From 38cc18471d4d839769778ce6c63858a38c4b7459 Mon Sep 17 00:00:00 2001
From: "stonezdj(Daojun Zhang)"
Date: Wed, 27 Jul 2022 01:11:26 +0800
Subject: [PATCH] Add check when updating immutable tag (#17239)

Add check to the immutable tag update

Signed-off-by: stonezdj
---
 src/server/v2.0/handler/immutable.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/src/server/v2.0/handler/immutable.go b/src/server/v2.0/handler/immutable.go
index 1776ae5b0..3b86eee37 100644
--- a/src/server/v2.0/handler/immutable.go
+++ b/src/server/v2.0/handler/immutable.go
@@ -2,13 +2,13 @@ package handler
 import (
 "context"
- "errors"
 "fmt"
 "github.com/go-openapi/runtime/middleware"
 "github.com/goharbor/harbor/src/common/rbac"
 "github.com/goharbor/harbor/src/controller/immutable"
 "github.com/goharbor/harbor/src/controller/project"
 "github.com/goharbor/harbor/src/lib"
+ "github.com/goharbor/harbor/src/lib/errors"
 "github.com/goharbor/harbor/src/pkg/immutable/model"
 handler_model "github.com/goharbor/harbor/src/server/v2.0/handler/model"
 "github.com/goharbor/harbor/src/server/v2.0/models"
@@ -58,7 +58,14 @@ func (ia *immutableAPI) DeleteImmuRule(ctx context.Context, params operation.Del
 if err := ia.RequireProjectAccess(ctx, projectNameOrID, rbac.ActionDelete, rbac.ResourceImmutableTag); err != nil {
 return ia.SendError(ctx, err)
 }
+ projectID, err := ia.getProjectID(ctx, projectNameOrID)
+ if err != nil {
+ return ia.SendError(ctx, err)
+ }
+ if err := ia.requireRuleAccess(ctx, projectID, params.ImmutableRuleID); err != nil {
+ return ia.SendError(ctx, err)
+ }
 if err := ia.immuCtl.DeleteImmutableRule(ctx, params.ImmutableRuleID); err != nil {
 return ia.SendError(ctx, err)
 }
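Review bot: Replacing the stdlib `errors` import with `src/lib/errors` silently rebinds the untouched `errors.New("unknown project identifier type")` call in getProjectID (visible as context in the last hunk), so the type of that error, and presumably how SendError maps it to an HTTP status, can change without any line of getProjectID being edited. It is worth confirming that an unrecognised identifier type still produces the intended response, or making the intent explicit with one of the lib/errors constructors that carries a code, as requireRuleAccess does with `errors.NotFoundError`. A one-line comment above that call naming the package it now resolves to would stop the next reader from assuming it is the stdlib constructor.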
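Review bot: The new ownership check in DeleteImmuRule is the right place to stop a rule ID from another project being deleted through this project's path, but it is the only line that enforces that, so it deserves a regression test: a rule created under one project, deleted via a second project's path, must yield the not-found response and still exist afterwards. On style, `projectID, err :=` declares `err` at function scope and the very next guard `if err := ia.requireRuleAccess(...)` shadows it, as does the existing DeleteImmutableRule guard; the UpdateImmuRule hunk in this same commit uses `if err = ...` instead, so pick one form, e.g. `if err = ia.requireRuleAccess(ctx, projectID, params.ImmutableRuleID); err != nil {`. DeleteImmuRule's body begins and ends outside the hunk.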
@@ -81,6 +88,10 @@ func (ia *immutableAPI) UpdateImmuRule(ctx context.Context, params operation.Upd
 }
 metadata.ProjectID = projectID
+ if err = ia.requireRuleAccess(ctx, projectID, metadata.ID); err != nil {
+ return ia.SendError(ctx, err)
+ }
+
 if err := ia.immuCtl.UpdateImmutableRule(ctx, projectID, &metadata); err != nil {
 return ia.SendError(ctx, err)
 }
@@ -141,3 +152,17 @@ func (ia *immutableAPI) getProjectID(ctx context.Context, projectNameOrID interf
 }
 return 0, errors.New("unknown project identifier type")
 }
+
+// requireRuleAccess checks whether the project has the permission to the
+// immutable rule.
+func (ia *immutableAPI) requireRuleAccess(ctx context.Context, projectID, metadataID int64) error {
+ rule, err := ia.immuCtl.GetImmutableRule(ctx, metadataID)
+ if err != nil {
+ return err
+ }
+ // if input project id does not equal projectID in db return err
+ if rule.ProjectID != projectID {
+ return errors.NotFoundError(errors.Errorf("project id %d does not match", projectID))
+ }
+ return nil
+}
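Review bot: UpdateImmuRule passes `metadata.ID` to requireRuleAccess while DeleteImmuRule checks `params.ImmutableRuleID`; unless `metadata.ID` is assigned from the path parameter earlier in the function (its start lies outside the hunk), both the ownership check and the subsequent UpdateImmutableRule call are keyed by whatever ID the request body carries, which may not be the rule named in the URL. Checking the path parameter directly removes the dependency on that earlier assignment: `if err = ia.requireRuleAccess(ctx, projectID, params.ImmutableRuleID); err != nil {`, and if the body ID must also be honoured, rejecting a mismatch between the two before reaching here is cheaper than reasoning about which one wins. The added blank line between the new guard and the existing `if err := ia.immuCtl.UpdateImmutableRule(...)` guard also mixes `=` and `:=` on `err` within three lines; `if err = ...` on both reads more consistently.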
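Review bot: requireRuleAccess returns a distinguishable message, `project id %d does not match`, when the rule exists but belongs to another project, whereas a rule that does not exist at all surfaces whatever GetImmutableRule returns; the two cases should look identical to the caller so that the endpoint cannot confirm which rule IDs are in use elsewhere, e.g. `return errors.NotFoundError(errors.Errorf("immutable rule %d not found", metadataID))`, and GetImmutableRule's own not-found error should be checked to be mapped to the same status rather than a server error. The doc comment reads like an RBAC check but the function compares ownership; I would write it as `// requireRuleAccess returns a not-found error unless the immutable rule metadataID belongs to projectID, so a rule cannot be updated or deleted through another project's path.` and drop the inline `// if input project id does not equal projectID in db return err`, which restates the condition. The parameter is a rule ID rather than metadata, so `ruleID` would match `params.ImmutableRuleID` at both call sites.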