remvoe bypass to scanner pull

Signed-off-by: wang yan <wangyan@vmware.com>
2024-11-18 16:25:16 +01:00 · 2019-10-24 14:02:25 +08:00 · 2019-10-24 14:02:25 +08:00 · 71c769ec97
commit 71c769ec97
parent a6ad1b2db8
5 changed files with 20 additions and 16 deletions
--- a/src/common/security/robot/robot.go
+++ b/src/common/security/robot/robot.go
@ -53,7 +53,6 @@ func filterPolicies(namespace rbac.Namespace, policies []*rbac.Policy) []*rbac.P
 			results = append(results, policy)
 		}
 	}
-
 	return results
 }

@ -63,7 +62,7 @@ func getAllPolicies(namespace rbac.Namespace) map[string]bool {
 	for _, policy := range project.GetAllPolicies(namespace) {
 		mp[policy.String()] = true
 	}
-	scannerPull := &rbac.Policy{Resource: rbac.ResourceRepository, Action: rbac.ActionScannerPull}
+	scannerPull := &rbac.Policy{Resource: namespace.Resource(rbac.ResourceRepository), Action: rbac.ActionScannerPull}
 	mp[scannerPull.String()] = true
 	return mp
 }
--- a/src/core/middlewares/contenttrust/handler.go
+++ b/src/core/middlewares/contenttrust/handler.go
@ -49,7 +49,7 @@ func (cth contentTrustHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 		cth.next.ServeHTTP(rw, req)
 		return
 	}
-	if bypass, ok := util.BypassPolicyCheckFromContext(req.Context()); ok && bypass {
+	if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
 		cth.next.ServeHTTP(rw, req)
 		return
 	}
--- a/src/core/middlewares/regtoken/handler.go
+++ b/src/core/middlewares/regtoken/handler.go
@ -27,7 +27,12 @@ func New(next http.Handler) http.Handler {

 // ServeHTTP ...
 func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
-	img, _ := util.ImageInfoFromContext(req.Context())
+	imgRaw := req.Context().Value(util.ImageInfoCtxKey)
+	if imgRaw == nil {
+		r.next.ServeHTTP(rw, req)
+		return
+	}
+	img, _ := req.Context().Value(util.ImageInfoCtxKey).(util.ImageInfo)
 	if img.Digest == "" {
 		r.next.ServeHTTP(rw, req)
 		return
@ -59,7 +64,7 @@ func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	accessSet := regTK.Claims.(*registry.Claim).GetAccess()
 	for _, access := range accessItems {
 		if accessSet.Contains(access) {
-			*req = *(req.WithContext(util.NewBypassPolicyCheckContext(req.Context(), true)))
+			*req = *(req.WithContext(util.NewScannerPullContext(req.Context(), true)))
 		}
 	}
 	r.next.ServeHTTP(rw, req)
--- a/src/core/middlewares/util/util.go
+++ b/src/core/middlewares/util/util.go
@ -49,8 +49,8 @@ type contextKey string
 const (
 	// ImageInfoCtxKey the context key for image information
 	ImageInfoCtxKey = contextKey("ImageInfo")
-	// ByPassPolicyCheckCtxKey the context key for robot account to bypass the pull policy check.
-	ByPassPolicyCheckCtxKey = contextKey("ByPassPolicyCheck")
+	// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
+	ScannerPullCtxKey = contextKey("ScannerPullCheck")
 	// TokenUsername ...
 	// TODO: temp solution, remove after vmware/harbor#2242 is resolved.
 	TokenUsername = "harbor-core"
@ -445,14 +445,14 @@ func ManifestInfoFromContext(ctx context.Context) (*ManifestInfo, bool) {
 	return info, ok
 }

-// NewBypassPolicyCheckContext returns context with policy check info
-func NewBypassPolicyCheckContext(ctx context.Context, bypass bool) context.Context {
-	return context.WithValue(ctx, ByPassPolicyCheckCtxKey, bypass)
+// NewScannerPullContext returns context with policy check info
+func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
+	return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
 }

-// BypassPolicyCheckFromContext returns whether to bypass policy check
-func BypassPolicyCheckFromContext(ctx context.Context) (bool, bool) {
-	info, ok := ctx.Value(ByPassPolicyCheckCtxKey).(bool)
+// ScannerPullFromContext returns whether to bypass policy check
+func ScannerPullFromContext(ctx context.Context) (bool, bool) {
+	info, ok := ctx.Value(ScannerPullCtxKey).(bool)
 	return info, ok
 }

--- a/src/core/middlewares/vulnerable/handler.go
+++ b/src/core/middlewares/vulnerable/handler.go
@ -52,7 +52,7 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 		return
 	}

-	if bypass, ok := util.BypassPolicyCheckFromContext(req.Context()); ok && bypass {
+	if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
 		vh.next.ServeHTTP(rw, req)
 		return
 	}
@ -114,10 +114,10 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 		return
 	}

-	// Print bypass CVE list
+	// Print scannerPull CVE list
 	if len(summary.CVEBypassed) > 0 {
 		for _, cve := range summary.CVEBypassed {
-			log.Infof("Vulnerable policy check: bypass CVE %s", cve)
+			log.Infof("Vulnerable policy check: scannerPull CVE %s", cve)
 		}
 	}