distribution/registry/auth/silly/access_test.go

package silly

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/distribution/distribution/v3/registry/auth"
)

func TestSillyAccessController(t *testing.T) {
	ac := &accessController{
		realm:   "test-realm",
		service: "test-service",
	}

	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		grant, err := ac.Authorized(r)
		if err != nil {
			switch err := err.(type) {
			case auth.Challenge:
				err.SetHeaders(r, w)
				w.WriteHeader(http.StatusUnauthorized)
				return
			default:
				t.Fatalf("unexpected error authorizing request: %v", err)
			}
		}

		if grant == nil {
			t.Fatal("silly accessController did not return auth grant")
		}

		if grant.User.Name != "silly" {
			t.Fatalf("expected user name %q, got %q", "silly", grant.User.Name)
		}

		w.WriteHeader(http.StatusNoContent)
	}))

	resp, err := http.Get(server.URL)
	if err != nil {
		t.Fatalf("unexpected error during GET: %v", err)
	}
	defer resp.Body.Close()

	// Request should not be authorized
	if resp.StatusCode != http.StatusUnauthorized {
		t.Fatalf("unexpected response status: %v != %v", resp.StatusCode, http.StatusUnauthorized)
	}

	req, err := http.NewRequest(http.MethodGet, server.URL, nil)
	if err != nil {
		t.Fatalf("unexpected error creating new request: %v", err)
	}
	req.Header.Set("Authorization", "seriously, anything")

	resp, err = http.DefaultClient.Do(req)
	if err != nil {
		t.Fatalf("unexpected error during GET: %v", err)
	}
	defer resp.Body.Close()

	// Request should not be authorized
	if resp.StatusCode != http.StatusNoContent {
		t.Fatalf("unexpected response status: %v != %v", resp.StatusCode, http.StatusNoContent)
	}
}
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`package silly`

			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"testing"`

go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 13:18:39 +02:00			`"github.com/distribution/distribution/v3/registry/auth"`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`)`

			`func TestSillyAccessController(t *testing.T) {`
			`ac := &accessController{`
			`realm: "test-realm",`
			`service: "test-service",`
			`}`

			`server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
reg/auth: remove contexts from Authorized method The details of how request-scoped information is propagated through the registry server app should be left as private implementation details so they can be changed without fear of breaking compatibility with third-party code which imports the distribution module. The AccessController interface unnecessarily bakes into the public API details of how authorization grants are propagated through request contexts. In practice the only values the in-tree authorizers attach to the request contexts are the UserInfo and Resources for the request. Change the AccessController interface to return the UserInfo and Resources directly to allow us to change how request contexts are used within the app without altering the AccessController interface contract. Signed-off-by: Cory Snider <csnider@mirantis.com> 2023-10-24 16:41:54 -04:00			`grant, err := ac.Authorized(r)`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-03 17:59:24 -08:00			`if err != nil {`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`switch err := err.(type) {`
			`case auth.Challenge:`
fix checks Signed-off-by: David Wu <david.wu@docker.com> 2018-09-20 14:53:34 -07:00			`err.SetHeaders(r, w)`
Move challenge http status code logic See: https://github.com/docker/distribution/blob/3ea67df37383dd6941908a9949ab55c7073ece5b/registry/handlers/app.go#L498 Per the comment on line 498, this moves the logic of setting the http status code into the serveJSON func, leaving the auth.Challenge.ServeHTTP() func to just set the auth challenge header. Signed-off-by: Doug Davis <dug@us.ibm.com> 2015-06-16 18:57:47 -07:00			`w.WriteHeader(http.StatusUnauthorized)`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`return`
			`default:`
			`t.Fatalf("unexpected error authorizing request: %v", err)`
			`}`
			`}`

reg/auth: remove contexts from Authorized method The details of how request-scoped information is propagated through the registry server app should be left as private implementation details so they can be changed without fear of breaking compatibility with third-party code which imports the distribution module. The AccessController interface unnecessarily bakes into the public API details of how authorization grants are propagated through request contexts. In practice the only values the in-tree authorizers attach to the request contexts are the UserInfo and Resources for the request. Change the AccessController interface to return the UserInfo and Resources directly to allow us to change how request contexts are used within the app without altering the AccessController interface contract. Signed-off-by: Cory Snider <csnider@mirantis.com> 2023-10-24 16:41:54 -04:00			`if grant == nil {`
			`t.Fatal("silly accessController did not return auth grant")`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-03 17:59:24 -08:00			`}`

reg/auth: remove contexts from Authorized method The details of how request-scoped information is propagated through the registry server app should be left as private implementation details so they can be changed without fear of breaking compatibility with third-party code which imports the distribution module. The AccessController interface unnecessarily bakes into the public API details of how authorization grants are propagated through request contexts. In practice the only values the in-tree authorizers attach to the request contexts are the UserInfo and Resources for the request. Change the AccessController interface to return the UserInfo and Resources directly to allow us to change how request contexts are used within the app without altering the AccessController interface contract. Signed-off-by: Cory Snider <csnider@mirantis.com> 2023-10-24 16:41:54 -04:00			`if grant.User.Name != "silly" {`
			`t.Fatalf("expected user name %q, got %q", "silly", grant.User.Name)`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-03 17:59:24 -08:00			`}`

Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`w.WriteHeader(http.StatusNoContent)`
			`}))`

			`resp, err := http.Get(server.URL)`
			`if err != nil {`
			`t.Fatalf("unexpected error during GET: %v", err)`
			`}`
			`defer resp.Body.Close()`

			`// Request should not be authorized`
			`if resp.StatusCode != http.StatusUnauthorized {`
			`t.Fatalf("unexpected response status: %v != %v", resp.StatusCode, http.StatusUnauthorized)`
			`}`

use http consts for request methods Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-11-02 23:31:23 +01:00			`req, err := http.NewRequest(http.MethodGet, server.URL, nil)`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 12:30:19 -08:00			`if err != nil {`
			`t.Fatalf("unexpected error creating new request: %v", err)`
			`}`
			`req.Header.Set("Authorization", "seriously, anything")`

			`resp, err = http.DefaultClient.Do(req)`
			`if err != nil {`
			`t.Fatalf("unexpected error during GET: %v", err)`
			`}`
			`defer resp.Body.Close()`

			`// Request should not be authorized`
			`if resp.StatusCode != http.StatusNoContent {`
			`t.Fatalf("unexpected response status: %v != %v", resp.StatusCode, http.StatusNoContent)`
			`}`
			`}`