From dbcbe80084a7406d8d2b681c48f9135a97b9555a Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Sat, 5 Nov 2016 00:57:57 -0200
Subject: [PATCH 1/5] Improve Project Name handling for Docker Notary requests
---
 src/ui/service/token/authutils.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/ui/service/token/authutils.go b/src/ui/service/token/authutils.go
index d9ce76400..7cc25ab5b 100644
--- a/src/ui/service/token/authutils.go
+++ b/src/ui/service/token/authutils.go
@@ -105,8 +105,15 @@ func FilterAccess(username string, a *token.ResourceActions) {
 //clear action list to assign to new acess element after perm check.
 a.Actions = []string{}
 if a.Type == "repository" {
- if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
- projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
+ repoSplit := strings.Split(a.Name, "/")
+ repoLength := len(repoSplit)
+ if repoLength > 0 { //Only check the permission when the requested image has a namespace, i.e. project
+ var projectName string
+ if repoLength > 2 { //If the repo contains more than 1 separation (as privateregistry.local/library/alpine) consider the second item from array (library)
+ projectName = repoSplit[1]
+ } else { // Otherwise (only library/alpine) consider the first item from array (library)
+ projectName = repoSplit[0]
+ }
 var permission string
 if len(username) > 0 {
 isAdmin, err := dao.IsAdminRole(username)
From 802fea663329e4c8631842c4c128fb278bf3d4d5 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Sat, 5 Nov 2016 01:04:52 -0200
Subject: [PATCH 2/5] Fix the repoLenght variable verification
---
 src/ui/service/token/authutils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ui/service/token/authutils.go b/src/ui/service/token/authutils.go
index 7cc25ab5b..ffe7fcdb4 100644
--- a/src/ui/service/token/authutils.go
+++ b/src/ui/service/token/authutils.go
@@ -107,7 +107,7 @@ func FilterAccess(username string, a *token.ResourceActions) {
 if a.Type == "repository" {
 repoSplit := strings.Split(a.Name, "/")
 repoLength := len(repoSplit)
- if repoLength > 0 { //Only check the permission when the requested image has a namespace, i.e. project
+ if repoLength > 1 { //Only check the permission when the requested image has a namespace, i.e. project/alpine
 var projectName string
 if repoLength > 2 { //If the repo contains more than 1 separation (as privateregistry.local/library/alpine) consider the second item from array (library)
 projectName = repoSplit[1]
From 72b44a17c6d5452f14745679cedd057cd36bdb17 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 8 Nov 2016 20:12:58 -0200
Subject: [PATCH 3/5] Improved Harbor URL detection on Notary Requests
---
 src/ui/service/token/authutils.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/ui/service/token/authutils.go b/src/ui/service/token/authutils.go
index ffe7fcdb4..9e41409a6 100644
--- a/src/ui/service/token/authutils.go
+++ b/src/ui/service/token/authutils.go
@@ -107,11 +107,13 @@ func FilterAccess(username string, a *token.ResourceActions) {
 if a.Type == "repository" {
 repoSplit := strings.Split(a.Name, "/")
 repoLength := len(repoSplit)
- if repoLength > 1 { //Only check the permission when the requested image has a namespace, i.e. project/alpine
+ if repoLength > 1 { //Only check the permission when the requested image has a namespace, i.e. project
 var projectName string
- if repoLength > 2 { //If the repo contains more than 1 separation (as privateregistry.local/library/alpine) consider the second item from array (library)
+ registryUrl := os.Getenv("HARBOR_REG_URL")
+ if repoSplit[0] == registryUrl {
 projectName = repoSplit[1]
- } else { // Otherwise (only library/alpine) consider the first item from array (library)
+ log.Infof("Detected Registry URL in Project Name. Assuming this is a notary request and setting Project Name as %s\n", projectName)
+ } else {
 projectName = repoSplit[0]
 }
 var permission string
From 804759cbdb7614195e37bdf447ef2bf5c37154f6 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 8 Nov 2016 21:36:53 -0200
Subject: [PATCH 4/5] Corrected the registryURL var name
---
 src/ui/service/token/authutils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ui/service/token/authutils.go b/src/ui/service/token/authutils.go
index 9e41409a6..f41d0f4d9 100644
--- a/src/ui/service/token/authutils.go
+++ b/src/ui/service/token/authutils.go
@@ -109,7 +109,7 @@ func FilterAccess(username string, a *token.ResourceActions) {
 repoLength := len(repoSplit)
 if repoLength > 1 { //Only check the permission when the requested image has a namespace, i.e. project
 var projectName string
- registryUrl := os.Getenv("HARBOR_REG_URL")
+ registryURL := os.Getenv("HARBOR_REG_URL")
 if repoSplit[0] == registryUrl {
 projectName = repoSplit[1]
 log.Infof("Detected Registry URL in Project Name. Assuming this is a notary request and setting Project Name as %s\n", projectName)
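Review bot: In the `repoSplit[0] == registryUrl` branch added by patch 3/5, an unset `HARBOR_REG_URL` makes `os.Getenv` return `""`, so a name whose first segment is empty (a leading `/`) is treated as registry-prefixed and the permission check runs against the second segment instead. The same branch also takes `repoSplit[1]` as the project for a two-segment name of the form `<registry>/<image>`, where that segment is the image rather than a project. Guarding the branch with `if registryUrl != "" && repoLength > 2 && repoSplit[0] == registryUrl {` keeps both cases on the plain `repoSplit[0]` path. `projectName` is cut from `a.Name`, which presumably comes from the requested token scope, so the new `log.Infof` would be safer formatting it with `%q` and dropping the trailing `\n`. FilterAccess begins and ends outside the hunk, so how `permission` is derived from `projectName` is not visible here.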
From 7a1212db45a35788a6b11437a8d004d4be3dc0e0 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 8 Nov 2016 21:52:22 -0200
Subject: [PATCH 5/5] Corrected the registryURL var name
---
 src/ui/service/token/authutils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ui/service/token/authutils.go b/src/ui/service/token/authutils.go
index f41d0f4d9..63e884f5b 100644
--- a/src/ui/service/token/authutils.go
+++ b/src/ui/service/token/authutils.go
@@ -110,7 +110,7 @@ func FilterAccess(username string, a *token.ResourceActions) {
 if repoLength > 1 { //Only check the permission when the requested image has a namespace, i.e. project
 var projectName string
 registryURL := os.Getenv("HARBOR_REG_URL")
- if repoSplit[0] == registryUrl {
+ if repoSplit[0] == registryURL {
 projectName = repoSplit[1]
 log.Infof("Detected Registry URL in Project Name. Assuming this is a notary request and setting Project Name as %s\n", projectName)
 } else {