add scanner pull check in policy checker middleware (#10971)

Scanner uses the robot account to pull the image and scan it, so the policy checker should bypass the
pull action even when the policy is enabled; otherwise the scan job will fail.

Signed-off-by: wang yan <wangyan@vmware.com>
Wang Yan 2020-03-09 12:11:54 +08:00 committed by GitHub
parent 7897fd752b
commit 073d95b89f
2 changed files with 30 additions and 0 deletions


@ -1,6 +1,9 @@
package contenttrust
import (
"github.com/goharbor/harbor/src/api/project"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/security"
internal_errors "github.com/goharbor/harbor/src/internal/error"
"github.com/goharbor/harbor/src/pkg/signature"
serror "github.com/goharbor/harbor/src/server/error"
@ -49,6 +52,18 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
if !ok {
return false, none
}
pro, err := project.Ctl.GetByName(req.Context(), af.ProjectName)
if err != nil {
return false, none
}
resource := rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)
securityCtx, ok := security.FromContext(req.Context())
if !ok {
return false, none
}
if !securityCtx.Can(rbac.ActionScannerPull, resource) {
return false, none
}
if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
return false, af
}
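Review bot: The new guard `if !securityCtx.Can(rbac.ActionScannerPull, resource) { return false, none }` looks inverted relative to the commit's intent: in this function `false` is what the ContentTrustEnabled branch returns when no check is needed, so a caller that lacks the scanner-pull permission skips the content-trust check while the scanner itself falls through to it (the function's tail is outside the hunk, so this reading should be confirmed there). The condition should read `if securityCtx.Can(rbac.ActionScannerPull, resource) {`, and the same inverted test appears in the vulnerable middleware's validate in this commit. Separately, a failed `project.Ctl.GetByName` or a missing security context returns the same `false, none` as "policy not applicable", so an error silently disables the policy instead of denying; at minimum the discarded `err` should be logged so a skipped check is visible in the logs.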


@ -1,6 +1,9 @@
package vulnerable
import (
"github.com/goharbor/harbor/src/api/project"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/security"
"net/http"
"net/http/httptest"
@ -105,6 +108,18 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
return false, af, vs, wl
}
pro, err := project.Ctl.GetByName(req.Context(), af.ProjectName)
if err != nil {
return false, af, vs, wl
}
resource := rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)
securityCtx, ok := security.FromContext(req.Context())
if !ok {
return false, af, vs, wl
}
if !securityCtx.Can(rbac.ActionScannerPull, resource) {
return false, af, vs, wl
}
// Is vulnerable policy set?
projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
if !projectVulnerableEnabled {
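Review bot: The error from `project.Ctl.GetByName` is dropped and mapped to the same `return false, af, vs, wl` that the policy-disabled path presumably uses, so a transient lookup failure makes the vulnerability gate fail open with no trace in the logs; the enclosing function ends outside the hunk, so confirm what `false` means at the caller. A comment on the early returns would make the trade-off explicit, e.g. `// NOTE: lookup or security-context failures skip the vulnerability check (fail-open) rather than denying the pull`, and logging `err` before returning would keep the bypass observable. The project lookup, security-context fetch and scanner-pull check are now duplicated verbatim between this file and the contenttrust middleware; a single helper in the shared middleware package would keep the two policies from drifting.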