mirror of
https://github.com/project-zot/zot.git
synced 2026-06-15 11:37:56 +08:00
Luca Muscariello
2402296e9a
* fix: migrate to Go module v2 for proper semantic versioning This change updates the module path from 'zotregistry.dev/zot' to 'zotregistry.dev/zot/v2' to comply with Go's semantic versioning rules. According to Go's module versioning requirements, major version v2+ must include the major version in the module path. The current module path 'zotregistry.dev/zot' only supports v0.x.x and v1.x.x versions, making existing v2.x.x tags (like v2.1.8) unusable. Changes: - Updated go.mod module path to zotregistry.dev/zot/v2 - Updated all internal import paths across 280+ Go source files - Updated configuration files (golangcilint.yaml, gqlgen.yml) - Updated README.md Go reference badge This fix enables proper use of existing v2.x.x Git tags and allows external packages to import zot v2+ versions without compatibility errors. Resolves: Go module import compatibility for v2+ versions Fixes: #3071 Signed-off-by: Luca Muscariello <muscariello@ieee.org> * fix: regenerate GraphQL files with updated v2 import paths The gqlgen tool needs to regenerate the GraphQL schema files after the module path change to use the new v2 imports. Signed-off-by: Luca Muscariello <muscariello@ieee.org> --------- Signed-off-by: Luca Muscariello <muscariello@ieee.org>
122 lines
2.9 KiB
Go
122 lines
2.9 KiB
Go
package api_test
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
. "github.com/smartystreets/goconvey/convey"
|
|
|
|
zerr "zotregistry.dev/zot/v2/errors"
|
|
"zotregistry.dev/zot/v2/pkg/api"
|
|
)
|
|
|
|
func TestBearerAuthorizer(t *testing.T) {
|
|
Convey("Test bearer token authorization", t, func() {
|
|
signingMethod := jwt.SigningMethodRS256
|
|
|
|
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
pubKey := privKey.Public()
|
|
|
|
authorizer := api.NewBearerAuthorizer("realm", "service", pubKey)
|
|
|
|
Convey("Empty authorization header given", func() {
|
|
err := authorizer.Authorize("", nil)
|
|
So(err, ShouldBeError, zerr.ErrNoBearerToken)
|
|
})
|
|
|
|
Convey("Valid token", func() {
|
|
access := []api.ResourceAccess{
|
|
{
|
|
Name: "authorized-repository",
|
|
Type: "repository",
|
|
Actions: []string{"pull"},
|
|
},
|
|
}
|
|
|
|
now := time.Now()
|
|
claims := api.ClaimsWithAccess{
|
|
Access: access,
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
|
ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 1)),
|
|
IssuedAt: jwt.NewNumericDate(now),
|
|
Issuer: "Zot",
|
|
Audience: []string{"Zot Registry"},
|
|
},
|
|
}
|
|
|
|
token, err := jwt.NewWithClaims(signingMethod, claims).SignedString(privKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
authHeader := "Bearer " + token
|
|
|
|
Convey("Unauthorized type", func() {
|
|
requested := &api.ResourceAction{
|
|
Type: "registry",
|
|
Name: "catalog",
|
|
Action: "*",
|
|
}
|
|
|
|
err := authorizer.Authorize(authHeader, requested)
|
|
So(err, ShouldHaveSameTypeAs, &api.AuthChallengeError{})
|
|
So(err, ShouldBeError, zerr.ErrInsufficientScope)
|
|
})
|
|
|
|
Convey("Unauthorized name", func() {
|
|
requested := &api.ResourceAction{
|
|
Type: "repository",
|
|
Name: "unauthorized-repository",
|
|
Action: "pull",
|
|
}
|
|
|
|
err := authorizer.Authorize(authHeader, requested)
|
|
So(err, ShouldHaveSameTypeAs, &api.AuthChallengeError{})
|
|
So(err, ShouldBeError, zerr.ErrInsufficientScope)
|
|
})
|
|
|
|
Convey("Unauthorized action", func() {
|
|
requested := &api.ResourceAction{
|
|
Type: "repository",
|
|
Name: "authorized-repository",
|
|
Action: "push",
|
|
}
|
|
|
|
err := authorizer.Authorize(authHeader, requested)
|
|
So(err, ShouldHaveSameTypeAs, &api.AuthChallengeError{})
|
|
So(err, ShouldBeError, zerr.ErrInsufficientScope)
|
|
})
|
|
|
|
Convey("Successful authorization with requested access", func() {
|
|
requested := &api.ResourceAction{
|
|
Type: "repository",
|
|
Name: "authorized-repository",
|
|
Action: "pull",
|
|
}
|
|
|
|
err := authorizer.Authorize(authHeader, requested)
|
|
So(err, ShouldBeNil)
|
|
})
|
|
|
|
Convey("Successful authorization without requested access", func() {
|
|
err := authorizer.Authorize(authHeader, nil)
|
|
So(err, ShouldBeNil)
|
|
})
|
|
})
|
|
|
|
Convey("Invalid token", func() {
|
|
authHeader := "invalid"
|
|
|
|
err := authorizer.Authorize(authHeader, nil)
|
|
So(err, ShouldWrap, zerr.ErrInvalidBearerToken)
|
|
})
|
|
})
|
|
}
|