mirror of
https://github.com/project-zot/zot.git
synced 2026-06-16 04:17:55 +08:00
default policy only authorization
unit tests for manifest integrity when updating Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
This commit is contained in:
laurentiuNiculae
committed by
Ramkumar Chinchani
Ramkumar Chinchani
parent
e1a1bdff1a
commit
bb95af5b4d
+38
-4
@@ -231,10 +231,8 @@ func validateConfiguration(config *config.Config) error {
|
||||
// check authorization config, it should have basic auth enabled or ldap
|
||||
if config.HTTP.RawAccessControl != nil {
|
||||
if config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil) {
|
||||
log.Error().Err(errors.ErrBadConfig).
|
||||
Msg("access control config requires httpasswd or ldap authentication to be enabled")
|
||||
|
||||
return errors.ErrBadConfig
|
||||
// checking for default policy only authorization config: no users, no policies but default policy
|
||||
checkForDefaultPolicyConfig(config)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -311,6 +309,15 @@ func validateConfiguration(config *config.Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func checkForDefaultPolicyConfig(config *config.Config) {
|
||||
if !isDefaultPolicyConfig(config) {
|
||||
log.Error().Err(errors.ErrBadConfig).
|
||||
Msg("access control config requires httpasswd, ldap authentication " +
|
||||
"or using only 'defaultPolicy' policies")
|
||||
panic(errors.ErrBadConfig)
|
||||
}
|
||||
}
|
||||
|
||||
func applyDefaultValues(config *config.Config, viperInstance *viper.Viper) {
|
||||
defaultVal := true
|
||||
|
||||
@@ -431,3 +438,30 @@ func LoadConfiguration(config *config.Config, configPath string) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func isDefaultPolicyConfig(cfg *config.Config) bool {
|
||||
adminPolicy := cfg.AccessControl.AdminPolicy
|
||||
|
||||
log.Info().Msg("checking if default authorization is possible")
|
||||
|
||||
if len(adminPolicy.Actions)+len(adminPolicy.Users) > 0 {
|
||||
log.Info().Msg("admin policy detected, default authorization disabled")
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
for _, repository := range cfg.AccessControl.Repositories {
|
||||
for _, policy := range repository.Policies {
|
||||
if len(policy.Actions)+len(policy.Users) > 0 {
|
||||
log.Info().Interface("repository", repository).
|
||||
Msg("repository with non-empty policy detected, default authorization disabled")
|
||||
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
log.Info().Msg("default authorization detected")
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -174,6 +174,62 @@ func TestVerify(t *testing.T) {
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldNotPanic)
|
||||
})
|
||||
|
||||
Convey("Test verify default authorization", t, func(c C) {
|
||||
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
defer os.Remove(tmpfile.Name()) // clean up
|
||||
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
|
||||
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
|
||||
"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
|
||||
"/repo":{"defaultPolicy": ["read", "create"]}
|
||||
}}}`)
|
||||
_, err = tmpfile.Write(content)
|
||||
So(err, ShouldBeNil)
|
||||
err = tmpfile.Close()
|
||||
So(err, ShouldBeNil)
|
||||
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldNotPanic)
|
||||
})
|
||||
|
||||
Convey("Test verify default authorization fail", t, func(c C) {
|
||||
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
defer os.Remove(tmpfile.Name()) // clean up
|
||||
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
|
||||
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
|
||||
"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
|
||||
"/repo":{"defaultPolicy": ["read", "create"]},
|
||||
"adminPolicy":{"users":["admin"],
|
||||
"actions":["read","create","update","delete"]}
|
||||
}}}`)
|
||||
_, err = tmpfile.Write(content)
|
||||
So(err, ShouldBeNil)
|
||||
err = tmpfile.Close()
|
||||
So(err, ShouldBeNil)
|
||||
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
|
||||
})
|
||||
|
||||
Convey("Test verify default authorization fail", t, func(c C) {
|
||||
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
defer os.Remove(tmpfile.Name()) // clean up
|
||||
content := []byte(`{"storage":{"rootDirectory":"/tmp/zot"},
|
||||
"http":{"address":"127.0.0.1","port":"8080","realm":"zot",
|
||||
"accessControl":{"**":{"defaultPolicy": ["read", "create"]},
|
||||
"/repo":{"defaultPolicy": ["read", "create"]},
|
||||
"/repo2":{"policies": [{
|
||||
"users": ["charlie"],
|
||||
"actions": ["read", "create", "update"]}]}
|
||||
}}}`)
|
||||
_, err = tmpfile.Write(content)
|
||||
So(err, ShouldBeNil)
|
||||
err = tmpfile.Close()
|
||||
So(err, ShouldBeNil)
|
||||
os.Args = []string{"cli_test", "verify", tmpfile.Name()}
|
||||
So(func() { _ = cli.NewServerRootCmd().Execute() }, ShouldPanic)
|
||||
})
|
||||
|
||||
Convey("Test verify w/ sync and w/o filesystem storage", t, func(c C) {
|
||||
tmpfile, err := ioutil.TempFile("", "zot-test*.json")
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
Reference in New Issue
Block a user