Create sqlite database file if it doesn't exist, implement tls

2023-07-13 01:11:31 -04:00 · 2023-07-13 01:11:31 -04:00 · 2ecebab330
parent 0150a1a11e
commit 2ecebab330
12 changed files with 193 additions and 34 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -37,6 +37,12 @@ version = "1.0.70"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7de8ce5e0f9f8d88245311066a578d72b7af3e7088f32783804676302df237e4"
 [[package]]
 name = "arc-swap"
 version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bddcadddf5e9015d310179a59bb28c4d4b9920ad0f11e8e14dbadf654890c9a6"
 [[package]]
 name = "argmap"
 version = "1.1.2"
@ -113,9 +119,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 [[package]]
 name = "axum"
-version = "0.6.16"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "113713495a32dd0ab52baf5c10044725aa3aec00b31beda84218e469029b72a3"
+checksum = "f8175979259124331c1d7bf6586ee7e0da434155e4b2d48ec2c8386281d8df39"
 dependencies = [
 "async-trait",
 "axum-core",
@ -184,6 +190,26 @@ dependencies = [
 "syn 2.0.15",
 ]
 [[package]]
 name = "axum-server"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "447f28c85900215cc1bea282f32d4a2f22d55c5a300afdfbc661c8d6a632e063"
 dependencies = [
 "arc-swap",
 "bytes",
 "futures-util",
 "http",
 "http-body",
 "hyper",
 "pin-project-lite",
 "rustls 0.21.5",
 "rustls-pemfile",
 "tokio",
 "tokio-rustls 0.24.1",
 "tower-service",
 ]
 [[package]]
 name = "base64"
 version = "0.13.1"
@ -742,6 +768,25 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
 [[package]]
 name = "h2"
 version = "0.3.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97ec8491ebaf99c8eaa73058b045fe58073cd6be7f596ac993ced0b0a0c01049"
 dependencies = [
 "bytes",
 "fnv",
 "futures-core",
 "futures-sink",
 "futures-util",
 "http",
 "indexmap",
 "slab",
 "tokio",
 "tokio-util",
 "tracing",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
@ -849,6 +894,7 @@ dependencies = [
 "futures-channel",
 "futures-core",
 "futures-util",
 "h2",
 "http",
 "http-body",
 "httparse",
@ -1256,6 +1302,7 @@ dependencies = [
 "axum",
 "axum-auth",
 "axum-macros",
 "axum-server",
 "bcrypt",
 "bitflags 2.2.1",
 "bytes",
@ -1267,6 +1314,7 @@ dependencies = [
 "hmac",
 "jws",
 "jwt",
 "lazy_static",
 "ldap3",
 "pin-project-lite",
 "qstring",
@ -1572,6 +1620,18 @@ dependencies = [
 "webpki",
 ]
 [[package]]
 name = "rustls"
 version = "0.21.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "79ea77c539259495ce8ca47f53e66ae0330a8819f67e23ac96ca02f50e7b7d36"
 dependencies = [
 "log",
 "ring",
 "rustls-webpki",
 "sct",
 ]
 [[package]]
 name = "rustls-pemfile"
 version = "1.0.2"
@ -1581,6 +1641,16 @@ dependencies = [
 "base64 0.21.0",
 ]
 [[package]]
 name = "rustls-webpki"
 version = "0.101.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "15f36a6828982f422756984e47912a7a51dcbc2a197aa791158f8ca61cd8204e"
 dependencies = [
 "ring",
 "untrusted",
 ]
 [[package]]
 name = "rustversion"
 version = "1.0.12"
@ -1847,7 +1917,7 @@ dependencies = [
 "once_cell",
 "paste",
 "percent-encoding",
- "rustls",
+ "rustls 0.20.8",
 "rustls-pemfile",
 "sha2 0.10.6",
 "smallvec",
@ -1887,7 +1957,7 @@ checksum = "804d3f245f894e61b1e6263c84b23ca675d96753b5abfd5cc8597d86806e8024"
 dependencies = [
 "once_cell",
 "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.23.4",
 ]
 [[package]]
@ -2083,11 +2153,21 @@ version = "0.23.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59"
 dependencies = [
- "rustls",
+ "rustls 0.20.8",
 "tokio",
 "webpki",
 ]
 [[package]]
 name = "tokio-rustls"
 version = "0.24.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
 dependencies = [
 "rustls 0.21.5",
 "tokio",
 ]
 [[package]]
 name = "tokio-stream"
 version = "0.1.12"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -32,7 +32,8 @@ sha256 = "1.1.2"
 pin-project-lite = "0.2.9"
 anyhow = "1.0.70"
 async-stream = "0.3.5"
-axum = "0.6.16"
+axum = "0.6.18"
 axum-server = { version = "0.5.1", features = [ "tls-rustls" ] }
 axum-macros = "0.3.7"
 tower-http = { version = "0.4.0", features = [ "trace", "normalize-path" ] }
@ -52,3 +53,4 @@ rand = "0.8.5"
 bcrypt = "0.14.0"
 bitflags = "2.2.1"
 ldap3 = "0.11.1"
 lazy_static = "1.4.0"
--- a/docs/todo.md
+++ b/docs/todo.md
@ -5,6 +5,7 @@
  - [ ] simple way to define users and their permissions through a "users.toml"
  - [x] Only allow users to create repositories if its the same name as their username, or if they're an admin
  - [x] Only allow users to pull from their own repositories
 - [ ] token expiry
 - [ ] postgresql
 - [ ] prometheus metrics
 - [ ] simple webui for managing the registry
@ -15,3 +16,5 @@
  - [ ] its not responding with anything
  - [ ] make sure private repositories dont show up
 - [x] fix pulling from public repositories when not logged in
 - [ ] database table for orca related info (version, etc.)
  - [ ] only execute sql schemas if this table is missing or not updated
--- a/src/api/auth.rs
+++ b/src/api/auth.rs
@ -179,7 +179,8 @@ pub async fn auth_basic_get(basic_auth: Option<AuthBasic>, state: State<Arc<AppS
                .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)? {
            debug!("Authentication failed, incorrect password!");
-            return Ok(unauthenticated_response(&state.config));
+            // TODO: Dont unwrap, find a way to return multiple scopes
            return Ok(unauthenticated_response(&state.config, auth.scope.first().unwrap()));
        }
        drop(auth_driver);
--- a/src/api/blobs.rs
+++ b/src/api/blobs.rs
@ -8,9 +8,10 @@ use axum::response::{IntoResponse, Response};
 use tokio_util::io::ReaderStream;
 use crate::app_state::AppState;
-use crate::auth::access_denied_response;
+use crate::auth::{access_denied_response, unauthenticated_response};
 use crate::database::Database;
 use crate::dto::RepositoryVisibility;
 use crate::dto::scope::{Scope, ScopeType, Action};
 use crate::dto::user::{Permission, UserAuth};
 use crate::error::AppError;
@ -24,7 +25,8 @@ pub async fn digest_exists_head(Path((name, layer_digest)): Path<(String, String
    } else {
        let database = &state.database;
        if database.get_repository_visibility(&name).await? != Some(RepositoryVisibility::Public) {
-            return Ok(access_denied_response(&state.config));
+            let s = Scope::new(ScopeType::Repository, name, &[Action::Push, Action::Pull]);
            return Ok(unauthenticated_response(&state.config, &s));
        }
    }
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -2,7 +2,8 @@ use std::sync::Arc;
 use axum::extract::State;
 use axum::response::{IntoResponse, Response};
-use axum::http::{StatusCode, HeaderName};
+use axum::http::{StatusCode, HeaderName, HeaderMap, header};
 use tracing::debug;
 use crate::app_state::AppState;
@ -18,8 +19,12 @@ use crate::dto::user::UserAuth;
 /// https://docs.docker.com/registry/spec/api/#api-version-check
 /// full endpoint: `/v2/`
 pub async fn version_check(_state: State<Arc<AppState>>) -> Response {
    let bearer = format!("Bearer realm=\"{}/auth\"", _state.config.url());
    (
-        StatusCode::OK,
+        StatusCode::UNAUTHORIZED,
-        [( HeaderName::from_static("docker-distribution-api-version"), "registry/2.0" )]
+        [
            ( HeaderName::from_static("docker-distribution-api-version"), "registry/2.0" ),
            //( header::WWW_AUTHENTICATE, &bearer ),
        ]
    ).into_response()
 }
--- a/src/api/uploads.rs
+++ b/src/api/uploads.rs
@ -12,13 +12,21 @@ use futures::StreamExt;
 use tracing::{debug, warn};
 use crate::app_state::AppState;
-use crate::auth::access_denied_response;
+use crate::auth::{access_denied_response, unauthenticated_response};
 use crate::byte_stream::ByteStream;
 use crate::dto::scope::{Scope, ScopeType, Action};
 use crate::dto::user::{UserAuth, Permission};
 use crate::error::AppError;
 /// Starting an upload
-pub async fn start_upload_post(Path((name, )): Path<(String, )>, auth: UserAuth, state: State<Arc<AppState>>) -> Result<Response, AppError> {
+pub async fn start_upload_post(Path((name, )): Path<(String, )>, auth: Option<UserAuth>, state: State<Arc<AppState>>) -> Result<Response, AppError> {
    if auth.is_none() {
        debug!("atuh was not given, responding with scope");
        let s = Scope::new(ScopeType::Repository, name, &[Action::Push, Action::Pull]);
        return Ok(unauthenticated_response(&state.config, &s));
    }
    let auth = auth.unwrap();
    let mut auth_driver = state.auth_checker.lock().await;
    if auth_driver.user_has_permission(auth.user.username, name.clone(), Permission::PUSH, None).await? {
        debug!("Upload requested");
--- a/src/auth/mod.rs
+++ b/src/auth/mod.rs
@ -7,7 +7,7 @@ use axum::{extract::State, http::{StatusCode, HeaderMap, header, HeaderName, Req
 use sqlx::{Pool, Sqlite};
 use tracing::debug;
-use crate::{app_state::AppState, dto::{user::{Permission, RegistryUserType}, RepositoryVisibility}, config::Config};
+use crate::{app_state::AppState, dto::{user::{Permission, RegistryUserType}, RepositoryVisibility, scope::{self, Scope}}, config::Config};
 use crate::database::Database;
 use async_trait::async_trait;
@ -133,14 +133,17 @@ pub async fn require_auth<B>(State(state): State<Arc<AppState>>, mut request: Re
 /// Creates a response with an Unauthorized (401) status code.
 /// The www-authenticate header is set to notify the client of where to authorize with.
 #[inline(always)]
-pub fn unauthenticated_response(config: &Config) -> Response {
+pub fn unauthenticated_response(config: &Config, scope: &Scope) -> Response {
-    let bearer = format!("Bearer realm=\"{}/auth\"", config.url());
+    let bearer = format!("Bearer realm=\"{}/auth\",service=\"{}\",scope=\"{}\"", config.url(), "localhost:3000", scope);
    debug!("responding with www-authenticate header of: \"{}\"", bearer);
    (
        StatusCode::UNAUTHORIZED,
        [
            ( header::WWW_AUTHENTICATE, bearer ),
            ( header::CONTENT_TYPE, "application/json".to_string() ),
            ( HeaderName::from_static("docker-distribution-api-version"), "registry/2.0".to_string() )
-        ]
+        ],
        "{\"errors\":[{\"code\":\"UNAUTHORIZED\",\"message\":\"access to the requested resource is not authorized\",\"detail\":[{\"Type\":\"repository\",\"Name\":\"samalba/my-app\",\"Action\":\"pull\"},{\"Type\":\"repository\",\"Name\":\"samalba/my-app\",\"Action\":\"push\"}]}]}"
    ).into_response()
 }
--- a/src/config.rs
+++ b/src/config.rs
@ -47,6 +47,13 @@ pub struct SqliteDbConfig {
    pub path: String,
 }
 #[derive(Deserialize, Clone)]
 pub struct TlsConfig {
    pub enable: bool,
    pub key: String,
    pub cert: String,
 }
 #[derive(Deserialize, Clone)]
 #[serde(tag = "type", rename_all = "snake_case")]
 pub enum DatabaseConfig {
@ -63,6 +70,7 @@ pub struct Config {
    pub ldap: Option<LdapConnectionConfig>,
    pub database: DatabaseConfig,
    pub storage: StorageConfig,
    pub tls: Option<TlsConfig>,
 }
 #[allow(dead_code)]
--- a/src/dto/scope.rs
+++ b/src/dto/scope.rs
@ -19,7 +19,7 @@ impl fmt::Display for ScopeType {
    }
 }
-#[derive(Default, Debug)]
+#[derive(Default, Debug, Clone)]
 pub enum Action {
    #[default]
    None,
@ -44,6 +44,16 @@ pub struct Scope {
    actions: Vec<Action>,
 }
 impl Scope {
    pub fn new(scope_type: ScopeType, path: String, actions: &[Action]) -> Self {
        Self {
            scope_type,
            path,
            actions: actions.to_vec(),
        }
    }
 }
 impl fmt::Display for Scope {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let actions = self.actions
--- a/src/dto/user.rs
+++ b/src/dto/user.rs
@ -4,7 +4,7 @@ use async_trait::async_trait;
 use axum::{http::{StatusCode, header, HeaderName, HeaderMap, Request, request::Parts}, extract::{FromRequest, FromRequestParts}};
 use bitflags::bitflags;
 use chrono::{DateTime, Utc};
-use tracing::debug;
+use tracing::{debug, warn};
 use crate::{app_state::AppState, database::Database};
@ -87,14 +87,25 @@ impl FromRequestParts<Arc<AppState>> for UserAuth {
        failure_headers.append(header::WWW_AUTHENTICATE, bearer.parse().unwrap());
        failure_headers.append(HeaderName::from_static("docker-distribution-api-version"), "registry/2.0".parse().unwrap());
        debug!("starting UserAuth request parts");
        let auth = String::from(
            parts.headers
                .get(header::AUTHORIZATION)
-                .ok_or((StatusCode::UNAUTHORIZED, failure_headers.clone()))?
+                .ok_or(
                    {
                        debug!("Client did not send authorization header");
                        (StatusCode::UNAUTHORIZED, failure_headers.clone())
                    })?
                .to_str()
-                .map_err(|_| (StatusCode::UNAUTHORIZED, failure_headers.clone()))?
+                .map_err(|_| {
                    warn!("Failure to convert Authorization header to string!");
                    (StatusCode::UNAUTHORIZED, failure_headers.clone())
                })?
        );
        debug!("got auth header");
        let token = match auth.split_once(' ') {
            Some((auth, token)) if auth == "Bearer" => token,
            // This line would allow empty tokens
@ -102,6 +113,8 @@ impl FromRequestParts<Arc<AppState>> for UserAuth {
            _ => return Err( (StatusCode::UNAUTHORIZED, failure_headers) ),
        };
        debug!("got token");
        // If the token is not valid, return an unauthorized response
        let database = &state.database;
        if let Ok(Some(user)) = database.verify_user_token(token.to_string()).await {
@ -109,14 +122,11 @@ impl FromRequestParts<Arc<AppState>> for UserAuth {
            Ok(user)
        } else {
-            let bearer = format!("Bearer realm=\"{}/auth\"", state.config.url());
+            debug!("Failure to verify user token, responding with auth realm");
            let mut headers = HeaderMap::new();
            headers.insert(header::WWW_AUTHENTICATE, bearer.parse().unwrap());
            headers.insert(HeaderName::from_static("docker-distribution-api-version"), "registry/2.0".to_string().parse().unwrap());
            Err((
                StatusCode::UNAUTHORIZED,
-                headers
+                failure_headers
            ))
        }
    }
--- a/src/main.rs
+++ b/src/main.rs
@ -9,6 +9,7 @@ mod auth;
 mod error;
 use std::net::SocketAddr;
 use std::path::Path;
 use std::str::FromStr;
 use std::sync::Arc;
@ -18,7 +19,11 @@ use axum::middleware::Next;
 use axum::response::Response;
 use axum::{Router, routing};
 use axum::ServiceExt;
 use axum_server::tls_rustls::RustlsConfig;
 use lazy_static::lazy_static;
 use regex::Regex;
 use sqlx::ConnectOptions;
 use tokio::fs::File;
 use tower_layer::Layer;
 use sqlx::sqlite::{SqlitePoolOptions, SqliteConnectOptions, SqliteJournalMode};
@ -36,11 +41,14 @@ use crate::config::{Config, DatabaseConfig, StorageConfig};
 use tower_http::trace::TraceLayer;
 lazy_static! {
    static ref REGISTRY_URL_REGEX: Regex = regex::Regex::new(r"/v2/([\w\-_./]+)/(blobs|tags|manifests)").unwrap();
 }
 /// Encode the 'name' path parameter in the url
 async fn change_request_paths<B>(mut request: Request<B>, next: Next<B>) -> Result<Response, StatusCode> {
    // Attempt to find the name using regex in the url
-    let regex = regex::Regex::new(r"/v2/([\w/]+)/(blobs|tags|manifests)")
+    let regex = &REGISTRY_URL_REGEX;
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
    let captures = match regex.captures(request.uri().path()) {
        Some(captures) => captures,
        None => return Ok(next.run(request).await),
@ -73,6 +81,11 @@ async fn main() -> anyhow::Result<()> {
        DatabaseConfig::Sqlite(sqlite) => sqlite,
    };
    // Create a database file if it doesn't exist already
    if !Path::new(&sqlite_config.path).exists() {
        File::create(&sqlite_config.path).await?;
    }
    let connection_options = SqliteConnectOptions::from_str(&format!("sqlite://{}", &sqlite_config.path))?
        .journal_mode(SqliteJournalMode::Wal);
    let pool = SqlitePoolOptions::new()
@ -100,6 +113,7 @@ async fn main() -> anyhow::Result<()> {
    let app_addr = SocketAddr::from_str(&format!("{}:{}", config.listen_address, config.listen_port))?;
    let tls_config = config.tls.clone();
    let state = Arc::new(AppState::new(pool, storage_driver, config, auth_driver));
    //let auth_middleware = axum::middleware::from_fn_with_state(state.clone(), auth::require_auth);
@ -136,10 +150,23 @@ async fn main() -> anyhow::Result<()> {
    let layered_app = NormalizePathLayer::trim_trailing_slash().layer(path_middleware.layer(app));
    match tls_config {
        Some(tls) if tls.enable => {
            info!("Starting https server, listening on {}", app_addr);
            let config = RustlsConfig::from_pem_file(&tls.cert, &tls.key).await?;
            axum_server::bind_rustls(app_addr, config)
                .serve(layered_app.into_make_service())
                .await?;
        },
        _ => {
            info!("Starting http server, listening on {}", app_addr);
            axum::Server::bind(&app_addr)
                .serve(layered_app.into_make_service())
                .await?;
        }
    }
    Ok(())
 }