Merge pull request #1838 from dmcgowan/search-v2-auth-test

Search v2 auth test
This commit is contained in:
Derek McGowan 2016-07-15 14:27:56 -07:00 committed by GitHub
commit b1ab3bfde5
8 changed files with 100 additions and 5 deletions


@ -18,6 +18,7 @@ nginx:
- "5557:5557" - "5557:5557"
- "5558:5558" - "5558:5558"
- "5559:5559" - "5559:5559"
- "5600:5600"
- "6666:6666" - "6666:6666"
links: links:
- registryv2:registryv2 - registryv2:registryv2
@ -25,6 +26,7 @@ nginx:
- registryv2token:registryv2token - registryv2token:registryv2token
- tokenserver:tokenserver - tokenserver:tokenserver
- registryv2tokenoauth:registryv2tokenoauth - registryv2tokenoauth:registryv2tokenoauth
- registryv2tokenoauthnotls:registryv2tokenoauthnotls
- tokenserveroauth:tokenserveroauth - tokenserveroauth:tokenserveroauth
registryv2: registryv2:
image: golem-distribution:latest image: golem-distribution:latest
@ -53,6 +55,13 @@ registryv2tokenoauth:
- ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert - ./tokenserver-oauth/certs/localregistry.cert:/etc/docker/registry/localregistry.cert
- ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key - ./tokenserver-oauth/certs/localregistry.key:/etc/docker/registry/localregistry.key
- ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem - ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
registryv2tokenoauthnotls:
image: golem-distribution:latest
ports:
- "5000"
volumes:
- ./tokenserver-oauth/registry-config-notls.yml:/etc/docker/registry/config.yml
- ./tokenserver-oauth/certs/signing.cert:/etc/docker/registry/tokenbundle.pem
tokenserveroauth: tokenserveroauth:
build: "tokenserver-oauth" build: "tokenserver-oauth"
command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559" command: "--debug -addr 0.0.0.0:5559 -issuer registry-test -passwd .htpasswd -tlscert tls.cert -tlskey tls.key -key sign.key -realm http://auth.localregistry:5559"
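Review bot: The `ports: - "5000"` stanza on registryv2tokenoauthnotls (L33-34) publishes the plaintext registry on an ephemeral host port, so the no-TLS registry is reachable from the host directly and not only through the nginx TLS terminator on 5600 that the test targets. nginx reaches it through the link at L23 and the upstream name, so `expose: - "5000"` (or simply dropping the ports stanza) keeps it container-only. If the other registry services in this file publish the same way for the harness this is only a consistency nit, but presumably nothing relies on the random host port — worth confirming.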


@ -23,6 +23,7 @@ install_test_certs() {
# For test remove CA # For test remove CA
rm $1/${hostname}:5447/ca.crt rm $1/${hostname}:5447/ca.crt
install_ca $1 5448 install_ca $1 5448
install_ca $1 5600
} }
install_ca_file() { install_ca_file() {
@ -30,6 +31,11 @@ install_ca_file() {
cp $1 $2/ca.crt cp $1 $2/ca.crt
} }
append_ca_file() {
mkdir -p $2
cat $1 >> $2/ca.crt
}
install_test_certs $installdir install_test_certs $installdir
# Malevolent server # Malevolent server
@ -40,4 +46,5 @@ install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5554
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5555
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5557
install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558 install_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5558
append_ca_file ./tokenserver/certs/ca.pem $installdir/$hostname:5600
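Review bot: `append_ca_file` (L54-57) is neither idempotent nor newline-safe: re-running the installer appends the token-server CA to the 5600 bundle a second time, and if the PEM written by `install_ca $1 5600` (L48) does not end in a newline the `-----END CERTIFICATE-----` and the following `-----BEGIN CERTIFICATE-----` end up on one line and the bundle no longer parses. The newline case is a one-line fix, `{ echo; cat $1; } >> $2/ca.crt`; idempotence is easiest to get by building the 5600 bundle in a single redirection from both CA files rather than cp-then-append, but the path install_ca copies from is outside this hunk so I have not written that out. install_test_certs itself starts before the first hunk.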


@ -7,3 +7,4 @@ COPY registry-noauth.conf /etc/nginx/registry-noauth.conf
COPY registry-basic.conf /etc/nginx/registry-basic.conf COPY registry-basic.conf /etc/nginx/registry-basic.conf
COPY test.passwd /etc/nginx/test.passwd COPY test.passwd /etc/nginx/test.passwd
COPY ssl /etc/nginx/ssl COPY ssl /etc/nginx/ssl
COPY v1 /var/www/html/v1


@ -219,3 +219,42 @@ server {
include registry-noauth.conf; include registry-noauth.conf;
} }
# V1 search test
# Registry configured with token auth and no tls
# TLS termination done by nginx, search results
# served by nginx
upstream docker-registry-v2-oauth {
server registryv2tokenoauthnotls:5000;
}
server {
listen 5600;
server_name localregistry;
ssl on;
ssl_certificate /etc/nginx/ssl/registry-ca+localregistry-cert.pem;
ssl_certificate_key /etc/nginx/ssl/registry-ca+localregistry-key.pem;
root /var/www/html;
client_max_body_size 0;
chunked_transfer_encoding on;
location /v2/ {
proxy_buffering off;
proxy_pass http://docker-registry-v2-oauth;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
}
location /v1/search {
if ($http_authorization !~ "Bearer [a-zA-Z0-9\._-]+") {
return 401;
}
try_files /v1/search.json =404;
add_header Content-Type application/json;
}
}
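Review bot: The gate on `/v1/search` (L105-107) only checks that the Authorization header contains something shaped like a bearer token — the regex is unanchored and the token is never checked against the signing CA, so `Bearer x` passes; fine for a fixture, but it should say so, e.g. `# Test stub: accepts any bearer-shaped token without verifying it; the real check is done by the registry behind /v2/`. The `return 401` also carries no `WWW-Authenticate` challenge, so a client that hits /v1/search first cannot discover the realm; the test presumably relies on the /v2/ ping to obtain the token, which is worth stating in the same comment. Separately, `add_header Content-Type application/json;` (L109) adds a header rather than replacing the one nginx derives from the file's mime type, so the response can carry two Content-Type headers if mime.types is included by the base config; `default_type application/json;` inside the location avoids that.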


@ -0,0 +1 @@
{"num_pages":1,"num_results":2,"page":1,"page_size": 25,"query":"testsearch","results":[{"description":"","is_automated":false,"is_official":false,"is_trusted":false, "name":"dmcgowan/testsearch-1","star_count":1000},{"description":"Some automated build","is_automated":true,"is_official":false,"is_trusted":false,"name":"dmcgowan/testsearch-2","star_count":10}]}


@ -117,3 +117,19 @@ base="hello-world"
run docker_t push $image run docker_t push $image
[ "$status" -ne 0 ] [ "$status" -ne 0 ]
} }
@test "Test oauth with v1 search" {
version_check docker "$GOLEM_DIND_VERSION" "1.12.0"
run docker_t search localregistry:5600/testsearch
[ "$status" -ne 0 ]
login_oauth localregistry:5600
run docker_t search localregistry:5600/testsearch
echo $output
[ "$status" -eq 0 ]
echo $output | grep "testsearch-1"
echo $output | grep "testsearch-2"
}
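Review bot: The negative case at L126-127 only asserts that `docker search` fails before login, so a wrong port, DNS or TLS problem satisfies it for the wrong reason and the test then fails later at L131 with a misleading message. Grepping the output for the authorization failure pins the precondition, e.g. `echo $output | grep -i "unauthorized"` after L127; the exact wording depends on the client version pinned at L125, so confirm it against 1.12. Quoting `"$output"` on L130 and L132-133 would also keep the output from being word-split, though grep still works on the joined text.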


@ -0,0 +1,15 @@
version: 0.1
loglevel: debug
storage:
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /tmp/registry-dev
http:
addr: 0.0.0.0:5000
auth:
token:
realm: "https://auth.localregistry:5559/token/"
issuer: "registry-test"
service: "registry-test"
rootcertbundle: "/etc/docker/registry/tokenbundle.pem"
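Review bot: registry-config-notls.yml carries no comment explaining how it differs from the TLS-enabled oauth config, which a reader comparing the two will need: the http: block at L146-147 deliberately has no tls: section because nginx terminates TLS on 5600 and forwards to this registry over plain HTTP. A header comment such as `# Token-auth registry without TLS: only reachable through the nginx TLS terminator on 5600, which sets X-Forwarded-Proto (presumably so the registry still builds https URLs)` would capture that. Note also that the realm here is `https://auth.localregistry:5559/token/` while the token server is started with `-realm http://auth.localregistry:5559` in docker-compose; if the existing TLS oauth config uses the same pair this is pre-existing, otherwise worth aligning.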


@ -163,14 +163,21 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
} }
grantedAccessList := make([]auth.Access, 0, len(requestedAccessList)) grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
for _, access := range requestedAccessList { for _, access := range requestedAccessList {
if access.Type != "repository" { if access.Type == "repository" {
context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
continue
}
if !strings.HasPrefix(access.Name, scope) { if !strings.HasPrefix(access.Name, scope) {
context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name) context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
continue continue
} }
} else if access.Type == "registry" {
if access.Name != "catalog" {
context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
continue
}
// TODO: Limit some actions to "admin" users
} else {
context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
continue
}
grantedAccessList = append(grantedAccessList, access) grantedAccessList = append(grantedAccessList, access)
} }
return grantedAccessList return grantedAccessList
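Review bot: The new `registry` branch (L169-174) grants `registry:catalog` with whatever actions were requested to every caller regardless of `scope`, whereas the `repository` branch still enforces the `strings.HasPrefix(access.Name, scope)` restriction (L165); a user confined to one namespace therefore receives a token that can enumerate every repository. For a test token server that may be the intended fixture behaviour (the search test needs a catalog scope), but the TODO at L174 only talks about limiting actions, so the comment should state the grant explicitly: `// Catalog access is granted to every authenticated user regardless of scope; the v1 search test relies on this.` If per-user scoping is meant to apply here as well, the check would need to know which users are unrestricted, which the plain prefix-string `scope` parameter does not convey. filterAccessList starts before this hunk.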