Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): add e2e test for bearer OIDC and a kind cluster

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): make OIDC workload identity federation its own feature

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): move errors to the errors package

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): fix race in cel package

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): compile cel expressions

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

---------

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
This commit is contained in:
Matheus Pimenta
2026-01-25 05:03:53 +00:00
committed by GitHub
parent ba3436c57e
commit bf619c570e
25 changed files with 5151 additions and 52 deletions
+8 -5
@@ -17,9 +17,10 @@ import (
)
const (
BASIC = "Basic"
BEARER = "Bearer"
OPENID = "OpenID"
BASIC = "Basic"
BEARER = "Bearer"
BEARER_OIDC = "BearerOIDC" // OIDC bearer tokens use accessControl config for authorization
OPENID = "OpenID"
)
func AuthzFilterFunc(userAc *reqCtx.UserAccessControl) storageTypes.FilterRepoFunc {
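Review bot: The comment on the new BEARER_OIDC constant says how OIDC tokens are authorized but not why the value itself matters: BaseAuthzHandler and DistSpecAuthzHandler skip authorization by comparing `authnMwCtx.AuthnType == BEARER`, so the only thing keeping OIDC requests under the accessControl checks is that "BearerOIDC" differs from "Bearer". I would make that constraint explicit on the constant, e.g. `BEARER_OIDC = "BearerOIDC" // OIDC bearer tokens use accessControl config for authorization; must stay distinct from BEARER, which the authz middleware bypasses`. A unit test asserting that a request whose authn type is BEARER_OIDC reaches the authorization checks would pin the behaviour down against a future rename. The const block is complete in this hunk; AuthzFilterFunc's body continues outside it.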
@@ -264,7 +265,8 @@ func BaseAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
return
}
// request comes from bearer authn, bypass it
// request comes from bearer authn, bypass it. note: we don't bypass for BEARER_OIDC
// tokens since they use accessControl config for authorization
authnMwCtx, err := reqCtx.GetAuthnMiddlewareContext(request.Context())
if err != nil || (authnMwCtx != nil && authnMwCtx.AuthnType == BEARER) {
next.ServeHTTP(response, request)
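Review bot: The new comment promises that BEARER_OIDC requests are never bypassed, but the guard on the following line also bypasses authorization whenever GetAuthnMiddlewareContext returns an error, independent of token type; whether that error can occur after the authn middleware has run is not visible here. If it can, an OIDC request would skip the accessControl checks this comment relies on, so the comment should either state that precondition or the guard should fail closed, handling `err != nil` as a denial rather than falling through to `next.ServeHTTP`. The same comment and guard are added in DistSpecAuthzHandler in the next hunk, so whatever is decided here applies there too. BaseAuthzHandler's body begins outside this hunk.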
@@ -311,7 +313,8 @@ func DistSpecAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
return
}
// request comes from bearer authn, bypass it
// request comes from bearer authn, bypass it. note: we don't bypass for BEARER_OIDC
// tokens since they use accessControl config for authorization
authnMwCtx, err := reqCtx.GetAuthnMiddlewareContext(request.Context())
if err != nil || (authnMwCtx != nil && authnMwCtx.AuthnType == BEARER) {
next.ServeHTTP(response, request)