

Extend oidc_cli security context generator to include calls to the v2…
… API, remove idtoken security context generator, rename and consolidate tests and names accordingly
Fittkau Luis committed Aug 14, 2024
1 parent ccceacf commit db95c7f
Showing 5 changed files with 38 additions and 134 deletions.
69 changes: 0 additions & 69 deletions src/server/middleware/security/idtoken.go

This file was deleted.

50 changes: 0 additions & 50 deletions src/server/middleware/security/idtoken_test.go

This file was deleted.

Expand Up @@ -43,9 +43,9 @@ var (
uctl = user.Ctl
)

type oidcCli struct{}
type oidcCliOrAPI struct{}

func (o *oidcCli) Generate(req *http.Request) security.Context {
func (o *oidcCliOrAPI) Generate(req *http.Request) security.Context {
ctx := req.Context()
if lib.GetAuthMode(ctx) != common.OIDCAuth {
return nil
Expand Down Expand Up @@ -78,7 +78,7 @@ func (o *oidcCli) Generate(req *http.Request) security.Context {
return local.NewSecurityContext(u)
}

func (o *oidcCli) valid(req *http.Request) bool {
func (o *oidcCliOrAPI) valid(req *http.Request) bool {
path := strings.TrimSuffix(req.URL.Path, "/")

if path == "/service/token" ||
Expand All @@ -104,5 +104,10 @@ func (o *oidcCli) valid(req *http.Request) bool {
if req.Method == http.MethodDelete && tagsAPIRe.MatchString(path) { // deleting tags
return true
}

// The request was sent to the v2 API directly
if strings.HasPrefix(req.URL.Path, "/api") || req.URL.Path == "/service/token" {
return true
}
return false
}
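Review bot: The catch-all added at `if strings.HasPrefix(req.URL.Path, "/api") || ...` matches any path that merely begins with `/api` (so `/apifoo` would qualify) and tests the raw `req.URL.Path` while the rest of `valid` works on the trailing-slash-trimmed `path` computed at its top; `if strings.HasPrefix(path, "/api/") { return true }` is tighter and consistent. The `req.URL.Path == "/service/token"` half duplicates the `path == "/service/token"` check earlier in the function and can go. The visible per-endpoint checks (e.g. the `tagsAPIRe` delete case) also appear to target `/api/...` paths, so they are likely unreachable once this catch-all exists; either remove them or leave a comment saying the CLI secret is now deliberately accepted for every API call instead of the former allowlist, since that is a widening of what the secret authorizes. `valid` starts in the previous hunk and the lines between the two hunks are not visible here.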
Expand Up @@ -31,17 +31,12 @@ import (
)

func TestOIDCCli(t *testing.T) {
oidcCli := &oidcCli{}
// not the candidate request
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/api/v2.0/users/", nil)
require.Nil(t, err)
ctx := oidcCli.Generate(req)
assert.Nil(t, ctx)
oc := &oidcCliOrAPI{}

// the auth mode isn't OIDC
req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token", nil)
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token", nil)
require.Nil(t, err)
ctx = oidcCli.Generate(req)
ctx := oc.Generate(req)
assert.Nil(t, ctx)

// pass
Expand All @@ -57,12 +52,12 @@ func TestOIDCCli(t *testing.T) {
oidc.SetHardcodeVerifierForTest(password)
req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
req.SetBasicAuth(username, password)
ctx = oidcCli.Generate(req)
ctx = oc.Generate(req)
assert.NotNil(t, ctx)
}

func TestOIDCCliValid(t *testing.T) {
oc := &oidcCli{}
oc := &oidcCliOrAPI{}
req1, _ := http.NewRequest(http.MethodPost, "https://test.goharbor.io/api/v2.0/projects", nil)
req2, _ := http.NewRequest(http.MethodGet, "https://test.goharbor.io/api/v2.0/projects?name=test", nil)
req3, _ := http.NewRequest(http.MethodGet, "https://test.goharbor.io/api/v2.0/projects/library/repositories/", nil)
Expand Down Expand Up @@ -97,3 +92,27 @@ func TestOIDCCliValid(t *testing.T) {
}

}

func TestOIDCAPI(t *testing.T) {
oc := &oidcCliOrAPI{}

// not the OIDC mode
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/api/projects/", nil)
require.Nil(t, err)
ctx := oc.Generate(req)
assert.Nil(t, ctx)

// contains no authorization header
req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/api/projects/", nil)
require.Nil(t, err)
req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
ctx = oc.Generate(req)
assert.Nil(t, ctx)

// contains no authorization header
req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token?service=harbor-registry&scope=repository:foo/bar:pull", nil)
require.Nil(t, err)
req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
ctx = oc.Generate(req)
assert.Nil(t, ctx)
}
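Review bot: `TestOIDCAPI` has no negative case for a path outside the newly accepted set: after the `// not the candidate request` check was dropped from `TestOIDCCli`, nothing pins that an OIDC-mode request with basic credentials to, say, `/c/oidc/login` or `/v2/library/foo/manifests/latest` still yields a nil context from `Generate`. Adding such a case, plus a positive one for an `/api/v2.0/...` path using `oidc.SetHardcodeVerifierForTest` as the `// pass` case does, would exercise the widened `valid` directly. The comment on the third case repeats `// contains no authorization header`; `// /service/token without credentials` says what differs. Whether the `// pass` case's request targets `/service/token` or another path is set in lines outside this hunk.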
3 changes: 1 addition & 2 deletions src/server/middleware/security/security.go
Expand Up @@ -27,9 +27,8 @@ import (
var (
generators = []generator{
&secret{},
&oidcCli{},
&oidcCliOrAPI{},
&v2Token{},
&idToken{},
&authProxy{},
&robot{},
&basicAuth{},
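Review bot: The generator order carries more weight after this commit: `&oidcCliOrAPI{}` sits ahead of `&v2Token{}` and `&basicAuth{}`, and with `valid` now accepting every `/api` path, any OIDC-mode API request carrying basic credentials is evaluated by the CLI-secret generator first. That is only safe if `Generate` returns nil (not an anonymous or failed context) when the credentials are not a CLI secret, so the later generators still get their turn; that branch is not visible here, so please confirm it and pin it with a test. A short comment on the list would help the next reader, e.g. `// order matters: each generator returns nil to fall through to the next`. The removal of `&idToken{}` should also be paired with a check that ID-token bearer requests to the API are still handled by one of the remaining generators, since nothing in this hunk shows where that case now lands.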

