Add tests for authentication and security features
- Implement unit tests for password handling in `auth_test.ts`, covering bcrypt and legacy password hashes. - Create a fake database for user management to facilitate testing of the `AdminHandler`. - Validate JWT-based identity verification against database records. - Introduce tests for credential encryption and registry management in `security_test.ts`. - Ensure registry passwords are securely stored and can be decrypted correctly, including legacy support. - Add utility functions for password hashing and verification in `auth.ts`.
@@ -9,6 +9,9 @@ import type { IRegistry } from '../types.ts';
|
||||
import { logger } from '../logging.ts';
|
||||
import { getErrorMessage } from '../utils/error.ts';
|
||||
import { OneboxDatabase } from './database.ts';
|
||||
import { credentialEncryption } from './encryption.ts';
|
||||
|
||||
const encryptedPasswordPrefix = 'enc:v1:';
|
||||
|
||||
export class OneboxRegistriesManager {
|
||||
private oneboxRef: any; // Will be Onebox instance
|
||||
@@ -22,17 +25,23 @@ export class OneboxRegistriesManager {
|
||||
/**
|
||||
* Encrypt a password (simple base64 for now, should use proper encryption)
|
||||
*/
|
||||
private encryptPassword(password: string): string {
|
||||
// TODO: Use proper encryption with a secret key
|
||||
// For now, using base64 encoding (NOT SECURE, just for structure)
|
||||
return plugins.encoding.encodeBase64(new TextEncoder().encode(password));
|
||||
private async encryptPassword(password: string): Promise<string> {
|
||||
const encrypted = await credentialEncryption.encrypt({ password });
|
||||
return `${encryptedPasswordPrefix}${encrypted}`;
|
||||
}
|
||||
|
||||
/**
|
||||
* Decrypt a password
|
||||
*/
|
||||
private decryptPassword(encrypted: string): string {
|
||||
// TODO: Use proper decryption
|
||||
private async decryptPassword(encrypted: string): Promise<string> {
|
||||
if (encrypted.startsWith(encryptedPasswordPrefix)) {
|
||||
const decrypted = await credentialEncryption.decrypt<{ password: string }>(
|
||||
encrypted.slice(encryptedPasswordPrefix.length),
|
||||
);
|
||||
return decrypted.password;
|
||||
}
|
||||
|
||||
// Legacy compatibility for older databases that stored base64-encoded passwords.
|
||||
return new TextDecoder().decode(plugins.encoding.decodeBase64(encrypted));
|
||||
}
|
||||
|
||||
@@ -48,7 +57,7 @@ export class OneboxRegistriesManager {
|
||||
}
|
||||
|
||||
// Encrypt password
|
||||
const passwordEncrypted = this.encryptPassword(password);
|
||||
const passwordEncrypted = await this.encryptPassword(password);
|
||||
|
||||
// Create registry in database
|
||||
const registry = await this.database.createRegistry({
|
||||
@@ -111,7 +120,7 @@ export class OneboxRegistriesManager {
|
||||
try {
|
||||
logger.info(`Logging into registry: ${registry.url}`);
|
||||
|
||||
const password = this.decryptPassword(registry.passwordEncrypted);
|
||||
const password = await this.decryptPassword(registry.passwordEncrypted);
|
||||
|
||||
// Use docker login command
|
||||
const command = [
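Review bot: The doc comment left above the new `encryptPassword` in hunk `@@ -22,17 +25,23 @@` still reads `Encrypt a password (simple base64 for now, should use proper encryption)`, which no longer matches the code; change it to `Encrypt a registry password with credentialEncryption; the stored value is prefixed with encryptedPasswordPrefix so legacy base64 entries can be distinguished.` and extend the `Decrypt a password` comment to mention the legacy fallback. In `decryptPassword`, any stored value that lacks the `enc:v1:` prefix is base64-decoded and returned, so legacy rows remain reversibly encoded at rest until something rewrites them; consider re-encrypting such an entry after a successful legacy read (or a one-off migration) so the fallback can eventually be removed, and a `logger.warn` in that branch would make remaining legacy rows visible. The `docker login` command that begins on the last line of hunk `@@ -111,7 +120,7 @@` is built outside the hunk; if the decrypted password is passed as a command-line argument rather than via stdin, it is visible to other local processes, which is worth checking while this code is being touched.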
|
||||
|
||||