From d5487d53e39963e8c1e0eba569a991add11d2596 Mon Sep 17 00:00:00 2001
From: peusebiu
Date: Wed, 21 Jun 2023 16:06:53 +0300
Subject: [PATCH] fix(authz): assign identity to authz context in tls mutual authentication (#1541)

this causes a bug in extensions by not having the identity for the authenticated user and couldn't apply his permissions, just the default ones.

Signed-off-by: Petu Eusebiu
---
 pkg/api/authz.go | 3 +++
 pkg/api/controller_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/pkg/api/authz.go b/pkg/api/authz.go
index 7b4abd30..77b4d956 100644
--- a/pkg/api/authz.go
+++ b/pkg/api/authz.go
@@ -279,6 +279,9 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 return
 }
+
+ // assign identity to authz context, needed for extensions
+ acCtx.Username = identity
 }
 }
diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go
index 0eb97d48..c352291d 100644
--- a/pkg/api/controller_test.go
+++ b/pkg/api/controller_test.go
@@ -1370,11 +1370,22 @@ func TestMutualTLSAuthWithUserPermissions(t *testing.T) {
 So(resp, ShouldNotBeNil)
 So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+ resp, err = resty.R().Get(secureBaseURL + "/v2/_catalog")
+ So(err, ShouldBeNil)
+ So(resp, ShouldNotBeNil)
+ So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
 // with creds, should get expected status code
 resp, _ = resty.R().Get(secureBaseURL)
 So(resp, ShouldNotBeNil)
 So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
+ // reading a repo should not get 403
+ resp, err = resty.R().Get(secureBaseURL + "/v2/repo/tags/list")
+ So(err, ShouldBeNil)
+ So(resp, ShouldNotBeNil)
+ So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
+
 // without creds, writes should fail
 resp, err = resty.R().Post(secureBaseURL + "/v2/repo/blobs/uploads/")
 So(err, ShouldBeNil)
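Review bot: The added `acCtx.Username = identity` is placed after the early `return` guard, so it is only reached on the success path, but from the hunk alone it is not visible whether acCtx has already been attached to the request context at that point; if it is stored by value rather than by pointer, downstream extensions would still see an empty Username, which is worth confirming against the lines above the hunk. The new comment should also say what `identity` is so that a later reader does not have to trace it back, e.g. `// identity is the user authenticated earlier in this handler (mutual TLS path); extensions read acCtx.Username to apply per-user rather than default permissions`. AuthzHandler begins and ends outside the hunk.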
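Review bot: The new assertions only cover the permissive outcome (200 on `/v2/_catalog`, 404 rather than 403 on `/v2/repo/tags/list`), so the test would also pass if the handler applied broad default permissions instead of the authenticated user's own; a negative case for the same identity, e.g. a read on a repository this user is not granted and an assertion on `http.StatusForbidden`, would pin that Username is actually consulted. The first added request also lacks the explanatory comment its siblings have; `// with identity set, the catalog should be readable by the authorized user` would match the surrounding style. Whether the test user's policy allows the catalog and denies some repository is not visible in the hunk, and TestMutualTLSAuthWithUserPermissions begins and ends outside it.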