Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-11-21 17:55:30 +01:00
Code Issues Projects Releases Wiki Activity

remove the robot update permission (#21028)

Browse Source 
from the perspective of preventing privilege escalation, remove the robot update permission from the possilbe permission set

Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
Wang Yan 2024-10-12 18:08:50 +08:00 committed by GitHub
parent c4bad32bb3
commit 66ccf302f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 0 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/common/rbac/const.go
View File

@ -121,7 +121,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
return append(n.BaseProvider.GetPermissions(ScopeSystem),
&types.Policy{Resource: ResourceRobot, Action: ActionCreate},
&types.Policy{Resource: ResourceRobot, Action: ActionRead},
&types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
&types.Policy{Resource: ResourceRobot, Action: ActionList},
&types.Policy{Resource: ResourceRobot, Action: ActionDelete},
@ -149,7 +148,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
return append(n.BaseProvider.GetPermissions(ScopeProject),
&types.Policy{Resource: ResourceRobot, Action: ActionCreate},
&types.Policy{Resource: ResourceRobot, Action: ActionRead},
&types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
&types.Policy{Resource: ResourceRobot, Action: ActionList},
&types.Policy{Resource: ResourceRobot, Action: ActionDelete},

36
src/server/v2.0/handler/robot.go
View File

@ -421,42 +421,6 @@ func (rAPI *robotAPI) updateV2Robot(ctx context.Context, params operation.Update
}
}
creatorRobot, err := rAPI.robotCtl.Get(ctx, r.CreatorRef, &robot.Option{
WithPermission: true,
})
if err != nil && !errors.IsErr(err, errors.NotFoundCode) {
return err
}
// for nested robot only
if creatorRobot != nil && r.CreatorType == "robot" {
sc, err := rAPI.GetSecurityContext(ctx)
if err != nil {
return err
}
if _, ok := sc.(*robotSc.SecurityContext); ok {
scRobots, err := rAPI.robotCtl.List(ctx, q.New(q.KeyWords{
"name": strings.TrimPrefix(sc.GetUsername(), config.RobotPrefix(ctx)),
"project_id": r.ProjectID,
}), &robot.Option{
WithPermission: true,
})
if err != nil {
return err
}
if len(scRobots) == 0 {
return errors.DeniedError(nil)
}
if scRobots[0].ID != creatorRobot.ID && scRobots[0].ID != r.ID {
return errors.New(nil).WithMessage("as for a nested robot account, only person who has the right permission or the creator robot or nested robot itself has the permission to update").WithCode(errors.DENIED)
}
}
if !isValidPermissionScope(params.Robot.Permissions, creatorRobot.Permissions) {
return errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", creatorRobot.Name).WithCode(errors.DENIED)
}
}
if err := rAPI.robotCtl.Update(ctx, r, &robot.Option{
WithPermission: true,
}); err != nil {