fix: make config read/write thread safe

1. The config config has a lock - covers most cases
2. The extensions config has a lock - covers cases for extensions (it is referenced in structs independently of the main config)
3. The access control config has a lock - covers cases for access control (it is referenced in structs independently of main config)
4. The auth config is a special case it doesn't have lock, we use a copy, as the config object may mutate in the middle of an auth request,
and using that may result in incompatible partial configuration being applied for that request.

Moved some of the methods which were on the main config to the auth, access control and extension configs

Signed-off-by: Andrei Aaron <[email protected]>

Author: andaaron

pkg/api/authn.go

@@ -55,7 +55,8 @@ func AuthHandler(ctlr *Controller) mux.MiddlewareFunc {
 		log:      ctlr.Log,
 	}
 
-	if ctlr.Config.IsBearerAuthEnabled() {
+	authConfig := ctlr.Config.GetAuthConfig()
+	if authConfig.IsBearerAuthEnabled() {
 		return bearerAuthHandler(ctlr)
 	}
 
@@ -103,6 +104,12 @@ func (amw *AuthnMiddleware) basicAuthn(ctlr *Controller, userAc *reqCtx.UserAcce
 ) (bool, error) {
 	cookieStore := ctlr.CookieStore
 
+	// Get auth config once to avoid multiple calls
+	authConfig := ctlr.Config.GetAuthConfig()
+	if authConfig == nil {
+		return false, nil
+	}
+
 	identity, passphrase, err := getUsernamePasswordBasicAuth(request)
 	if err != nil {
 		ctlr.Log.Error().Err(err).Msg("failed to parse authorization header")
@@ -116,7 +123,8 @@ func (amw *AuthnMiddleware) basicAuthn(ctlr *Controller, userAc *reqCtx.UserAcce
 		// Process request
 		var groups []string
 
-		if ctlr.Config.HTTP.AccessControl != nil {
+		accessControl := ctlr.Config.GetAccessControlConfig()
+		if accessControl != nil {
 			ac := NewAccessController(ctlr.Config)
 			groups = ac.getUserGroups(identity)
 		}
@@ -145,13 +153,14 @@ func (amw *AuthnMiddleware) basicAuthn(ctlr *Controller, userAc *reqCtx.UserAcce
 	}
 
 	// next, LDAP if configured (network-based which can lose connectivity)
-	if ctlr.Config.HTTP.Auth != nil && ctlr.Config.HTTP.Auth.LDAP != nil {
+	if authConfig.IsLdapAuthEnabled() {
 		ok, _, ldapgroups, err := amw.ldapClient.Authenticate(identity, passphrase)
 		if ok && err == nil {
 			// Process request
 			var groups []string
 
-			if ctlr.Config.HTTP.AccessControl != nil {
+			accessControl := ctlr.Config.GetAccessControlConfig()
+			if accessControl != nil {
 				ac := NewAccessController(ctlr.Config)
 				groups = ac.getUserGroups(identity)
 			}
@@ -181,7 +190,7 @@ func (amw *AuthnMiddleware) basicAuthn(ctlr *Controller, userAc *reqCtx.UserAcce
 	}
 
 	// last try API keys
-	if ctlr.Config.IsAPIKeyEnabled() {
+	if authConfig.IsAPIKeyEnabled() {
 		apiKey := passphrase
 
 		if !strings.HasPrefix(apiKey, constants.APIKeysPrefix) {
@@ -248,16 +257,22 @@ func (amw *AuthnMiddleware) basicAuthn(ctlr *Controller, userAc *reqCtx.UserAcce
 }
 
 func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFunc { //nolint: gocyclo
+	// Get auth config once to avoid multiple calls
+	authConfig := ctlr.Config.GetAuthConfig()
+	if authConfig == nil {
+		return noPasswdAuth(ctlr)
+	}
+
 	// no password based authN, if neither LDAP nor HTTP BASIC is enabled
-	if !ctlr.Config.IsBasicAuthnEnabled() {
+	if !authConfig.IsBasicAuthnEnabled() {
 		return noPasswdAuth(ctlr)
 	}
 
-	delay := ctlr.Config.HTTP.Auth.FailDelay
+	delay := authConfig.GetFailDelay()
 
 	// ldap and htpasswd based authN
-	if ctlr.Config.IsLdapAuthEnabled() {
-		ldapConfig := ctlr.Config.HTTP.Auth.LDAP
+	if authConfig.IsLdapAuthEnabled() {
+		ldapConfig := authConfig.LDAP
 
 		ctlr.LDAPClient = &LDAPClient{
 			Host:               ldapConfig.Address,
@@ -278,17 +293,17 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 
 		amw.ldapClient = ctlr.LDAPClient
 
-		if ctlr.Config.HTTP.Auth.LDAP.CACert != "" {
-			caCert, err := os.ReadFile(ctlr.Config.HTTP.Auth.LDAP.CACert)
+		if authConfig.LDAP.CACert != "" {
+			caCert, err := os.ReadFile(authConfig.LDAP.CACert)
 			if err != nil {
-				amw.log.Panic().Err(err).Str("caCert", ctlr.Config.HTTP.Auth.LDAP.CACert).
+				amw.log.Panic().Err(err).Str("caCert", authConfig.LDAP.CACert).
 					Msg("failed to read caCert")
 			}
 
 			caCertPool := x509.NewCertPool()
 
 			if !caCertPool.AppendCertsFromPEM(caCert) {
-				amw.log.Panic().Err(zerr.ErrBadCACert).Str("caCert", ctlr.Config.HTTP.Auth.LDAP.CACert).
+				amw.log.Panic().Err(zerr.ErrBadCACert).Str("caCert", authConfig.LDAP.CACert).
 					Msg("failed to read caCert")
 			}
 
@@ -297,34 +312,34 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 			// default to system cert pool
 			caCertPool, err := x509.SystemCertPool()
 			if err != nil {
-				amw.log.Panic().Err(zerr.ErrBadCACert).Str("caCert", ctlr.Config.HTTP.Auth.LDAP.CACert).
+				amw.log.Panic().Err(zerr.ErrBadCACert).Str("caCert", authConfig.LDAP.CACert).
 					Msg("failed to get system cert pool")
 			}
 
 			amw.ldapClient.ClientCAs = caCertPool
 		}
 	}
 
-	if ctlr.Config.IsHtpasswdAuthEnabled() {
-		err := amw.htpasswd.Reload(ctlr.Config.HTTP.Auth.HTPasswd.Path)
+	if authConfig.IsHtpasswdAuthEnabled() {
+		err := amw.htpasswd.Reload(authConfig.HTPasswd.Path)
 		if err != nil {
-			amw.log.Panic().Err(err).Str("credsFile", ctlr.Config.HTTP.Auth.HTPasswd.Path).
+			amw.log.Panic().Err(err).Str("credsFile", authConfig.HTPasswd.Path).
 				Msg("failed to open creds-file")
 		}
 	}
 
 	// openid based authN
-	if ctlr.Config.IsOpenIDAuthEnabled() {
+	if authConfig.IsOpenIDAuthEnabled() {
 		ctlr.RelyingParties = make(map[string]rp.RelyingParty)
 
-		for provider := range ctlr.Config.HTTP.Auth.OpenID.Providers {
+		for provider := range authConfig.OpenID.Providers {
 			if config.IsOpenIDSupported(provider) {
-				rp := NewRelyingPartyOIDC(context.TODO(), ctlr.Config, provider, ctlr.Config.HTTP.Auth.SessionHashKey,
-					ctlr.Config.HTTP.Auth.SessionEncryptKey, ctlr.Log)
+				rp := NewRelyingPartyOIDC(context.TODO(), ctlr.Config, provider, authConfig.SessionHashKey,
+					authConfig.SessionEncryptKey, ctlr.Log)
 				ctlr.RelyingParties[provider] = rp
 			} else if config.IsOauth2Supported(provider) {
-				rp := NewRelyingPartyGithub(ctlr.Config, provider, ctlr.Config.HTTP.Auth.SessionHashKey,
-					ctlr.Config.HTTP.Auth.SessionEncryptKey, ctlr.Log)
+				rp := NewRelyingPartyGithub(ctlr.Config, provider, authConfig.SessionHashKey,
+					authConfig.SessionEncryptKey, ctlr.Log)
 				ctlr.RelyingParties[provider] = rp
 			}
 		}
@@ -340,7 +355,10 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 			}
 
 			isMgmtRequested := request.RequestURI == constants.FullMgmt
-			allowAnonymous := ctlr.Config.HTTP.AccessControl.AnonymousPolicyExists()
+
+			// Get access control config safely
+			accessControlConfig := ctlr.Config.GetAccessControlConfig()
+			allowAnonymous := accessControlConfig != nil && accessControlConfig.AnonymousPolicyExists()
 
 			// build user access control info
 			userAc := reqCtx.NewUserAccessControl()
@@ -370,7 +388,9 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 					if errors.Is(err, zerr.ErrUserDataNotFound) {
 						ctlr.Log.Err(err).Msg("failed to find user profile in DB")
 
-						authFail(response, request, ctlr.Config.HTTP.Realm, delay)
+						// Get HTTP config safely for realm
+						httpConfig := ctlr.Config.GetHTTPConfig()
+						authFail(response, request, httpConfig.Realm, delay)
 					}
 
 					response.WriteHeader(http.StatusInternalServerError)
@@ -397,22 +417,27 @@ func (amw *AuthnMiddleware) tryAuthnHandlers(ctlr *Controller) mux.MiddlewareFun
 				return
 			}
 
-			authFail(response, request, ctlr.Config.HTTP.Realm, delay)
+			// Get HTTP config safely for realm
+			httpConfig := ctlr.Config.GetHTTPConfig()
+			authFail(response, request, httpConfig.Realm, delay)
 		})
 	}
 }
 
 func bearerAuthHandler(ctlr *Controller) mux.MiddlewareFunc {
+	// Get auth config safely
+	authConfig := ctlr.Config.GetAuthConfig()
+
 	// although the configuration option is called 'cert', this function will also parse a public key directly
 	// see https://github.com/project-zot/zot/issues/3173 for info
-	publicKey, err := loadPublicKeyFromFile(ctlr.Config.HTTP.Auth.Bearer.Cert)
+	publicKey, err := loadPublicKeyFromFile(authConfig.Bearer.Cert)
 	if err != nil {
 		ctlr.Log.Panic().Err(err).Msg("failed to load public key for bearer authentication")
 	}
 
 	authorizer := NewBearerAuthorizer(
-		ctlr.Config.HTTP.Auth.Bearer.Realm,
-		ctlr.Config.HTTP.Auth.Bearer.Service,
+		authConfig.Bearer.Realm,
+		authConfig.Bearer.Service,
 		publicKey,
 	)
 
@@ -509,7 +534,12 @@ func noPasswdAuth(ctlr *Controller) mux.MiddlewareFunc {
 			}
 
 			if ctlr.Config.IsMTLSAuthEnabled() && userAc.IsAnonymous() {
-				authFail(response, request, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				// Get HTTP config safely for realm and fail delay
+				httpConfig := ctlr.Config.GetHTTPConfig()
+				authConfig := ctlr.Config.GetAuthConfig()
+				failDelay := authConfig.GetFailDelay()
+
+				authFail(response, request, httpConfig.Realm, failDelay)
 
 				return
 			}

pkg/api/authz.go

@@ -42,16 +42,20 @@ type AccessController struct {
 }
 
 func NewAccessController(conf *config.Config) *AccessController {
-	if conf.HTTP.AccessControl == nil {
+	// Get access control config safely
+	accessControlConfig := conf.GetAccessControlConfig()
+	logConfig := conf.GetLogConfig()
+
+	if accessControlConfig == nil {
 		return &AccessController{
 			Config: &config.AccessControlConfig{},
-			Log:    log.NewLogger(conf.Log.Level, conf.Log.Output),
+			Log:    log.NewLogger(logConfig.Level, logConfig.Output),
 		}
 	}
 
 	return &AccessController{
-		Config: conf.HTTP.AccessControl,
-		Log:    log.NewLogger(conf.Log.Level, conf.Log.Output),
+		Config: accessControlConfig,
+		Log:    log.NewLogger(logConfig.Level, logConfig.Output),
 	}
 }
 
@@ -117,14 +121,17 @@ func (ac *AccessController) can(userAc *reqCtx.UserAccessControl, action, reposi
 	username := userAc.GetUsername()
 
 	// check matched repo based policy
-	pg, ok := ac.Config.Repositories[longestMatchedPattern]
+	repositories := ac.Config.GetRepositories()
+	pg, ok := repositories[longestMatchedPattern]
+
 	if ok {
 		can = ac.isPermitted(userGroups, username, action, pg)
 	}
 
 	// check admins based policy
 	if !can {
-		if ac.isAdmin(username, userGroups) && common.Contains(ac.Config.AdminPolicy.Actions, action) {
+		adminPolicy := ac.Config.GetAdminPolicy()
+		if ac.isAdmin(username, userGroups) && common.Contains(adminPolicy.Actions, action) {
 			can = true
 		}
 	}
@@ -134,16 +141,18 @@ func (ac *AccessController) can(userAc *reqCtx.UserAccessControl, action, reposi
 
 // isAdmin .
 func (ac *AccessController) isAdmin(username string, userGroups []string) bool {
-	if common.Contains(ac.Config.AdminPolicy.Users, username) || ac.isAnyGroupInAdminPolicy(userGroups) {
+	adminPolicy := ac.Config.GetAdminPolicy()
+	if common.Contains(adminPolicy.Users, username) || ac.isAnyGroupInAdminPolicy(userGroups) {
 		return true
 	}
 
 	return false
 }
 
 func (ac *AccessController) isAnyGroupInAdminPolicy(userGroups []string) bool {
+	adminPolicy := ac.Config.GetAdminPolicy()
 	for _, group := range userGroups {
-		if common.Contains(ac.Config.AdminPolicy.Groups, group) {
+		if common.Contains(adminPolicy.Groups, group) {
 			return true
 		}
 	}
@@ -154,7 +163,8 @@ func (ac *AccessController) isAnyGroupInAdminPolicy(userGroups []string) bool {
 func (ac *AccessController) getUserGroups(username string) []string {
 	var groupNames []string
 
-	for groupName, group := range ac.Config.Groups {
+	groups := ac.Config.GetGroups()
+	for groupName, group := range groups {
 		for _, user := range group.Users {
 			// find if the user is part of any groups
 			if user == username {
@@ -241,6 +251,10 @@ func (ac *AccessController) isPermitted(userGroups []string, username, action st
 func BaseAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+			// Get configs safely
+			authConfig := ctlr.Config.GetAuthConfig()
+			httpConfig := ctlr.Config.GetHTTPConfig()
+
 			/* NOTE:
 			since we only do READ actions in extensions, this middleware is enough for them because
 			it populates the context with user relevant data to be processed by each individual extension
@@ -271,7 +285,7 @@ func BaseAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 			// get access control context made in authn.go
 			userAc, err := reqCtx.UserAcFromContext(request.Context())
 			if err != nil { // should never happen
-				authFail(response, request, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				authFail(response, request, httpConfig.Realm, authConfig.GetFailDelay())
 
 				return
 			}
@@ -287,6 +301,10 @@ func BaseAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 func DistSpecAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
+			// Get configs safely
+			authConfig := ctlr.Config.GetAuthConfig()
+			httpConfig := ctlr.Config.GetHTTPConfig()
+
 			if request.Method == http.MethodOptions {
 				next.ServeHTTP(response, request)
 
@@ -310,7 +328,7 @@ func DistSpecAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 			// get userAc built in authn and previous authz middlewares
 			userAc, err := reqCtx.UserAcFromContext(request.Context())
 			if err != nil { // should never happen
-				authFail(response, request, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				authFail(response, request, httpConfig.Realm, authConfig.GetFailDelay())
 
 				return
 			}
@@ -341,7 +359,7 @@ func DistSpecAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 
 			can := acCtrlr.can(userAc, action, resource) //nolint:contextcheck
 			if !can {
-				common.AuthzFail(response, request, userAc.GetUsername(), ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				common.AuthzFail(response, request, userAc.GetUsername(), httpConfig.Realm, authConfig.GetFailDelay())
 			} else {
 				next.ServeHTTP(response, request) //nolint:contextcheck
 			}
@@ -352,32 +370,38 @@ func DistSpecAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 func MetricsAuthzHandler(ctlr *Controller) mux.MiddlewareFunc {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
-			if ctlr.Config.HTTP.AccessControl == nil {
+			// Get configs safely
+			authConfig := ctlr.Config.GetAuthConfig()
+			httpConfig := ctlr.Config.GetHTTPConfig()
+			accessControlConfig := ctlr.Config.GetAccessControlConfig()
+
+			if accessControlConfig == nil {
 				// allow access to authenticated user as anonymous policy does not exist
 				next.ServeHTTP(response, request)
 
 				return
 			}
 
-			if len(ctlr.Config.HTTP.AccessControl.Metrics.Users) == 0 {
+			metricsConfig := accessControlConfig.GetMetrics()
+			if len(metricsConfig.Users) == 0 {
 				log := ctlr.Log
 				log.Warn().Msg("auth is enabled but no metrics users in accessControl: /metrics is unaccesible")
-				common.AuthzFail(response, request, "", ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				common.AuthzFail(response, request, "", httpConfig.Realm, authConfig.GetFailDelay())
 
 				return
 			}
 
 			// get access control context made in authn.go
 			userAc, err := reqCtx.UserAcFromContext(request.Context())
 			if err != nil { // should never happen
-				common.AuthzFail(response, request, "", ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+				common.AuthzFail(response, request, "", httpConfig.Realm, authConfig.GetFailDelay())
 
 				return
 			}
 
 			username := userAc.GetUsername()
-			if !common.Contains(ctlr.Config.HTTP.AccessControl.Metrics.Users, username) {
-				common.AuthzFail(response, request, username, ctlr.Config.HTTP.Realm, ctlr.Config.HTTP.Auth.FailDelay)
+			if !common.Contains(metricsConfig.Users, username) {
+				common.AuthzFail(response, request, username, httpConfig.Realm, authConfig.GetFailDelay())
 
 				return
 			}