Remove scanner-pull from system admin's permission (#13901)

Signed-off-by: Daniel Jiang <jiangd@vmware.com>

src/common/security/local/context_test.go

@@ -254,3 +254,20 @@ func TestHasPushPullPerm(t *testing.T) {
 		assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
 	}
 }
+
+func TestSysadminPerms(t *testing.T) {
+	// authenticated, system admin
+	ctl := &projecttesting.Controller{}
+	mock.OnAnything(ctl, "Get").Return(private, nil)
+	mock.OnAnything(ctl, "ListRoles").Return([]int{}, nil)
+
+	ctx := NewSecurityContext(&models.User{
+		Username:     "admin",
+		SysAdminFlag: true,
+	})
+	ctx.ctl = ctl
+	resource := rbac.NewProjectNamespace(private.ProjectID).Resource(rbac.ResourceRepository)
+	assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
+	assert.False(t, ctx.Can(context.TODO(), rbac.ActionScannerPull, resource))
+
+}

src/pkg/permission/evaluator/admin/admin.go

@@ -17,6 +17,7 @@ package admin
 import (
 	"context"
 
+	"github.com/goharbor/harbor/src/common/rbac"
 	"github.com/goharbor/harbor/src/lib/log"
 	"github.com/goharbor/harbor/src/pkg/permission/evaluator"
 	"github.com/goharbor/harbor/src/pkg/permission/types"
@@ -32,7 +33,8 @@ type Evaluator struct {
 // HasPermission always return true for the system administrator
 func (e *Evaluator) HasPermission(ctx context.Context, resource types.Resource, action types.Action) bool {
 	log.Debugf("system administrator %s require %s action for resource %s", e.username, action, resource)
-	return true
+	// scanner-pull is for scanner to bypass the policy checking so admin user should not have this permission
+	return action != rbac.ActionScannerPull
 }
 
 // New returns evaluator.Evaluator for the system administrator