feat(mgmt): added mgmt extension which returns current zot configuration (#1198)

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>

pkg/extensions/_zot.md

@@ -6,6 +6,7 @@
 Component | Endpoint | Description
 --- | --- | ---
 [`search`](search/search.md) | `/v2/_zot/ext/search` | efficient and enhanced registry search capabilities using graphQL backend
+[`mgmt`](mgmt.md) | `/v2/_zot/ext/mgmt` | config management
 
 
 # References

pkg/extensions/config/config.go

@@ -18,6 +18,11 @@ type ExtensionConfig struct {
 	Scrub   *ScrubConfig
 	Lint    *LintConfig
 	UI      *UIConfig
+	Mgmt    *MgmtConfig
+}
+
+type MgmtConfig struct {
+	BaseConfig `mapstructure:",squash"`
 }
 
 type LintConfig struct {

pkg/extensions/extension_mgmt.go

@@ -0,0 +1,90 @@
+//go:build mgmt
+// +build mgmt
+
+package extensions
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	"zotregistry.io/zot/pkg/api/config"
+	"zotregistry.io/zot/pkg/api/constants"
+	"zotregistry.io/zot/pkg/common"
+	"zotregistry.io/zot/pkg/log"
+)
+
+type HTPasswd struct {
+	Path string `json:"path,omitempty"`
+}
+
+type BearerConfig struct {
+	Realm   string `json:"realm,omitempty"`
+	Service string `json:"service,omitempty"`
+}
+
+type Auth struct {
+	HTPasswd *HTPasswd     `json:"htpasswd,omitempty" mapstructure:"htpasswd"`
+	Bearer   *BearerConfig `json:"bearer,omitempty" mapstructure:"bearer"`
+	LDAP     *struct {
+		Address string `json:"address,omitempty" mapstructure:"address"`
+	} `json:"ldap,omitempty" mapstructure:"ldap"`
+}
+
+type StrippedConfig struct {
+	DistSpecVersion string `json:"distSpecVersion" mapstructure:"distSpecVersion"`
+	BinaryType      string `json:"binaryType" mapstructure:"binaryType"`
+	HTTP            struct {
+		Auth *Auth `json:"auth,omitempty" mapstructure:"auth"`
+	} `json:"http" mapstructure:"http"`
+}
+
+func (auth Auth) MarshalJSON() ([]byte, error) {
+	type localAuth Auth
+
+	if auth.Bearer == nil && auth.LDAP == nil &&
+		auth.HTPasswd.Path == "" {
+		auth.HTPasswd = nil
+
+		return json.Marshal((localAuth)(auth))
+	}
+
+	if auth.HTPasswd.Path == "" && auth.LDAP == nil {
+		auth.HTPasswd = nil
+	} else {
+		auth.HTPasswd.Path = ""
+	}
+
+	auth.LDAP = nil
+
+	return json.Marshal((localAuth)(auth))
+}
+
+type mgmt struct {
+	config *config.Config
+	log    log.Logger
+}
+
+func (mgmt *mgmt) handler(response http.ResponseWriter, request *http.Request) {
+	sanitizedConfig := mgmt.config.Sanitize()
+
+	buf, err := common.MarshalThroughStruct(sanitizedConfig, &StrippedConfig{})
+	if err != nil {
+		mgmt.log.Error().Err(err).Msg("mgmt: couldn't marshal config response")
+
+		response.WriteHeader(http.StatusInternalServerError)
+	}
+
+	_, _ = response.Write(buf)
+}
+
+func SetupMgmtRoutes(config *config.Config, router *mux.Router, log log.Logger) {
+	if config.Extensions.Mgmt != nil && *config.Extensions.Mgmt.Enable {
+		log.Info().Msg("setting up mgmt routes")
+
+		mgmt := mgmt{config: config, log: log}
+
+		router.PathPrefix(constants.ExtMgmtPrefix).Methods("GET").HandlerFunc(mgmt.handler)
+	}
+}

pkg/extensions/extension_mgmt_disabled.go

@@ -0,0 +1,16 @@
+//go:build !mgmt
+// +build !mgmt
+
+package extensions
+
+import (
+	"github.com/gorilla/mux"
+
+	"zotregistry.io/zot/pkg/api/config"
+	"zotregistry.io/zot/pkg/log"
+)
+
+func SetupMgmtRoutes(config *config.Config, router *mux.Router, log log.Logger) {
+	log.Warn().Msg("skipping setting up mgmt routes because given zot binary doesn't include this feature," +
+		"please build a binary that does so")
+}

pkg/extensions/extension_search.go

@@ -197,6 +197,16 @@ func GetExtensions(config *config.Config) distext.ExtensionList {
 		extensions = append(extensions, searchExt)
 	}
 
+	if config.Extensions != nil && config.Extensions.Mgmt != nil {
+		endpoints := []string{constants.FullMgmtPrefix}
+		mgmtExt := getExtension("_zot",
+			"https://github.com/project-zot/zot/blob/"+config.ReleaseTag+"/pkg/extensions/_zot.md",
+			"zot registry extensions",
+			endpoints)
+
+		extensions = append(extensions, mgmtExt)
+	}
+
 	extensionList.Extensions = extensions
 
 	return extensionList

pkg/extensions/extensions_test.go

@@ -1,16 +1,21 @@
-//go:build sync || metrics
-// +build sync metrics
+//go:build sync || metrics || mgmt
+// +build sync metrics mgmt
 
 package extensions_test
 
 import (
+	"encoding/json"
+	"net/http"
 	"os"
 	"testing"
 
 	. "github.com/smartystreets/goconvey/convey"
+	"gopkg.in/resty.v1"
 
 	"zotregistry.io/zot/pkg/api"
 	"zotregistry.io/zot/pkg/api/config"
+	"zotregistry.io/zot/pkg/api/constants"
+	"zotregistry.io/zot/pkg/extensions"
 	extconf "zotregistry.io/zot/pkg/extensions/config"
 	syncconf "zotregistry.io/zot/pkg/extensions/config/sync"
 	"zotregistry.io/zot/pkg/test"
@@ -92,3 +97,415 @@ func TestMetricsExtension(t *testing.T) {
 			"Prometheus instrumentation Path not set, changing to '/metrics'.")
 	})
 }
+
+func TestMgmtExtension(t *testing.T) {
+	globalDir := t.TempDir()
+	conf := config.New()
+	port := test.GetFreePort()
+	conf.HTTP.Port = port
+	baseURL := test.GetBaseURL(port)
+
+	logFile, err := os.CreateTemp(globalDir, "zot-log*.txt")
+	if err != nil {
+		panic(err)
+	}
+
+	defaultValue := true
+
+	Convey("Verify mgmt route enabled with htpasswd", t, func() {
+		htpasswdPath := test.MakeHtpasswdFile()
+		conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+
+		// with credentials
+		resp, err = resty.R().SetBasicAuth("test", "test").Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp = extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+
+		// with wrong credentials
+		resp, err = resty.R().SetBasicAuth("test", "wrong").Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusUnauthorized)
+	})
+
+	Convey("Verify mgmt route enabled with ldap", t, func() {
+		conf.HTTP.Auth.LDAP = &config.LDAPConfig{
+			BindDN:  "binddn",
+			BaseDN:  "basedn",
+			Address: "ldapexample",
+		}
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		// ldap is always nil, htpasswd should be populated when ldap is used
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+	})
+
+	Convey("Verify mgmt route enabled with htpasswd + ldap", t, func() {
+		htpasswdPath := test.MakeHtpasswdFile()
+		conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
+		conf.HTTP.Auth.LDAP = &config.LDAPConfig{
+			BindDN:  "binddn",
+			BaseDN:  "basedn",
+			Address: "ldapexample",
+		}
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+
+		// with credentials
+		resp, err = resty.R().SetBasicAuth("test", "test").Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp = extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+	})
+
+	Convey("Verify mgmt route enabled with htpasswd + ldap + bearer", t, func() {
+		htpasswdPath := test.MakeHtpasswdFile()
+		conf.HTTP.Auth.HTPasswd.Path = htpasswdPath
+		conf.HTTP.Auth.LDAP = &config.LDAPConfig{
+			BindDN:  "binddn",
+			BaseDN:  "basedn",
+			Address: "ldapexample",
+		}
+
+		conf.HTTP.Auth.Bearer = &config.BearerConfig{
+			Realm:   "realm",
+			Service: "service",
+		}
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
+		So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
+
+		// with credentials
+		resp, err = resty.R().SetBasicAuth("test", "test").Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp = extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
+		So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
+	})
+
+	Convey("Verify mgmt route enabled with ldap + bearer", t, func() {
+		conf.HTTP.Auth.HTPasswd.Path = ""
+		conf.HTTP.Auth.LDAP = &config.LDAPConfig{
+			BindDN:  "binddn",
+			BaseDN:  "basedn",
+			Address: "ldapexample",
+		}
+
+		conf.HTTP.Auth.Bearer = &config.BearerConfig{
+			Realm:   "realm",
+			Service: "service",
+		}
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd.Path, ShouldEqual, "")
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
+		So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
+	})
+
+	Convey("Verify mgmt route enabled with bearer", t, func() {
+		conf.HTTP.Auth.HTPasswd.Path = ""
+		conf.HTTP.Auth.LDAP = nil
+		conf.HTTP.Auth.Bearer = &config.BearerConfig{
+			Realm:   "realm",
+			Service: "service",
+		}
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		data, _ := os.ReadFile(logFile.Name())
+
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+
+		// without credentials
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldNotBeNil)
+		So(mgmtResp.HTTP.Auth.Bearer.Realm, ShouldEqual, "realm")
+		So(mgmtResp.HTTP.Auth.Bearer.Service, ShouldEqual, "service")
+	})
+
+	Convey("Verify mgmt route enabled without any auth", t, func() {
+		globalDir := t.TempDir()
+		conf := config.New()
+		port := test.GetFreePort()
+		conf.HTTP.Port = port
+		baseURL := test.GetBaseURL(port)
+
+		logFile, err := os.CreateTemp(globalDir, "zot-log*.txt")
+		So(err, ShouldBeNil)
+		defaultValue := true
+
+		conf.Commit = "v1.0.0"
+
+		conf.Extensions = &extconf.ExtensionConfig{}
+		conf.Extensions.Mgmt = &extconf.MgmtConfig{
+			BaseConfig: extconf.BaseConfig{
+				Enable: &defaultValue,
+			},
+		}
+
+		conf.Log.Output = logFile.Name()
+		defer os.Remove(logFile.Name()) // cleanup
+
+		ctlr := api.NewController(conf)
+
+		subPaths := make(map[string]config.StorageConfig)
+		subPaths["/a"] = config.StorageConfig{}
+
+		ctlr.Config.Storage.RootDirectory = globalDir
+		ctlr.Config.Storage.SubPaths = subPaths
+
+		ctlrManager := test.NewControllerManager(ctlr)
+		ctlrManager.StartAndWait(port)
+		defer ctlrManager.StopServer()
+
+		resp, err := resty.R().Get(baseURL + constants.FullMgmtPrefix)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		mgmtResp := extensions.StrippedConfig{}
+		err = json.Unmarshal(resp.Body(), &mgmtResp)
+		So(err, ShouldBeNil)
+		So(mgmtResp.DistSpecVersion, ShouldResemble, conf.DistSpecVersion)
+		So(mgmtResp.HTTP.Auth.Bearer, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.HTPasswd, ShouldBeNil)
+		So(mgmtResp.HTTP.Auth.LDAP, ShouldBeNil)
+
+		data, _ := os.ReadFile(logFile.Name())
+		So(string(data), ShouldContainSubstring, "setting up mgmt routes")
+	})
+}

pkg/extensions/mgmt.md

@@ -0,0 +1,44 @@
+# `mgmt`
+
+`mgmt` component provides an endpoint for configuration management
+
+Response depends on the user privileges:
+- unauthenticated and authenticated users will get a stripped config
+- admins will get full configuration with passwords hidden (not implemented yet)
+
+
+| Supported queries | Input | Output | Description |
+| --- | --- | --- | --- |
+| [Get current configuration](#get-current-configuration) | None | config json | Get current zot configuration | 
+
+
+## Get current configuration
+
+**Sample request**
+
+```bash
+curl http://localhost:8080/v2/_zot/ext/mgmt | jq
+```
+
+**Sample response**
+
+```json
+{
+  "distSpecVersion": "1.1.0-dev",
+  "binaryType": "-sync-search-scrub-metrics-lint-ui-mgmt",
+  "http": {
+    "auth": {
+      "htpasswd": {},
+      "bearer": {
+        "realm": "https://auth.myreg.io/auth/token",
+        "service": "myauth"
+      }
+    }
+  }
+}
+```
+
+If ldap or htpasswd are enabled mgmt will return `{"htpasswd": {}}` indicating that clients can authenticate with basic auth credentials.
+
+If any key is present under `'auth'` key, in the mgmt response, it means that particular authentication method is enabled.
+