From 6e95b98108e17155cccfd1d53ae53ce1bef557a5 Mon Sep 17 00:00:00 2001 From: He Weiwei Date: Tue, 29 Jan 2019 11:58:35 +0800 Subject: [PATCH] Standard actions for rbac Signed-off-by: He Weiwei --- src/common/rbac/const.go | 53 ++++++ src/common/rbac/project/const.go | 61 ------ src/common/rbac/project/util.go | 114 ++++++------ src/common/rbac/project/visitor_role.go | 238 +++++++++++++----------- src/common/security/admiral/context.go | 6 +- src/common/security/local/context.go | 6 +- src/core/api/chart_repository_test.go | 5 +- 7 files changed, 246 insertions(+), 237 deletions(-) create mode 100644 src/common/rbac/const.go delete mode 100644 src/common/rbac/project/const.go diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go new file mode 100644 index 000000000..e0894d763 --- /dev/null +++ b/src/common/rbac/const.go 
@@ -0,0 +1,53 @@
+// Copyright Project Harbor Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rbac
+
+// const action variables
+const (
+ ActionAll = Action("*") // action match any other actions
+
+ ActionPull = Action("pull") // pull repository tag
+ ActionPush = Action("push") // push repository tag
+ ActionPushPull = Action("push+pull") // compatible with security all perm of project
+
+ // create, read, update, delete, list actions compatible with restful api methods
+ ActionCreate = Action("create")
+ ActionRead = Action("read")
+ ActionUpdate = Action("update")
+ ActionDelete = Action("delete")
+ ActionList = Action("list")
+)
+
+// const resource variables
+const (
+ ResourceAll = Resource("*") // resource match any other resources
+ ResourceConfiguration = Resource("configuration") // project configuration compatible for portal only
+ ResourceHelmChart = Resource("helm-chart")
+ ResourceHelmChartVersion = Resource("helm-chart-version")
+ ResourceHelmChartVersionLabel = Resource("helm-chart-version-label")
+ ResourceLabel = Resource("label")
+ ResourceLog = Resource("log")
+ ResourceMember = Resource("member")
+ ResourceReplication = Resource("replication")
+ ResourceReplicationJob = Resource("replication-job")
+ ResourceRepository = Resource("repository")
+ ResourceRepositoryTag = Resource("repository-tag")
+ ResourceRepositoryTagLabel = Resource("repository-tag-label")
+ ResourceRepositoryTagManifest = Resource("repository-tag-manifest")
+ ResourceRepositoryTagScanJob = Resource("repository-tag-scan-job")
+ ResourceRepositoryTagVulnerability = Resource("repository-tag-vulnerability")
+ ResourceRobot = Resource("robot")
+ ResourceSelf = Resource("") // subresource for self
+)
diff --git a/src/common/rbac/project/const.go b/src/common/rbac/project/const.go
deleted file mode 100644
index c4c14f703..000000000
--- a/src/common/rbac/project/const.go
+++ /dev/null
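Review bot: `ActionPushPull = Action("push+pull")` is a third, distinct action string, not a union of ActionPush and ActionPull, so a principal holding both push and pull is presumably not matched by a check for push+pull unless the policy matcher expands it (the matcher is outside this patch); the comment `// compatible with security all perm of project` does not say that. Since HasAllPerm in both security contexts is rewritten in this commit to check exactly this action, I would replace the comment with `// ActionPushPull is a distinct action, not the union of ActionPush and ActionPull; grant it explicitly wherever "all perm" is intended (see SecurityContext.HasAllPerm)`. The file also silently drops the former ActionExecute and ActionScan; a note beside the new job resources such as `// replication execution and tag scanning are modelled as ActionCreate on ResourceReplicationJob / ResourceRepositoryTagScanJob` would keep that mapping discoverable for anyone auditing policies. ResourceSelf's empty string should keep the deleted file's wording, `// subresource for the project itself`, since "self" alone no longer says what the namespace is.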
@@ -1,61 +0,0 @@ -// Copyright Project Harbor Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package project - -import ( - "github.com/goharbor/harbor/src/common/rbac" -) - -// const action variables -const ( - ActionAll = rbac.Action("*") // action match any other actions - - ActionPull = rbac.Action("pull") // pull repository tag - ActionPush = rbac.Action("push") // push repository tag - ActionPushPull = rbac.Action("push+pull") // compatible with security all perm of project - - // create, read, update, delete, list actions compatible with restful api methods - ActionCreate = rbac.Action("create") - ActionRead = rbac.Action("read") - ActionUpdate = rbac.Action("update") - ActionDelete = rbac.Action("delete") - ActionList = rbac.Action("list") - - // execute replication for the replication policy (replication rule) - ActionExecute = rbac.Action("execute") - - // vulnerabilities scan for repository tag (aka, image tag) - ActionScan = rbac.Action("scan") -) - -// const resource variables -const ( - ResourceAll = rbac.Resource("*") // resource match any other resources - ResourceSelf = rbac.Resource("") // subresource for project self - ResourceMember = rbac.Resource("member") - ResourceLog = rbac.Resource("log") - ResourceReplication = rbac.Resource("replication") - ResourceLabel = rbac.Resource("label") - ResourceRepository = rbac.Resource("repository") - ResourceRepositoryTag = rbac.Resource("repository-tag") - ResourceRepositoryTagManifest = 
rbac.Resource("repository-tag-manifest") - ResourceRepositoryTagVulnerability = rbac.Resource("repository-tag-vulnerability") - ResourceRepositoryTagLabel = rbac.Resource("repository-tag-label") - ResourceHelmChart = rbac.Resource("helm-chart") - ResourceHelmChartVersion = rbac.Resource("helm-chart-version") - ResourceHelmChartVersionLabel = rbac.Resource("helm-chart-version-label") - ResourceConfiguration = rbac.Resource("configuration") // compatible for portal only - ResourceRobot = rbac.Resource("robot") -) diff --git a/src/common/rbac/project/util.go b/src/common/rbac/project/util.go index 1515f65e4..ac0911026 100644 --- a/src/common/rbac/project/util.go +++ b/src/common/rbac/project/util.go 
@@ -21,81 +21,87 @@ import ( var ( // subresource policies for public project publicProjectPolicies = []*rbac.Policy{ - {Resource: ResourceSelf, Action: ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPull}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, - {Resource: ResourceHelmChart, Action: ActionRead}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceHelmChartVersion, Action: ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, } // all policies for the projects allPolicies = []*rbac.Policy{ - {Resource: ResourceSelf, Action: ActionRead}, - {Resource: ResourceSelf, Action: ActionUpdate}, - {Resource: ResourceSelf, Action: ActionDelete}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionDelete}, - {Resource: ResourceMember, Action: ActionCreate}, - {Resource: ResourceMember, Action: ActionUpdate}, - {Resource: ResourceMember, Action: ActionDelete}, - {Resource: ResourceMember, Action: ActionList}, + {Resource: rbac.ResourceMember, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceMember, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceMember, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceMember, Action: rbac.ActionList}, - {Resource: ResourceLog, Action: ActionList}, + {Resource: rbac.ResourceLog, Action: rbac.ActionList}, - {Resource: ResourceReplication, Action: ActionList}, - {Resource: ResourceReplication, Action: 
ActionCreate}, - {Resource: ResourceReplication, Action: ActionUpdate}, - {Resource: ResourceReplication, Action: ActionDelete}, - {Resource: ResourceReplication, Action: ActionExecute}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionList}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionDelete}, - {Resource: ResourceLabel, Action: ActionCreate}, - {Resource: ResourceLabel, Action: ActionUpdate}, - {Resource: ResourceLabel, Action: ActionDelete}, - {Resource: ResourceLabel, Action: ActionList}, + {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionRead}, + {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionList}, - {Resource: ResourceRepository, Action: ActionCreate}, - {Resource: ResourceRepository, Action: ActionUpdate}, - {Resource: ResourceRepository, Action: ActionDelete}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPushPull}, // compatible with security all perm of project - {Resource: ResourceRepository, Action: ActionPush}, - {Resource: ResourceRepository, Action: ActionPull}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTag, Action: ActionDelete}, - {Resource: ResourceRepositoryTag, Action: ActionList}, - {Resource: ResourceRepositoryTag, Action: ActionScan}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: 
rbac.ResourceRepository, Action: rbac.ActionPushPull}, // compatible with security all perm of project + {Resource: rbac.ResourceRepository, Action: rbac.ActionPush}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, - {Resource: ResourceRepositoryTagVulnerability, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagManifest, Action: ActionRead}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionRead}, - {Resource: ResourceRepositoryTagLabel, Action: ActionCreate}, - {Resource: ResourceRepositoryTagLabel, Action: ActionDelete}, + {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList}, - {Resource: ResourceHelmChart, Action: ActionCreate}, - {Resource: ResourceHelmChart, Action: ActionRead}, - {Resource: ResourceHelmChart, Action: ActionDelete}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionDelete}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionDelete}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionCreate}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionDelete}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceConfiguration, Action: ActionRead}, - 
{Resource: ResourceConfiguration, Action: ActionUpdate}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, - {Resource: ResourceRobot, Action: ActionCreate}, - {Resource: ResourceRobot, Action: ActionRead}, - {Resource: ResourceRobot, Action: ActionUpdate}, - {Resource: ResourceRobot, Action: ActionDelete}, - {Resource: ResourceRobot, Action: ActionList}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionDelete}, + + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead}, + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate}, + + {Resource: rbac.ResourceRobot, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionList}, } ) diff --git a/src/common/rbac/project/visitor_role.go b/src/common/rbac/project/visitor_role.go index 0ae5bc1a2..ac499887d 100644 --- a/src/common/rbac/project/visitor_role.go +++ b/src/common/rbac/project/visitor_role.go 
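Review bot: allPolicies is still not a superset of the projectAdmin role defined in visitor_role.go in this same commit: it has no `{Resource: rbac.ResourceReplication, Action: rbac.ActionRead}` and no `{Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionCreate}`, both of which projectAdmin carries (master and developer also hold the chart-version create). If allPolicies is used as the ceiling for anything — its comment `// all policies for the projects` reads as the complete set — those two entries should be added, or the comment should state which policies are deliberately excluded. The gap is carried over from the old list rather than introduced here, but every line was rewritten, so this is the place to close it. How allPolicies is consumed is not visible in the diff.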
@@ -22,175 +22,187 @@ import ( var ( rolePoliciesMap = map[string][]*rbac.Policy{ "projectAdmin": { - {Resource: ResourceSelf, Action: ActionRead}, - {Resource: ResourceSelf, Action: ActionUpdate}, - {Resource: ResourceSelf, Action: ActionDelete}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionDelete}, - {Resource: ResourceMember, Action: ActionCreate}, - {Resource: ResourceMember, Action: ActionUpdate}, - {Resource: ResourceMember, Action: ActionDelete}, - {Resource: ResourceMember, Action: ActionList}, + {Resource: rbac.ResourceMember, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceMember, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceMember, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceMember, Action: rbac.ActionList}, - {Resource: ResourceLog, Action: ActionList}, + {Resource: rbac.ResourceLog, Action: rbac.ActionList}, - {Resource: ResourceReplication, Action: ActionRead}, - {Resource: ResourceReplication, Action: ActionList}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionRead}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionList}, - {Resource: ResourceLabel, Action: ActionCreate}, - {Resource: ResourceLabel, Action: ActionUpdate}, - {Resource: ResourceLabel, Action: ActionDelete}, - {Resource: ResourceLabel, Action: ActionList}, + {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionRead}, + {Resource: rbac.ResourceReplicationJob, Action: rbac.ActionList}, - {Resource: ResourceRepository, Action: ActionCreate}, - {Resource: ResourceRepository, Action: ActionUpdate}, - {Resource: ResourceRepository, Action: ActionDelete}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPushPull}, // compatible with security all perm of project - {Resource: ResourceRepository, Action: ActionPush}, - {Resource: ResourceRepository, Action: ActionPull}, + 
{Resource: rbac.ResourceLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTag, Action: ActionDelete}, - {Resource: ResourceRepositoryTag, Action: ActionList}, - {Resource: ResourceRepositoryTag, Action: ActionScan}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPushPull}, // compatible with security all perm of project + {Resource: rbac.ResourceRepository, Action: rbac.ActionPush}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPushPull}, - {Resource: ResourceRepositoryTagVulnerability, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagManifest, Action: ActionRead}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionRead}, - {Resource: ResourceRepositoryTagLabel, Action: ActionCreate}, - {Resource: ResourceRepositoryTagLabel, Action: ActionDelete}, + {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList}, - {Resource: ResourceHelmChart, Action: ActionCreate}, // upload helm chart - {Resource: ResourceHelmChart, Action: ActionRead}, // download helm chart - {Resource: ResourceHelmChart, Action: ActionDelete}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagManifest, Action: 
rbac.ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionCreate}, // upload helm chart version - {Resource: ResourceHelmChartVersion, Action: ActionRead}, // read and download helm chart version - {Resource: ResourceHelmChartVersion, Action: ActionDelete}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionDelete}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionCreate}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionDelete}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionCreate}, // upload helm chart + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, // download helm chart + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceConfiguration, Action: ActionRead}, - {Resource: ResourceConfiguration, Action: ActionUpdate}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionCreate}, // upload helm chart version + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, // read and download helm chart version + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, - {Resource: ResourceRobot, Action: ActionCreate}, - {Resource: ResourceRobot, Action: ActionRead}, - {Resource: ResourceRobot, Action: ActionUpdate}, - {Resource: ResourceRobot, Action: ActionDelete}, - {Resource: ResourceRobot, Action: ActionList}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionDelete}, + + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead}, + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate}, + + {Resource: rbac.ResourceRobot, Action: rbac.ActionCreate}, + 
{Resource: rbac.ResourceRobot, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRobot, Action: rbac.ActionList}, }, "master": { - {Resource: ResourceSelf, Action: ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, - {Resource: ResourceMember, Action: ActionList}, + {Resource: rbac.ResourceMember, Action: rbac.ActionList}, - {Resource: ResourceLog, Action: ActionList}, + {Resource: rbac.ResourceLog, Action: rbac.ActionList}, - {Resource: ResourceReplication, Action: ActionRead}, - {Resource: ResourceReplication, Action: ActionList}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionRead}, + {Resource: rbac.ResourceReplication, Action: rbac.ActionList}, - {Resource: ResourceLabel, Action: ActionCreate}, - {Resource: ResourceLabel, Action: ActionUpdate}, - {Resource: ResourceLabel, Action: ActionDelete}, - {Resource: ResourceLabel, Action: ActionList}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceLabel, Action: rbac.ActionList}, - {Resource: ResourceRepository, Action: ActionCreate}, - {Resource: ResourceRepository, Action: ActionUpdate}, - {Resource: ResourceRepository, Action: ActionDelete}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPush}, - {Resource: ResourceRepository, Action: ActionPull}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionUpdate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPush}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, - {Resource: 
ResourceRepositoryTag, Action: ActionDelete}, - {Resource: ResourceRepositoryTag, Action: ActionList}, - {Resource: ResourceRepositoryTag, Action: ActionScan}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagVulnerability, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagScanJob, Action: rbac.ActionRead}, - {Resource: ResourceRepositoryTagManifest, Action: ActionRead}, + {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagLabel, Action: ActionCreate}, - {Resource: ResourceRepositoryTagLabel, Action: ActionDelete}, + {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead}, - {Resource: ResourceHelmChart, Action: ActionCreate}, - {Resource: ResourceHelmChart, Action: ActionRead}, - {Resource: ResourceHelmChart, Action: ActionDelete}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionDelete}, - {Resource: ResourceHelmChartVersion, Action: ActionCreate}, - {Resource: ResourceHelmChartVersion, Action: ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionDelete}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionCreate}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionDelete}, + {Resource: rbac.ResourceHelmChartVersion, Action: 
rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionDelete}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, - {Resource: ResourceConfiguration, Action: ActionRead}, - {Resource: ResourceConfiguration, Action: ActionUpdate}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionDelete}, + + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead}, + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate}, }, "developer": { - {Resource: ResourceSelf, Action: ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, - {Resource: ResourceMember, Action: ActionList}, + {Resource: rbac.ResourceMember, Action: rbac.ActionList}, - {Resource: ResourceLog, Action: ActionList}, + {Resource: rbac.ResourceLog, Action: rbac.ActionList}, - {Resource: ResourceRepository, Action: ActionCreate}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPush}, - {Resource: ResourceRepository, Action: ActionPull}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPush}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, - {Resource: ResourceRepositoryTag, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagVulnerability, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagManifest, Action: ActionRead}, + {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead}, - {Resource: ResourceRepositoryTagLabel, Action: ActionCreate}, 
- {Resource: ResourceRepositoryTagLabel, Action: ActionDelete}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceRepositoryTagLabel, Action: rbac.ActionDelete}, - {Resource: ResourceHelmChart, Action: ActionCreate}, - {Resource: ResourceHelmChart, Action: ActionRead}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceHelmChartVersion, Action: ActionCreate}, - {Resource: ResourceHelmChartVersion, Action: ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionCreate}, - {Resource: ResourceHelmChartVersionLabel, Action: ActionDelete}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionCreate}, + {Resource: rbac.ResourceHelmChartVersionLabel, Action: rbac.ActionDelete}, - {Resource: ResourceConfiguration, Action: ActionRead}, + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead}, }, "guest": { - {Resource: ResourceSelf, Action: ActionRead}, + {Resource: rbac.ResourceSelf, Action: rbac.ActionRead}, - {Resource: ResourceMember, Action: ActionList}, + {Resource: rbac.ResourceMember, Action: rbac.ActionList}, - {Resource: ResourceLog, Action: ActionList}, + {Resource: rbac.ResourceLog, Action: rbac.ActionList}, - {Resource: ResourceRepository, Action: ActionList}, - {Resource: ResourceRepository, Action: ActionPull}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionList}, + {Resource: rbac.ResourceRepository, Action: rbac.ActionPull}, - {Resource: ResourceRepositoryTag, Action: ActionList}, + 
{Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionRead}, + {Resource: rbac.ResourceRepositoryTag, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagVulnerability, Action: ActionList}, + {Resource: rbac.ResourceRepositoryTagVulnerability, Action: rbac.ActionList}, - {Resource: ResourceRepositoryTagManifest, Action: ActionRead}, + {Resource: rbac.ResourceRepositoryTagManifest, Action: rbac.ActionRead}, - {Resource: ResourceHelmChart, Action: ActionRead}, - {Resource: ResourceHelmChart, Action: ActionList}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChart, Action: rbac.ActionList}, - {Resource: ResourceHelmChartVersion, Action: ActionRead}, - {Resource: ResourceHelmChartVersion, Action: ActionList}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionRead}, + {Resource: rbac.ResourceHelmChartVersion, Action: rbac.ActionList}, - {Resource: ResourceConfiguration, Action: ActionRead}, + {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead}, }, } ) diff --git a/src/common/security/admiral/context.go b/src/common/security/admiral/context.go index 72840d36b..9abc5faea 100644 --- a/src/common/security/admiral/context.go +++ b/src/common/security/admiral/context.go 
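Review bot: The projectAdmin list now contains `{Resource: rbac.ResourceRepository, Action: rbac.ActionPushPull}` twice — once with the `// compatible with security all perm of project` comment and again immediately after the ActionPull entry; the second copy should be deleted. A duplicate is harmless for an allow lookup, but it degrades the list as an audit artefact, and a later edit that removes one copy believing it revoked the grant would leave the permission in place. Note that projectAdmin is the only role carrying ActionPushPull, and HasAllPerm in both security contexts (rewritten in this commit) checks exactly that action, so master's separate push and pull grants do not satisfy HasAllPerm; if that is intended, a one-line comment on the master entry such as `// no ActionPushPull: master must not satisfy HasAllPerm` would record the decision.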
@@ -72,19 +72,19 @@ func (s *SecurityContext) IsSolutionUser() bool { // HasReadPerm returns whether the user has read permission to the project func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // HasWritePerm returns whether the user has write permission to the project func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // HasAllPerm returns whether the user has all permissions to the project func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // Can returns whether the user can do action on resource diff --git a/src/common/security/local/context.go b/src/common/security/local/context.go index d56433214..f0d33ceed 100644 --- a/src/common/security/local/context.go +++ b/src/common/security/local/context.go 
@@ -70,19 +70,19 @@ func (s *SecurityContext) IsSolutionUser() bool { // HasReadPerm returns whether the user has read permission to the project func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // HasWritePerm returns whether the user has write permission to the project func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // HasAllPerm returns whether the user has all permissions to the project func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool { isPublicProject, _ := s.pm.IsPublic(projectIDOrName) - return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceRepository)) + return s.Can(rbac.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(rbac.ResourceRepository)) } // Can returns whether the user can do action on resource diff --git a/src/core/api/chart_repository_test.go b/src/core/api/chart_repository_test.go index 4bcb1f009..05a3c138f 100644 --- a/src/core/api/chart_repository_test.go +++ b/src/core/api/chart_repository_test.go 
@@ -9,7 +9,6 @@ import ( "github.com/goharbor/harbor/src/chartserver" "github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/rbac" - "github.com/goharbor/harbor/src/common/rbac/project" "github.com/goharbor/harbor/src/core/promgr/metamgr" ) @@ -313,12 +312,12 @@ func (msc *mockSecurityContext) IsSolutionUser() bool { // HasReadPerm returns whether the user has read permission to the project func (msc *mockSecurityContext) HasReadPerm(projectIDOrName interface{}) bool { - return msc.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, false).Resource(project.ResourceRepository)) + return msc.Can(rbac.ActionPull, rbac.NewProjectNamespace(projectIDOrName, false).Resource(rbac.ResourceRepository)) } // HasWritePerm returns whether the user has write permission to the project func (msc *mockSecurityContext) HasWritePerm(projectIDOrName interface{}) bool { - return msc.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, false).Resource(project.ResourceRepository)) + return msc.Can(rbac.ActionPush, rbac.NewProjectNamespace(projectIDOrName, false).Resource(rbac.ResourceRepository)) } // HasAllPerm returns whether the user has all permissions to the project