check the existence of project when generating token

Wenkai Yin 2017-08-07 13:10:12 +08:00
parent 0b2d7ae6c2
commit 7800d2c2b2
3 changed files with 28 additions and 9 deletions


@ -29,6 +29,7 @@ import (
"github.com/vmware/harbor/src/common/security"
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/config"
promgr "github.com/vmware/harbor/src/ui/projectmanager"
)
const (
@ -75,7 +76,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
//filterAccess iterate a list of resource actions and try to use the filter that matches the resource type to filter the actions.
func filterAccess(access []*token.ResourceActions, ctx security.Context,
filters map[string]accessFilter) error {
pm promgr.ProjectManager, filters map[string]accessFilter) error {
var err error
for _, a := range access {
f, ok := filters[a.Type]
@ -84,7 +85,7 @@ func filterAccess(access []*token.ResourceActions, ctx security.Context,
log.Warningf("No filter found for access type: %s, skip filter, the access of resource '%s' will be set empty.", a.Type, a.Name)
continue
}
err = f.filter(ctx, a)
err = f.filter(ctx, pm, a)
log.Debugf("user: %s, access: %v", ctx.GetUsername(), a)
if err != nil {
return err
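Review bot: The doc comment on filterAccess is unchanged and does not describe the new `pm` parameter, although its nil-safety now matters. The updated tests in this commit call filterAccess with `pm` set to nil, while repositoryFilter.filter calls `pm.Exist(project)` unconditionally. State the contract in the comment, for example `// pm is handed to each filter for project lookups; it may be nil only when no repository-type access is filtered.` The function body continues past the end of this hunk.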


@ -26,6 +26,7 @@ import (
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/config"
"github.com/vmware/harbor/src/ui/filter"
promgr "github.com/vmware/harbor/src/ui/projectmanager"
)
var creatorMap map[string]Creator
@ -126,13 +127,13 @@ func parseImg(s string) (*image, error) {
// An accessFilter will filter access based on userinfo
type accessFilter interface {
filter(ctx security.Context, a *token.ResourceActions) error
filter(ctx security.Context, pm promgr.ProjectManager, a *token.ResourceActions) error
}
type registryFilter struct {
}
func (reg registryFilter) filter(ctx security.Context,
func (reg registryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
a *token.ResourceActions) error {
//Do not filter if the request is to access registry catalog
if a.Name != "catalog" {
@ -150,7 +151,8 @@ type repositoryFilter struct {
parser imageParser
}
func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceActions) error {
func (rep repositoryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
a *token.ResourceActions) error {
//clear action list to assign to new acess element after perm check.
img, err := rep.parser.parse(a.Name)
if err != nil {
@ -158,6 +160,17 @@ func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceAction
}
project := img.namespace
permission := ""
exist, err := pm.Exist(project)
if err != nil {
return err
}
if !exist {
log.Debugf("project %s does not exist, set empty permission", project)
a.Actions = []string{}
return nil
}
if ctx.HasAllPerm(project) {
permission = "RWM"
} else if ctx.HasWritePerm(project) {
@ -191,6 +204,11 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
return nil, fmt.Errorf("failed to get security context from request")
}
pm, err := filter.GetProjectManager(r)
if err != nil {
return nil, fmt.Errorf("failed to get project manager from request")
}
// for docker login
if !ctx.IsAuthenticated() {
if len(scopes) == 0 {
@ -198,7 +216,7 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
}
}
access := GetResourceActions(scopes)
err = filterAccess(access, ctx, g.filterMap)
err = filterAccess(access, ctx, pm, g.filterMap)
if err != nil {
return nil, err
}
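Review bot: The new error branch in Create discards the error returned by `filter.GetProjectManager(r)`, so a failed token request cannot be traced back to its cause. Include it, e.g. `return nil, fmt.Errorf("failed to get project manager from request: %v", err)`, or log it at that point if the message may be shown to the client. Separately, in repositoryFilter.filter the project name appears to come from the requested scope and is logged with `%s`. Using `log.Debugf("project %q does not exist, set empty permission", project)` would keep control characters in a crafted name from breaking up log lines. Both functions continue outside the visible hunks.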


@ -256,19 +256,19 @@ func TestFilterAccess(t *testing.T) {
}
err = filterAccess(a1, &fakeSecurityContext{
isAdmin: true,
}, registryFilterMap)
}, nil, registryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra1, *a1[0], "Mismatch after registry filter Map")
err = filterAccess(a2, &fakeSecurityContext{
isAdmin: true,
}, notaryFilterMap)
}, nil, notaryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra2, *a2[0], "Mismatch after notary filter Map")
err = filterAccess(a3, &fakeSecurityContext{
isAdmin: false,
}, registryFilterMap)
}, nil, registryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra2, *a3[0], "Mismatch after registry filter Map")
}
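Review bot: Every updated filterAccess call passes `nil` for the project manager, so nothing here exercises the branch this commit adds in repositoryFilter.filter, where a missing project yields an empty action list. The commit changes three files and this is the only test hunk among them, so the new authorization path ships untested. A fake ProjectManager passed with a repository-type access entry would cover three cases: the project exists, it does not exist, and `Exist` returns an error. The assertion for the missing-project case should check that `Actions` is empty even when the security context reports full permission.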