diff --git a/contrib/docker-integration/docker-compose.yml b/contrib/docker-integration/docker-compose.yml
index 32bfaad08..4d4f3856f 100644
--- a/contrib/docker-integration/docker-compose.yml
+++ b/contrib/docker-integration/docker-compose.yml
@@ -18,6 +18,7 @@ nginx:
     - "5557:5557"
     - "5558:5558"
     - "5559:5559"
+    - "5600:5600"
     - "6666:6666"
   links:
     - registryv2:registryv2
@@ -25,6 +26,7 @@ nginx:
     - registryv2token:registryv2token
     - tokenserver:tokenserver
     - registryv2tokenoauth:registryv2tokenoauth
+    - registryv2tokenoauthnotls:registryv2tokenoauthnotls
     - tokenserveroauth:tokenserveroauth
 registryv2:
   image: golem-distribution:latest
@@ -53,6 +55,13 @@ registryv2tokenoauth:
     - ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
     - ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
     - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
+registryv2tokenoauthnotls:
+  image: golem-distribution:latest
+  ports:
+    - "5000"
+  volumes:
+    - ./tokenserver-oauth/registry-config-notls.yml:/etc/docker/registry/config.yml
+    - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
 tokenserveroauth:
   build: "tokenserver-oauth"
   command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559"
diff --git a/contrib/docker-integration/install_certs.sh b/contrib/docker-integration/install_certs.sh
index 828b7896e..53a8ac876 100644
--- a/contrib/docker-integration/install_certs.sh
+++ b/contrib/docker-integration/install_certs.sh
@@ -23,6 +23,7 @@ install_test_certs() {
 	# For test remove CA
 	rm $1/${hostname}:5447/ca.crt
 	install_ca $1 5448
+	install_ca $1 5600
 }
 
 install_ca_file() {
@@ -30,6 +31,11 @@ install_ca_file() {
 	cp $1 $2/ca.crt
 }
 
+append_ca_file() {
+	mkdir -p $2
+	cat $1 >> $2/ca.crt
+}
+
 install_test_certs $installdir
 
 # Malevolent server
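Review bot: `append_ca_file` concatenates with `cat $1 >> $2/ca.crt` without ensuring the existing bundle ends in a newline, so if the CA written by `install_ca $1 5600` lacks a trailing newline the `-----END CERTIFICATE-----` of the first block and the `-----BEGIN CERTIFICATE-----` of the tokenserver CA land on one line and the bundle no longer parses as PEM. A guard line before the `cat` fixes it: `[ -f $2/ca.crt ] && [ -n "$(tail -c1 $2/ca.crt)" ] && echo >> $2/ca.crt`. The only caller is the new `append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600` line in the @@ -40,4 +46,5 hunk; re-runs of the script stay idempotent only if `install_ca` overwrites ca.crt the way `install_ca_file` does with `cp`, which is not visible here.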
@@ -40,4 +46,5 @@ install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5554
 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
+append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600
diff --git a/contrib/docker-integration/nginx/Dockerfile b/contrib/docker-integration/nginx/Dockerfile
index 735f8a815..17f999d24 100644
--- a/contrib/docker-integration/nginx/Dockerfile
+++ b/contrib/docker-integration/nginx/Dockerfile
@@ -7,3 +7,4 @@ COPY registry-noauth.conf /etc/nginx/registry-noauth.conf
 COPY registry-basic.conf /etc/nginx/registry-basic.conf
 COPY test.passwd /etc/nginx/test.passwd
 COPY ssl /etc/nginx/ssl
+COPY v1 /var/www/html/v1
diff --git a/contrib/docker-integration/nginx/registry.conf b/contrib/docker-integration/nginx/registry.conf
index d8585ee0a..e693d569a 100644
--- a/contrib/docker-integration/nginx/registry.conf
+++ b/contrib/docker-integration/nginx/registry.conf
@@ -219,3 +219,42 @@ server {
   include registry-noauth.conf;
 }
+
+# V1 search test
+# Registry configured with token auth and no tls
+# TLS termination done by nginx, search results
+# served by nginx
+
+upstream docker-registry-v2-oauth {
+  server registryv2tokenoauthnotls:5000;
+}
+
+server {
+  listen 5600;
+  server_name localregistry;
+  ssl on;
+  ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
+  ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
+
+  root /var/www/html;
+
+  client_max_body_size 0;
+  chunked_transfer_encoding on;
+  location /v2/ {
+    proxy_buffering off;
+    proxy_pass http://docker-registry-v2-oauth;
+    proxy_set_header Host $http_host; # required for docker client's sake
+    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_read_timeout 900;
+  }
+
+  location /v1/search {
+    if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
+      return 401;
+    }
+    try_files /v1/search.json =404;
+    add_header Content-Type application/json;
+  }
+}
diff --git a/contrib/docker-integration/nginx/v1/search.json b/contrib/docker-integration/nginx/v1/search.json
new file mode 100644
index 000000000..3da8f1adb
--- /dev/null
+++ b/contrib/docker-integration/nginx/v1/search.json
@@ -0,0 +1 @@
+{"num_pages":1,"num_results":2,"page":1,"page_size": 25,"query":"testsearch","results":[{"description":"","is_automated":false,"is_official":false,"is_trusted":false, "name":"dmcgowan/testsearch-1","star_count":1000},{"description":"Some automated build","is_automated":true,"is_official":false,"is_trusted":false,"name":"dmcgowan/testsearch-2","star_count":10}]}
diff --git a/contrib/docker-integration/token.bats b/contrib/docker-integration/token.bats
index e8a424829..256885a22 100644
--- a/contrib/docker-integration/token.bats
+++ b/contrib/docker-integration/token.bats
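Review bot: The `/v1/search` gate in the new `listen 5600` server block only tests that `$http_authorization` contains the substring `Bearer <token-chars>`; the regex is unanchored and nginx never validates the token, so any header with that substring is accepted and the fixture is served. That is fine for a static test fixture but it should be stated next to the check, e.g. `# nginx does not validate the bearer token; it only requires one so the client's token flow is exercised`, and the pattern anchored so a `Bearer` fragment later in the header cannot match: `if ($http_authorization !~ "^Bearer [a-zA-Z0-9\._-]+") {`. The `return 401` also sends no `WWW-Authenticate` challenge; presumably the docker client obtains its token through the proxied `/v2/` endpoint, which is what the new token.bats case depends on, so that assumption is worth recording in the comment as well.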
@@ -117,3 +117,19 @@ base="hello-world"
 	run docker_t push $image
 	[ "$status" -ne 0 ]
 }
+
+@test "Test oauth with v1 search" {
+	version_check docker "$GOLEM_DIND_VERSION" "1.12.0"
+
+	run docker_t search localregistry:5600/testsearch
+	[ "$status" -ne 0 ]
+
+	login_oauth localregistry:5600
+
+	run docker_t search localregistry:5600/testsearch
+	echo $output
+	[ "$status" -eq 0 ]
+
+	echo $output | grep "testsearch-1"
+	echo $output | grep "testsearch-2"
+}
diff --git a/contrib/docker-integration/tokenserver-oauth/registry-config-notls.yml b/contrib/docker-integration/tokenserver-oauth/registry-config-notls.yml
new file mode 100644
index 000000000..ed6b3ea5d
--- /dev/null
+++ b/contrib/docker-integration/tokenserver-oauth/registry-config-notls.yml
@@ -0,0 +1,15 @@
+version: 0.1
+loglevel: debug
+storage:
+  cache:
+    blobdescriptor: inmemory
+  filesystem:
+    rootdirectory: /tmp/registry-dev
+http:
+  addr: 0.0.0.0:5000
+auth:
+  token:
+    realm: "https://auth.localregistry:5559/token/"
+    issuer: "registry-test"
+    service: "registry-test"
+    rootcertbundle: "/etc/docker/registry/tokenbundle.pem"
diff --git a/contrib/token-server/main.go b/contrib/token-server/main.go
index edd894f48..6a4c1778b 100644
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
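Review bot: `echo $output | grep "testsearch-1"` in the new "Test oauth with v1 search" case expands `$output` unquoted, so word splitting and glob expansion rewrite the search output before grep sees it; quote it and make the match the assertion rather than the echo: `echo "$output" | grep -q "testsearch-1"` (same for the `testsearch-2` line and the debugging `echo $output`). The first `run docker_t search` asserts failure before `login_oauth`, which presumes no credentials for localregistry:5600 are already stored from an earlier test; that holds only while no other case in the file logs in to that endpoint, so a one-line comment saying so would keep the ordering assumption visible.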
@@ -163,14 +163,21 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 	}
 	grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 	for _, access := range requestedAccessList {
-		if access.Type != "repository" {
+		if access.Type == "repository" {
+			if !strings.HasPrefix(access.Name, scope) {
+				context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
+				continue
+			}
+		} else if access.Type == "registry" {
+			if access.Name != "catalog" {
+				context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
+				continue
+			}
+			// TODO: Limit some actions to "admin" users
+		} else {
 			context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
 			continue
 		}
-		if !strings.HasPrefix(access.Name, scope) {
-			context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
-			continue
-		}
 		grantedAccessList = append(grantedAccessList, access)
 	}
 	return grantedAccessList
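Review bot: The new `registry` branch appends the `catalog` access with whatever `access.Action` the client asked for, so every authenticated user is granted a full repository listing and any unrecognized action string is echoed unchanged into the signed token; the `// TODO: Limit some actions to "admin" users` comment records the admin gap but not the action pass-through. At minimum the branch should reject actions it does not know before falling through to the append, e.g. `if access.Action != "*" { context.GetLogger(ctx).Debugf("Unsupported catalog action: %s", access.Action); continue }` placed before the TODO. Whether `*` is the only action the registry requests for the catalog scope cannot be confirmed from this hunk, so check the registry's catalog handler before hardcoding it. filterAccessList starts before this hunk (only its signature is visible in the hunk header), so the checks applied to `scope` itself are not reviewed here.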