Registry Token Server Enhancements

This commit enhances the registry token server with the following - "public" is now treated as a public repo and all Docker users are allowed to pull from it. - the "paused" and "acmesolver" images are treated as public images, where any user is allowed to pull. This is because acmesolver needs to be deployed in namespaces without access to the admin pull secret - the "mtce" repo is now closed to the "mtce" user. we are treating this repo as "reserved for internal use". This is because we are going to use "mtce" as a public user. Admin accounts can still push to the "mtce" repo Partial-bug: 1894930 Change-Id: I8faeaffee61a483eb8802fbae3f5d14fda226004 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
2020-10-07 12:22:52 -04:00 · 2020-10-07 12:22:52 -04:00 · 0c7c1ac2da
parent 9aed7196fa
commit 0c7c1ac2da
2 changed files with 43 additions and 2 deletions
--- a/registry-token-server/centos/build_srpm.data
+++ b/registry-token-server/centos/build_srpm.data
@ -8,4 +8,4 @@ COPY_LIST=" \
  $STX_BASE/downloads/gophercloud-gophercloud-aa00757ee3ab58e53520b6cb910ca0543116400a.tar.gz \
  $STX_BASE/downloads/gorilla-mux-599cba5e7b6137d46ddf58fb1765f5d928e69604.tar.gz \
 "
-TIS_PATCH_VER=2
+TIS_PATCH_VER=PKG_GITREVCOUNT
--- a/registry-token-server/src/main.go
+++ b/registry-token-server/src/main.go
@ -180,10 +180,51 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 	grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 	for _, access := range requestedAccessList {
 		if access.Type == "repository" {
+
+			publicRepos := []string{"public/"}
+			// pause is usually used as a test deployment by kubernetes and deployed without pull secrets
+			// acmesolver is deployed in a namespace that don't have access to pull secrets
+			publicImages := []string{"k8s.gcr.io/pause",
+						 "quay.io/jetstack/cert-manager-acmesolver"}
+
+			// this controls our own authorization rules like admin accounts and public repos/images
+			// if authorized through other means, skip the usual authorization policy of
+			// user can only interact with their own repo
+			skipStandardAuthz := false
+
+			// public repo allows all images too be pulled by everyone
+			if strings.EqualFold(access.Action, "pull") {
+				for _, publicRepo := range publicRepos {
+					if strings.HasPrefix(access.Name, publicRepo) {
+						skipStandardAuthz = true
+					}
+				}
+			}
+
+                        // public images can be pulled by anyone, even though they sit in private repos
+                        if strings.EqualFold(access.Action, "pull") {
+                                for _, publicImage := range publicImages {
+                                        if access.Name == publicImage {
+                                                skipStandardAuthz = true
+                                        }
+                                }
+                        }
+
 			// filter access to repos if the user is not "admin" or "sysinv"
 			// need to have a "/" at the end because it adds one at the beginning of the fcn
 			// probably to prevent people making accounts like "adminnot" to steal admin powers
-			if !strings.HasPrefix(access.Name, scope) && scope != "admin/" && scope != "sysinv/" {
+			if scope == "admin/" || scope == "sysinv/" {
+				skipStandardAuthz = true
+			}
+
+			// we do not allow "mtce" to access the mtce repo because it is reserved for internal use
+			// we still allow the admin accounts to access the "mtce repo though
+                        if strings.HasPrefix(access.Name, scope) && scope == "mtce/" {
+                                dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
+                                continue
+                        }
+
+			if !strings.HasPrefix(access.Name, scope) && !skipStandardAuthz {
 				dcontext.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
 				continue
 			}