Merge pull request #14911 from reasonerjt/fix-14386

Use system configuration resource for permission checking
Daniel Jiang 2021-05-20 14:05:06 +08:00 committed by GitHub
commit 5be0c6d35a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 8 deletions


@ -73,6 +73,4 @@ const (
ResourceReplicationPolicy = Resource("replication-policy") ResourceReplicationPolicy = Resource("replication-policy")
ResourceScanAll = Resource("scan-all") ResourceScanAll = Resource("scan-all")
ResourceSystemVolumes = Resource("system-volumes") ResourceSystemVolumes = Resource("system-volumes")
ResourceOIDCEndpoint = Resource("oidc-endpoint")
ResourceSystemCVEAllowList = Resource("system-cve-allowlist")
) )


@ -61,11 +61,9 @@ var (
{Resource: rbac.ResourceSystemVolumes, Action: rbac.ActionRead}, {Resource: rbac.ResourceSystemVolumes, Action: rbac.ActionRead},
{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionUpdate},
{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionRead},
{Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate}, {Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate},
{Resource: rbac.ResourceLdapUser, Action: rbac.ActionList}, {Resource: rbac.ResourceLdapUser, Action: rbac.ActionList},
{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionRead}, {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},
{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionUpdate}, {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate},
} }
) )
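Review bot: The two entries added at the end of this list grant read and update on `rbac.ResourceConfiguration`, which by its name covers system configuration as a whole rather than the CVE allowlist and OIDC ping that the removed entries scoped individually, so any principal bound to this list ends up with a coarser grant. The list begins above the hunk; if it already contains `ResourceConfiguration` read/update entries, these two are duplicates and can be dropped. If permissions are persisted by resource name anywhere (not visible here), stored entries for `system-cve-allowlist` or `oidc-endpoint` would stop matching after this change, so a migration step or release note may be needed.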


@ -20,7 +20,7 @@ func newOIDCAPI() *oidcAPI {
} }
func (o oidcAPI) PingOIDC(ctx context.Context, params oidc.PingOIDCParams) middleware.Responder { func (o oidcAPI) PingOIDC(ctx context.Context, params oidc.PingOIDCParams) middleware.Responder {
if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceOIDCEndpoint); err != nil { if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
return o.SendError(ctx, err) return o.SendError(ctx, err)
} }
err := oidcpkg.TestEndpoint(oidcpkg.Conn{ err := oidcpkg.TestEndpoint(oidcpkg.Conn{
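Review bot: Nothing in `PingOIDC` records why the check asks for `rbac.ActionUpdate` rather than read. That matters because the statement right after the check hands an `oidcpkg.Conn` (presumably built from the request parameters) to `oidcpkg.TestEndpoint`, which appears to make the server contact that endpoint. I would add a comment above the check, for example `// Update on configuration is required: the ping makes the server connect to a caller-supplied OIDC endpoint.`, so the action is not relaxed later. The handler body continues past the end of the hunk.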


@ -38,7 +38,7 @@ func newSystemCVEAllowListAPI() *systemCVEAllowListAPI {
} }
func (s systemCVEAllowListAPI) PutSystemCVEAllowlist(ctx context.Context, params system_cve_allowlist.PutSystemCVEAllowlistParams) middleware.Responder { func (s systemCVEAllowListAPI) PutSystemCVEAllowlist(ctx context.Context, params system_cve_allowlist.PutSystemCVEAllowlistParams) middleware.Responder {
if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceSystemCVEAllowList); err != nil { if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
return s.SendError(ctx, err) return s.SendError(ctx, err)
} }
l := models.CVEAllowlist{} l := models.CVEAllowlist{}
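Review bot: None of the four changed files is a test, so nothing pins that `PutSystemCVEAllowlist` now rejects a caller who lacks update on `rbac.ResourceConfiguration`; the same gap applies to the `PingOIDC` check changed in this commit. The system allowlist presumably controls which CVEs are exempted from vulnerability enforcement, so an authorization regression here would be easy to miss. A handler test that expects a forbidden response without the permission and success with it would cover both handlers. The function continues beyond the hunk.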