Get username in case of certificates authentication

.github/workflows/ecosystem-tools.yaml

@@ -49,3 +49,6 @@ jobs:
       - name: Run scrub tests
         run: |
             make bats-scrub
+      - name: Run anonymous-push-pull tests
+        run: |
+            make anonymous-push-pull

Makefile

@@ -315,3 +315,7 @@ fuzz-all:
 	rm -rf test-data; \
 	bash test/scripts/fuzzAll.sh ${fuzztime}; \
 	rm -rf pkg/storage/testdata; \
+
+.PHONY: anonymous-push-pull
+anonymous-push-pull: binary check-skopeo $(BATS)
+	$(BATS) --trace --print-output-on-failure test/blackbox/anonymous_policiy.bats

errors/errors.go

@@ -54,4 +54,5 @@ var (
 	ErrSyncSignatureNotFound   = errors.New("sync: couldn't find any upstream notary/cosign signatures")
 	ErrSyncSignature           = errors.New("sync: couldn't get upstream notary/cosign signatures")
 	ErrImageLintAnnotations    = errors.New("routes: lint checks failed")
+	ErrParsingAuthHeader       = errors.New("auth: failed parsing authorization header")
 )

examples/README.md

@@ -49,13 +49,6 @@ Additionally, TLS configuration can be specified with:
         },
 ```
 
-The registry can be deployed as a read-only service with:
-
-```
-        "ReadOnly": false
-    },
-```
-
 ## Storage
 
 Configure storage with:
@@ -209,7 +202,8 @@ create/update/delete can not be used without 'read' action, make sure read is al
           "actions": ["read", "create", "update"]
         }
       ],
-      "defaultPolicy": ["read", "create"]                      # default policy which is applied for all users => so all users can read/create repositories
+      "defaultPolicy": ["read", "create"],                     # default policy which is applied for authenticated users, other than "charlie"=> so these users can read/create repositories
+      "anonymousPolicy": ["read]                               # anonymous policy which is applied for unauthenticated users => so they can read repositories
     },
     "tmp/**": {                                                # matches all repos under tmp/ recursively
       "defaultPolicy": ["read", "create", "update"]            # so all users have read/create/update on all repos under tmp/ eg: tmp/infra/repo

examples/config-default-authz.json → examples/config-anonymous-authz.json

@@ -9,25 +9,25 @@
     "realm": "zot",
     "accessControl": {
       "**": {
-        "defaultPolicy": [
+        "anonymousPolicy": [
           "read",
           "create"
         ]
       },
       "tmp/**": {
-        "defaultPolicy": [
+        "anonymousPolicy": [
           "read",
           "create",
           "update"
         ]
       },
       "infra/**": {
-        "defaultPolicy": [
+        "anonymousPolicy": [
           "read"
         ]
       },
       "repos2/repo": {
-        "defaultPolicy": [
+        "anonymousPolicy": [
           "read"
         ]
       }

examples/config-bench.json

@@ -5,8 +5,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug",

examples/config-commit.json

@@ -6,8 +6,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug"

examples/config-example.json

@@ -27,8 +27,7 @@
         "path": "test/data/htpasswd"
       },
       "failDelay": 5
-    },
-    "allowReadAccess": false
+    }
   },
   "log": {
     "level": "debug",

examples/config-example.yaml

@@ -1,7 +1,6 @@
 distspecversion: 1.0.1-dev
 http:
   address: 127.0.0.1
-  allowreadaccess: false
   auth:
     faildelay: 5
     htpasswd:

examples/config-gc.json

@@ -7,8 +7,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug"

examples/config-lint.json

@@ -5,8 +5,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug"
@@ -18,4 +17,4 @@
 
           }
       }
-}
+}

examples/config-minimal.json

@@ -5,8 +5,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug"

examples/config-multiple-cve.json

@@ -21,8 +21,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "5000",
-        "ReadOnly": false
+        "port": "5000"
     },
     "log": {
         "level": "debug"

examples/config-multiple.json

@@ -21,8 +21,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "5000",
-        "ReadOnly": false
+        "port": "5000"
     },
     "log": {
         "level": "debug"

examples/config-policy.json

@@ -15,6 +15,7 @@
     },
     "accessControl": {
       "**": {
+        "anonymousPolicy": ["read"],
         "policies": [
           {
             "users": [

examples/config-ratelimit.json

@@ -6,7 +6,6 @@
     "http": {
         "address": "127.0.0.1",
         "port": "8080",
-        "ReadOnly": false,
         "Ratelimit": {
             "Rate": 10,
             "Methods": [

examples/config-s3.json

@@ -52,8 +52,7 @@
     },
     "http": {
         "address": "127.0.0.1",
-        "port": "8080",
-        "ReadOnly": false
+        "port": "8080"
     },
     "log": {
         "level": "debug"

examples/config-tls.json

@@ -9,7 +9,14 @@
     "realm": "zot",
     "tls": {
       "cert": "test/data/server.cert",
-      "key": "test/data/server.key"
+      "key": "test/data/server.key",
+      "cacert": "test/data/ca.crt"
+    },
+    "accessControl": {
+      "**": {
+        "anonymousPolicy": ["read"],
+        "defaultPolicy": ["read"]
+      }
     }
   },
   "log": {

pkg/api/authn.go

@@ -86,22 +86,6 @@ func noPasswdAuth(realm string, config *config.Config) mux.MiddlewareFunc {
 				return
 			}
 
-			if config.HTTP.AllowReadAccess &&
-				config.HTTP.TLS.CACert != "" &&
-				request.TLS.VerifiedChains == nil &&
-				request.Method != http.MethodGet && request.Method != http.MethodHead {
-				authFail(response, realm, 5) //nolint:gomnd
-
-				return
-			}
-
-			if (request.Method != http.MethodGet && request.Method != http.MethodHead) && config.HTTP.ReadOnly {
-				// Reject modification requests in read-only mode
-				response.WriteHeader(http.StatusMethodNotAllowed)
-
-				return
-			}
-
 			// Process request
 			next.ServeHTTP(response, request)
 		})
@@ -197,52 +181,37 @@ func basicAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
 
 				return
 			}
-			if (request.Method == http.MethodGet || request.Method == http.MethodHead) && ctlr.Config.HTTP.AllowReadAccess {
+			if request.Header.Get("Authorization") == "" && checkAnonymousPolicyExists(ctlr.Config.AccessControl) {
 				// Process request
 				next.ServeHTTP(response, request)
 
 				return
 			}
 
-			if (request.Method != http.MethodGet && request.Method != http.MethodHead) && ctlr.Config.HTTP.ReadOnly {
-				response.WriteHeader(http.StatusMethodNotAllowed)
-
-				return
-			}
-
-			basicAuth := request.Header.Get("Authorization")
-			if basicAuth == "" {
-				authFail(response, realm, delay)
-
-				return
-			}
-
-			splitStr := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd
-
-			if len(splitStr) != 2 || strings.ToLower(splitStr[0]) != "basic" {
-				authFail(response, realm, delay)
+			username, passphrase, err := getUsernamePasswordBasicAuth(request)
+			if err != nil {
+				if request.TLS.VerifiedChains != nil && checkAnonymousPolicyExists(ctlr.Config.AccessControl) {
+					// Process request
+					next.ServeHTTP(response, request)
 
-				return
-			}
+					return
+				}
 
-			decodedStr, err := base64.StdEncoding.DecodeString(splitStr[1])
-			if err != nil {
+				ctlr.Log.Error().Err(err).Msg("failed to parse authorization header")
 				authFail(response, realm, delay)
 
 				return
 			}
 
-			pair := strings.SplitN(string(decodedStr), ":", 2) //nolint:gomnd
-			// nolint:gomnd
-			if len(pair) != 2 {
-				authFail(response, realm, delay)
+			// some client tools might send Authorization: Basic Og== (decoded into ":")
+			// empty username and password
+			if username == "" && passphrase == "" && checkAnonymousPolicyExists(ctlr.Config.AccessControl) {
+				// Process request
+				next.ServeHTTP(response, request)
 
 				return
 			}
 
-			username := pair[0]
-			passphrase := pair[1]
-
 			// first, HTTPPassword authN (which is local)
 			passphraseHash, ok := credMap[username]
 			if ok {
@@ -297,3 +266,31 @@ func authFail(w http.ResponseWriter, realm string, delay int) {
 	w.Header().Set("Content-Type", "application/json")
 	WriteJSON(w, http.StatusUnauthorized, NewErrorList(NewError(UNAUTHORIZED)))
 }
+
+func getUsernamePasswordBasicAuth(request *http.Request) (string, string, error) {
+	basicAuth := request.Header.Get("Authorization")
+
+	if basicAuth == "" {
+		return "", "", errors.ErrParsingAuthHeader
+	}
+
+	splitStr := strings.SplitN(basicAuth, " ", 2) //nolint:gomnd
+	if len(splitStr) != 2 || strings.ToLower(splitStr[0]) != "basic" {
+		return "", "", errors.ErrParsingAuthHeader
+	}
+
+	decodedStr, err := base64.StdEncoding.DecodeString(splitStr[1])
+	if err != nil {
+		return "", "", err
+	}
+
+	pair := strings.SplitN(string(decodedStr), ":", 2) //nolint:gomnd
+	if len(pair) != 2 {                                //nolint:gomnd
+		return "", "", errors.ErrParsingAuthHeader
+	}
+
+	username := pair[0]
+	passphrase := pair[1]
+
+	return username, passphrase, nil
+}