mirror of
https://github.com/project-zot/zot.git
synced 2026-06-17 21:17:58 +08:00
Andrei Aaron
08fae9104d
* feat: support mTLS-only authn/authz with AccessControl and allow combining mTLS with other auth mechanisms Signed-off-by: Ivan Arkhipov <me@endevir.ru> * refactor: improve authentication logic and TLS certificate generation - Fix mTLS authentication to use only leaf certificate instead of iterating through all certificates in the chain - Reject Authorization headers when corresponding auth method is disabled, regardless of mTLS status (security improvement) - Simplify authentication switch statement ordering and logic - Move ErrUserDataNotFound error handling into sessionAuthn method - Refactor TLS certificate generation to use Options pattern with CertificateOptions struct for better extensibility - Consolidate duplicate certificate generation code into helper functions (generateCertificate, parseCA, initializeTemplate, applyOptions) - Rename certificate generation functions for clarity: - GenerateCertWithCN -> GenerateClientCert - GenerateSelfSignedCertWithCN -> GenerateClientSelfSignedCert - Add support for SAN settings including email addresses in certificates - Update tests to reflect new authentication behavior and certificate API This commit improves both the security posture (rejecting disabled auth methods) and code maintainability (consolidated certificate generation). Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> * fix: guard against multiple Authorization headers Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> --------- Signed-off-by: Ivan Arkhipov <me@endevir.ru> Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com> Co-authored-by: Ivan Arkhipov <me@endevir.ru>
187 lines
5.6 KiB
YAML
187 lines
5.6 KiB
YAML
name: "Running tests"
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
branches: [main]
|
|
release:
|
|
types:
|
|
- published
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
test-run-minimal:
|
|
name: Running zot without extensions tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- name: Install go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
cache: false
|
|
go-version: 1.25.x
|
|
- name: Cache go dependencies
|
|
id: cache-go-dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-mod-
|
|
- name: Install go dependencies
|
|
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
go mod download
|
|
- uses: ./.github/actions/setup-localstack
|
|
- name: run zot minimal tests
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
make test-minimal
|
|
env:
|
|
S3MOCK_ENDPOINT: localhost:4566
|
|
DYNAMODBMOCK_ENDPOINT: http://localhost:4566
|
|
AWS_ACCESS_KEY_ID: fake
|
|
AWS_SECRET_ACCESS_KEY: fake
|
|
- name: upload coverage
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: coverage-minimal
|
|
path: coverage-minimal.txt
|
|
- uses: ./.github/actions/teardown-localstack
|
|
test-run-extensions:
|
|
name: Run zot with extensions tests
|
|
runs-on: oracle-vm-16cpu-64gb-x86-64
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: actions/setup-go@v6
|
|
with:
|
|
cache: false
|
|
go-version: 1.25.x
|
|
- name: Cache go dependencies
|
|
id: cache-go-dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-mod-
|
|
- name: Install go dependencies
|
|
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
go mod download
|
|
- uses: ./.github/actions/setup-localstack
|
|
- name: run zot extended tests
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
make test-extended
|
|
env:
|
|
S3MOCK_ENDPOINT: localhost:4566
|
|
DYNAMODBMOCK_ENDPOINT: http://localhost:4566
|
|
AWS_ACCESS_KEY_ID: fake
|
|
AWS_SECRET_ACCESS_KEY: fake
|
|
- name: upload coverage
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: coverage-extended
|
|
path: coverage-extended.txt
|
|
- uses: ./.github/actions/teardown-localstack
|
|
test-run-devmode:
|
|
name: Running development-mode tests on Linux
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: actions/setup-go@v6
|
|
with:
|
|
cache: false
|
|
go-version: 1.25.x
|
|
- name: Cache go dependencies
|
|
id: cache-go-dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-mod-
|
|
- name: Install go dependencies
|
|
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
go mod download
|
|
- name: run zot development-mode unit tests (possibly using failure injection)
|
|
run: make test-devmode
|
|
- name: upload coverage
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: coverage-devmode
|
|
path: coverage-dev-*.txt
|
|
test-run-privileged:
|
|
name: Running privileged tests on Linux
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: actions/setup-go@v6
|
|
with:
|
|
cache: false
|
|
go-version: 1.25.x
|
|
- name: Cache go dependencies
|
|
id: cache-go-dependencies
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-mod-
|
|
- name: Install go dependencies
|
|
if: steps.cache-go-dependencies.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
go mod download
|
|
- name: run zot privileged tests
|
|
run: sudo env "PATH=$PATH" make privileged-test
|
|
- name: upload coverage
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: coverage-needprivileges
|
|
path: coverage-needprivileges.txt
|
|
test-coverage:
|
|
name: Collect all test coverage
|
|
runs-on: ubuntu-latest
|
|
if: always()
|
|
needs: [test-run-minimal,test-run-extensions,test-run-devmode,test-run-privileged]
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
- uses: actions/setup-go@v6
|
|
with:
|
|
cache: false
|
|
go-version: 1.25.x
|
|
- name: download all workflow coverage files
|
|
uses: actions/download-artifact@v6
|
|
- name: merge code coverage
|
|
run: |
|
|
cd $GITHUB_WORKSPACE
|
|
cp coverage-minimal/* .
|
|
cp coverage-extended/* .
|
|
cp coverage-devmode/* .
|
|
cp coverage-needprivileges/* .
|
|
make covhtml
|
|
mkdir unified-coverage
|
|
cp coverage.txt coverage.html unified-coverage/
|
|
- name: upload unified-coverage as build artifact
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: unified-coverage
|
|
path: unified-coverage/*
|
|
- name: upload code coverage
|
|
uses: codecov/codecov-action@v5
|
|
with:
|
|
token: ${{ secrets.CODECOV_TOKEN }}
|
|
|