mirror of
https://github.com/project-zot/zot.git
synced 2026-06-16 20:38:08 +08:00
default policy only authorization
unit tests for manifest integrity when updating Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
This commit is contained in:
laurentiuNiculae
committed by
Ramkumar Chinchani
Ramkumar Chinchani
parent
e1a1bdff1a
commit
bb95af5b4d
+38
-4
@@ -231,10 +231,8 @@ func validateConfiguration(config *config.Config) error {
|
||||
// check authorization config, it should have basic auth enabled or ldap
|
||||
if config.HTTP.RawAccessControl != nil {
|
||||
if config.HTTP.Auth == nil || (config.HTTP.Auth.HTPasswd.Path == "" && config.HTTP.Auth.LDAP == nil) {
|
||||
log.Error().Err(errors.ErrBadConfig).
|
||||
Msg("access control config requires httpasswd or ldap authentication to be enabled")
|
||||
|
||||
return errors.ErrBadConfig
|
||||
// checking for default policy only authorization config: no users, no policies but default policy
|
||||
checkForDefaultPolicyConfig(config)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -311,6 +309,15 @@ func validateConfiguration(config *config.Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func checkForDefaultPolicyConfig(config *config.Config) {
|
||||
if !isDefaultPolicyConfig(config) {
|
||||
log.Error().Err(errors.ErrBadConfig).
|
||||
Msg("access control config requires httpasswd, ldap authentication " +
|
||||
"or using only 'defaultPolicy' policies")
|
||||
panic(errors.ErrBadConfig)
|
||||
}
|
||||
}
|
||||
|
||||
func applyDefaultValues(config *config.Config, viperInstance *viper.Viper) {
|
||||
defaultVal := true
|
||||
|
||||
@@ -431,3 +438,30 @@ func LoadConfiguration(config *config.Config, configPath string) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func isDefaultPolicyConfig(cfg *config.Config) bool {
|
||||
adminPolicy := cfg.AccessControl.AdminPolicy
|
||||
|
||||
log.Info().Msg("checking if default authorization is possible")
|
||||
|
||||
if len(adminPolicy.Actions)+len(adminPolicy.Users) > 0 {
|
||||
log.Info().Msg("admin policy detected, default authorization disabled")
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
for _, repository := range cfg.AccessControl.Repositories {
|
||||
for _, policy := range repository.Policies {
|
||||
if len(policy.Actions)+len(policy.Users) > 0 {
|
||||
log.Info().Interface("repository", repository).
|
||||
Msg("repository with non-empty policy detected, default authorization disabled")
|
||||
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
log.Info().Msg("default authorization detected")
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user