github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:17:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: make config read/write thread safe (#3432)

Browse Source 
* fix: make config read/write thread safe and fix some other similar issues

1. The config config has a lock, and safe methods to update and read the attributes
2. The config has methods to retrieve copies of specific attributes, such as the extyensions config, the auth config, and the authz config.
These are needed, as the config object may mutate in the middle of an auth/authz requests, and we avoid partial configuration being applied for that request.
3. Fix an issue with the monitoring server not stopping when the controller is shut down.
4. Fix an issue with the HTPasswdWatcher not stopping when the background tasks are supposed to finish.
5. Fix some tests using hardcoded ports.

Moved some of the methods which were on the main config to the auth, access control and extension configs

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
This commit is contained in:
Andrei Aaron
2025-10-18 11:20:58 +03:00
committed by GitHub
parent 2402296e9a
commit dfb5d1df54
41 changed files with 6029 additions and 661 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/common/http_server.go
+11 -4
View File
@@ -38,7 +38,9 @@ func ACHeadersMiddleware(config *config.Config, allowedMethods ...string) mux.Mi
resp.Header().Set("Access-Control-Allow-Methods", allowedMethodsValue)
resp.Header().Set("Access-Control-Allow-Headers", "Authorization,content-type,"+constants.SessionClientHeaderName)
if config.IsBasicAuthnEnabled() {
// Get auth config safely
authConfig := config.CopyAuthConfig()
if authConfig.IsBasicAuthnEnabled() {
resp.Header().Set("Access-Control-Allow-Credentials", "true")
}
@@ -73,23 +75,28 @@ func AddCORSHeaders(allowOrigin string, response http.ResponseWriter) {
func AuthzOnlyAdminsMiddleware(conf *config.Config) mux.MiddlewareFunc {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
if !conf.IsBasicAuthnEnabled() {
// Get auth config safely
authConfig := conf.CopyAuthConfig()
if !authConfig.IsBasicAuthnEnabled() {
next.ServeHTTP(response, request)
return
}
realm := conf.GetRealm()
failDelay := authConfig.GetFailDelay()
// get userAccessControl built in previous authn/authz middlewares
userAc, err := reqCtx.UserAcFromContext(request.Context())
if err != nil { // should not happen as this has been previously checked for errors
AuthzFail(response, request, userAc.GetUsername(), conf.HTTP.Realm, conf.HTTP.Auth.FailDelay)
AuthzFail(response, request, userAc.GetUsername(), realm, failDelay)
return
}
// reject non-admin access if authentication is enabled
if userAc != nil && !userAc.IsAdmin() {
AuthzFail(response, request, userAc.GetUsername(), conf.HTTP.Realm, conf.HTTP.Auth.FailDelay)
AuthzFail(response, request, userAc.GetUsername(), realm, failDelay)
return
}