refactor(authz): use a struct for user access control info operations (#1682)

fix(authz): fix isAdmin not using groups to determine if a user is admin. fix(authz): return 401 instead of 403 403 is correct as per HTTP spec However authz is not part of dist-spec and clients know only about 401 So this is a compromise. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2026-06-16 20:38:08 +08:00 · 2023-09-01 21:13:53 +03:00
parent b80deb9927
commit c6b822f3dd
28 changed files with 1052 additions and 889 deletions
@@ -0,0 +1,158 @@
+load helpers_zot
+
+function verify_prerequisites {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    return 0
+}
+
+function setup_file() {
+    # Verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local zot_htpasswd_file=${BATS_FILE_TMPDIR}/zot_htpasswd
+    htpasswd -Bbn test test123 >> ${zot_htpasswd_file}
+    
+    echo ${zot_root_dir} >&3
+
+    mkdir -p ${zot_root_dir}
+
+    cat > ${zot_config_file}<<EOF
+{
+  "distSpecVersion":"1.1.0-dev",
+  "storage":{
+    "dedupe": true,
+    "gc": true,
+    "gcDelay": "1h",
+    "gcInterval": "6h",
+    "rootDirectory": "${zot_root_dir}"
+  },
+  "http": {
+		"address": "127.0.0.1",
+		"port": "8080",
+    "realm":"zot",
+    "auth": {
+      "htpasswd": {
+        "path": "${zot_htpasswd_file}"
+      },
+      "failDelay": 5
+    },
+    "accessControl": {
+      "repositories": {
+        "**": {
+          "anonymousPolicy": ["read"],
+          "defaultPolicy": ["read", "create"]
+        }
+      },
+      "adminPolicy": {
+        "users": ["admin"],
+        "actions": ["read", "create", "update", "delete"]
+      }
+    }
+  },
+  "log":{
+    "level":"debug"
+  }
+}
+EOF
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable 8080
+}
+
+function teardown_file() {
+    zot_stop_all
+}
+
+@test "push image with regclient" {
+    run regctl registry set localhost:8080 --tls disabled
+    run regctl registry login localhost:8080 -u test -p test123
+    [ "$status" -eq 0 ]
+    run regctl image copy ocidir://${TEST_DATA_DIR}/golang:1.20 localhost:8080/test-regclient
+    [ "$status" -eq 0 ]
+}
+
+@test "pull image with regclient" {
+    run regctl image copy localhost:8080/test-regclient ocidir://${TEST_DATA_DIR}/golang:1.20
+    [ "$status" -eq 0 ]
+}
+
+@test "push OCI artifact with regclient" {
+    run regctl artifact put localhost:8080/artifact:demo <<EOF
+this is an artifact
+EOF
+    [ "$status" -eq 0 ]
+}
+
+@test "pull OCI artifact with regclient" {
+    run regctl manifest get localhost:8080/artifact:demo
+    [ "$status" -eq 0 ]
+    run regctl artifact get localhost:8080/artifact:demo
+    [ "$status" -eq 0 ]
+    [ "${lines[-1]}" == "this is an artifact" ]
+}
+
+@test "push OCI artifact references with regclient" {
+    run regctl artifact put localhost:8080/manifest-ref:demo <<EOF
+test artifact
+EOF
+    [ "$status" -eq 0 ]
+    run regctl artifact list localhost:8080/manifest-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 0 ]
+    run regctl artifact put --annotation  demo=true --annotation format=oci --artifact-type "application/vnd.example.icecream.v1" --subject localhost:8080/manifest-ref:demo << EOF
+test reference
+EOF
+    [ "$status" -eq 0 ]
+    # with artifact media-type
+    run regctl artifact put localhost:8080/artifact-ref:demo <<EOF
+test artifact
+EOF
+    [ "$status" -eq 0 ]
+    run regctl artifact list localhost:8080/artifact-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 0 ]
+    run regctl artifact put --annotation  demo=true --annotation format=oci --artifact-type "application/vnd.example.icecream.v1" --subject localhost:8080/artifact-ref:demo << EOF
+test reference
+EOF
+    [ "$status" -eq 0 ]
+}
+
+@test "list OCI artifact references with regclient" {
+    run regctl artifact list localhost:8080/manifest-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 1 ]
+    run regctl artifact list --filter-artifact-type "application/vnd.example.icecream.v1" localhost:8080/manifest-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 1 ]
+    run regctl artifact list --filter-artifact-type "application/invalid" localhost:8080/manifest-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 0 ]
+    # with artifact media-type
+    run regctl artifact list localhost:8080/artifact-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 1 ]
+    run regctl artifact list --filter-artifact-type "application/vnd.example.icecream.v1" localhost:8080/artifact-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 1 ]
+    run regctl artifact list --filter-artifact-type "application/invalid" localhost:8080/artifact-ref:demo --format raw-body
+    [ "$status" -eq 0 ]
+    [ $(echo "${lines[-1]}" | jq '.manifests | length') -eq 0 ]
+}