remove bypass to scanner pull
Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
parent
a6ad1b2db8
commit
71c769ec97
@ -53,7 +53,6 @@ func filterPolicies(namespace rbac.Namespace, policies []*rbac.Policy) []*rbac.P
|
||||
results = append(results, policy)
|
||||
}
|
||||
}
|
||||
|
||||
return results
|
||||
}
|
||||
|
||||
@ -63,7 +62,7 @@ func getAllPolicies(namespace rbac.Namespace) map[string]bool {
|
||||
for _, policy := range project.GetAllPolicies(namespace) {
|
||||
mp[policy.String()] = true
|
||||
}
|
||||
scannerPull := &rbac.Policy{Resource: rbac.ResourceRepository, Action: rbac.ActionScannerPull}
|
||||
scannerPull := &rbac.Policy{Resource: namespace.Resource(rbac.ResourceRepository), Action: rbac.ActionScannerPull}
|
||||
mp[scannerPull.String()] = true
|
||||
return mp
|
||||
}
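Review bot: getAllPolicies appends the scanner-pull policy to the namespace's policy set after the project's own policies, and nothing in the hunk says why that one action is granted to every namespace regardless of what project.GetAllPolicies returns. The change to `namespace.Resource(rbac.ResourceRepository)` is the right scoping, but a reader of the map later has no way to tell the unconditional entry from a configured one. A one-line comment above the assignment would record the intent, e.g. `// scanner pull on the namespace's repositories is always part of the policy set, independent of the project's configured policies`. getAllPolicies' signature lies outside this hunk, so I cannot see whether the doc comment on the function already states this.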
|
||||
|
@ -49,7 +49,7 @@ func (cth contentTrustHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
|
||||
cth.next.ServeHTTP(rw, req)
|
||||
return
|
||||
}
|
||||
if bypass, ok := util.BypassPolicyCheckFromContext(req.Context()); ok && bypass {
|
||||
if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
||||
cth.next.ServeHTTP(rw, req)
|
||||
return
|
||||
}
|
||||
|
@ -27,7 +27,12 @@ func New(next http.Handler) http.Handler {
|
||||
|
||||
// ServeHTTP ...
|
||||
func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||
img, _ := util.ImageInfoFromContext(req.Context())
|
||||
imgRaw := req.Context().Value(util.ImageInfoCtxKey)
|
||||
if imgRaw == nil {
|
||||
r.next.ServeHTTP(rw, req)
|
||||
return
|
||||
}
|
||||
img, _ := req.Context().Value(util.ImageInfoCtxKey).(util.ImageInfo)
|
||||
if img.Digest == "" {
|
||||
r.next.ServeHTTP(rw, req)
|
||||
return
|
||||
@ -59,7 +64,7 @@ func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||
accessSet := regTK.Claims.(*registry.Claim).GetAccess()
|
||||
for _, access := range accessItems {
|
||||
if accessSet.Contains(access) {
|
||||
*req = *(req.WithContext(util.NewBypassPolicyCheckContext(req.Context(), true)))
|
||||
*req = *(req.WithContext(util.NewScannerPullContext(req.Context(), true)))
|
||||
}
|
||||
}
|
||||
r.next.ServeHTTP(rw, req)
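Review bot: In the first hunk the nil check on `imgRaw` and the type assertion two lines later read the context twice, and the assertion's ok result is discarded, so a stored value of an unexpected type (for instance a pointer to util.ImageInfo instead of a value) silently becomes a zero ImageInfo and is treated as "no digest", passing the request straight to next without a token check. Both lookups collapse into one guarded form: `img, ok := req.Context().Value(util.ImageInfoCtxKey).(util.ImageInfo)` followed by `if !ok || img.Digest == "" {`, with the `imgRaw` block dropped. The removed util.ImageInfoFromContext call presumably did this assertion already; if that helper still exists, using its ok flag keeps the assertion in one place. In the second hunk the scanner-pull context is re-applied on every matching access item rather than once; a `break` after the assignment, or moving the assignment after the loop behind a found flag, makes the single intended transition explicit. ServeHTTP begins at the top of the first hunk but continues past the end of the second.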
|
||||
|
@ -49,8 +49,8 @@ type contextKey string
|
||||
const (
|
||||
// ImageInfoCtxKey the context key for image information
|
||||
ImageInfoCtxKey = contextKey("ImageInfo")
|
||||
// ByPassPolicyCheckCtxKey the context key for robot account to bypass the pull policy check.
|
||||
ByPassPolicyCheckCtxKey = contextKey("ByPassPolicyCheck")
|
||||
// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
|
||||
ScannerPullCtxKey = contextKey("ScannerPullCheck")
|
||||
// TokenUsername ...
|
||||
// TODO: temp solution, remove after vmware/harbor#2242 is resolved.
|
||||
TokenUsername = "harbor-core"
|
||||
@ -445,14 +445,14 @@ func ManifestInfoFromContext(ctx context.Context) (*ManifestInfo, bool) {
|
||||
return info, ok
|
||||
}
|
||||
|
||||
// NewBypassPolicyCheckContext returns context with policy check info
|
||||
func NewBypassPolicyCheckContext(ctx context.Context, bypass bool) context.Context {
|
||||
return context.WithValue(ctx, ByPassPolicyCheckCtxKey, bypass)
|
||||
// NewScannerPullContext returns context with policy check info
|
||||
func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
|
||||
return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
|
||||
}
|
||||
|
||||
// BypassPolicyCheckFromContext returns whether to bypass policy check
|
||||
func BypassPolicyCheckFromContext(ctx context.Context) (bool, bool) {
|
||||
info, ok := ctx.Value(ByPassPolicyCheckCtxKey).(bool)
|
||||
// ScannerPullFromContext returns whether to bypass policy check
|
||||
func ScannerPullFromContext(ctx context.Context) (bool, bool) {
|
||||
info, ok := ctx.Value(ScannerPullCtxKey).(bool)
|
||||
return info, ok
|
||||
}
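Review bot: The doc comments on the new identifiers were copied from the ones they replace and no longer describe them: `// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.` in the first hunk repeats the ByPassPolicyCheckCtxKey wording, and in the second hunk `// NewScannerPullContext returns context with policy check info` and `// ScannerPullFromContext returns whether to bypass policy check` still talk about a generic policy bypass. Since the only consumers visible in this commit are the content-trust and vulnerability handlers, which skip their checks when the flag is set, the comments should say that: `// ScannerPullCtxKey is the context key marking a request as a scanner pull.`, `// NewScannerPullContext returns a context that marks the request as a scanner pull.` and `// ScannerPullFromContext reports whether the request was marked as a scanner pull and whether the marker was present.`. The second return value of ScannerPullFromContext (presence of the key) is not mentioned by the current comment at all.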
|
||||
|
||||
|
@ -52,7 +52,7 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request)
|
||||
return
|
||||
}
|
||||
|
||||
if bypass, ok := util.BypassPolicyCheckFromContext(req.Context()); ok && bypass {
|
||||
if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
||||
vh.next.ServeHTTP(rw, req)
|
||||
return
|
||||
}
|
||||
@ -114,10 +114,10 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request)
|
||||
return
|
||||
}
|
||||
|
||||
// Print bypass CVE list
|
||||
// Print scannerPull CVE list
|
||||
if len(summary.CVEBypassed) > 0 {
|
||||
for _, cve := range summary.CVEBypassed {
|
||||
log.Infof("Vulnerable policy check: bypass CVE %s", cve)
|
||||
log.Infof("Vulnerable policy check: scannerPull CVE %s", cve)
|
||||
}
|
||||
}
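Review bot: The log message rename in the second hunk changes meaning rather than just vocabulary: the loop iterates `summary.CVEBypassed`, which from its name and the previous wording holds CVEs the vulnerability policy skipped, and has nothing to do with whether the request was a scanner pull, so `Vulnerable policy check: scannerPull CVE %s` now mislabels those entries in the logs; the same applies to `// Print scannerPull CVE list`. Operators who match on the old line for auditing will also stop seeing it. Keep `log.Infof("Vulnerable policy check: bypass CVE %s", cve)` or, if "bypass" was the word being retired, name the list instead, e.g. `// Print the CVEs the vulnerability policy skipped` with a message such as `Vulnerable policy check: skipped CVE %s`. ServeHTTP and the definition of summary lie outside the hunk.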
|
||||
|
||||
|