fix(authz): assign identity to authz context in tls mutual authentica…

…tion (#1541) this causes a bug in extensions by not having the identity for the authenticated user and couldn't apply his permissions, just the default ones. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
project-zot · Jun 21, 2023 · d5487d5 · d5487d5
1 parent aab1496
commit d5487d5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/pkg/api/authz.go b/pkg/api/authz.go
@@ -279,6 +279,9 @@ func AuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 
 						return
 					}
+
+					// assign identity to authz context, needed for extensions
+					acCtx.Username = identity
 				}
 			}
 

diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go
@@ -1370,11 +1370,22 @@ func TestMutualTLSAuthWithUserPermissions(t *testing.T) {
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
 
+		resp, err = resty.R().Get(secureBaseURL + "/v2/_catalog")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
 		// with creds, should get expected status code
 		resp, _ = resty.R().Get(secureBaseURL)
 		So(resp, ShouldNotBeNil)
 		So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
 
+		// reading a repo should not get 403
+		resp, err = resty.R().Get(secureBaseURL + "/v2/repo/tags/list")
+		So(err, ShouldBeNil)
+		So(resp, ShouldNotBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusNotFound)
+
 		// without creds, writes should fail
 		resp, err = resty.R().Post(secureBaseURL + "/v2/repo/blobs/uploads/")
 		So(err, ShouldBeNil)