Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: use the "zot" namespace for the authentication urls #1947

Merged
merged 1 commit into from
Oct 20, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -24,7 +24,7 @@ CRICTL := $(TOOLSDIR)/bin/crictl
CRICTL_VERSION := v1.26.1
ACTION_VALIDATOR := $(TOOLSDIR)/bin/action-validator
ACTION_VALIDATOR_VERSION := v0.5.3
ZUI_VERSION := commit-19e366e
ZUI_VERSION := commit-fad5572
SWAGGER_VERSION := v1.8.12
STACKER := $(TOOLSDIR)/bin/stacker
BATS := $(TOOLSDIR)/bin/bats
26 changes: 13 additions & 13 deletions examples/README.md
Original file line number Diff line number Diff line change
@@ -209,13 +209,13 @@ zot can be configured to use the above providers with:
}
```

To login with either provider use http://127.0.0.1:8080/auth/login?provider=\<provider\>&callback_ui=http://127.0.0.1:8080/home
for example to login with github use http://127.0.0.1:8080/auth/login?provider=github&callback_ui=http://127.0.0.1:8080/home
To login with either provider use http://127.0.0.1:8080/zot/auth/login?provider=\<provider\>&callback_ui=http://127.0.0.1:8080/home
for example to login with github use http://127.0.0.1:8080/zot/auth/login?provider=github&callback_ui=http://127.0.0.1:8080/home

callback_ui query parameter is used by zot to redirect to UI after a successful openid/oauth2 authentication

The callback url which should be used when making oauth2 provider setup is http://127.0.0.1:8080/auth/callback/\<provider\>
for example github callback url would be http://127.0.0.1:8080/auth/callback/github
The callback url which should be used when making oauth2 provider setup is http://127.0.0.1:8080/zot/auth/callback/\<provider\>
for example github callback url would be http://127.0.0.1:8080/zot/auth/callback/github

If network policy doesn't allow inbound connections, this callback wont work!

@@ -228,7 +228,7 @@ To configure zot as a client in dex (assuming zot is hosted at 127.0.0.1:8080),
staticClients:
- id: zot-client
redirectURIs:
- 'http://127.0.0.1:8080/auth/callback/oidc'
- 'http://127.0.0.1:8080/zot/auth/callback/oidc'
name: 'zot'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
```
@@ -254,7 +254,7 @@ zot can be configured to use dex with:
}
```

To login using openid dex provider use http://127.0.0.1:8080/auth/login?provider=oidc
To login using openid dex provider use http://127.0.0.1:8080/zot/auth/login?provider=oidc

NOTE: Social login is not supported by command line tools, or other software responsible for pushing/pulling
images to/from zot.
@@ -323,14 +323,14 @@ To activate API keys use:

Create an API key for the current user using the REST API

**Usage**: POST /auth/apikey
**Usage**: POST /zot/auth/apikey

**Produces**: application/json

**Sample input**:

```
POST /auth/apikey
POST /zot/auth/apikey
Body: {"label": "git", "scopes": ["repo1", "repo2"], "expirationDate": "2023-08-28T17:10:05+03:00"}'
```

@@ -339,7 +339,7 @@ The time format of expirationDate is RFC1123Z.
**Example cURL without expiration date**

```bash
curl -u user:password -X POST http://localhost:8080/auth/apikey -d '{"label": "git", "scopes": ["repo1", "repo2"]}'
curl -u user:password -X POST http://localhost:8080/zot/auth/apikey -d '{"label": "git", "scopes": ["repo1", "repo2"]}'
```

**Sample output**:
@@ -365,7 +365,7 @@ curl -u user:password -X POST http://localhost:8080/auth/apikey -d '{"label": "g
**Example cURL with expiration date**

```bash
curl -u user:password -X POST http://localhost:8080/auth/apikey -d '{"label": "myAPIKEY", "expirationDate": "2023-08-28T17:10:05+03:00"}'
curl -u user:password -X POST http://localhost:8080/zot/auth/apikey -d '{"label": "myAPIKEY", "expirationDate": "2023-08-28T17:10:05+03:00"}'
```

**Sample output**:
@@ -389,7 +389,7 @@ curl -u user:password -X POST http://localhost:8080/auth/apikey -d '{"label": "m

Get list of API keys for the current user using the REST API

**Usage**: GET /auth/apikey
**Usage**: GET /zot/auth/apikey

**Produces**: application/json

@@ -448,14 +448,14 @@ Other command line tools will similarly accept the API key instead of a password

How to revoke an API key for the current user

**Usage**: DELETE /auth/apikey?id=$uuid
**Usage**: DELETE /zot/auth/apikey?id=$uuid

**Produces**: application/json

**Example cURL**

```bash
curl -u user:password -X DELETE http://localhost:8080/v2/auth/apikey?id=46a45ce7-5d92-498a-a9cb-9654b1da3da1
curl -u user:password -X DELETE http://localhost:8080/zot/auth/apikey?id=46a45ce7-5d92-498a-a9cb-9654b1da3da1
```

#### Authentication Failures
9 changes: 5 additions & 4 deletions pkg/api/constants/consts.go
Original file line number Diff line number Diff line change
@@ -14,10 +14,11 @@ const (
DefaultMediaType = "application/json"
BinaryMediaType = "application/octet-stream"
DefaultMetricsExtensionRoute = "/metrics"
CallbackBasePath = "/auth/callback"
LoginPath = "/auth/login"
LogoutPath = "/auth/logout"
APIKeyPath = "/auth/apikey" //nolint: gosec
AppNamespacePath = "/zot"
CallbackBasePath = AppNamespacePath + "/auth/callback"
LoginPath = AppNamespacePath + "/auth/login"
LogoutPath = AppNamespacePath + "/auth/logout"
APIKeyPath = AppNamespacePath + "/auth/apikey"
SessionClientHeaderName = "X-ZOT-API-CLIENT"
SessionClientHeaderValue = "zot-ui"
APIKeysPrefix = "zak_"
102 changes: 51 additions & 51 deletions pkg/api/routes.go
Original file line number Diff line number Diff line change
@@ -226,10 +226,10 @@ func getUIHeadersHandler(config *config.Config, allowedMethods ...string) func(h
// CheckVersionSupport godoc
// @Summary Check API support
// @Description Check if this API version is supported
// @Router /v2/ [get]
// @Router /v2/ [get]
// @Accept json
// @Produce json
// @Success 200 {string} string "ok".
// @Success 200 {string} string "ok".
func (rh *RouteHandler) CheckVersionSupport(response http.ResponseWriter, request *http.Request) {
if request.Method == http.MethodOptions {
return
@@ -255,15 +255,15 @@ func (rh *RouteHandler) CheckVersionSupport(response http.ResponseWriter, reques
// ListTags godoc
// @Summary List image tags
// @Description List all image tags in a repository
// @Router /v2/{name}/tags/list [get]
// @Router /v2/{name}/tags/list [get]
// @Accept json
// @Produce json
// @Param name path string true "test"
// @Param n query integer true "limit entries for pagination"
// @Param last query string true "last tag value for pagination"
// @Success 200 {object} common.ImageTags
// @Failure 404 {string} string "not found"
// @Failure 400 {string} string "bad request".
// @Param name path string true "repository name"
// @Param n query integer true "limit entries for pagination"
// @Param last query string true "last tag value for pagination"
// @Success 200 {object} common.ImageTags
// @Failure 404 {string} string "not found"
// @Failure 400 {string} string "bad request".
func (rh *RouteHandler) ListTags(response http.ResponseWriter, request *http.Request) {
if request.Method == http.MethodOptions {
return
@@ -389,12 +389,12 @@ func (rh *RouteHandler) ListTags(response http.ResponseWriter, request *http.Req
// CheckManifest godoc
// @Summary Check image manifest
// @Description Check an image's manifest given a reference or a digest
// @Router /v2/{name}/manifests/{reference} [head]
// @Router /v2/{name}/manifests/{reference} [head]
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Success 200 {string} string "ok"
// @Success 200 {string} string "ok"
// @Header 200 {object} constants.DistContentDigestKey
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error".
@@ -461,9 +461,9 @@ type ExtensionList struct {
// @Description Get an image's manifest given a reference or a digest
// @Accept json
// @Produce application/vnd.oci.image.manifest.v1+json
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Success 200 {object} api.ImageManifest
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Success 200 {object} api.ImageManifest
// @Header 200 {object} constants.DistContentDigestKey
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error"
@@ -562,10 +562,10 @@ func getReferrers(ctx context.Context, routeHandler *RouteHandler,
// @Description Get referrers given a digest
// @Accept json
// @Produce application/vnd.oci.image.index.v1+json
// @Param name path string true "repository name"
// @Param name path string true "repository name"
// @Param digest path string true "digest"
// @Param artifactType query string false "artifact type"
// @Success 200 {object} api.ImageIndex
// @Success 200 {object} api.ImageIndex
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error"
// @Router /v2/{name}/referrers/{digest} [get].
@@ -633,10 +633,10 @@ func (rh *RouteHandler) GetReferrers(response http.ResponseWriter, request *http
// @Description Update an image's manifest given a reference or a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Header 201 {object} constants.DistContentDigestKey
// @Success 201 {string} string "created"
// @Success 201 {string} string "created"
// @Failure 400 {string} string "bad request"
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error"
@@ -744,9 +744,9 @@ func (rh *RouteHandler) UpdateManifest(response http.ResponseWriter, request *ht
// @Description Delete an image's manifest given a reference or a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param name path string true "repository name"
// @Param reference path string true "image reference or digest"
// @Success 200 {string} string "ok"
// @Success 200 {string} string "ok"
// @Router /v2/{name}/manifests/{reference} [delete].
func (rh *RouteHandler) DeleteManifest(response http.ResponseWriter, request *http.Request) {
vars := mux.Vars(request)
@@ -853,8 +853,8 @@ func (rh *RouteHandler) DeleteManifest(response http.ResponseWriter, request *ht
// @Description Check an image's blob/layer given a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Success 200 {object} api.ImageManifest
// @Header 200 {object} constants.DistContentDigestKey
// @Router /v2/{name}/blobs/{digest} [head].
@@ -967,8 +967,8 @@ func parseRangeHeader(contentRange string) (int64, int64, error) {
// @Description Get an image's blob/layer given a digest
// @Accept json
// @Produce application/vnd.oci.image.layer.v1.tar+gzip
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Header 200 {object} constants.DistContentDigestKey
// @Success 200 {object} api.ImageManifest
// @Router /v2/{name}/blobs/{digest} [get].
@@ -1077,8 +1077,8 @@ func (rh *RouteHandler) GetBlob(response http.ResponseWriter, request *http.Requ
// @Description Delete an image's blob/layer given a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Param name path string true "repository name"
// @Param digest path string true "blob/layer digest"
// @Success 202 {string} string "accepted"
// @Router /v2/{name}/blobs/{digest} [delete].
func (rh *RouteHandler) DeleteBlob(response http.ResponseWriter, request *http.Request) {
@@ -1137,8 +1137,8 @@ func (rh *RouteHandler) DeleteBlob(response http.ResponseWriter, request *http.R
// @Description Create a new image blob/layer upload
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Success 202 {string} string "accepted"
// @Param name path string true "repository name"
// @Success 202 {string} string "accepted"
// @Header 202 {string} Location "/v2/{name}/blobs/uploads/{session_id}"
// @Header 202 {string} Range "0-0"
// @Failure 401 {string} string "unauthorized"
@@ -1292,8 +1292,8 @@ func (rh *RouteHandler) CreateBlobUpload(response http.ResponseWriter, request *
// @Description Get an image's blob/layer upload given a session_id
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Success 204 {string} string "no content"
// @Header 202 {string} Location "/v2/{name}/blobs/uploads/{session_id}"
// @Header 202 {string} Range "0-128"
@@ -1353,9 +1353,9 @@ func (rh *RouteHandler) GetBlobUpload(response http.ResponseWriter, request *htt
// @Description Resume an image's blob/layer upload given an session_id
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Success 202 {string} string "accepted"
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Success 202 {string} string "accepted"
// @Header 202 {string} Location "/v2/{name}/blobs/uploads/{session_id}"
// @Header 202 {string} Range "0-128"
// @Header 200 {object} api.BlobUploadUUID
@@ -1452,10 +1452,10 @@ func (rh *RouteHandler) PatchBlobUpload(response http.ResponseWriter, request *h
// @Description Update and finish an image's blob/layer upload given a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Param digest query string true "blob/layer digest"
// @Success 201 {string} string "created"
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Param digest query string true "blob/layer digest"
// @Success 201 {string} string "created"
// @Header 202 {string} Location "/v2/{name}/blobs/uploads/{digest}"
// @Header 200 {object} constants.DistContentDigestKey
// @Failure 404 {string} string "not found"
@@ -1610,8 +1610,8 @@ finish:
// @Description Delete an image's blob/layer given a digest
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Param name path string true "repository name"
// @Param session_id path string true "upload session_id"
// @Success 200 {string} string "ok"
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error"
@@ -1665,7 +1665,7 @@ type RepositoryList struct {
// @Description List all image repositories
// @Accept json
// @Produce json
// @Success 200 {object} api.RepositoryList
// @Success 200 {object} api.RepositoryList
// @Failure 500 {string} string "internal server error"
// @Router /v2/_catalog [get].
func (rh *RouteHandler) ListRepositories(response http.ResponseWriter, request *http.Request) {
@@ -1729,7 +1729,7 @@ func (rh *RouteHandler) ListRepositories(response http.ResponseWriter, request *
// @Description List all extensions present on registry
// @Accept json
// @Produce json
// @Success 200 {object} api.ExtensionList
// @Success 200 {object} api.ExtensionList
// @Router /v2/_oci/ext/discover [get].
func (rh *RouteHandler) ListExtensions(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodOptions {
@@ -1746,10 +1746,10 @@ func (rh *RouteHandler) ListExtensions(w http.ResponseWriter, r *http.Request) {
// Logout godoc
// @Summary Logout by removing current session
// @Description Logout by removing current session
// @Router /auth/logout [post]
// @Router /zot/auth/logout [post]
// @Accept json
// @Produce json
// @Success 200 {string} string "ok".
// @Success 200 {string} string "ok".
// @Failure 500 {string} string "internal server error".
func (rh *RouteHandler) Logout(response http.ResponseWriter, request *http.Request) {
if request.Method == http.MethodOptions {
@@ -1958,9 +1958,9 @@ type ReferenceList struct {
// @Description Get references for an image given a digest and artifact type
// @Accept json
// @Produce json
// @Param name path string true "repository name"
// @Param digest path string true "image digest"
// @Param artifactType query string true "artifact type"
// @Param name path string true "repository name"
// @Param digest path string true "image digest"
// @Param artifactType query string true "artifact type"
// @Success 200 {string} string "ok"
// @Failure 404 {string} string "not found"
// @Failure 500 {string} string "internal server error"
@@ -2035,7 +2035,7 @@ type APIKeyPayload struct { //nolint:revive
// @Success 200 {string} string "ok"
// @Failure 401 {string} string "unauthorized"
// @Failure 500 {string} string "internal server error"
// @Router /auth/apikey [get].
// @Router /zot/auth/apikey [get].
func (rh *RouteHandler) GetAPIKeys(resp http.ResponseWriter, req *http.Request) {
apiKeys, err := rh.c.MetaDB.GetUserAPIKeys(req.Context())
if err != nil {
@@ -2077,7 +2077,7 @@ func (rh *RouteHandler) GetAPIKeys(resp http.ResponseWriter, req *http.Request)
// @Failure 400 {string} string "bad request"
// @Failure 401 {string} string "unauthorized"
// @Failure 500 {string} string "internal server error"
// @Router /auth/apikey [post].
// @Router /zot/auth/apikey [post].
func (rh *RouteHandler) CreateAPIKey(resp http.ResponseWriter, req *http.Request) {
var payload APIKeyPayload

@@ -2178,7 +2178,7 @@ func (rh *RouteHandler) CreateAPIKey(resp http.ResponseWriter, req *http.Request
// @Failure 500 {string} string "internal server error"
// @Failure 401 {string} string "unauthorized"
// @Failure 400 {string} string "bad request"
// @Router /auth/apikey [delete].
// @Router /zot/auth/apikey [delete].
func (rh *RouteHandler) RevokeAPIKey(resp http.ResponseWriter, req *http.Request) {
ids, ok := req.URL.Query()["id"]
if !ok || len(ids) != 1 {
Loading