daniel
/
distribution
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1934 from jheiss/token_ssl_pem_type 

Check PEM block type when reading token cert file
master
Derek McGowan 2016-09-13 09:45:06 -07:00 committed by GitHub
parent cb744efe8b d04481e388
commit 17fb0bb6b3
2 changed files with 60 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
registry/auth/token/accesscontroller.go
View File

@ -176,12 +176,14 @@ func newAccessController(options map[string]interface{}) (auth.AccessController,
var rootCerts []*x509.Certificate var rootCerts []*x509.Certificate
pemBlock, rawCertBundle := pem.Decode(rawCertBundle) pemBlock, rawCertBundle := pem.Decode(rawCertBundle)
for pemBlock != nil { for pemBlock != nil {
cert, err := x509.ParseCertificate(pemBlock.Bytes) if pemBlock.Type == "CERTIFICATE" {
if err != nil { cert, err := x509.ParseCertificate(pemBlock.Bytes)
return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err) if err != nil {
} return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err)
}
rootCerts = append(rootCerts, cert) rootCerts = append(rootCerts, cert)
}
pemBlock, rawCertBundle = pem.Decode(rawCertBundle) pemBlock, rawCertBundle = pem.Decode(rawCertBundle)
} }

53
registry/auth/token/token_test.go
View File

@ -455,3 +455,56 @@ func TestAccessController(t *testing.T) {
t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name) t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name)
} }
} }
// This tests that newAccessController can handle PEM blocks in the certificate
// file other than certificates, for example a private key.
func TestNewAccessControllerPemBlock(t *testing.T) {
rootKeys, err := makeRootKeys(2)
if err != nil {
t.Fatal(err)
}
rootCertBundleFilename, err := writeTempRootCerts(rootKeys)
if err != nil {
t.Fatal(err)
}
defer os.Remove(rootCertBundleFilename)
// Add something other than a certificate to the rootcertbundle
file, err := os.OpenFile(rootCertBundleFilename, os.O_WRONLY|os.O_APPEND, 0666)
if err != nil {
t.Fatal(err)
}
keyBlock, err := rootKeys[0].PEMBlock()
if err != nil {
t.Fatal(err)
}
err = pem.Encode(file, keyBlock)
if err != nil {
t.Fatal(err)
}
err = file.Close()
if err != nil {
t.Fatal(err)
}
realm := "https://auth.example.com/token/"
issuer := "test-issuer.example.com"
service := "test-service.example.com"
options := map[string]interface{}{
"realm": realm,
"issuer": issuer,
"service": service,
"rootcertbundle": rootCertBundleFilename,
}
ac, err := newAccessController(options)
if err != nil {
t.Fatal(err)
}
if len(ac.(*accessController).rootCerts.Subjects()) != 2 {
t.Fatal("accessController has the wrong number of certificates")
}
}