diff --git a/src/server/middleware/v2auth/auth.go b/src/server/middleware/v2auth/auth.go
index 6eb956d32..742533b39 100644
--- a/src/server/middleware/v2auth/auth.go
+++ b/src/server/middleware/v2auth/auth.go
@@ -58,11 +58,11 @@ func (rc *reqChecker) check(req *http.Request) error {
 return fmt.Errorf("unauthorized to access repository: %s, action: %s", a.Repository, action)
 }
 if req.Method == http.MethodPost && a.BlobMountProjectName != "" { // check permission for the source of blob mount
- p, err := rc.pm.Get(a.BlobMountProjectName)
+ pid, err := rc.projectID(a.BlobMountProjectName)
 if err != nil {
 return err
 }
- resource := rbac.NewProjectNamespace(p.ProjectID).Resource(rbac.ResourceRepository)
+ resource := rbac.NewProjectNamespace(pid).Resource(rbac.ResourceRepository)
 if !securityCtx.Can(rbac.ActionPull, resource) {
 return fmt.Errorf("unauthorized to access repository from which to mount blob: %s, action: %s", a.BlobMountRepository, rbac.ActionPull)
 }
diff --git a/src/server/middleware/v2auth/auth_test.go b/src/server/middleware/v2auth/auth_test.go
index 25c062134..85bbbe6b2 100644
--- a/src/server/middleware/v2auth/auth_test.go
+++ b/src/server/middleware/v2auth/auth_test.go
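Review bot: The `return err` after `rc.projectID(a.BlobMountProjectName)` hands the lookup error to the caller unchanged, while the `securityCtx.Can` failure just below returns a fixed "unauthorized to access repository from which to mount blob" error. `BlobMountProjectName` appears to be derived from the client's `from=` parameter, so if those two errors end up as different statuses or bodies, a client could tell unknown projects from ones it may not pull; `projectID` and the error-to-response mapping are outside this hunk, so that needs confirming. If they do differ, return the same error as the `Can` branch for a failed lookup and log the cause server-side. A short comment such as `// fail closed: an unknown mount-source project is rejected like a denied one` above the lookup would record the intent. check's body starts and ends outside the hunk.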
@@ -168,11 +168,21 @@ func TestMiddleware(t *testing.T) {
 BlobMountProjectName: "project_3",
 BlobMountDigest: "sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f",
 }
+ ar5 := &middleware.ArtifactInfo{
+ Repository: "project_1/ubuntu",
+ Reference: "14.04",
+ ProjectName: "project_1",
+ BlobMountRepository: "project_0/ubuntu",
+ BlobMountProjectName: "project_0",
+ BlobMountDigest: "sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f",
+ }
+
 ctx1 := context.WithValue(baseCtx, middleware.ArtifactInfoKey, ar1)
 ctx2 := context.WithValue(baseCtx, middleware.ArtifactInfoKey, ar2)
 ctx2x := context.WithValue(context.Background(), middleware.ArtifactInfoKey, ar2) // no securityCtx
 ctx3 := context.WithValue(baseCtx, middleware.ArtifactInfoKey, ar3)
 ctx4 := context.WithValue(baseCtx, middleware.ArtifactInfoKey, ar4)
+ ctx5 := context.WithValue(baseCtx, middleware.ArtifactInfoKey, ar5)
 req1a, _ := http.NewRequest(http.MethodGet, "/v2/project_1/hello-world/manifest/v1", nil)
 req1b, _ := http.NewRequest(http.MethodDelete, "/v2/project_1/hello-world/manifest/v1", nil)
 req2, _ := http.NewRequest(http.MethodGet, "/v2/library/ubuntu/manifest/14.04", nil)
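Review bot: `ar5` is added with no comment on what makes `project_0` different from the `project_3` mount source in the fixture just above, and the matching case in the last hunk (`req6.WithContext(ctx5)`) asserts only `http.StatusUnauthorized`, the same status the `req5`/`ctx4` case already expects. If `project_0` is meant to be a project the mocked project manager does not know (the mock setup is outside these hunks), say so on the fixture, e.g. `// project_0 does not exist: the mount-source lookup must end in 401, not a panic`. Because both cases expect 401, the test cannot tell a failed lookup from a denied pull; consider also asserting on something that separates the two paths. TestMiddleware starts and ends outside the hunk.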
@@ -180,6 +190,7 @@ func TestMiddleware(t *testing.T) { req3, _ := http.NewRequest(http.MethodGet, "/v2/_catalog", nil) req4, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_2/ubuntu", nil) req5, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_3/ubuntu", nil) + req6, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil) os.Setenv("REGISTRY_CREDENTIAL_USERNAME", "testuser") os.Setenv("REGISTRY_CREDENTIAL_PASSWORD", "testpassword") @@ -222,6 +233,10 @@ func TestMiddleware(t *testing.T) { input: req5.WithContext(ctx4), status: http.StatusUnauthorized, }, + { + input: req6.WithContext(ctx5), + status: http.StatusUnauthorized, + }, } for _, c := range cases { rec := httptest.NewRecorder()