github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 21:17:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
fa2960b705e4e1b2186b31d5355d56017fdef0e6
zot/test/blackbox/openid_claim_mapping.bats
T
Andrei Aaron fa2960b705 fix(auth): refine OIDC identity handling and claim-mapping logs (#4028) 
Rename getOpenIDUsername to getOpenIDIdentity and thread "identity"
through bearer OIDC, Basic-auth parsing, OAuth2Callback, and log fields.

Only fall back (and warn) to the default email claim when the configured
username claim is non-default but missing or empty.

Stop emitting Info logs when groups are absent on only UserInfo or only ID
token claims; log once at Debug when no groups remain after merging both.

Update ClaimMapping docs to mention username and groups claims; fix mTLS
extractIdentity comment typo; clarify GetAuthUserFromRequestSession doc.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
2026-05-01 09:34:48 -07:00

408 lines
12 KiB
Bash
Executable File
Raw Blame History

# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
# Makefile target installs & checks all necessary tooling
# Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
load helpers_zot
load helpers_wait
load ../port_helper
function verify_prerequisites {
if [ ! $(command -v curl) ]; then
echo "you need to install curl as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v jq) ]; then
echo "you need to install jq as a prerequisite to running the tests" >&3
return 1
fi
if [ ! $(command -v docker) ]; then
echo "you need to install docker as a prerequisite to running the tests" >&3
return 1
fi
return 0
}
function assert_oidc_extract_identity_log() {
local log_file=${1:?}
local expect_fell_back=${2:?}
local expect_claim=${3:?}
grep '"message":"extracted identity"' "${log_file}" \
| grep "\"claim\":\"${expect_claim}\"" \
| grep "\"fellBackToDefaultClaim\":${expect_fell_back}" \
| grep -q .
}
IDP_PID=""
function setup_file() {
# Verify prerequisites are available
if ! $(verify_prerequisites); then
exit 1
fi
# Pre-allocate all ports we'll need
idp_port=$(get_free_port_for_service "idp")
echo ${idp_port} > ${BATS_FILE_TMPDIR}/idp.port
# Setup oidc provider
npm link oidc-provider express
node ${ROOT_DIR}/test/scripts/panva-idp.js ${idp_port} > ${BATS_FILE_TMPDIR}/idp.log 2>&1 &
IDP_PID=$!
# Wait for oidc provider to be ready
echo "Waiting for idp to be ready on port ${idp_port}..." >&3
local idp_url=http://127.0.0.1:${idp_port}/.well-known/openid-configuration
local max_attempts=60
local attempt=0
while [ $attempt -lt $max_attempts ]; do
if curl -f -s -o /dev/null ${idp_url} 2>&1; then
echo "oidc idp is ready!" >&3
break
fi
attempt=$((attempt + 1))
sleep 2
done
if [ $attempt -eq $max_attempts ]; then
echo "idp failed to start within timeout" >&3
return 1
fi
}
function teardown_file() {
zot_stop_all
kill ${IDP_PID} 2>/dev/null || true
if [ -f "${BATS_FILE_TMPDIR}/idp.log" ]; then
echo "--- IDP LOG ---"
cat ${BATS_FILE_TMPDIR}/idp.log
echo "--- END IDP LOG ---"
fi
}
function teardown() {
# conditionally printing on failure is possible from teardown but not from teardown_file
if [ -f "${BATS_FILE_TMPDIR}/zot-preferred-username.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-preferred-username.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-email.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-email.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-sub.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-sub.log
fi
if [ -f "${BATS_FILE_TMPDIR}/zot-default.log" ]; then
cat ${BATS_FILE_TMPDIR}/zot-default.log
fi
if [ -f "${BATS_FILE_TMPDIR}/idp.log" ]; then
echo "--- IDP LOG (teardown) ---"
cat ${BATS_FILE_TMPDIR}/idp.log
echo "--- END IDP LOG ---"
fi
}
function idp_session() {
local zot_port=${1}
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
# With the auto-login enabled IDP, we just need to hit the login endpoint and follow redirects.
# We use a cookie jar to handle the session cookies during the redirects.
curl -v -L -c ${BATS_FILE_TMPDIR}/cookies "http://127.0.0.1:${zot_port}/zot/auth/login?provider=oidc"
}
@test "test OIDC claim mapping with preferred_username" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-preferred-username
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_preferred_username.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_preferred_username.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_preferred_username")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "preferred_username"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-preferred-username.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify structured extract identity debug line (preferred_username mapped)
assert_oidc_extract_identity_log ${BATS_FILE_TMPDIR}/zot-preferred-username.log false preferred_username
}
@test "test OIDC claim mapping with email" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-email
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_email.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_email.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_email")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "email"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice@example.com"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-email.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify structured extract identity debug line (explicit email username claim)
assert_oidc_extract_identity_log ${BATS_FILE_TMPDIR}/zot-email.log false email
}
@test "test OIDC claim mapping with sub" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-sub
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_sub.json
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_sub.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_sub")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"],
"claimMapping": {
"username": "sub"
}
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${BATS_FILE_TMPDIR}/zot-sub.log"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify structured extract identity debug line (sub mapped)
assert_oidc_extract_identity_log ${BATS_FILE_TMPDIR}/zot-sub.log false sub
}
@test "test OIDC with no claim mapping (default to email)" {
local zot_root_dir=${BATS_FILE_TMPDIR}/zot-default
local zot_config_file=${BATS_FILE_TMPDIR}/zot_config_default.json
ZOT_LOG_FILE=${BATS_FILE_TMPDIR}/zot-default.log
local zot_credentials_file=${BATS_FILE_TMPDIR}/zot_credentials_default.json
local idp_port=$(cat ${BATS_FILE_TMPDIR}/idp.port)
zot_port=$(get_free_port_for_service "zot_default")
mkdir -p ${zot_root_dir}
cat > ${zot_credentials_file}<<EOF
{
"clientid": "zot-client",
"clientsecret": "ZXhhbXBsZS1hcHAtc2VjcmV0"
}
EOF
# Note: No claimMapping section - should default to email
cat > ${zot_config_file}<<EOF
{
"distSpecVersion": "1.1.1",
"storage": {
"rootDirectory": "${zot_root_dir}",
"dedupe": true
},
"http": {
"address": "127.0.0.1",
"port": "${zot_port}",
"realm": "zot",
"auth": {
"openid": {
"providers": {
"oidc": {
"name": "panva",
"issuer": "http://127.0.0.1:${idp_port}/",
"credentialsFile": "${zot_credentials_file}",
"scopes": ["openid", "profile", "email", "groups"]
}
}
},
"failDelay": 5
},
"accessControl": {
"repositories": {
"**": {
"policies": [
{
"users": ["alice@example.com"],
"actions": ["read", "create", "update", "delete"]
}
],
"defaultPolicy": ["read"]
}
}
}
},
"log": {
"level": "debug",
"output": "${ZOT_LOG_FILE}"
}
}
EOF
zot_serve ${ZOT_PATH} ${zot_config_file}
wait_zot_reachable ${zot_port}
run idp_session ${zot_port}
[ "$status" -eq 0 ]
echo "$output"
# Verify structured extract identity debug line (default email claim, no claimMapping)
assert_oidc_extract_identity_log ${ZOT_LOG_FILE} false email
}
Reference in New Issue View Git Blame Copy Permalink