authorization" { // anonymize from logs
s := strings.SplitN(value[0], " ", 2)
s := strings.SplitN(value[0], " ", 2) //nolint:gomnd
if len(s) == 2 && strings.EqualFold(s[0], "basic") {
b, err := base64.StdEncoding.DecodeString(s[1])
if err == nil {
pair := strings.SplitN(string(b), ":", 2)
pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd
// nolint:gomnd
if len(pair) == 2 {
username = pair[0]
log = log.Str("username", username)
log = log.Str("username", pair[0])
}
}
}
@@ -80,8 +78,8 @@ func SessionLogger(c *Controller) mux.MiddlewareFunc {
}
headers[key] = value
}
statusCode := sw.status
bodySize := sw.length
statusCode := stwr.status
bodySize := stwr.length
if raw != "" {
path = path + "?" + raw
}
@@ -89,9 +87,9 @@ func SessionLogger(c *Controller) mux.MiddlewareFunc {
if path != "/v2/metrics" {
// In order to test metrics feture,the instrumentation related to node exporter
// should be handled by node exporter itself (ex: latency)
monitoring.IncHTTPConnRequests(c.Metrics, method, strconv.Itoa(statusCode))
monitoring.ObserveHTTPRepoLatency(c.Metrics, path, latency) // summary
monitoring.ObserveHTTPMethodLatency(c.Metrics, method, latency) // histogram
monitoring.IncHTTPConnRequests(ctlr.Metrics, method, strconv.Itoa(statusCode))
monitoring.ObserveHTTPRepoLatency(ctlr.Metrics, path, latency) // summary
monitoring.ObserveHTTPMethodLatency(ctlr.Metrics, method, latency) // histogram
}
log.Str("clientIP", clientIP).
@@ -108,28 +106,27 @@ func SessionLogger(c *Controller) mux.MiddlewareFunc {
func SessionAuditLogger(audit *log.Logger) mux.MiddlewareFunc {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
path := r.URL.Path
raw := r.URL.RawQuery
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
path := request.URL.Path
raw := request.URL.RawQuery
sw := statusWriter{ResponseWriter: w}
statusWr := statusWriter{ResponseWriter: response}
// Process request
next.ServeHTTP(&sw, r)
next.ServeHTTP(&statusWr, request)
clientIP := r.RemoteAddr
method := r.Method
clientIP := request.RemoteAddr
method := request.Method
username := ""
for key, value := range r.Header {
for key, value := range request.Header {
if key == "Authorization" { // anonymize from logs
s := strings.SplitN(value[0], " ", 2)
s := strings.SplitN(value[0], " ", 2) //nolint:gomnd
if len(s) == 2 && strings.EqualFold(s[0], "basic") {
b, err := base64.StdEncoding.DecodeString(s[1])
if err == nil {
pair := strings.SplitN(string(b), ":", 2)
// nolint:gomnd
if len(pair) == 2 {
pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd
if len(pair) == 2 { //nolint:gomnd
username = pair[0]
}
}
@@ -137,7 +134,7 @@ func SessionAuditLogger(audit *log.Logger) mux.MiddlewareFunc {
}
}
statusCode := sw.status
statusCode := statusWr.status
if raw != "" {
path = path + "?" + raw
}