distribution/registry/auth/silly/access.go

// Package silly provides a simple authentication scheme that checks for the
// existence of an Authorization header and issues access if is present and
// non-empty.
//
// This package is present as an example implementation of a minimal
// auth.AccessController and for testing. This is not suitable for any kind of
// production security.
package silly

import (
	"fmt"
	"net/http"
	"strings"

	ctxu "github.com/docker/distribution/context"
	"github.com/docker/distribution/registry/auth"
	"golang.org/x/net/context"
)

// accessController provides a simple implementation of auth.AccessController
// that simply checks for a non-empty Authorization header. It is useful for
// demonstration and testing.
type accessController struct {
	realm   string
	service string
}

var _ auth.AccessController = &accessController{}

func newAccessController(options map[string]interface{}) (auth.AccessController, error) {
	realm, present := options["realm"]
	if _, ok := realm.(string); !present || !ok {
		return nil, fmt.Errorf(`"realm" must be set for silly access controller`)
	}

	service, present := options["service"]
	if _, ok := service.(string); !present || !ok {
		return nil, fmt.Errorf(`"service" must be set for silly access controller`)
	}

	return &accessController{realm: realm.(string), service: service.(string)}, nil
}

// Authorized simply checks for the existence of the authorization header,
// responding with a bearer challenge if it doesn't exist.
func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {
	req, err := ctxu.GetRequest(ctx)
	if err != nil {
		return nil, err
	}

	if req.Header.Get("Authorization") == "" {
		challenge := challenge{
			realm:   ac.realm,
			service: ac.service,
		}

		if len(accessRecords) > 0 {
			var scopes []string
			for _, access := range accessRecords {
				scopes = append(scopes, fmt.Sprintf("%s:%s:%s", access.Type, access.Resource.Name, access.Action))
			}
			challenge.scope = strings.Join(scopes, " ")
		}

		return nil, &challenge
	}

	return auth.WithUser(ctx, auth.UserInfo{Name: "silly"}), nil
}

type challenge struct {
	realm   string
	service string
	scope   string
}

func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	header := fmt.Sprintf("Bearer realm=%q,service=%q", ch.realm, ch.service)

	if ch.scope != "" {
		header = fmt.Sprintf("%s,scope=%q", header, ch.scope)
	}

	w.Header().Set("WWW-Authenticate", header)
}

func (ch *challenge) Error() string {
	return fmt.Sprintf("silly authentication challenge: %#v", ch)
}

// init registers the silly auth backend.
func init() {
	auth.Register("silly", auth.InitFunc(newAccessController))
}
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`// Package silly provides a simple authentication scheme that checks for the`
			`// existence of an Authorization header and issues access if is present and`
			`// non-empty.`
			`//`
			`// This package is present as an example implementation of a minimal`
			`// auth.AccessController and for testing. This is not suitable for any kind of`
			`// production security.`
			`package silly`

			`import (`
			`"fmt"`
			`"net/http"`
			`"strings"`

Update auth/token to use context package utils Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-02-06 03:12:32 +00:00			`ctxu "github.com/docker/distribution/context"`
Run goimports/gofmt on previous changes After all of the perl refactoring, some import orderings were left asunder. This commit corrects that. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-02-11 02:18:45 +00:00			`"github.com/docker/distribution/registry/auth"`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-04 01:59:24 +00:00			`"golang.org/x/net/context"`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`)`

			`// accessController provides a simple implementation of auth.AccessController`
			`// that simply checks for a non-empty Authorization header. It is useful for`
			`// demonstration and testing.`
			`type accessController struct {`
			`realm string`
			`service string`
			`}`

			`var _ auth.AccessController = &accessController{}`

			`func newAccessController(options map[string]interface{}) (auth.AccessController, error) {`
			`realm, present := options["realm"]`
			`if _, ok := realm.(string); !present \|\| !ok {`
			return nil, fmt.Errorf(`"realm" must be set for silly access controller`)
			`}`

			`service, present := options["service"]`
			`if _, ok := service.(string); !present \|\| !ok {`
			return nil, fmt.Errorf(`"service" must be set for silly access controller`)
			`}`

			`return &accessController{realm: realm.(string), service: service.(string)}, nil`
			`}`

			`// Authorized simply checks for the existence of the authorization header,`
			`// responding with a bearer challenge if it doesn't exist.`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-04 01:59:24 +00:00			`func (ac *accessController) Authorized(ctx context.Context, accessRecords ...auth.Access) (context.Context, error) {`
Update auth/token to use context package utils Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-02-06 03:12:32 +00:00			`req, err := ctxu.GetRequest(ctx)`
Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-04 01:59:24 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`if req.Header.Get("Authorization") == "" {`
			`challenge := challenge{`
			`realm: ac.realm,`
			`service: ac.service,`
			`}`

			`if len(accessRecords) > 0 {`
			`var scopes []string`
			`for _, access := range accessRecords {`
Ensure that unset Context.Name only allowed on base route If Context.Name is not set, the acceess controller may allow an unintended request through. By only allowing a request to proceed without a name on the base route, we provide some protection if future bugs forget to set the context properly. 2014-12-19 01:20:35 +00:00			`scopes = append(scopes, fmt.Sprintf("%s:%s:%s", access.Type, access.Resource.Name, access.Action))`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`}`
			`challenge.scope = strings.Join(scopes, " ")`
			`}`

Use context for auth access controllers The auth package has been updated to use "golang.org/x/net/context" for passing information between the application and the auth backend. AccessControllers should now set a "auth.user" context value to a AuthUser struct containing a single "Name" field for now with possible, optional, values in the future. The "silly" auth backend always sets the name to "silly", while the "token" auth backend will set the name to match the "subject" claim of the JWT. Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn) 2015-02-04 01:59:24 +00:00			`return nil, &challenge`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`}`

Add auth.user.name to logging context 2015-04-14 23:07:23 +00:00			`return auth.WithUser(ctx, auth.UserInfo{Name: "silly"}), nil`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`}`

			`type challenge struct {`
			`realm string`
			`service string`
			`scope string`
			`}`

			`func (ch challenge) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`header := fmt.Sprintf("Bearer realm=%q,service=%q", ch.realm, ch.service)`

			`if ch.scope != "" {`
			`header = fmt.Sprintf("%s,scope=%q", header, ch.scope)`
			`}`

Send WWW-Authenticate header for silly auth Signed-off-by: Andy Goldstein <agoldste@redhat.com> 2015-03-11 19:10:49 +00:00			`w.Header().Set("WWW-Authenticate", header)`
Integrate auth.AccessController into registry app This changeset integrates the AccessController into the main registry app. This includes support for configuration and a test implementation, called "silly" auth. Auth is only enabled if the configuration is present but takes measure to ensure that configuration errors don't allow the appserver to start with open access. 2014-12-18 20:30:19 +00:00			`}`

			`func (ch *challenge) Error() string {`
			`return fmt.Sprintf("silly authentication challenge: %#v", ch)`
			`}`

			`// init registers the silly auth backend.`
			`func init() {`
			`auth.Register("silly", auth.InitFunc(newAccessController))`
			`}`