zot-wo-auth/pkg/api/authz.go

package api

import (
	"context"
	"encoding/base64"
	"net/http"
	"strings"
	"time"

	glob "github.com/bmatcuk/doublestar/v4"
	"github.com/gorilla/mux"
	"zotregistry.io/zot/pkg/api/config"
	"zotregistry.io/zot/pkg/common"
	"zotregistry.io/zot/pkg/log"
)

type contextKey int

const (
	// actions.
	CREATE = "create"
	READ   = "read"
	UPDATE = "update"
	DELETE = "delete"

	// request-local context key.
	authzCtxKey contextKey = 0
)

// AccessController authorizes users to act on resources.
type AccessController struct {
	Config *config.AccessControlConfig
	Log    log.Logger
}

// AccessControlContext context passed down to http.Handlers.
type AccessControlContext struct {
	globPatterns map[string]bool
	isAdmin      bool
}

func NewAccessController(config *config.Config) *AccessController {
	return &AccessController{
		Config: config.AccessControl,
		Log:    log.NewLogger(config.Log.Level, config.Log.Output),
	}
}

// getReadRepos get glob patterns from config file that the user has or doesn't have READ perms.
// used to filter /v2/_catalog repositories based on user rights.
func (ac *AccessController) getReadGlobPatterns(username string) map[string]bool {
	globPatterns := make(map[string]bool)

	for pattern, policyGroup := range ac.Config.Repositories {
		// check default policy
		if common.Contains(policyGroup.DefaultPolicy, READ) {
			globPatterns[pattern] = true
		}
		// check user based policy
		for _, p := range policyGroup.Policies {
			if common.Contains(p.Users, username) && common.Contains(p.Actions, READ) {
				globPatterns[pattern] = true
			}
		}

		// if not allowed then mark it
		if _, ok := globPatterns[pattern]; !ok {
			globPatterns[pattern] = false
		}
	}

	return globPatterns
}

// can verifies if a user can do action on repository.
func (ac *AccessController) can(username, action, repository string) bool {
	can := false

	var longestMatchedPattern string

	for pattern := range ac.Config.Repositories {
		matched, err := glob.Match(pattern, repository)
		if err == nil {
			if matched && len(pattern) > len(longestMatchedPattern) {
				longestMatchedPattern = pattern
			}
		}
	}

	// check matched repo based policy
	pg, ok := ac.Config.Repositories[longestMatchedPattern]
	if ok {
		can = isPermitted(username, action, pg)
	}

	// check admins based policy
	if !can {
		if ac.isAdmin(username) && common.Contains(ac.Config.AdminPolicy.Actions, action) {
			can = true
		}
	}

	return can
}

// isAdmin .
func (ac *AccessController) isAdmin(username string) bool {
	return common.Contains(ac.Config.AdminPolicy.Users, username)
}

// getContext builds ac context(allowed to read repos and if user is admin) and returns it.
func (ac *AccessController) getContext(username string, request *http.Request) context.Context {
	readGlobPatterns := ac.getReadGlobPatterns(username)
	acCtx := AccessControlContext{globPatterns: readGlobPatterns}

	if ac.isAdmin(username) {
		acCtx.isAdmin = true
	} else {
		acCtx.isAdmin = false
	}

	ctx := context.WithValue(request.Context(), authzCtxKey, acCtx)

	return ctx
}

// isPermitted returns true if username can do action on a repository policy.
func isPermitted(username, action string, policyGroup config.PolicyGroup) bool {
	var result bool
	// check repo/system based policies
	for _, p := range policyGroup.Policies {
		if common.Contains(p.Users, username) && common.Contains(p.Actions, action) {
			result = true

			break
		}
	}

	// check defaultPolicy
	if !result {
		if common.Contains(policyGroup.DefaultPolicy, action) {
			result = true
		}
	}

	return result
}

// returns either a user has or not rights on 'repository'.
func matchesRepo(globPatterns map[string]bool, repository string) bool {
	var longestMatchedPattern string

	// because of the longest path matching rule, we need to check all patterns from config
	for pattern := range globPatterns {
		matched, err := glob.Match(pattern, repository)
		if err == nil {
			if matched && len(pattern) > len(longestMatchedPattern) {
				longestMatchedPattern = pattern
			}
		}
	}

	allowed := globPatterns[longestMatchedPattern]

	return allowed
}

func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
			vars := mux.Vars(request)
			resource := vars["name"]
			reference, ok := vars["reference"]

			// bypass authz for /v2/ route
			if request.RequestURI == "/v2/" {
				next.ServeHTTP(response, request)

				return
			}

			acCtrlr := NewAccessController(ctlr.Config)
			username := getUsername(request)
			ctx := acCtrlr.getContext(username, request)

			// will return only repos on which client is authorized to read
			if request.RequestURI == "/v2/_catalog" {
				next.ServeHTTP(response, request.WithContext(ctx))

				return
			}

			var action string
			if request.Method == http.MethodGet || request.Method == http.MethodHead {
				action = READ
			}

			if request.Method == http.MethodPut || request.Method == http.MethodPatch || request.Method == http.MethodPost {
				// assume user wants to create
				action = CREATE
				// if we get a reference (tag)
				if ok {
					is := ctlr.StoreController.GetImageStore(resource)
					tags, err := is.GetImageTags(resource)
					// if repo exists and request's tag doesn't exist yet then action is UPDATE
					if err == nil && common.Contains(tags, reference) && reference != "latest" {
						action = UPDATE
					}
				}
			}

			if request.Method == http.MethodDelete {
				action = DELETE
			}

			can := acCtrlr.can(username, action, resource)
			if !can {
				authzFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
			} else {
				next.ServeHTTP(response, request.WithContext(ctx))
			}
		})
	}
}

func getUsername(r *http.Request) string {
	// this should work because it was already parsed in authn middleware
	basicAuth := r.Header.Get("Authorization")
	s := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd
	b, _ := base64.StdEncoding.DecodeString(s[1])
	pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd

	return pair[0]
}

func authzFail(w http.ResponseWriter, realm string, delay int) {
	time.Sleep(time.Duration(delay) * time.Second)
	w.Header().Set("WWW-Authenticate", realm)
	w.Header().Set("Content-Type", "application/json")
	WriteJSON(w, http.StatusForbidden, NewErrorList(NewError(DENIED)))
}
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`package api`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"net/http"`
			`"strings"`
			`"time"`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`glob "github.com/bmatcuk/doublestar/v4"`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`"github.com/gorilla/mux"`
move references to zotregistry.io and project-zot Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-04 03:50:58 +00:00			`"zotregistry.io/zot/pkg/api/config"`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`"zotregistry.io/zot/pkg/common"`
move references to zotregistry.io and project-zot Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-04 03:50:58 +00:00			`"zotregistry.io/zot/pkg/log"`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`)`

			`type contextKey int`

			`const (`
authn: serialize ldap authn calls Some LDAP servers are not MT-safe in that when searches happen with binds in flight leads to errors such as: "comment: No other operations may be performed on the connection while a bind is outstanding" Add goroutine-id in logs to help debug MT bugs. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-09-18 00:00:59 +00:00			`// actions.`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`CREATE = "create"`
			`READ = "read"`
			`UPDATE = "update"`
			`DELETE = "delete"`

authn: serialize ldap authn calls Some LDAP servers are not MT-safe in that when searches happen with binds in flight leads to errors such as: "comment: No other operations may be performed on the connection while a bind is outstanding" Add goroutine-id in logs to help debug MT bugs. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-09-18 00:00:59 +00:00			`// request-local context key.`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`authzCtxKey contextKey = 0`
			`)`

			`// AccessController authorizes users to act on resources.`
			`type AccessController struct {`
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-06-08 23:11:18 +03:00			`Config *config.AccessControlConfig`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`Log log.Logger`
			`}`

			`// AccessControlContext context passed down to http.Handlers.`
			`type AccessControlContext struct {`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`globPatterns map[string]bool`
			`isAdmin bool`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`

Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-06-08 23:11:18 +03:00			`func NewAccessController(config config.Config) AccessController {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`return &AccessController{`
			`Config: config.AccessControl,`
			`Log: log.NewLogger(config.Log.Level, config.Log.Output),`
			`}`
			`}`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`// getReadRepos get glob patterns from config file that the user has or doesn't have READ perms.`
			`// used to filter /v2/_catalog repositories based on user rights.`
			`func (ac *AccessController) getReadGlobPatterns(username string) map[string]bool {`
			`globPatterns := make(map[string]bool)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`for pattern, policyGroup := range ac.Config.Repositories {`
			`// check default policy`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if common.Contains(policyGroup.DefaultPolicy, READ) {`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`globPatterns[pattern] = true`
			`}`
			`// check user based policy`
			`for _, p := range policyGroup.Policies {`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if common.Contains(p.Users, username) && common.Contains(p.Actions, READ) {`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`globPatterns[pattern] = true`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`
			`}`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00
			`// if not allowed then mark it`
			`if _, ok := globPatterns[pattern]; !ok {`
			`globPatterns[pattern] = false`
			`}`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`return globPatterns`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`

			`// can verifies if a user can do action on repository.`
			`func (ac *AccessController) can(username, action, repository string) bool {`
			`can := false`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00
			`var longestMatchedPattern string`

			`for pattern := range ac.Config.Repositories {`
			`matched, err := glob.Match(pattern, repository)`
			`if err == nil {`
			`if matched && len(pattern) > len(longestMatchedPattern) {`
			`longestMatchedPattern = pattern`
			`}`
			`}`
			`}`

			`// check matched repo based policy`
			`pg, ok := ac.Config.Repositories[longestMatchedPattern]`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`if ok {`
			`can = isPermitted(username, action, pg)`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`// check admins based policy`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`if !can {`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if ac.isAdmin(username) && common.Contains(ac.Config.AdminPolicy.Actions, action) {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`can = true`
			`}`
			`}`

			`return can`
			`}`

			`// isAdmin .`
			`func (ac *AccessController) isAdmin(username string) bool {`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`return common.Contains(ac.Config.AdminPolicy.Users, username)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`

			`// getContext builds ac context(allowed to read repos and if user is admin) and returns it.`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`func (ac AccessController) getContext(username string, request http.Request) context.Context {`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`readGlobPatterns := ac.getReadGlobPatterns(username)`
			`acCtx := AccessControlContext{globPatterns: readGlobPatterns}`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00
			`if ac.isAdmin(username) {`
			`acCtx.isAdmin = true`
			`} else {`
			`acCtx.isAdmin = false`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`ctx := context.WithValue(request.Context(), authzCtxKey, acCtx)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00
			`return ctx`
			`}`

			`// isPermitted returns true if username can do action on a repository policy.`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`func isPermitted(username, action string, policyGroup config.PolicyGroup) bool {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`var result bool`
			`// check repo/system based policies`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`for _, p := range policyGroup.Policies {`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if common.Contains(p.Users, username) && common.Contains(p.Actions, action) {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`result = true`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`break`
			`}`
			`}`

			`// check defaultPolicy`
			`if !result {`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if common.Contains(policyGroup.DefaultPolicy, action) {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`result = true`
			`}`
			`}`

			`return result`
			`}`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`// returns either a user has or not rights on 'repository'.`
			`func matchesRepo(globPatterns map[string]bool, repository string) bool {`
			`var longestMatchedPattern string`

			`// because of the longest path matching rule, we need to check all patterns from config`
			`for pattern := range globPatterns {`
			`matched, err := glob.Match(pattern, repository)`
			`if err == nil {`
			`if matched && len(pattern) > len(longestMatchedPattern) {`
			`longestMatchedPattern = pattern`
			`}`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`
			`}`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`allowed := globPatterns[longestMatchedPattern]`

			`return allowed`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`return func(next http.Handler) http.Handler {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {`
			`vars := mux.Vars(request)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`resource := vars["name"]`
			`reference, ok := vars["reference"]`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`// bypass authz for /v2/ route`
			`if request.RequestURI == "/v2/" {`
			`next.ServeHTTP(response, request)`

			`return`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`acCtrlr := NewAccessController(ctlr.Config)`
			`username := getUsername(request)`
			`ctx := acCtrlr.getContext(username, request)`

[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`// will return only repos on which client is authorized to read`
			`if request.RequestURI == "/v2/_catalog" {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`next.ServeHTTP(response, request.WithContext(ctx))`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00
			`return`
			`}`

			`var action string`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`if request.Method == http.MethodGet \|\| request.Method == http.MethodHead {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`action = READ`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`if request.Method == http.MethodPut \|\| request.Method == http.MethodPatch \|\| request.Method == http.MethodPost {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`// assume user wants to create`
			`action = CREATE`
			`// if we get a reference (tag)`
			`if ok {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`is := ctlr.StoreController.GetImageStore(resource)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`tags, err := is.GetImageTags(resource)`
			`// if repo exists and request's tag doesn't exist yet then action is UPDATE`
sync: for a prefix, allow multiple registries as a list instead of only one, closes #343 Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-12-29 17:14:56 +02:00			`if err == nil && common.Contains(tags, reference) && reference != "latest" {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`action = UPDATE`
			`}`
			`}`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`if request.Method == http.MethodDelete {`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`action = DELETE`
			`}`

lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`can := acCtrlr.can(username, action, resource)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`if !can {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`authzFail(response, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`} else {`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`next.ServeHTTP(response, request.WithContext(ctx))`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`}`
			`})`
			`}`
			`}`

			`func getUsername(r *http.Request) string {`
[Identity-based Authorization] Add an option to specify a global policy for all repositories using regex. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> 2021-09-10 18:23:26 +03:00			`// this should work because it was already parsed in authn middleware`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`basicAuth := r.Header.Get("Authorization")`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`s := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00			`b, _ := base64.StdEncoding.DecodeString(s[1])`
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com> 2021-12-13 19:23:31 +00:00			`pair := strings.SplitN(string(b), ":", 2) //nolint:gomnd`
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity 2021-05-13 21:59:12 +03:00
			`return pair[0]`
			`}`

			`func authzFail(w http.ResponseWriter, realm string, delay int) {`
			`time.Sleep(time.Duration(delay) * time.Second)`
			`w.Header().Set("WWW-Authenticate", realm)`
			`w.Header().Set("Content-Type", "application/json")`
			`WriteJSON(w, http.StatusForbidden, NewErrorList(NewError(DENIED)))`
			`}`