fix(authz): assign identity to authz context in tls mutual authentication (#1541)

this causes a bug in extensions by not having the identity for the
authenticated user and couldn't apply his permissions, just the default ones.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>

pkg/api/authz.go

@@ -279,6 +279,9 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 
 						return
 					}
+
+					// assign identity to authz context, needed for extensions
+					acCtx.Username = identity
 				}
 			}
 

pkg/api/controller_test.go

@@ -1370,11 +1370,22 @@ func TestMutualTLSAuthWithUserPermissions(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
 
+		resp, err = resty.R().Get(secureBaseURL + "/v2/_catalog")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
 		// with creds, should get expected status code
 		resp, _ = resty.R().Get(secureBaseURL)
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
 
+		// reading a repo should not get 403
+		resp, err = resty.R().Get(secureBaseURL + "/v2/repo/tags/list")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
+
 		// without creds, writes should fail
 		resp, err = resty.R().Post(secureBaseURL + "/v2/repo/blobs/uploads/")
 		So(err, ShouldBeNil)