From 22b4ea0f8916bedfddb231d4c29d01fae4b1df30 Mon Sep 17 00:00:00 2001 From: wang yan Date: Fri, 18 Oct 2019 10:42:56 +0800 Subject: [PATCH] Enable robot account bypass policy check 1, the commit is for internal robot to bypass policy check, like vul and signature checking. 2, add a bool attribute into registry token, decode it in the harbor core and add the status into request context. 3, add a bool attribut for robot API controller, but API will not use it.y Signed-off-by: wang yan --- src/common/security/admiral/context.go | 5 ++ src/common/security/context.go | 2 + src/common/security/local/context.go | 5 ++ src/common/security/robot/context.go | 21 +++-- src/common/security/robot/context_test.go | 24 ++--- src/common/security/secret/context.go | 5 ++ src/common/token/htoken.go | 87 ------------------- src/common/utils/notary/helper.go | 2 +- .../utils/registry/auth/tokenauthorizer.go | 2 +- src/core/api/robot.go | 1 + src/core/filter/security.go | 13 +-- src/core/middlewares/chain.go | 2 + src/core/middlewares/config.go | 3 +- src/core/middlewares/contenttrust/handler.go | 6 ++ src/core/middlewares/regtoken/handler.go | 55 ++++++++++++ src/core/middlewares/util/util.go | 2 + src/core/middlewares/vulnerable/handler.go | 7 ++ src/core/service/token/authutils.go | 33 ++++--- src/core/service/token/creator.go | 2 +- src/core/service/token/token_test.go | 9 +- src/pkg/robot/controller.go | 21 ++++- src/pkg/robot/model/robot.go | 1 + src/pkg/token/claim/registry.go | 22 +++++ .../claims.go => pkg/token/claim/robot.go} | 15 ++-- .../token/claim/robot_test.go} | 10 +-- .../token/option_test.go} | 4 +- src/{common => pkg}/token/options.go | 40 ++++----- src/pkg/token/token.go | 77 ++++++++++++++++ .../token/token_test.go} | 26 +++++- 29 files changed, 331 insertions(+), 171 deletions(-) delete mode 100644 src/common/token/htoken.go create mode 100644 src/core/middlewares/regtoken/handler.go create mode 100644 src/pkg/token/claim/registry.go rename src/{common/token/claims.go => pkg/token/claim/robot.go} (63%) rename src/{common/token/claims_test.go => pkg/token/claim/robot_test.go} (90%) rename src/{common/token/options_test.go => pkg/token/option_test.go} (86%) rename src/{common => pkg}/token/options.go (83%) create mode 100644 src/pkg/token/token.go rename src/{common/token/htoken_test.go => pkg/token/token_test.go} (80%) diff --git a/src/common/security/admiral/context.go b/src/common/security/admiral/context.go index fcc0a069f..b4e19dbda 100644 --- a/src/common/security/admiral/context.go +++ b/src/common/security/admiral/context.go @@ -64,6 +64,11 @@ func (s *SecurityContext) IsSysAdmin() bool { return s.ctx.IsSysAdmin() } +// PolicyCheck ... +func (s *SecurityContext) PolicyCheck() bool { + return true +} + // IsSolutionUser ... func (s *SecurityContext) IsSolutionUser() bool { return false diff --git a/src/common/security/context.go b/src/common/security/context.go index 4b879a218..2de8b7ed5 100644 --- a/src/common/security/context.go +++ b/src/common/security/context.go @@ -27,6 +27,8 @@ type Context interface { GetUsername() string // IsSysAdmin returns whether the user is system admin IsSysAdmin() bool + // PolicyCheck returns whether the middlerwares apply to the request + PolicyCheck() bool // IsSolutionUser returns whether the user is solution user IsSolutionUser() bool // Get current user's all project diff --git a/src/common/security/local/context.go b/src/common/security/local/context.go index a80130da8..56697f731 100644 --- a/src/common/security/local/context.go +++ b/src/common/security/local/context.go @@ -61,6 +61,11 @@ func (s *SecurityContext) IsSysAdmin() bool { return s.user.HasAdminRole } +// PolicyCheck ... +func (s *SecurityContext) PolicyCheck() bool { + return true +} + // IsSolutionUser ... func (s *SecurityContext) IsSolutionUser() bool { return false diff --git a/src/common/security/robot/context.go b/src/common/security/robot/context.go index 43ebf5921..c1a08fb29 100644 --- a/src/common/security/robot/context.go +++ b/src/common/security/robot/context.go @@ -23,17 +23,19 @@ import ( // SecurityContext implements security.Context interface based on database type SecurityContext struct { - robot *model.Robot - pm promgr.ProjectManager - policy []*rbac.Policy + robot *model.Robot + pm promgr.ProjectManager + policy []*rbac.Policy + polichCheck bool } // NewSecurityContext ... -func NewSecurityContext(robot *model.Robot, pm promgr.ProjectManager, policy []*rbac.Policy) *SecurityContext { +func NewSecurityContext(robot *model.Robot, pm promgr.ProjectManager, policy []*rbac.Policy, polichCheck bool) *SecurityContext { return &SecurityContext{ - robot: robot, - pm: pm, - policy: policy, + robot: robot, + pm: pm, + policy: policy, + polichCheck: polichCheck, } } @@ -56,6 +58,11 @@ func (s *SecurityContext) IsSysAdmin() bool { return false } +// PolicyCheck ... +func (s *SecurityContext) PolicyCheck() bool { + return s.polichCheck +} + // IsSolutionUser robot cannot be a system admin func (s *SecurityContext) IsSolutionUser() bool { return false diff --git a/src/common/security/robot/context_test.go b/src/common/security/robot/context_test.go index a16cd40fe..004a1acb6 100644 --- a/src/common/security/robot/context_test.go +++ b/src/common/security/robot/context_test.go @@ -93,45 +93,45 @@ func TestMain(m *testing.M) { func TestIsAuthenticated(t *testing.T) { // unauthenticated - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) assert.False(t, ctx.IsAuthenticated()) // authenticated ctx = NewSecurityContext(&model.Robot{ Name: "test", Disabled: false, - }, nil, nil) + }, nil, nil, true) assert.True(t, ctx.IsAuthenticated()) } func TestGetUsername(t *testing.T) { // unauthenticated - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) assert.Equal(t, "", ctx.GetUsername()) // authenticated ctx = NewSecurityContext(&model.Robot{ Name: "test", Disabled: false, - }, nil, nil) + }, nil, nil, true) assert.Equal(t, "test", ctx.GetUsername()) } func TestIsSysAdmin(t *testing.T) { // unauthenticated - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) assert.False(t, ctx.IsSysAdmin()) // authenticated, non admin ctx = NewSecurityContext(&model.Robot{ Name: "test", Disabled: false, - }, nil, nil) + }, nil, nil, true) assert.False(t, ctx.IsSysAdmin()) } func TestIsSolutionUser(t *testing.T) { - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) assert.False(t, ctx.IsSolutionUser()) } @@ -147,7 +147,7 @@ func TestHasPullPerm(t *testing.T) { Description: "desc", } - ctx := NewSecurityContext(robot, pm, policies) + ctx := NewSecurityContext(robot, pm, policies, true) resource := rbac.NewProjectNamespace(private.ProjectID).Resource(rbac.ResourceRepository) assert.True(t, ctx.Can(rbac.ActionPull, resource)) } @@ -164,7 +164,7 @@ func TestHasPushPerm(t *testing.T) { Description: "desc", } - ctx := NewSecurityContext(robot, pm, policies) + ctx := NewSecurityContext(robot, pm, policies, true) resource := rbac.NewProjectNamespace(private.ProjectID).Resource(rbac.ResourceRepository) assert.True(t, ctx.Can(rbac.ActionPush, resource)) } @@ -185,20 +185,20 @@ func TestHasPushPullPerm(t *testing.T) { Description: "desc", } - ctx := NewSecurityContext(robot, pm, policies) + ctx := NewSecurityContext(robot, pm, policies, true) resource := rbac.NewProjectNamespace(private.ProjectID).Resource(rbac.ResourceRepository) assert.True(t, ctx.Can(rbac.ActionPush, resource) && ctx.Can(rbac.ActionPull, resource)) } func TestGetMyProjects(t *testing.T) { - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) projects, err := ctx.GetMyProjects() require.Nil(t, err) assert.Nil(t, projects) } func TestGetProjectRoles(t *testing.T) { - ctx := NewSecurityContext(nil, nil, nil) + ctx := NewSecurityContext(nil, nil, nil, true) roles := ctx.GetProjectRoles("test") assert.Nil(t, roles) } diff --git a/src/common/security/secret/context.go b/src/common/security/secret/context.go index 5dc06137a..3482d2aa9 100644 --- a/src/common/security/secret/context.go +++ b/src/common/security/secret/context.go @@ -66,6 +66,11 @@ func (s *SecurityContext) IsSysAdmin() bool { return false } +// PolicyCheck ... +func (s *SecurityContext) PolicyCheck() bool { + return true +} + // IsSolutionUser ... func (s *SecurityContext) IsSolutionUser() bool { return s.IsAuthenticated() diff --git a/src/common/token/htoken.go b/src/common/token/htoken.go deleted file mode 100644 index 897c50467..000000000 --- a/src/common/token/htoken.go +++ /dev/null @@ -1,87 +0,0 @@ -package token - -import ( - "crypto/ecdsa" - "crypto/rsa" - "errors" - "fmt" - "github.com/dgrijalva/jwt-go" - "github.com/goharbor/harbor/src/common/rbac" - "github.com/goharbor/harbor/src/common/utils/log" - "time" -) - -// HToken htoken is a jwt token for harbor robot account, -// which contains the robot ID, project ID and the access permission for the project. -// It used for authn/authz for robot account in Harbor. -type HToken struct { - jwt.Token -} - -// New ... -func New(tokenID, projectID, expiresAt int64, access []*rbac.Policy) (*HToken, error) { - rClaims := &RobotClaims{ - TokenID: tokenID, - ProjectID: projectID, - Access: access, - StandardClaims: jwt.StandardClaims{ - IssuedAt: time.Now().UTC().Unix(), - ExpiresAt: expiresAt, - Issuer: DefaultOptions().Issuer, - }, - } - err := rClaims.Valid() - if err != nil { - return nil, err - } - return &HToken{ - Token: *jwt.NewWithClaims(DefaultOptions().SignMethod, rClaims), - }, nil -} - -// Raw get the Raw string of token -func (htk *HToken) Raw() (string, error) { - key, err := DefaultOptions().GetKey() - if err != nil { - return "", nil - } - raw, err := htk.Token.SignedString(key) - if err != nil { - log.Debugf(fmt.Sprintf("failed to issue token %v", err)) - return "", err - } - return raw, err -} - -// ParseWithClaims ... -func ParseWithClaims(rawToken string, claims jwt.Claims) (*HToken, error) { - key, err := DefaultOptions().GetKey() - if err != nil { - return nil, err - } - token, err := jwt.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) { - if token.Method.Alg() != DefaultOptions().SignMethod.Alg() { - return nil, errors.New("invalid signing method") - } - switch k := key.(type) { - case *rsa.PrivateKey: - return &k.PublicKey, nil - case *ecdsa.PrivateKey: - return &k.PublicKey, nil - default: - return key, nil - } - }) - if err != nil { - log.Errorf(fmt.Sprintf("parse token error, %v", err)) - return nil, err - } - - if !token.Valid { - log.Errorf(fmt.Sprintf("invalid jwt token, %v", token)) - return nil, errors.New("invalid jwt token") - } - return &HToken{ - Token: *token, - }, nil -} diff --git a/src/common/utils/notary/helper.go b/src/common/utils/notary/helper.go index db80a9450..781ef793a 100644 --- a/src/common/utils/notary/helper.go +++ b/src/common/utils/notary/helper.go @@ -76,7 +76,7 @@ func GetTargets(notaryEndpoint string, username string, fqRepo string) ([]model. Type: "repository", Name: fqRepo, Actions: []string{"pull"}, - }}) + }}, true) if err != nil { return nil, err } diff --git a/src/common/utils/registry/auth/tokenauthorizer.go b/src/common/utils/registry/auth/tokenauthorizer.go index 1f1c95569..c2c5fcbd4 100644 --- a/src/common/utils/registry/auth/tokenauthorizer.go +++ b/src/common/utils/registry/auth/tokenauthorizer.go @@ -346,7 +346,7 @@ type rawTokenGenerator struct { // generate token directly func (r *rawTokenGenerator) generate(scopes []*token.ResourceActions, endpoint string) (*models.Token, error) { - return token_util.MakeToken(r.username, r.service, scopes) + return token_util.MakeToken(r.username, r.service, scopes, true) } func buildPingURL(endpoint string) string { diff --git a/src/core/api/robot.go b/src/core/api/robot.go index ded3a8d58..0304e4b54 100644 --- a/src/core/api/robot.go +++ b/src/core/api/robot.go @@ -108,6 +108,7 @@ func (r *RobotAPI) Post() { return } robotReq.Visible = true + robotReq.PolicyCheck = true robotReq.ProjectID = r.project.ProjectID if err := validateRobotReq(r.project, &robotReq); err != nil { diff --git a/src/core/filter/security.go b/src/core/filter/security.go index b8bbbac5b..9f2cdb620 100644 --- a/src/core/filter/security.go +++ b/src/core/filter/security.go @@ -34,7 +34,6 @@ import ( "github.com/goharbor/harbor/src/common/security/local" robotCtx "github.com/goharbor/harbor/src/common/security/robot" "github.com/goharbor/harbor/src/common/security/secret" - "github.com/goharbor/harbor/src/common/token" "github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/core/auth" "github.com/goharbor/harbor/src/core/config" @@ -44,6 +43,8 @@ import ( "github.com/goharbor/harbor/src/pkg/authproxy" "github.com/goharbor/harbor/src/pkg/robot" + pkg_token "github.com/goharbor/harbor/src/pkg/token" + "github.com/goharbor/harbor/src/pkg/token/claim" ) // ContextValueKey for content value @@ -188,15 +189,17 @@ func (r *robotAuthReqCtxModifier) Modify(ctx *beegoctx.Context) bool { if !strings.HasPrefix(robotName, common.RobotPrefix) { return false } - rClaims := &token.RobotClaims{} - htk, err := token.ParseWithClaims(robotTk, rClaims) + rClaims := &claim.Robot{} + opt := pkg_token.DefaultTokenOptions() + rtk, err := pkg_token.Parse(opt, robotTk, rClaims) if err != nil { log.Errorf("failed to decrypt robot token, %v", err) return false } + // Do authn for robot account, as Harbor only stores the token ID, just validate the ID and disable. ctr := robot.RobotCtr - robot, err := ctr.GetRobotAccount(htk.Claims.(*token.RobotClaims).TokenID) + robot, err := ctr.GetRobotAccount(rtk.Claims.(*claim.Robot).TokenID) if err != nil { log.Errorf("failed to get robot %s: %v", robotName, err) return false @@ -215,7 +218,7 @@ func (r *robotAuthReqCtxModifier) Modify(ctx *beegoctx.Context) bool { } log.Debug("creating robot account security context...") pm := config.GlobalProjectMgr - securCtx := robotCtx.NewSecurityContext(robot, pm, htk.Claims.(*token.RobotClaims).Access) + securCtx := robotCtx.NewSecurityContext(robot, pm, rtk.Claims.(*claim.Robot).Access, rClaims.PolicyCheck) setSecurCtxAndPM(ctx.Request, securCtx, pm) return true } diff --git a/src/core/middlewares/chain.go b/src/core/middlewares/chain.go index 79617c735..630a8e8d4 100644 --- a/src/core/middlewares/chain.go +++ b/src/core/middlewares/chain.go @@ -25,6 +25,7 @@ import ( "github.com/goharbor/harbor/src/core/middlewares/listrepo" "github.com/goharbor/harbor/src/core/middlewares/multiplmanifest" "github.com/goharbor/harbor/src/core/middlewares/readonly" + "github.com/goharbor/harbor/src/core/middlewares/regtoken" "github.com/goharbor/harbor/src/core/middlewares/sizequota" "github.com/goharbor/harbor/src/core/middlewares/url" "github.com/goharbor/harbor/src/core/middlewares/vulnerable" @@ -72,6 +73,7 @@ func (b *DefaultCreator) geMiddleware(mName string) alice.Constructor { SIZEQUOTA: func(next http.Handler) http.Handler { return sizequota.New(next) }, COUNTQUOTA: func(next http.Handler) http.Handler { return countquota.New(next) }, IMMUTABLE: func(next http.Handler) http.Handler { return immutable.New(next) }, + REGTOKEN: func(next http.Handler) http.Handler { return regtoken.New(next) }, } return middlewares[mName] } diff --git a/src/core/middlewares/config.go b/src/core/middlewares/config.go index fa2b536f5..d80489312 100644 --- a/src/core/middlewares/config.go +++ b/src/core/middlewares/config.go @@ -26,13 +26,14 @@ const ( SIZEQUOTA = "sizequota" COUNTQUOTA = "countquota" IMMUTABLE = "immutable" + REGTOKEN = "REGTOKEN" ) // ChartMiddlewares middlewares for chart server var ChartMiddlewares = []string{CHART} // Middlewares with sequential organization -var Middlewares = []string{READONLY, URL, MUITIPLEMANIFEST, LISTREPO, CONTENTTRUST, VULNERABLE, SIZEQUOTA, IMMUTABLE, COUNTQUOTA} +var Middlewares = []string{READONLY, URL, REGTOKEN, MUITIPLEMANIFEST, LISTREPO, CONTENTTRUST, VULNERABLE, SIZEQUOTA, IMMUTABLE, COUNTQUOTA} // MiddlewaresLocal ... var MiddlewaresLocal = []string{SIZEQUOTA, IMMUTABLE, COUNTQUOTA} diff --git a/src/core/middlewares/contenttrust/handler.go b/src/core/middlewares/contenttrust/handler.go index bcc4de44a..9dc6d1e69 100644 --- a/src/core/middlewares/contenttrust/handler.go +++ b/src/core/middlewares/contenttrust/handler.go @@ -49,6 +49,12 @@ func (cth contentTrustHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque cth.next.ServeHTTP(rw, req) return } + // Token bypass policy check + policyCheck := req.Context().Value(util.PolicyCheckCtxKey) + if policyCheck != nil && !policyCheck.(bool) { + cth.next.ServeHTTP(rw, req) + return + } if !util.GetPolicyChecker().ContentTrustEnabled(img.ProjectName) { cth.next.ServeHTTP(rw, req) return diff --git a/src/core/middlewares/regtoken/handler.go b/src/core/middlewares/regtoken/handler.go new file mode 100644 index 000000000..67c2c934a --- /dev/null +++ b/src/core/middlewares/regtoken/handler.go @@ -0,0 +1,55 @@ +package regtoken + +import ( + "context" + "github.com/goharbor/harbor/src/common/utils/log" + "github.com/goharbor/harbor/src/core/config" + "github.com/goharbor/harbor/src/core/middlewares/util" + pkg_token "github.com/goharbor/harbor/src/pkg/token" + "github.com/goharbor/harbor/src/pkg/token/claim" + "net/http" + "strings" +) + +type regTokenHandler struct { + next http.Handler +} + +// New ... +func New(next http.Handler) http.Handler { + return ®TokenHandler{ + next: next, + } +} + +// ServeHTTP ... +func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) { + imgRaw := req.Context().Value(util.ImageInfoCtxKey) + if imgRaw == nil || !config.WithClair() { + r.next.ServeHTTP(rw, req) + return + } + img, _ := req.Context().Value(util.ImageInfoCtxKey).(util.ImageInfo) + if img.Digest == "" { + r.next.ServeHTTP(rw, req) + return + } + + parts := strings.Split(req.Header.Get("Authorization"), " ") + if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" { + r.next.ServeHTTP(rw, req) + return + } + rawToken := parts[1] + opt := pkg_token.DefaultTokenOptions() + rClaims := &claim.Registry{} + rtk, err := pkg_token.Parse(opt, rawToken, rClaims) + if err != nil { + log.Debug("failed to decode reg token: %v, the error is skipped and round the request to native registry.", err) + r.next.ServeHTTP(rw, req) + return + } + ctx := context.WithValue(req.Context(), util.PolicyCheckCtxKey, rtk.Claims.(*claim.Registry).PolicyCheck) + req = req.WithContext(ctx) + r.next.ServeHTTP(rw, req) +} diff --git a/src/core/middlewares/util/util.go b/src/core/middlewares/util/util.go index 9c05b7599..4997bf338 100644 --- a/src/core/middlewares/util/util.go +++ b/src/core/middlewares/util/util.go @@ -49,6 +49,8 @@ type contextKey string const ( // ImageInfoCtxKey the context key for image information ImageInfoCtxKey = contextKey("ImageInfo") + // PolicyCheckCtxKey the context key for image information + PolicyCheckCtxKey = contextKey("PolicyCheck") // TokenUsername ... // TODO: temp solution, remove after vmware/harbor#2242 is resolved. TokenUsername = "harbor-core" diff --git a/src/core/middlewares/vulnerable/handler.go b/src/core/middlewares/vulnerable/handler.go index a1ba6bda9..eaecbae5a 100644 --- a/src/core/middlewares/vulnerable/handler.go +++ b/src/core/middlewares/vulnerable/handler.go @@ -52,6 +52,13 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) return } + // Token bypass policy check + policyCheck := req.Context().Value(util.PolicyCheckCtxKey) + if policyCheck != nil && !policyCheck.(bool) { + vh.next.ServeHTTP(rw, req) + return + } + // Is vulnerable policy set? projectVulnerableEnabled, projectVulnerableSeverity, wl := util.GetPolicyChecker().VulnerablePolicy(img.ProjectName) if !projectVulnerableEnabled { diff --git a/src/core/service/token/authutils.go b/src/core/service/token/authutils.go index 8de8a50ca..aac46c259 100644 --- a/src/core/service/token/authutils.go +++ b/src/core/service/token/authutils.go @@ -42,6 +42,12 @@ func init() { privateKey = config.TokenPrivateKeyPath() } +// ClaimSet ... +type ClaimSet struct { + token.ClaimSet + PolicyCheck bool `json:"policy_check"` +} + // GetResourceActions ... func GetResourceActions(scopes []string) []*token.ResourceActions { log.Debugf("scopes: %+v", scopes) @@ -100,7 +106,7 @@ func filterAccess(access []*token.ResourceActions, ctx security.Context, } // MakeToken makes a valid jwt token based on parms. -func MakeToken(username, service string, access []*token.ResourceActions) (*models.Token, error) { +func MakeToken(username, service string, access []*token.ResourceActions, policyCheck bool) (*models.Token, error) { pk, err := libtrust.LoadKeyFile(privateKey) if err != nil { return nil, err @@ -110,7 +116,7 @@ func MakeToken(username, service string, access []*token.ResourceActions) (*mode return nil, err } - tk, expiresIn, issuedAt, err := makeTokenCore(issuer, username, service, expiration, access, pk) + tk, expiresIn, issuedAt, err := makeTokenCore(issuer, username, service, expiration, access, pk, policyCheck) if err != nil { return nil, err } @@ -138,7 +144,7 @@ func permToActions(p string) []string { // make token core func makeTokenCore(issuer, subject, audience string, expiration int, - access []*token.ResourceActions, signingKey libtrust.PrivateKey) (t *token.Token, expiresIn int, issuedAt *time.Time, err error) { + access []*token.ResourceActions, signingKey libtrust.PrivateKey, policyCheck bool) (t *token.Token, expiresIn int, issuedAt *time.Time, err error) { joseHeader := &token.Header{ Type: "JWT", @@ -155,15 +161,18 @@ func makeTokenCore(issuer, subject, audience string, expiration int, issuedAt = &now expiresIn = expiration * 60 - claimSet := &token.ClaimSet{ - Issuer: issuer, - Subject: subject, - Audience: audience, - Expiration: now.Add(time.Duration(expiration) * time.Minute).Unix(), - NotBefore: now.Unix(), - IssuedAt: now.Unix(), - JWTID: jwtID, - Access: access, + claimSet := &ClaimSet{ + ClaimSet: token.ClaimSet{ + Issuer: issuer, + Subject: subject, + Audience: audience, + Expiration: now.Add(time.Duration(expiration) * time.Minute).Unix(), + NotBefore: now.Unix(), + IssuedAt: now.Unix(), + JWTID: jwtID, + Access: access, + }, + PolicyCheck: policyCheck, } var joseHeaderBytes, claimSetBytes []byte diff --git a/src/core/service/token/creator.go b/src/core/service/token/creator.go index feca191e6..6ca8036ae 100644 --- a/src/core/service/token/creator.go +++ b/src/core/service/token/creator.go @@ -222,7 +222,7 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) { if err != nil { return nil, err } - return MakeToken(ctx.GetUsername(), g.service, access) + return MakeToken(ctx.GetUsername(), g.service, access, ctx.PolicyCheck()) } func parseScopes(u *url.URL) []string { diff --git a/src/core/service/token/token_test.go b/src/core/service/token/token_test.go index 4a8435c2c..5a722c23a 100644 --- a/src/core/service/token/token_test.go +++ b/src/core/service/token/token_test.go @@ -119,7 +119,8 @@ func getPublicKey(crtPath string) (*rsa.PublicKey, error) { type harborClaims struct { jwt.StandardClaims // Private claims - Access []*token.ResourceActions `json:"access"` + Access []*token.ResourceActions `json:"access"` + PolicyCheck bool `json:"policy_check"` } func TestMakeToken(t *testing.T) { @@ -133,7 +134,7 @@ func TestMakeToken(t *testing.T) { }} svc := "harbor-registry" u := "tester" - tokenJSON, err := MakeToken(u, svc, ra) + tokenJSON, err := MakeToken(u, svc, ra, true) if err != nil { t.Errorf("Error while making token: %v", err) } @@ -154,6 +155,7 @@ func TestMakeToken(t *testing.T) { t.Errorf("Error while parsing the token: %v", err) } claims := tok.Claims.(*harborClaims) + assert.True(t, claims.PolicyCheck) assert.Equal(t, *(claims.Access[0]), *(ra[0]), "Access mismatch") assert.Equal(t, claims.Audience, svc, "Audience mismatch") } @@ -242,6 +244,9 @@ func (f *fakeSecurityContext) IsSysAdmin() bool { func (f *fakeSecurityContext) IsSolutionUser() bool { return false } +func (f *fakeSecurityContext) PolicyCheck() bool { + return false +} func (f *fakeSecurityContext) Can(action rbac.Action, resource rbac.Resource) bool { return false } diff --git a/src/pkg/robot/controller.go b/src/pkg/robot/controller.go index 5a6565711..8d132fea6 100644 --- a/src/pkg/robot/controller.go +++ b/src/pkg/robot/controller.go @@ -2,12 +2,14 @@ package robot import ( "fmt" + "github.com/dgrijalva/jwt-go" "github.com/goharbor/harbor/src/common" - "github.com/goharbor/harbor/src/common/token" "github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/core/config" "github.com/goharbor/harbor/src/pkg/q" "github.com/goharbor/harbor/src/pkg/robot/model" + "github.com/goharbor/harbor/src/pkg/token" + "github.com/goharbor/harbor/src/pkg/token/claim" "github.com/pkg/errors" "time" ) @@ -76,13 +78,24 @@ func (d *DefaultAPIController) CreateRobotAccount(robotReq *model.RobotCreate) ( // generate the token, and return it with response data. // token is not stored in the database. - jwtToken, err := token.New(id, robotReq.ProjectID, expiresAt, robotReq.Access) + opt := token.DefaultTokenOptions() + rClaims := &claim.Robot{ + TokenID: id, + ProjectID: robotReq.ProjectID, + Access: robotReq.Access, + PolicyCheck: robotReq.PolicyCheck, + StandardClaims: jwt.StandardClaims{ + IssuedAt: time.Now().UTC().Unix(), + ExpiresAt: expiresAt, + Issuer: opt.Issuer, + }, + } + tk, err := token.New(opt, rClaims) if err != nil { deferDel = err return nil, fmt.Errorf("failed to valid parameters to generate token for robot account, %v", err) } - - rawTk, err := jwtToken.Raw() + rawTk, err := tk.Raw() if err != nil { deferDel = err return nil, fmt.Errorf("failed to sign token for robot account, %v", err) diff --git a/src/pkg/robot/model/robot.go b/src/pkg/robot/model/robot.go index db911f11c..c5cf530c6 100644 --- a/src/pkg/robot/model/robot.go +++ b/src/pkg/robot/model/robot.go @@ -50,6 +50,7 @@ type RobotCreate struct { Description string `json:"description"` Disabled bool `json:"disabled"` Visible bool `json:"-"` + PolicyCheck bool `json:"-"` Access []*rbac.Policy `json:"access"` } diff --git a/src/pkg/token/claim/registry.go b/src/pkg/token/claim/registry.go new file mode 100644 index 000000000..a93e499a9 --- /dev/null +++ b/src/pkg/token/claim/registry.go @@ -0,0 +1,22 @@ +package claim + +import ( + "github.com/dgrijalva/jwt-go" + "github.com/docker/distribution/registry/auth/token" +) + +// Registry implements the interface of jwt.Claims +type Registry struct { + jwt.StandardClaims + PolicyCheck bool `json:"policy_check"` + Access []*token.ResourceActions `json:"access"` +} + +// Valid valid the standard claims +func (rc *Registry) Valid() error { + stdErr := rc.StandardClaims.Valid() + if stdErr != nil { + return stdErr + } + return nil +} diff --git a/src/common/token/claims.go b/src/pkg/token/claim/robot.go similarity index 63% rename from src/common/token/claims.go rename to src/pkg/token/claim/robot.go index bec9f5f2f..58a25a9de 100644 --- a/src/common/token/claims.go +++ b/src/pkg/token/claim/robot.go @@ -1,4 +1,4 @@ -package token +package claim import ( "errors" @@ -6,16 +6,17 @@ import ( "github.com/goharbor/harbor/src/common/rbac" ) -// RobotClaims implements the interface of jwt.Claims -type RobotClaims struct { +// Robot implements the interface of jwt.Claims +type Robot struct { jwt.StandardClaims - TokenID int64 `json:"id"` - ProjectID int64 `json:"pid"` - Access []*rbac.Policy `json:"access"` + TokenID int64 `json:"id"` + ProjectID int64 `json:"pid"` + PolicyCheck bool `json:"policy_check"` + Access []*rbac.Policy `json:"access"` } // Valid valid the claims "tokenID, projectID and access". -func (rc RobotClaims) Valid() error { +func (rc Robot) Valid() error { if rc.TokenID < 0 { return errors.New("Token id must an valid INT") } diff --git a/src/common/token/claims_test.go b/src/pkg/token/claim/robot_test.go similarity index 90% rename from src/common/token/claims_test.go rename to src/pkg/token/claim/robot_test.go index dc25a120a..50442f72b 100644 --- a/src/common/token/claims_test.go +++ b/src/pkg/token/claim/robot_test.go @@ -1,4 +1,4 @@ -package token +package claim import ( "github.com/goharbor/harbor/src/common/rbac" @@ -15,7 +15,7 @@ func TestValid(t *testing.T) { policies := []*rbac.Policy{} policies = append(policies, rbacPolicy) - rClaims := &RobotClaims{ + rClaims := &Robot{ TokenID: 1, ProjectID: 2, Access: policies, @@ -32,7 +32,7 @@ func TestUnValidTokenID(t *testing.T) { policies := []*rbac.Policy{} policies = append(policies, rbacPolicy) - rClaims := &RobotClaims{ + rClaims := &Robot{ TokenID: -1, ProjectID: 2, Access: policies, @@ -49,7 +49,7 @@ func TestUnValidProjectID(t *testing.T) { policies := []*rbac.Policy{} policies = append(policies, rbacPolicy) - rClaims := &RobotClaims{ + rClaims := &Robot{ TokenID: 1, ProjectID: -2, Access: policies, @@ -59,7 +59,7 @@ func TestUnValidProjectID(t *testing.T) { func TestUnValidPolicy(t *testing.T) { - rClaims := &RobotClaims{ + rClaims := &Robot{ TokenID: 1, ProjectID: 2, Access: nil, diff --git a/src/common/token/options_test.go b/src/pkg/token/option_test.go similarity index 86% rename from src/common/token/options_test.go rename to src/pkg/token/option_test.go index 5f64fb380..227cf688d 100644 --- a/src/common/token/options_test.go +++ b/src/pkg/token/option_test.go @@ -8,7 +8,7 @@ import ( ) func TestNewOptions(t *testing.T) { - defaultOpt := DefaultOptions() + defaultOpt := DefaultTokenOptions() assert.NotNil(t, defaultOpt) assert.Equal(t, defaultOpt.SignMethod, jwt.GetSigningMethod("RS256")) assert.Equal(t, defaultOpt.Issuer, "harbor-token-issuer") @@ -16,7 +16,7 @@ func TestNewOptions(t *testing.T) { } func TestGetKey(t *testing.T) { - defaultOpt := DefaultOptions() + defaultOpt := DefaultTokenOptions() key, err := defaultOpt.GetKey() assert.Nil(t, err) assert.NotNil(t, key) diff --git a/src/common/token/options.go b/src/pkg/token/options.go similarity index 83% rename from src/common/token/options.go rename to src/pkg/token/options.go index 747d7435d..e1d96d476 100644 --- a/src/common/token/options.go +++ b/src/pkg/token/options.go @@ -11,9 +11,9 @@ import ( ) const ( - ttl = 60 * time.Minute - issuer = "harbor-token-issuer" - signedMethod = "RS256" + defaultTTL = 60 * time.Minute + defaultIssuer = "harbor-token-defaultIssuer" + defaultSignedMethod = "RS256" ) // Options ... @@ -25,23 +25,6 @@ type Options struct { Issuer string } -// DefaultOptions ... -func DefaultOptions() *Options { - privateKeyFile := config.TokenPrivateKeyPath() - privateKey, err := ioutil.ReadFile(privateKeyFile) - if err != nil { - log.Errorf(fmt.Sprintf("failed to read private key %v", err)) - return nil - } - opt := &Options{ - SignMethod: jwt.GetSigningMethod(signedMethod), - PrivateKey: privateKey, - Issuer: issuer, - TTL: ttl, - } - return opt -} - // GetKey ... func (o *Options) GetKey() (interface{}, error) { var err error @@ -76,3 +59,20 @@ func (o *Options) GetKey() (interface{}, error) { return nil, fmt.Errorf(fmt.Sprintf("unsupported sign method, %s", o.SignMethod)) } } + +// DefaultTokenOptions ... +func DefaultTokenOptions() *Options { + privateKeyFile := config.TokenPrivateKeyPath() + privateKey, err := ioutil.ReadFile(privateKeyFile) + if err != nil { + log.Errorf(fmt.Sprintf("failed to read private key %v", err)) + return nil + } + opt := &Options{ + SignMethod: jwt.GetSigningMethod(defaultSignedMethod), + PrivateKey: privateKey, + Issuer: defaultIssuer, + TTL: defaultTTL, + } + return opt +} diff --git a/src/pkg/token/token.go b/src/pkg/token/token.go new file mode 100644 index 000000000..62e1e3fec --- /dev/null +++ b/src/pkg/token/token.go @@ -0,0 +1,77 @@ +package token + +import ( + "crypto/ecdsa" + "crypto/rsa" + "errors" + "fmt" + "github.com/dgrijalva/jwt-go" + "github.com/goharbor/harbor/src/common/utils/log" +) + +// Token is a jwt token for harbor robot account, +type Token struct { + jwt.Token + Opt *Options + Claim jwt.Claims +} + +// New ... +func New(opt *Options, claims jwt.Claims) (*Token, error) { + err := claims.Valid() + if err != nil { + return nil, err + } + return &Token{ + Token: *jwt.NewWithClaims(opt.SignMethod, claims), + Opt: opt, + Claim: claims, + }, nil +} + +// Raw get the Raw string of token +func (tk *Token) Raw() (string, error) { + key, err := tk.Opt.GetKey() + if err != nil { + return "", nil + } + raw, err := tk.Token.SignedString(key) + if err != nil { + log.Debugf(fmt.Sprintf("failed to issue token %v", err)) + return "", err + } + return raw, err +} + +// Parse ... +func Parse(opt *Options, rawToken string, claims jwt.Claims) (*Token, error) { + key, err := opt.GetKey() + if err != nil { + return nil, err + } + token, err := jwt.ParseWithClaims(rawToken, claims, func(token *jwt.Token) (interface{}, error) { + if token.Method.Alg() != opt.SignMethod.Alg() { + return nil, errors.New("invalid signing method") + } + switch k := key.(type) { + case *rsa.PrivateKey: + return &k.PublicKey, nil + case *ecdsa.PrivateKey: + return &k.PublicKey, nil + default: + return key, nil + } + }) + if err != nil { + log.Errorf(fmt.Sprintf("parse token error, %v", err)) + return nil, err + } + + if !token.Valid { + log.Errorf(fmt.Sprintf("invalid jwt token, %v", token)) + return nil, errors.New("invalid jwt token") + } + return &Token{ + Token: *token, + }, nil +} diff --git a/src/common/token/htoken_test.go b/src/pkg/token/token_test.go similarity index 80% rename from src/common/token/htoken_test.go rename to src/pkg/token/token_test.go index 38e187ef7..0dd42d4ff 100644 --- a/src/common/token/htoken_test.go +++ b/src/pkg/token/token_test.go @@ -5,8 +5,10 @@ import ( "testing" "time" + "github.com/dgrijalva/jwt-go" "github.com/goharbor/harbor/src/common/rbac" "github.com/goharbor/harbor/src/core/config" + "github.com/goharbor/harbor/src/pkg/token/claim" "github.com/stretchr/testify/assert" ) @@ -33,7 +35,15 @@ func TestNew(t *testing.T) { projectID := int64(321) tokenExpiration := time.Duration(10) * 24 * time.Hour expiresAt := time.Now().UTC().Add(tokenExpiration).Unix() - token, err := New(tokenID, projectID, expiresAt, policies) + robot := claim.Robot{ + TokenID: tokenID, + ProjectID: projectID, + Access: policies, + StandardClaims: jwt.StandardClaims{ + ExpiresAt: expiresAt, + }, + } + token, err := New(DefaultTokenOptions(), robot) assert.Nil(t, err) assert.Equal(t, token.Header["alg"], "RS256") @@ -54,7 +64,15 @@ func TestRaw(t *testing.T) { tokenExpiration := time.Duration(10) * 24 * time.Hour expiresAt := time.Now().UTC().Add(tokenExpiration).Unix() - token, err := New(tokenID, projectID, expiresAt, policies) + robot := claim.Robot{ + TokenID: tokenID, + ProjectID: projectID, + Access: policies, + StandardClaims: jwt.StandardClaims{ + ExpiresAt: expiresAt, + }, + } + token, err := New(DefaultTokenOptions(), robot) assert.Nil(t, err) rawTk, err := token.Raw() @@ -64,8 +82,8 @@ func TestRaw(t *testing.T) { func TestParseWithClaims(t *testing.T) { rawTk := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJJRCI6MTIzLCJQcm9qZWN0SUQiOjAsIkFjY2VzcyI6W3siUmVzb3VyY2UiOiIvcHJvamVjdC9saWJyYXkvcmVwb3NpdG9yeSIsIkFjdGlvbiI6InB1bGwiLCJFZmZlY3QiOiIifV0sIlN0YW5kYXJkQ2xhaW1zIjp7ImV4cCI6MTU0ODE0MDIyOSwiaXNzIjoiaGFyYm9yLXRva2VuLWlzc3VlciJ9fQ.Jc3qSKN4SJVUzAvBvemVpRcSOZaHlu0Avqms04qzPm4ru9-r9IRIl3mnSkI6m9XkzLUeJ7Kiwyw63ghngnVKw_PupeclOGC6s3TK5Cfmo4h-lflecXjZWwyy-dtH_e7Us_ItS-R3nXDJtzSLEpsGHCcAj-1X2s93RB2qD8LNSylvYeDezVkTzqRzzfawPJheKKh9JTrz-3eUxCwQard9-xjlwvfUYULoHTn9npNAUq4-jqhipW4uE8HL-ym33AGF57la8U0RO11hmDM5K8-PiYknbqJ_oONeS3HBNym2pEFeGjtTv2co213wl4T5lemlg4SGolMBuJ03L7_beVZ0o-MKTkKDqDwJalb6_PM-7u3RbxC9IzJMiwZKIPnD3FvV10iPxUUQHaH8Jz5UZ2pFIhi_8BNnlBfT0JOPFVYATtLjHMczZelj2YvAeR1UHBzq3E0jPpjjwlqIFgaHCaN_KMwEvadTo_Fi2sEH4pNGP7M3yehU_72oLJQgF4paJarsmEoij6ZtPs6xekBz1fccVitq_8WNIz9aeCUdkUBRwI5QKw1RdW4ua-w74ld5MZStWJA8veyoLkEb_Q9eq2oAj5KWFjJbW5-ltiIfM8gxKflsrkWAidYGcEIYcuXr7UdqEKXxtPiWM0xb3B91ovYvO5402bn3f9-UGtlcestxNHA" - rClaims := &RobotClaims{} - _, _ = ParseWithClaims(rawTk, rClaims) + rClaims := &claim.Robot{} + _, _ = Parse(DefaultTokenOptions(), rawTk, rClaims) assert.Equal(t, int64(123), rClaims.TokenID) assert.Equal(t, int64(0), rClaims.ProjectID) assert.Equal(t, "/project/libray/repository", rClaims.Access[0].Resource.String())