diff --git a/cmd/registry/config.yml b/cmd/registry/config.yml
index 6d41cc8f..abc868d9 100644
--- a/cmd/registry/config.yml
+++ b/cmd/registry/config.yml
@@ -26,6 +26,10 @@ storage:
 maintenance:
 uploadpurging:
 enabled: false
+auth:
+ basic:
+ realm: test-realm
+ path: /tmp/registry-dev/.htpasswd
 http:
 addr: :5000
 secret: asecretforlocaldevelopment
diff --git a/cmd/registry/main.go b/cmd/registry/main.go
index 49132bf1..8c591bad 100644
--- a/cmd/registry/main.go
+++ b/cmd/registry/main.go
@@ -18,6 +18,7 @@ import (
 "github.com/docker/distribution/configuration"
 "github.com/docker/distribution/context"
 _ "github.com/docker/distribution/health"
+ _ "github.com/docker/distribution/registry/auth/basic"
 _ "github.com/docker/distribution/registry/auth/silly"
 _ "github.com/docker/distribution/registry/auth/token"
 "github.com/docker/distribution/registry/handlers"
diff --git a/registry/auth/basic/access.go b/registry/auth/basic/access.go
index 1833296a..76f036c0 100644
--- a/registry/auth/basic/access.go
+++ b/registry/auth/basic/access.go
@@ -6,7 +6,6 @@
 // system crypt() may be as well.
 //
 // This authentication method MUST be used under TLS, as simple token-replay attack is possible.
-
 package basic
 
 import (
@@ -33,7 +32,9 @@ type challenge struct {
 var _ auth.AccessController = &accessController{}
 
 var (
+ // ErrPasswordRequired - returned when no auth token is given.
 ErrPasswordRequired = errors.New("authorization credential required")
+ // ErrInvalidCredential - returned when the auth token does not authenticate correctly.
 ErrInvalidCredential = errors.New("invalid authorization credential")
 )
 
@@ -98,7 +99,7 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
 }
 
 func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- header := fmt.Sprintf("Realm realm=%q", ch.realm)
+ header := fmt.Sprintf("Basic realm=%q", ch.realm)
 w.Header().Set("WWW-Authenticate", header)
 w.WriteHeader(http.StatusUnauthorized)
 }
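Review bot: The `auth.basic.path` added in cmd/registry/config.yml keeps the credential file at `/tmp/registry-dev/.htpasswd`, and /tmp is normally writable by every local account, so the file that decides who may log in sits in a location the registry does not control. A directory owned by the account that runs the registry would be safer, even for a development config. The visible `http:` lines set only `addr` and `secret`; whether TLS is configured further down is outside the hunk. Since the package comment in access.go says this method must be used under TLS, a comment such as `# development only: basic auth sends credentials in cleartext unless http.tls is configured` above `auth:` would make that dependency visible to anyone copying this file.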
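Review bot: In `ServeHTTP` in registry/auth/basic/access.go, the realm is still written with `%q`, which applies Go string-literal escaping rather than HTTP quoted-string rules. Quotes and backslashes happen to come out the same, but a realm with non-ASCII or control characters would be emitted with Go escapes such as `\u00e9` that clients show literally. The realm appears to come from configuration, so this is a robustness point rather than an injection risk. Either validate it when the access controller is built, or document the constraint with `// realm must be printable ASCII; %q uses Go escaping, not RFC 7235 quoted-string` above the `Sprintf`. The whole function is inside the hunk.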
diff --git a/registry/auth/basic/htpasswd.go b/registry/auth/basic/htpasswd.go
index 6833bc5c..36eca347 100644
--- a/registry/auth/basic/htpasswd.go
+++ b/registry/auth/basic/htpasswd.go
@@ -8,17 +8,22 @@ import (
 "os"
 )
 
+// ErrSHARequired - returned in error field of challenge when the htpasswd was not made using SHA1 algorithm.
+// (SHA1 is considered obsolete but the alternative for htpasswd is MD5, or system crypt...)
 var ErrSHARequired = errors.New("htpasswd file must use SHA (htpasswd -s)")
 
+// HTPasswd - holds a path to a system .htpasswd file and the machinery to parse it.
 type HTPasswd struct {
 path string
 reader *csv.Reader
 }
 
+// NewHTPasswd - Create a new HTPasswd with the given path to .htpasswd file.
 func NewHTPasswd(htpath string) *HTPasswd {
 return &HTPasswd{path: htpath}
 }
 
+// AuthenticateUser - Check a given user:password credential against the receiving HTPasswd's file.
 func (htpasswd *HTPasswd) AuthenticateUser(user string, pwd string) (bool, error) {
 // Hash the credential.