Fixed WWW-Authenticate: header, added example config and import into main, fixed golint warnings
Signed-off-by: Dave Trombley <dave.trombley@gmail.com>
parent
8a204f59e7
commit
0ecaa7f40a
4 changed files with 13 additions and 2 deletions
|
@ -26,6 +26,10 @@ storage:
|
||||||
maintenance:
|
maintenance:
|
||||||
uploadpurging:
|
uploadpurging:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
auth:
|
||||||
|
basic:
|
||||||
|
realm: test-realm
|
||||||
|
path: /tmp/registry-dev/.htpasswd
|
||||||
http:
|
http:
|
||||||
addr: :5000
|
addr: :5000
|
||||||
secret: asecretforlocaldevelopment
|
secret: asecretforlocaldevelopment
|
||||||
|
|
|
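Review bot: The added `auth: basic:` block enables basic auth in an example config whose `http:` section, as far as this hunk shows, sets only `addr: :5000` and `secret`, with no TLS settings, while the basic package's own doc comment in this commit says the method MUST be used under TLS. Over plain HTTP the credentials are readable and replayable by anyone on the network path. Separately, `path: /tmp/registry-dev/.htpasswd` sits under a world-writable directory, so another local user could create the directory or the file before the registry does. A comment beside the block would make the dev-only intent explicit, e.g. `# dev only: configure http.tls before using basic auth, and keep the htpasswd file out of /tmp`.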
@ -18,6 +18,7 @@ import (
|
||||||
"github.com/docker/distribution/configuration"
|
"github.com/docker/distribution/configuration"
|
||||||
"github.com/docker/distribution/context"
|
"github.com/docker/distribution/context"
|
||||||
_ "github.com/docker/distribution/health"
|
_ "github.com/docker/distribution/health"
|
||||||
|
_ "github.com/docker/distribution/registry/auth/basic"
|
||||||
_ "github.com/docker/distribution/registry/auth/silly"
|
_ "github.com/docker/distribution/registry/auth/silly"
|
||||||
_ "github.com/docker/distribution/registry/auth/token"
|
_ "github.com/docker/distribution/registry/auth/token"
|
||||||
"github.com/docker/distribution/registry/handlers"
|
"github.com/docker/distribution/registry/handlers"
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
// system crypt() may be as well.
|
// system crypt() may be as well.
|
||||||
//
|
//
|
||||||
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
|
// This authentication method MUST be used under TLS, as simple token-replay attack is possible.
|
||||||
|
|
||||||
package basic
|
package basic
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -33,7 +32,9 @@ type challenge struct {
|
||||||
|
|
||||||
var _ auth.AccessController = &accessController{}
|
var _ auth.AccessController = &accessController{}
|
||||||
var (
|
var (
|
||||||
|
// ErrPasswordRequired - returned when no auth token is given.
|
||||||
ErrPasswordRequired = errors.New("authorization credential required")
|
ErrPasswordRequired = errors.New("authorization credential required")
|
||||||
|
// ErrInvalidCredential - returned when the auth token does not authenticate correctly.
|
||||||
ErrInvalidCredential = errors.New("invalid authorization credential")
|
ErrInvalidCredential = errors.New("invalid authorization credential")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -98,7 +99,7 @@ func (ac *accessController) Authorized(ctx context.Context, accessRecords ...aut
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
func (ch *challenge) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
header := fmt.Sprintf("Realm realm=%q", ch.realm)
|
header := fmt.Sprintf("Basic realm=%q", ch.realm)
|
||||||
w.Header().Set("WWW-Authenticate", header)
|
w.Header().Set("WWW-Authenticate", header)
|
||||||
w.WriteHeader(http.StatusUnauthorized)
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
}
|
}
|
||||||
|
|
|
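Review bot: In `ServeHTTP`, `fmt.Sprintf("Basic realm=%q", ch.realm)` quotes the realm with Go string-literal rules rather than HTTP quoted-string rules, so a realm containing control or other non-printable characters would go out with Go escapes such as `\n` or `\x..` that clients are not required to understand. The realm presumably comes from operator configuration (the example config in this commit sets `realm: test-realm`), so the exposure is small, but the constraint is undocumented. Either validate the realm where the access controller is constructed (outside these hunks) or state the expectation at the call site, e.g. `// realm must be printable and free of control characters; %q is Go quoting, not RFC 7235 quoted-string`.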
@ -8,17 +8,22 @@ import (
|
||||||
"os"
|
"os"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// ErrSHARequired - returned in error field of challenge when the htpasswd was not made using SHA1 algorithm.
|
||||||
|
// (SHA1 is considered obsolete but the alternative for htpasswd is MD5, or system crypt...)
|
||||||
var ErrSHARequired = errors.New("htpasswd file must use SHA (htpasswd -s)")
|
var ErrSHARequired = errors.New("htpasswd file must use SHA (htpasswd -s)")
|
||||||
|
|
||||||
|
// HTPasswd - holds a path to a system .htpasswd file and the machinery to parse it.
|
||||||
type HTPasswd struct {
|
type HTPasswd struct {
|
||||||
path string
|
path string
|
||||||
reader *csv.Reader
|
reader *csv.Reader
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// NewHTPasswd - Create a new HTPasswd with the given path to .htpasswd file.
|
||||||
func NewHTPasswd(htpath string) *HTPasswd {
|
func NewHTPasswd(htpath string) *HTPasswd {
|
||||||
return &HTPasswd{path: htpath}
|
return &HTPasswd{path: htpath}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// AuthenticateUser - Check a given user:password credential against the receiving HTPasswd's file.
|
||||||
func (htpasswd *HTPasswd) AuthenticateUser(user string, pwd string) (bool, error) {
|
func (htpasswd *HTPasswd) AuthenticateUser(user string, pwd string) (bool, error) {
|
||||||
|
|
||||||
// Hash the credential.
|
// Hash the credential.
|
||||||
|
|
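Review bot: The comment added above `ErrSHARequired` presents MD5 or system crypt as the only alternatives to SHA1, but htpasswd can also write bcrypt entries (`htpasswd -B`), which are salted and deliberately slow. `{SHA}` entries are unsalted SHA-1, so anyone who obtains the .htpasswd file can test guesses cheaply; the comment should say that rather than imply SHA is the best available option, e.g. `// NOTE: {SHA} entries are unsalted SHA-1; prefer bcrypt (htpasswd -B) once this package supports it.` The body of `AuthenticateUser` continues outside the hunk, so how other hash formats are handled there is not visible here.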