github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-16 20:38:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

refactor(authz): use a struct for user access control info operations (#1682)

Browse Source 
fix(authz): fix isAdmin not using groups to determine if a user is admin.
fix(authz): return 401 instead of 403

403 is correct as per HTTP spec
However authz is not part of dist-spec and clients know only about 401
So this is a compromise.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
This commit is contained in:
peusebiu
2023-09-01 21:13:53 +03:00
committed by GitHub
parent b80deb9927
commit c6b822f3dd
28 changed files with 1052 additions and 889 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/extensions/search/resolver.go
+2 -2
View File
@@ -26,7 +26,7 @@ import (
"zotregistry.io/zot/pkg/extensions/search/pagination"
"zotregistry.io/zot/pkg/log"
mTypes "zotregistry.io/zot/pkg/meta/types"
localCtx "zotregistry.io/zot/pkg/requestcontext"
reqCtx "zotregistry.io/zot/pkg/requestcontext"
"zotregistry.io/zot/pkg/storage"
)
@@ -1108,7 +1108,7 @@ func deleteElementAt(slice []*string, i int) []*string {
func expandedRepoInfo(ctx context.Context, repo string, metaDB mTypes.MetaDB, cveInfo cveinfo.CveInfo, log log.Logger,
) (*gql_generated.RepoInfo, error) {
if ok, err := localCtx.RepoIsUserAvailable(ctx, repo); !ok || err != nil {
if ok, err := reqCtx.RepoIsUserAvailable(ctx, repo); !ok || err != nil {
log.Info().Err(err).Str("repository", repo).Bool("availability", ok).Msg("resolver: repo user availability")
return &gql_generated.RepoInfo{}, nil //nolint:nilerr // don't give details to a potential attacker
pkg/extensions/search/resolver_test.go
+7 -9
View File
@@ -22,7 +22,7 @@ import (
"zotregistry.io/zot/pkg/log"
"zotregistry.io/zot/pkg/meta/boltdb"
mTypes "zotregistry.io/zot/pkg/meta/types"
localCtx "zotregistry.io/zot/pkg/requestcontext"
reqCtx "zotregistry.io/zot/pkg/requestcontext"
"zotregistry.io/zot/pkg/storage"
"zotregistry.io/zot/pkg/test/mocks"
)
@@ -3584,15 +3584,13 @@ func TestExpandedRepoInfo(t *testing.T) {
})
Convey("Access error", t, func() {
authzCtxKey := localCtx.GetContextKey()
acCtxUser := localCtx.AccessControlContext{
ReadGlobPatterns: map[string]bool{
"repo": false,
},
Username: "user",
}
userAc := reqCtx.NewUserAccessControl()
userAc.SetUsername("user")
userAc.SetGlobPatterns("read", map[string]bool{
"repo": false,
})
ctx := context.WithValue(context.Background(), authzCtxKey, acCtxUser)
ctx := userAc.DeriveContext(context.Background())
responseContext := graphql.WithResponseContext(ctx, graphql.DefaultErrorPresenter,
graphql.DefaultRecover)