This repository was archived by the owner on Jan 2, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaccess_controller.go
More file actions
112 lines (96 loc) · 2.6 KB
/
access_controller.go
File metadata and controls
112 lines (96 loc) · 2.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
package main
import (
"encoding/json"
"fmt"
"net/http"
"os"
"strings"
"github.com/distribution/distribution/v3/registry/auth"
"golang.org/x/crypto/bcrypt"
)
type accessController struct {
apiBaseURL string
ravelPassword []byte
}
func newAccessController(options map[string]any) (auth.AccessController, error) {
password := os.Getenv("REGISTRY_RAVEL_PASSWORD")
bcrypted, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return nil, fmt.Errorf("error hashing the password: %w", err)
}
return &accessController{
apiBaseURL: os.Getenv("VALYENT_API_BASE_URL"),
ravelPassword: bcrypted,
}, nil
}
func (ac *accessController) Authorized(req *http.Request, accessRecords ...auth.Access) (*auth.Grant, error) {
username, password, ok := req.BasicAuth()
if !ok {
return nil, &challenge{
err: auth.ErrInvalidCredential,
}
}
// When Ravel consumes the registry,
// check if the password matches the expected one
if username == "valyent" {
// constant-time comparison
if err := bcrypt.CompareHashAndPassword(ac.ravelPassword, []byte(password)); err != nil {
return nil, &challenge{
err: auth.ErrInvalidCredential,
}
} else {
return &auth.Grant{
User: auth.UserInfo{Name: "valyent"},
}, nil
}
}
// Check if the password matches a valid API key
valid, err := ac.validateApiKey(password, accessRecords)
if err != nil {
return nil, &challenge{
err: fmt.Errorf("error validating API key: %v", err),
}
}
if !valid {
return nil, &challenge{
err: auth.ErrInvalidCredential,
}
}
return &auth.Grant{
User: auth.UserInfo{Name: "valyent"},
}, nil
}
func (ac *accessController) validateApiKey(apiKey string, accessRecords []auth.Access) (bool, error) {
// Create the request to the Valyent API
url := fmt.Sprintf("%s/auth/api/check", ac.apiBaseURL)
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return false, err
}
// Set the Authorization header with the Bearer token
req.Header.Set("Authorization", "Bearer "+apiKey)
// Send the request
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return false, err
}
defer resp.Body.Close()
// Parse the response
var result struct {
Authenticated bool `json:"authenticated"`
OrganizationSlug string `json:"organizationSlug"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return false, err
}
if !result.Authenticated {
return false, nil
}
for _, accessRecord := range accessRecords {
if !strings.HasPrefix(accessRecord.Name, result.OrganizationSlug) {
return false, nil
}
}
return true, nil
}