forked from TrueCloudLab/distribution
Merge pull request #1838 from dmcgowan/search-v2-auth-test
Search v2 auth test
commit
b1ab3bfde5
8 changed files with 100 additions and 5 deletions
|
@ -18,6 +18,7 @@ nginx:
|
||||||
- "5557:5557"
|
- "5557:5557"
|
||||||
- "5558:5558"
|
- "5558:5558"
|
||||||
- "5559:5559"
|
- "5559:5559"
|
||||||
|
- "5600:5600"
|
||||||
- "6666:6666"
|
- "6666:6666"
|
||||||
links:
|
links:
|
||||||
- registryv2:registryv2
|
- registryv2:registryv2
|
||||||
|
@ -25,6 +26,7 @@ nginx:
|
||||||
- registryv2token:registryv2token
|
- registryv2token:registryv2token
|
||||||
- tokenserver:tokenserver
|
- tokenserver:tokenserver
|
||||||
- registryv2tokenoauth:registryv2tokenoauth
|
- registryv2tokenoauth:registryv2tokenoauth
|
||||||
|
- registryv2tokenoauthnotls:registryv2tokenoauthnotls
|
||||||
- tokenserveroauth:tokenserveroauth
|
- tokenserveroauth:tokenserveroauth
|
||||||
registryv2:
|
registryv2:
|
||||||
image: golem-distribution:latest
|
image: golem-distribution:latest
|
||||||
|
@ -53,6 +55,13 @@ registryv2tokenoauth:
|
||||||
- ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
|
- ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
|
||||||
- ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
|
- ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
|
||||||
- ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
|
- ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
|
||||||
|
registryv2tokenoauthnotls:
|
||||||
|
image: golem-distribution:latest
|
||||||
|
ports:
|
||||||
|
- "5000"
|
||||||
|
volumes:
|
||||||
|
- ./tokenserver-oauth/registry-config-notls.yml:/etc/docker/registry/config.yml
|
||||||
|
- ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
|
||||||
tokenserveroauth:
|
tokenserveroauth:
|
||||||
build: "tokenserver-oauth"
|
build: "tokenserver-oauth"
|
||||||
command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559"
|
command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559"
|
||||||
|
|
|
@ -23,6 +23,7 @@ install_test_certs() {
|
||||||
# For test remove CA
|
# For test remove CA
|
||||||
rm $1/${hostname}:5447/ca.crt
|
rm $1/${hostname}:5447/ca.crt
|
||||||
install_ca $1 5448
|
install_ca $1 5448
|
||||||
|
install_ca $1 5600
|
||||||
}
|
}
|
||||||
|
|
||||||
install_ca_file() {
|
install_ca_file() {
|
||||||
|
@ -30,6 +31,11 @@ install_ca_file() {
|
||||||
cp $1 $2/ca.crt
|
cp $1 $2/ca.crt
|
||||||
}
|
}
|
||||||
|
|
||||||
|
append_ca_file() {
|
||||||
|
mkdir -p $2
|
||||||
|
cat $1 >> $2/ca.crt
|
||||||
|
}
|
||||||
|
|
||||||
install_test_certs $installdir
|
install_test_certs $installdir
|
||||||
|
|
||||||
# Malevolent server
|
# Malevolent server
|
||||||
|
@ -40,4 +46,5 @@ install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5554
|
||||||
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
|
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
|
||||||
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
|
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
|
||||||
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
|
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
|
||||||
|
append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600
|
||||||
|
|
||||||
|
|
|
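Review bot: `append_ca_file` in the `@ -30,6 +31,11` hunk is not idempotent: `cat $1 >> $2/ca.crt` appends the token-server CA to the port-5600 trust file on every run, so repeated invocations accumulate duplicate certificates unless `install_ca $1 5600` in the first hunk rewrites that file beforehand, which is not visible here. A one-line guard keeps it safe to re-run, e.g. `grep -qf "$1" "$2/ca.crt" 2>/dev/null || cat "$1" >> "$2/ca.crt"`, or the 5600 bundle could be written in one step by concatenating both CA files instead of appending. The unquoted `$1`/`$2` match the existing `install_ca_file`, but `mkdir -p "$2"` would be the safer form for a function that creates directories from its arguments.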
@ -7,3 +7,4 @@ COPY registry-noauth.conf /etc/nginx/registry-noauth.conf
|
||||||
COPY registry-basic.conf /etc/nginx/registry-basic.conf
|
COPY registry-basic.conf /etc/nginx/registry-basic.conf
|
||||||
COPY test.passwd /etc/nginx/test.passwd
|
COPY test.passwd /etc/nginx/test.passwd
|
||||||
COPY ssl /etc/nginx/ssl
|
COPY ssl /etc/nginx/ssl
|
||||||
|
COPY v1 /var/www/html/v1
|
||||||
|
|
|
@ -219,3 +219,42 @@ server {
|
||||||
include registry-noauth.conf;
|
include registry-noauth.conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# V1 search test
|
||||||
|
# Registry configured with token auth and no tls
|
||||||
|
# TLS termination done by nginx, search results
|
||||||
|
# served by nginx
|
||||||
|
|
||||||
|
upstream docker-registry-v2-oauth {
|
||||||
|
server registryv2tokenoauthnotls:5000;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 5600;
|
||||||
|
server_name localregistry;
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
|
||||||
|
|
||||||
|
root /var/www/html;
|
||||||
|
|
||||||
|
client_max_body_size 0;
|
||||||
|
chunked_transfer_encoding on;
|
||||||
|
location /v2/ {
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_pass http://docker-registry-v2-oauth;
|
||||||
|
proxy_set_header Host $http_host; # required for docker client's sake
|
||||||
|
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_read_timeout 900;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /v1/search {
|
||||||
|
if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
|
||||||
|
return 401;
|
||||||
|
}
|
||||||
|
try_files /v1/search.json =404;
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
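Review bot: The `if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+")` test in `location /v1/search` is unanchored and only checks the header's shape, so any value that merely contains a Bearer-like substring is accepted; for a fixture that is acceptable, but anchoring it, `if ($http_authorization !~ "^Bearer [A-Za-z0-9._-]+")`, makes the intent explicit and documents that the token is never validated here. The `return 401` carries no `WWW-Authenticate` challenge, so a client can only learn the realm from the proxied `/v2/` endpoint above — worth a comment if that is the intended flow. `ssl on;` is the deprecated form of `listen 5600 ssl;`, and `add_header Content-Type application/json;` adds a second Content-Type header rather than replacing the one nginx derives from the `.json` extension, so it is likely redundant.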
1
contrib/docker-integration/nginx/v1/search.json
Normal file
|
@ -0,0 +1 @@
|
||||||
|
{"num_pages":1,"num_results":2,"page":1,"page_size": 25,"query":"testsearch","results":[{"description":"","is_automated":false,"is_official":false,"is_trusted":false, "name":"dmcgowan/testsearch-1","star_count":1000},{"description":"Some automated build","is_automated":true,"is_official":false,"is_trusted":false,"name":"dmcgowan/testsearch-2","star_count":10}]}
|
|
@ -117,3 +117,19 @@ base="hello-world"
|
||||||
run docker_t push $image
|
run docker_t push $image
|
||||||
[ "$status" -ne 0 ]
|
[ "$status" -ne 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "Test oauth with v1 search" {
|
||||||
|
version_check docker "$GOLEM_DIND_VERSION" "1.12.0"
|
||||||
|
|
||||||
|
run docker_t search localregistry:5600/testsearch
|
||||||
|
[ "$status" -ne 0 ]
|
||||||
|
|
||||||
|
login_oauth localregistry:5600
|
||||||
|
|
||||||
|
run docker_t search localregistry:5600/testsearch
|
||||||
|
echo $output
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
|
echo $output | grep "testsearch-1"
|
||||||
|
echo $output | grep "testsearch-2"
|
||||||
|
}
|
||||||
|
|
|
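Review bot: `echo $output | grep "testsearch-1"` and the `testsearch-2` line expand `$output` unquoted, so it is word-split and glob-expanded before reaching grep; `echo "$output" | grep -q "testsearch-1"` keeps the output intact. The pre-login `[ "$status" -ne 0 ]` only proves that `search` failed, not that it failed for lack of credentials — matching `$output` against the unauthorized message would pin the cause the test is meant to cover. The bare `echo $output` before the status check looks like leftover debugging output.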
@ -0,0 +1,15 @@
|
||||||
|
version: 0.1
|
||||||
|
loglevel: debug
|
||||||
|
storage:
|
||||||
|
cache:
|
||||||
|
blobdescriptor: inmemory
|
||||||
|
filesystem:
|
||||||
|
rootdirectory: /tmp/registry-dev
|
||||||
|
http:
|
||||||
|
addr: 0.0.0.0:5000
|
||||||
|
auth:
|
||||||
|
token:
|
||||||
|
realm: "https://auth.localregistry:5559/token/"
|
||||||
|
issuer: "registry-test"
|
||||||
|
service: "registry-test"
|
||||||
|
rootcertbundle: "/etc/docker/registry/tokenbundle.pem"
|
|
@ -163,14 +163,21 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
|
||||||
}
|
}
|
||||||
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
|
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
|
||||||
for _, access := range requestedAccessList {
|
for _, access := range requestedAccessList {
|
||||||
if access.Type != "repository" {
|
if access.Type == "repository" {
|
||||||
context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if !strings.HasPrefix(access.Name, scope) {
|
if !strings.HasPrefix(access.Name, scope) {
|
||||||
context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
|
context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
} else if access.Type == "registry" {
|
||||||
|
if access.Name != "catalog" {
|
||||||
|
context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
// TODO: Limit some actions to "admin" users
|
||||||
|
} else {
|
||||||
|
context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
|
||||||
|
continue
|
||||||
|
}
|
||||||
grantedAccessList = append(grantedAccessList, access)
|
grantedAccessList = append(grantedAccessList, access)
|
||||||
}
|
}
|
||||||
return grantedAccessList
|
return grantedAccessList
|
||||||
|
|
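Review bot: The new `else if access.Type == "registry"` branch grants the `catalog` resource to every authenticated user with whatever action the client requested, since only `access.Type` and `access.Name` are inspected before the `append`; the `// TODO: Limit some actions to "admin" users` comment acknowledges this, but for a token server that is the authorization boundary it is worth at least logging the granted action alongside the name, `context.GetLogger(ctx).Debugf("Granting registry resource: %s", access.Name)`. The repository branch keeps the unchanged `strings.HasPrefix(access.Name, scope)` check, which treats `scope` as a bare prefix rather than a path component. `filterAccessList` closes outside this hunk.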