Add check when updating immutable tag (#17239)

Add check to the immutable tag update

Signed-off-by: stonezdj <stonezdj@gmail.com>
stonezdj(Daojun Zhang) 2022-07-27 01:11:26 +08:00 committed by GitHub
parent eff9118591
commit 38cc18471d
GPG Key ID: 4AEE18F83AFDEB23


@ -2,13 +2,13 @@ package handler
import (
"context"
"errors"
"fmt"
"github.com/go-openapi/runtime/middleware"
"github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/controller/immutable"
"github.com/goharbor/harbor/src/controller/project"
"github.com/goharbor/harbor/src/lib"
"github.com/goharbor/harbor/src/lib/errors"
"github.com/goharbor/harbor/src/pkg/immutable/model"
handler_model "github.com/goharbor/harbor/src/server/v2.0/handler/model"
"github.com/goharbor/harbor/src/server/v2.0/models"
@ -58,7 +58,14 @@ func (ia *immutableAPI) DeleteImmuRule(ctx context.Context, params operation.Del
if err := ia.RequireProjectAccess(ctx, projectNameOrID, rbac.ActionDelete, rbac.ResourceImmutableTag); err != nil {
return ia.SendError(ctx, err)
}
projectID, err := ia.getProjectID(ctx, projectNameOrID)
if err != nil {
return ia.SendError(ctx, err)
}
if err := ia.requireRuleAccess(ctx, projectID, params.ImmutableRuleID); err != nil {
return ia.SendError(ctx, err)
}
if err := ia.immuCtl.DeleteImmutableRule(ctx, params.ImmutableRuleID); err != nil {
return ia.SendError(ctx, err)
}
@ -81,6 +88,10 @@ func (ia *immutableAPI) UpdateImmuRule(ctx context.Context, params operation.Upd
}
metadata.ProjectID = projectID
if err = ia.requireRuleAccess(ctx, projectID, metadata.ID); err != nil {
return ia.SendError(ctx, err)
}
if err := ia.immuCtl.UpdateImmutableRule(ctx, projectID, &metadata); err != nil {
return ia.SendError(ctx, err)
}
@ -141,3 +152,17 @@ func (ia *immutableAPI) getProjectID(ctx context.Context, projectNameOrID interf
}
return 0, errors.New("unknown project identifier type")
}
// requireRuleAccess checks whether the project has the permission to the
// immutable rule.
func (ia *immutableAPI) requireRuleAccess(ctx context.Context, projectID, metadataID int64) error {
rule, err := ia.immuCtl.GetImmutableRule(ctx, metadataID)
if err != nil {
return err
}
// if input project id does not equal projectID in db return err
if rule.ProjectID != projectID {
return errors.NotFoundError(errors.Errorf("project id %d does not match", projectID))
}
return nil
}
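Review bot: In `requireRuleAccess`, the mismatch branch returns `errors.NotFoundError` with the text `project id %d does not match`, which is probably distinguishable from whatever `GetImmutableRule` returns for a rule that does not exist (that path is not visible here), so the response can reveal that a rule ID belongs to another project. Returning the same message in both cases closes that gap, for example `return errors.NotFoundError(errors.Errorf("immutable rule %d not found", metadataID))`, with the project mismatch logged server-side if it is needed for auditing. The second parameter is a rule ID, so `ruleID` would read better than `metadataID`, and the doc comment could say `// requireRuleAccess returns a not-found error unless the immutable rule ruleID belongs to project projectID.` No test for a cross-project update or delete appears on this page; one would pin the behaviour in both DeleteImmuRule and UpdateImmuRule, whose bodies start outside the hunks shown.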