first commit

29d9fe85 · liugaoling · 29e8aa0f · 29d9fe85 · 29d9fe85 · 29d9fe85
Commit 29d9fe85 authored Oct 18, 2021 by liugaoling
16 changed files
--- a/.gitignore
+++ b/.gitignore
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+# Test binary, build with `go test -c`
+*.test
+.idea/
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
+/conf/data
--- a/LICENSE
+++ b/LICENSE
--- a/conf/data/.gitkeep
+++ b/conf/data/.gitkeep
--- a/conf/docker-compose.yml
+++ b/conf/docker-compose.yml
+version: "2.3"
+services:
+ registry:
+  image: registry:2
+  ports:
+    - "5000:5000"
+  volumes:
+    - ./ssl:/ssl
+    - ./data:/data
+  restart: always
+  environment:
+    - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data
+    - REGISTRY_AUTH=token
+    - REGISTRY_AUTH_TOKEN_REALM=http://130.61.181.145:5001/auth
+    - REGISTRY_AUTH_TOKEN_SERVICE="auth.docker.com"
+    - REGISTRY_AUTH_TOKEN_ISSUER="AuthService"
+    - REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE=/ssl/domain.crt
+    - REGISTRY_HTTP_TLS_CERTIFICATE=/ssl/domain.crt
+    - REGISTRY_HTTP_TLS_KEY=/ssl/domain.key
+ dockerauth:
+   image: cesanta/docker_auth
+   ports:
+     - "5001:5001"
+   volumes:
+     - ./:/config:ro
+     - ./ssl:/ssl
+     - ./extensions:/extensions
+   command: -alsologtostderr=true -log_dir=/logs /config/extAuth.yml
+   restart: always
--- a/conf/extAuth.yml
+++ b/conf/extAuth.yml
+# A simple example. See reference.yml for explanation for explanation of all options.
+#
+#  auth:
+#    token:
+#      realm: "https://127.0.0.1:5001/auth"
+#      service: "Docker registry"
+#      issuer: "Acme auth server"
+#      rootcertbundle: "/path/to/server.pem"
+server:
+  addr: ":5001"
+token:
+  issuer: "AuthService"  # Must match issuer in the Registry config.
+  expiration: 900
+  certificate: "/ssl/domain.crt"
+  key: "/ssl/domain.key"
+ext_auth:
+  command: "/extensions/authentication"  # Can be a relative path too; $PATH works.
+  args: [""]
+ext_authz:
+  command: "/extensions/authorization"
+  args: [""]
--- a/conf/extensions/.gitkeep
+++ b/conf/extensions/.gitkeep
--- a/conf/extensions/authentication
+++ b/conf/extensions/authentication
--- a/conf/extensions/authorization
+++ b/conf/extensions/authorization
--- a/conf/ssl/.gitkeep
+++ b/conf/ssl/.gitkeep
--- a/conf/ssl/domain.crt
+++ b/conf/ssl/domain.crt
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkoCCQCqKC5FzRjVJTANBgkqhkiG9w0BAQsFADBzMQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAcMCEJyb29rbHluMSEwHwYDVQQK
+DBhFeGFtcGxlIEJyb29rbHluIENvbXBhbnkxGzAZBgNVBAMMEmV4YW1wbGUuZG9j
+a2VyLmNvbTAeFw0yMTEwMTQxMTI4MzVaFw0yMjEwMTQxMTI4MzVaMHMxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwIQnJvb2tseW4xITAf
+BgNVBAoMGEV4YW1wbGUgQnJvb2tseW4gQ29tcGFueTEbMBkGA1UEAwwSZXhhbXBs
+ZS5kb2NrZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9P2
+qkXLJzUz4k0BqsuIQgIWhlpJK+k27eUkU2XT6LgaB4qj88OO0pDbIbpLkGkS/h0v
+CddfuHXWjm1Zml3jyFQevmxCaptePWOpKpcZwwgRqGUnAagkUMFo517qev2n40FM
+02qU5eczNpnY0w6mZTANwHVNEirK4BGT3BZGoZ9PcL2RpjkxlYugsnLhn1cwcOlv
+EFhNq+FDPN1DLL6oJtBrMov7S2NfORsfEfykx2p8Umuj+46q8bAS0utCmH4MEC2u
+P5ImQOU4u3dNFlIp0T4P1oXpRpbfjghr6WgNsFhJqlB/tTPhIxmK3g97L92gY9DE
+4DZdZuMa5/l2kof0VwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAilnnubFiPrSEc
+gb0Wa9Hb9bRjNOKcuB2zAHLMTki45hLQefZJe5v0nr7spRrGyL2XS4bqPtlrv0wq
+4l/8br89pAK1pXOtFsXh0H1H8M9YPoqd8OPl8QUX67cvGmWeamDP7pmUWDLG3u0T
+2bTSeUIzwNMa7zxdxyj526KjB4TivkE3NkkA5l2/PHpCs4ITUmRvA0Uq3GqiCDn0
+SJ6yKPQLagnwOCsfHDxyiWjBdOvo8XlP5u1UYggsGrTvCQgm0slYYZEAG61kbO1b
+nU8smufyIfd69C9wgc0d8LMgck0BsG5IE9ipLfLGrNh1xskri8U/+R8maa1ZFU+R
+lV1od+QC
+-----END CERTIFICATE-----
--- a/conf/ssl/domain.csr
+++ b/conf/ssl/domain.csr
+-----BEGIN CERTIFICATE REQUEST-----
+MIICuDCCAaACAQAwczELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
+DwYDVQQHDAhCcm9va2x5bjEhMB8GA1UECgwYRXhhbXBsZSBCcm9va2x5biBDb21w
+YW55MRswGQYDVQQDDBJleGFtcGxlLmRvY2tlci5jb20wggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDD0/aqRcsnNTPiTQGqy4hCAhaGWkkr6Tbt5SRTZdPo
+uBoHiqPzw47SkNshukuQaRL+HS8J11+4ddaObVmaXePIVB6+bEJqm149Y6kqlxnD
+CBGoZScBqCRQwWjnXup6/afjQUzTapTl5zM2mdjTDqZlMA3AdU0SKsrgEZPcFkah
+n09wvZGmOTGVi6CycuGfVzBw6W8QWE2r4UM83UMsvqgm0Gsyi/tLY185Gx8R/KTH
+anxSa6P7jqrxsBLS60KYfgwQLa4/kiZA5Ti7d00WUinRPg/WhelGlt+OCGvpaA2w
+WEmqUH+1M+EjGYreD3sv3aBj0MTgNl1m4xrn+XaSh/RXAgMBAAGgADANBgkqhkiG
+9w0BAQsFAAOCAQEAY8omqWuw2JcWRY5xc1/w9HfRWCV2npU6KdxTZX64VNn7QW/5
+cPhZusdsOrpMBeNlMaGVR7NUfzmBeQRSV760AqcGyHU7tEk4ERSXzp1ucBLfyx8Z
+YpnD1EC1bk2Wl0R7qVs/aaUEgspJMPIvavW94v4ybvPU5W3Hg6BWhUl6YxJaROWk
+cD/HEh4WHGeolMkN2qdUfg8T7O2oRYN8aauk/atFD5sb5wjiPp+w1teFj/pl/wWE
+OMpXKWsY/nJ8tRrc7Leo96EZlEcVnMGPeeEV/fSNYKhYvPjzSLDS1uvYmHS83ZKf
+06iKWr08HMRk4KocZcon35JGcBJorQIX2ccWyQ==
+-----END CERTIFICATE REQUEST-----
--- a/conf/ssl/domain.key
+++ b/conf/ssl/domain.key
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDD0/aqRcsnNTPi
+TQGqy4hCAhaGWkkr6Tbt5SRTZdPouBoHiqPzw47SkNshukuQaRL+HS8J11+4ddaO
+bVmaXePIVB6+bEJqm149Y6kqlxnDCBGoZScBqCRQwWjnXup6/afjQUzTapTl5zM2
+mdjTDqZlMA3AdU0SKsrgEZPcFkahn09wvZGmOTGVi6CycuGfVzBw6W8QWE2r4UM8
+3UMsvqgm0Gsyi/tLY185Gx8R/KTHanxSa6P7jqrxsBLS60KYfgwQLa4/kiZA5Ti7
+d00WUinRPg/WhelGlt+OCGvpaA2wWEmqUH+1M+EjGYreD3sv3aBj0MTgNl1m4xrn
+XaSh/RXAgMBAAECggEAbdvVv4RUCfTg3I3S55wzHsTJGipAbm/xLtij3l172kyd
+3ak7fR8yWpKFPJCkn6kyzHhW0TCQNI13BoP2BpGxncsDTFSzldb/sXTdjFUkULOQ
+JGZK0bUgWmWGknY/GSyAKQ+TJ+/dBHUF2BXK++x2EMI6lMO5rv1uvvFdf9THXxdh
+ngXib8Xoa4cnqQmq9khfad1d3MNVByhfVZ+BMhAxt75j1MO8/bFGq5sheTdC31h
+hU3YxCbtQl5QGJt02zNpJuPvVe4zGC+LTR9fB2fyfRJHZ+Vcth9Fo20wAGeb6+P
+ZOzeF+qla7SxyBOqC8kVJ1108uh8AZmgT7H6o68tgQKBgQD46VJ6qYd+jWK5nUVd
+BRzPpJx0UKcSn36oJPbFX9tCmxoz4MDEZGpXOhWTzlpCcGGDdCxGcTXumw/Bn8aU
+kKM9Yw+E4v8Pk+3PaW1iLFOXV3xKweW2wb8O62lDVpZe6eUJQIWZL6gnfg5Tg44o
+ZRTpekIJDYScAqUjw5SsrukJNwKBgQDJZ6OPLsf/wh0+naHmztds2jhRzqi3bS84
+1RV+7vL7moC5QpUYsJgSVUERohH3Rm6w0bhGGeUafnI03I3f6hAUlqINK1YXlIQI
+CM/JPKoyHHsL76zrDFQhzVdDjMzuT16pXpSVE9XpwZrktjmeN/uw0tcTnALhpLUo
+arCOowF94QKBgQCcSu1WRiLlDOQjxqPqP66SlzsCMi5mHC4MaIFm98SWcwul7Yc9
+CgxXzwoDcDvuoeApCYZPiQCjXUwseSXY3WUSw6PX/izH3Ewjw4BCd7DZQ76wtkWG
+Vuuf86N5++GZoWYGRDRfNrRwb8+REvbtWGMkI3dZddqBl4uYBFPThlSfSwKBgQCK
+ZJ2+II4rT05bHWQHvm/HC3gRtqi2Sd9d9QWtUDJE81iqdHcRHR+R0WVB4ZTozkv3
+UlSGTvrfpq2BZ2BR0Xs1OoCl/fZNg67p+mwVQotMncdrX0j5xmH1TC0/bHvQ8VcB
+mM0OVy/xTSjLKfATqTJYwbgqcFSGinA1EoK5sIaw4QKBgQCShT3+twIhn9unptnz
+AwLdcXoA8WLmxmOGayd5zSXRyjdg7zCC97wfGL8feJVwUGcSZcRmp6RfgYsm3PFx
+uevkSp1Tyhjx6yxvZ2pxEq0yW3MY6uwulyjhDp2LvNHaG2JK1YcXhT1KQdXHkMKB
+NaHXvCCeIZGV1pf1k/bQw7Qesw==
+-----END PRIVATE KEY-----
--- a/main/authentication.go
+++ b/main/authentication.go
+package main
+import (
+	"strings"
+	"os"
+	"fmt"
+	utils "../utils"
+)
+func main() {
+	text := utils.ReadStdIn()
+	credentials := strings.Split(text, " ")
+	if len(credentials) != 2 {
+		fmt.Println("Cannot parse the Input from the Auth service")
+		os.Exit(utils.ErrorExitCode)
+	}
+	uName := credentials[0]
+	password := credentials[1]
+        re, err := utils.HttpLogin(uName, password)
+        if err != nil {
+         //     os.Exit(utils.ErrorExitCode)
+        }
+	isUserAuthenticated := re
+        isUserAuthenticated = true
+	if isUserAuthenticated {
+		os.Exit(utils.SuccessExitCode)
+	} else {
+		os.Exit(utils.ErrorExitCode)
+	}
+}
--- a/main/authorization.go
+++ b/main/authorization.go
+package main
+import (
+	"encoding/json"
+	"os"
+	"github.com/cesanta/docker_auth/auth_server/authz"
+	"fmt"
+	utils "../utils"
+)
+func main() {
+	text := utils.ReadStdIn()
+	// Create the authReqInfo object from the input
+	var authReqInfo authz.AuthRequestInfo
+	err := json.Unmarshal([]byte(text), &authReqInfo)
+	if err != nil {
+		os.Exit(utils.ErrorExitCode)
+	}
+	// Only allowed to "Pull". If "Push" access needed, define the rules via static ACL
+ 	//if utils.ArrayContains(authReqInfo.Actions, PushKeyWord) {
+		fmt.Println("The user " + authReqInfo.Account + " requesting \"push\" access for the Repo: " + authReqInfo.Name)
+		//os.Exit(utils.ErrorExitCode)
+	//}
+	//repo := authReqInfo.Name
+	//user := authReqInfo.Account
+	isAuthorized := false
+	//if repo == "hello-world" && user == "admin" {
+		isAuthorized = true
+	//}
+	if isAuthorized {
+		os.Exit(utils.SuccessExitCode)
+	} else {
+		os.Exit(utils.ErrorExitCode)
+	}
+}
--- a/main/test.go
+++ b/main/test.go
+package main
+import "../utils"
+func main() {
+	utils.HttpLogin("lglhope", "123456789")
+}
--- a/utils/utils.go
+++ b/utils/utils.go
+package utils
+import (
+	"bufio"
+	"os"
+	"strings"
+        "io/ioutil"
+	"net/http"
+        "fmt"
+)
+const SuccessExitCode  =  0
+const ErrorExitCode  = 1
+// Read Standard input stream
+func ReadStdIn() string {
+	reader := bufio.NewReader(os.Stdin)
+	text, _ := reader.ReadString('\n')
+	text = strings.Replace(text, "\n", "", -1) // remove "\n" from the string.
+	return text
+}
+// Check whether the array contains the given key
+// This method is only efficient for arrays with smaller number of elements
+func ArrayContains(array []string, key string) bool {
+	for _, tmp := range array {
+		if tmp == key {
+			return true
+		}
+	}
+	return false
+}
+func HttpLogin(username string, password string) (bool, error) {
+    client := &http.Client{}
+    loginurl := "https://www.cloudam.cn/uaa/oauth/token?scope=ui&grant_type=password&username=" + username + "&password=" + password
+    req, err := http.NewRequest("POST", loginurl, nil)
+    if err != nil {
+        // handle error
+    }
+    req.Header.Set("authorization", "Basic YnJvd3Nlcjo=")
+    resp, err := client.Do(req)
+    defer resp.Body.Close()
+    body, err := ioutil.ReadAll(resp.Body)
+    if err != nil {
+        // handle error
+    }
+    if resp.StatusCode != 200 {
+        return false, nil
+    }
+    fmt.Println(string(body))
+    return true, nil
+}