Skip to content

Commit

Permalink
Introduce enum for access
Browse files Browse the repository at this point in the history
Signed-off-by: Riyaz Faizullabhoy <[email protected]>
  • Loading branch information
riyazdf committed Jul 14, 2016
1 parent b55f3fd commit 3efab29
Show file tree
Hide file tree
Showing 4 changed files with 37 additions and 56 deletions.
2 changes: 1 addition & 1 deletion cmd/notary/delegations.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func (d *delegationCommander) delegationsList(cmd *cobra.Command, args []string)

gun := args[0]

rt, err := getTransport(config, gun, true)
rt, err := getTransport(config, gun, readOnly)
if err != nil {
return err
}
Expand Down
2 changes: 1 addition & 1 deletion cmd/notary/keys.go
Original file line number Diff line number Diff line change
Expand Up @@ -413,7 +413,7 @@ func (k *keyCommander) keysRotate(cmd *cobra.Command, args []string) error {
gun := args[0]
rotateKeyRole := args[1]

rt, err := getTransport(config, gun, false)
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
Expand Down
65 changes: 27 additions & 38 deletions cmd/notary/tuf.go
Original file line number Diff line number Diff line change
Expand Up @@ -252,7 +252,7 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
}
gun := args[0]

rt, err := getTransport(config, gun, false)
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
Expand Down Expand Up @@ -302,7 +302,7 @@ func (t *tufCommander) tufList(cmd *cobra.Command, args []string) error {
}
gun := args[0]

rt, err := getTransport(config, gun, true)
rt, err := getTransport(config, gun, readOnly)
if err != nil {
return err
}
Expand Down Expand Up @@ -342,7 +342,7 @@ func (t *tufCommander) tufLookup(cmd *cobra.Command, args []string) error {
gun := args[0]
targetName := args[1]

rt, err := getTransport(config, gun, true)
rt, err := getTransport(config, gun, readOnly)
if err != nil {
return err
}
Expand Down Expand Up @@ -423,7 +423,7 @@ func (t *tufCommander) tufPublish(cmd *cobra.Command, args []string) error {

cmd.Println("Pushing changes to", gun)

rt, err := getTransport(config, gun, false)
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
Expand Down Expand Up @@ -497,7 +497,7 @@ func (t *tufCommander) tufVerify(cmd *cobra.Command, args []string) error {
gun := args[0]
targetName := args[1]

rt, err := getTransport(config, gun, true)
rt, err := getTransport(config, gun, readOnly)
if err != nil {
return err
}
Expand Down Expand Up @@ -568,37 +568,21 @@ func (ps passwordStore) Basic(u *url.URL) (string, string) {
return username, password
}

// getTransport returns a non-admin http.RoundTripper to be used for all http requests.
type httpAccess int

const (
readOnly httpAccess = iota
readWrite
admin
)

// It correctly handles the auth challenge/credentials required to interact
// with a notary server over both HTTP Basic Auth and the JWT auth implemented
// in the notary-server
// The readOnly flag indicates if the operation should be performed as an
// anonymous read only operation. If the command entered requires write
// permissions on the server, readOnly must be false
// This RoundTripper cannot perform admin requests, such as deleting repos
func getTransport(config *viper.Viper, gun string, readOnly bool) (http.RoundTripper, error) {
trustServerURL := getRemoteTrustServer(config)
base, err := getBaseTransport(config)
if err != nil {
return nil, err
}
return tokenAuth(trustServerURL, base, gun, readOnly, false)
}

// getAdminTransport returns an admin http.RoundTripper to be used for all http requests,
// and can be used for deleting repos
func getAdminTransport(config *viper.Viper, gun string) (http.RoundTripper, error) {
trustServerURL := getRemoteTrustServer(config)
base, err := getBaseTransport(config)
if err != nil {
return nil, err
}
return tokenAuth(trustServerURL, base, gun, false, true)
}

// getBaseTransport parses the config for TLS and server options to be used and bundles them in a
// http.Transport. This does not include logic for handling auth credentials
func getBaseTransport(config *viper.Viper) (*http.Transport, error) {
func getTransport(config *viper.Viper, gun string, permission httpAccess) (http.RoundTripper, error) {
// Attempt to get a root CA from the config file. Nil is the host defaults.
rootCAFile := utils.GetPathRelativeToConfig(config, "remote_server.root_ca")
clientCert := utils.GetPathRelativeToConfig(config, "remote_server.tls_client_cert")
Expand Down Expand Up @@ -634,11 +618,12 @@ func getBaseTransport(config *viper.Viper) (*http.Transport, error) {
TLSClientConfig: tlsConfig,
DisableKeepAlives: true,
}
return base, nil
trustServerURL := getRemoteTrustServer(config)
return tokenAuth(trustServerURL, base, gun, permission)
}

func tokenAuth(trustServerURL string, baseTransport *http.Transport, gun string,
readOnly, adminAccess bool) (http.RoundTripper, error) {
permission httpAccess) (http.RoundTripper, error) {

// TODO(dmcgowan): add notary specific headers
authTransport := transport.NewTransport(baseTransport)
Expand Down Expand Up @@ -685,22 +670,26 @@ func tokenAuth(trustServerURL string, baseTransport *http.Transport, gun string,
return nil, err
}

ps := passwordStore{anonymous: readOnly}
ps := passwordStore{anonymous: permission == readOnly}

var actions []string
if adminAccess {
switch permission {
case admin:
actions = []string{"*"}
} else if readOnly {
actions = []string{"pull"}
} else {
case readWrite:
actions = []string{"push", "pull"}
case readOnly:
actions = []string{"pull"}
default:
return nil, fmt.Errorf("Invalid permission requested for token authentication of gun %s", gun)
}

tokenHandler := auth.NewTokenHandler(authTransport, ps, gun, actions...)
basicHandler := auth.NewBasicHandler(ps)

modifier := auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler)

if adminAccess || !readOnly {
if permission != readOnly {
return newAuthRoundTripper(transport.NewTransport(baseTransport, modifier)), nil
}

Expand Down
24 changes: 8 additions & 16 deletions cmd/notary/tuf_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,22 +10,20 @@ import (

func TestTokenAuth(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
auth, err := tokenAuth("https://localhost:9999", baseTransport, gun, readOnly, false)
auth, err := tokenAuth("https://localhost:9999", baseTransport, gun, readOnly)
require.NoError(t, err)
require.Nil(t, auth)
}

func TestAdminTokenAuth(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
auth, err := tokenAuth("https://localhost:9999", baseTransport, gun, readOnly, true)
auth, err := tokenAuth("https://localhost:9999", baseTransport, gun, admin)
require.NoError(t, err)
require.Nil(t, auth)
}
Expand All @@ -37,28 +35,26 @@ func StatusOKTestHandler(w http.ResponseWriter, r *http.Request) {

func TestTokenAuth200Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotAuthorizedTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, false)
auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly)
require.NoError(t, err)
require.NotNil(t, auth)
}

func TestAdminTokenAuth200Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotAuthorizedTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, true)
auth, err := tokenAuth(s.URL, baseTransport, gun, admin)
require.NoError(t, err)
require.NotNil(t, auth)
}
Expand All @@ -69,28 +65,26 @@ func NotAuthorizedTestHandler(w http.ResponseWriter, r *http.Request) {

func TestTokenAuth401Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotAuthorizedTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, false)
auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly)
require.NoError(t, err)
require.NotNil(t, auth)
}

func TestAdminTokenAuth401Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotAuthorizedTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, true)
auth, err := tokenAuth(s.URL, baseTransport, gun, admin)
require.NoError(t, err)
require.NotNil(t, auth)
}
Expand All @@ -101,28 +95,26 @@ func NotFoundTestHandler(w http.ResponseWriter, r *http.Request) {

func TestTokenAuthNon200Non401Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotFoundTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, false)
auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly)
require.NoError(t, err)
require.Nil(t, auth)
}

func TestAdminTokenAuthNon200Non401Status(t *testing.T) {
var (
readOnly bool
baseTransport = &http.Transport{}
gun = "test"
)
s := httptest.NewServer(http.HandlerFunc(NotFoundTestHandler))
defer s.Close()

auth, err := tokenAuth(s.URL, baseTransport, gun, readOnly, true)
auth, err := tokenAuth(s.URL, baseTransport, gun, admin)
require.NoError(t, err)
require.Nil(t, auth)
}

0 comments on commit 3efab29

Please sign in to comment.