mirror of
https://github.com/goharbor/harbor.git
synced 2025-02-02 21:11:37 +01:00
Merge pull request #2218 from ywk253100/170503_pms_db
Implement the project manager based on database
This commit is contained in:
commit
7b0daca06a
@ -17,20 +17,20 @@ package rbac
|
||||
import (
|
||||
"github.com/vmware/harbor/src/common"
|
||||
"github.com/vmware/harbor/src/common/models"
|
||||
"github.com/vmware/harbor/src/ui/pms"
|
||||
"github.com/vmware/harbor/src/ui/pm"
|
||||
)
|
||||
|
||||
// SecurityContext implements security.Context interface based on database
|
||||
type SecurityContext struct {
|
||||
user *models.User
|
||||
pms pms.PMS
|
||||
pm pm.PM
|
||||
}
|
||||
|
||||
// NewSecurityContext ...
|
||||
func NewSecurityContext(user *models.User, pms pms.PMS) *SecurityContext {
|
||||
func NewSecurityContext(user *models.User, pm pm.PM) *SecurityContext {
|
||||
return &SecurityContext{
|
||||
user: user,
|
||||
pms: pms,
|
||||
pm: pm,
|
||||
}
|
||||
}
|
||||
|
||||
@ -60,7 +60,7 @@ func (s *SecurityContext) IsSysAdmin() bool {
|
||||
// HasReadPerm returns whether the user has read permission to the project
|
||||
func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
||||
// public project
|
||||
if s.pms.IsPublic(projectIDOrName) {
|
||||
if s.pm.IsPublic(projectIDOrName) {
|
||||
return true
|
||||
}
|
||||
|
||||
@ -74,7 +74,7 @@ func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
for _, role := range roles {
|
||||
switch role {
|
||||
case common.RoleProjectAdmin,
|
||||
@ -98,7 +98,7 @@ func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
for _, role := range roles {
|
||||
switch role {
|
||||
case common.RoleProjectAdmin,
|
||||
@ -120,7 +120,7 @@ func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
|
||||
for _, role := range roles {
|
||||
switch role {
|
||||
case common.RoleProjectAdmin:
|
||||
|
@ -22,15 +22,15 @@ import (
|
||||
"github.com/vmware/harbor/src/common/models"
|
||||
)
|
||||
|
||||
type fakePMS struct {
|
||||
type fakePM struct {
|
||||
public string
|
||||
roles map[string][]int
|
||||
}
|
||||
|
||||
func (f *fakePMS) IsPublic(projectIDOrName interface{}) bool {
|
||||
func (f *fakePM) IsPublic(projectIDOrName interface{}) bool {
|
||||
return f.public == projectIDOrName.(string)
|
||||
}
|
||||
func (f *fakePMS) GetRoles(username string, projectIDOrName interface{}) []int {
|
||||
func (f *fakePM) GetRoles(username string, projectIDOrName interface{}) []int {
|
||||
return f.roles[projectIDOrName.(string)]
|
||||
}
|
||||
|
||||
@ -78,7 +78,7 @@ func TestIsSysAdmin(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestHasReadPerm(t *testing.T) {
|
||||
pms := &fakePMS{
|
||||
pm := &fakePM{
|
||||
public: "public_project",
|
||||
roles: map[string][]int{
|
||||
"has_read_perm_project": []int{common.RoleGuest},
|
||||
@ -86,35 +86,35 @@ func TestHasReadPerm(t *testing.T) {
|
||||
}
|
||||
|
||||
// public project, unauthenticated
|
||||
ctx := NewSecurityContext(nil, pms)
|
||||
ctx := NewSecurityContext(nil, pm)
|
||||
assert.True(t, ctx.HasReadPerm("public_project"))
|
||||
|
||||
// private project, unauthenticated
|
||||
ctx = NewSecurityContext(nil, pms)
|
||||
ctx = NewSecurityContext(nil, pm)
|
||||
assert.False(t, ctx.HasReadPerm("has_read_perm_project"))
|
||||
|
||||
// private project, authenticated, has no perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.False(t, ctx.HasReadPerm("has_no_perm_project"))
|
||||
|
||||
// private project, authenticated, has read perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasReadPerm("has_read_perm_project"))
|
||||
|
||||
// private project, authenticated, system admin
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
HasAdminRole: 1,
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
|
||||
}
|
||||
|
||||
func TestHasWritePerm(t *testing.T) {
|
||||
pms := &fakePMS{
|
||||
pm := &fakePM{
|
||||
roles: map[string][]int{
|
||||
"has_read_perm_project": []int{common.RoleGuest},
|
||||
"has_write_perm_project": []int{common.RoleGuest, common.RoleDeveloper},
|
||||
@ -122,31 +122,31 @@ func TestHasWritePerm(t *testing.T) {
|
||||
}
|
||||
|
||||
// unauthenticated
|
||||
ctx := NewSecurityContext(nil, pms)
|
||||
ctx := NewSecurityContext(nil, pm)
|
||||
assert.False(t, ctx.HasWritePerm("has_write_perm_project"))
|
||||
|
||||
// authenticated, has read perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.False(t, ctx.HasWritePerm("has_read_perm_project")) // authenticated, has read perm
|
||||
|
||||
// authenticated, has write perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasWritePerm("has_write_perm_project"))
|
||||
|
||||
// authenticated, system admin
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
HasAdminRole: 1,
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
|
||||
}
|
||||
|
||||
func TestHasAllPerm(t *testing.T) {
|
||||
pms := &fakePMS{
|
||||
pm := &fakePM{
|
||||
roles: map[string][]int{
|
||||
"has_read_perm_project": []int{common.RoleGuest},
|
||||
"has_write_perm_project": []int{common.RoleGuest, common.RoleDeveloper},
|
||||
@ -155,31 +155,31 @@ func TestHasAllPerm(t *testing.T) {
|
||||
}
|
||||
|
||||
// unauthenticated
|
||||
ctx := NewSecurityContext(nil, pms)
|
||||
ctx := NewSecurityContext(nil, pm)
|
||||
assert.False(t, ctx.HasAllPerm("has_all_perm_project"))
|
||||
|
||||
// authenticated, has read perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.False(t, ctx.HasAllPerm("has_read_perm_project"))
|
||||
|
||||
// authenticated, has write perm
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.False(t, ctx.HasAllPerm("has_write_perm_project"))
|
||||
|
||||
// authenticated, has all perms
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasAllPerm("has_all_perm_project"))
|
||||
|
||||
// authenticated, system admin
|
||||
ctx = NewSecurityContext(&models.User{
|
||||
Username: "test",
|
||||
HasAdminRole: 1,
|
||||
}, pms)
|
||||
}, pm)
|
||||
assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
|
||||
}
|
||||
|
110
src/ui/pm/db/pm.go
Normal file
110
src/ui/pm/db/pm.go
Normal file
@ -0,0 +1,110 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package db
|
||||
|
||||
import (
|
||||
"github.com/vmware/harbor/src/common"
|
||||
"github.com/vmware/harbor/src/common/dao"
|
||||
"github.com/vmware/harbor/src/common/models"
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
)
|
||||
|
||||
// PM implements pm.PM interface based on database
|
||||
type PM struct{}
|
||||
|
||||
// IsPublic returns whether the project is public or not
|
||||
func (p *PM) IsPublic(projectIDOrName interface{}) bool {
|
||||
var project *models.Project
|
||||
var err error
|
||||
switch projectIDOrName.(type) {
|
||||
case string:
|
||||
name := projectIDOrName.(string)
|
||||
project, err = dao.GetProjectByName(name)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get project %s: %v", name, err)
|
||||
}
|
||||
case int64:
|
||||
id := projectIDOrName.(int64)
|
||||
project, err = dao.GetProjectByID(id)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get project %d: %v", id, err)
|
||||
}
|
||||
default:
|
||||
log.Errorf("unsupported type of %v, must be string or int64", projectIDOrName)
|
||||
}
|
||||
|
||||
if project == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return project.Public == 1
|
||||
}
|
||||
|
||||
// GetRoles return a role list which contains the user's roles to the project
|
||||
func (p *PM) GetRoles(username string, projectIDOrName interface{}) []int {
|
||||
roles := []int{}
|
||||
|
||||
user, err := dao.GetUser(models.User{
|
||||
Username: username,
|
||||
})
|
||||
if err != nil {
|
||||
log.Errorf("failed to get user %s: %v", username, err)
|
||||
return roles
|
||||
}
|
||||
if user == nil {
|
||||
return roles
|
||||
}
|
||||
|
||||
var projectID int64
|
||||
switch projectIDOrName.(type) {
|
||||
case string:
|
||||
name := projectIDOrName.(string)
|
||||
project, err := dao.GetProjectByName(name)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get project %s: %v", name, err)
|
||||
return roles
|
||||
}
|
||||
|
||||
if project == nil {
|
||||
return roles
|
||||
}
|
||||
projectID = project.ProjectID
|
||||
case int64:
|
||||
projectID = projectIDOrName.(int64)
|
||||
default:
|
||||
log.Errorf("unsupported type of %v, must be string or int64", projectIDOrName)
|
||||
return roles
|
||||
}
|
||||
|
||||
roleList, err := dao.GetUserProjectRoles(user.UserID, projectID)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get roles for user %d to project %d: %v",
|
||||
user.UserID, projectID, err)
|
||||
return roles
|
||||
}
|
||||
|
||||
for _, role := range roleList {
|
||||
switch role.RoleCode {
|
||||
case "MDRWS":
|
||||
roles = append(roles, common.RoleProjectAdmin)
|
||||
case "RWS":
|
||||
roles = append(roles, common.RoleDeveloper)
|
||||
case "RS":
|
||||
roles = append(roles, common.RoleGuest)
|
||||
}
|
||||
}
|
||||
|
||||
return roles
|
||||
}
|
106
src/ui/pm/db/pm_test.go
Normal file
106
src/ui/pm/db/pm_test.go
Normal file
@ -0,0 +1,106 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package db
|
||||
|
||||
import (
|
||||
"os"
|
||||
"strconv"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/vmware/harbor/src/common"
|
||||
"github.com/vmware/harbor/src/common/dao"
|
||||
"github.com/vmware/harbor/src/common/models"
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
)
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
dbHost := os.Getenv("MYSQL_HOST")
|
||||
if len(dbHost) == 0 {
|
||||
log.Fatalf("environment variable MYSQL_HOST is not set")
|
||||
}
|
||||
dbPortStr := os.Getenv("MYSQL_PORT")
|
||||
if len(dbPortStr) == 0 {
|
||||
log.Fatalf("environment variable MYSQL_PORT is not set")
|
||||
}
|
||||
dbPort, err := strconv.Atoi(dbPortStr)
|
||||
if err != nil {
|
||||
log.Fatalf("invalid MYSQL_PORT: %v", err)
|
||||
}
|
||||
dbUser := os.Getenv("MYSQL_USR")
|
||||
if len(dbUser) == 0 {
|
||||
log.Fatalf("environment variable MYSQL_USR is not set")
|
||||
}
|
||||
|
||||
dbPassword := os.Getenv("MYSQL_PWD")
|
||||
dbDatabase := os.Getenv("MYSQL_DATABASE")
|
||||
if len(dbDatabase) == 0 {
|
||||
log.Fatalf("environment variable MYSQL_DATABASE is not set")
|
||||
}
|
||||
|
||||
database := &models.Database{
|
||||
Type: "mysql",
|
||||
MySQL: &models.MySQL{
|
||||
Host: dbHost,
|
||||
Port: dbPort,
|
||||
Username: dbUser,
|
||||
Password: dbPassword,
|
||||
Database: dbDatabase,
|
||||
},
|
||||
}
|
||||
|
||||
log.Infof("MYSQL_HOST: %s, MYSQL_USR: %s, MYSQL_PORT: %d, MYSQL_PWD: %s\n", dbHost, dbUser, dbPort, dbPassword)
|
||||
|
||||
if err := dao.InitDatabase(database); err != nil {
|
||||
log.Fatalf("failed to initialize database: %v", err)
|
||||
}
|
||||
|
||||
os.Exit(m.Run())
|
||||
}
|
||||
|
||||
func TestIsPublic(t *testing.T) {
|
||||
pms := &PM{}
|
||||
// project name
|
||||
assert.True(t, pms.IsPublic("library"))
|
||||
// project ID
|
||||
assert.True(t, pms.IsPublic(int64(1)))
|
||||
// non exist project
|
||||
assert.False(t, pms.IsPublic("non_exist_project"))
|
||||
// invalid type
|
||||
assert.False(t, pms.IsPublic(1))
|
||||
}
|
||||
|
||||
func TestGetRoles(t *testing.T) {
|
||||
pm := &PM{}
|
||||
|
||||
// non exist user
|
||||
assert.Equal(t, []int{},
|
||||
pm.GetRoles("non_exist_user", int64(1)))
|
||||
|
||||
// project ID
|
||||
assert.Equal(t, []int{common.RoleProjectAdmin},
|
||||
pm.GetRoles("admin", int64(1)))
|
||||
|
||||
// project name
|
||||
assert.Equal(t, []int{common.RoleProjectAdmin},
|
||||
pm.GetRoles("admin", "library"))
|
||||
|
||||
// non exist project
|
||||
assert.Equal(t, []int{},
|
||||
pm.GetRoles("admin", "non_exist_project"))
|
||||
|
||||
// invalid type
|
||||
assert.Equal(t, []int{}, pm.GetRoles("admin", 1))
|
||||
}
|
@ -12,11 +12,11 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package pms
|
||||
package pm
|
||||
|
||||
// PMS is the project mamagement service which abstracts
|
||||
// the operations related to projects
|
||||
type PMS interface {
|
||||
// PM is the project mamager which abstracts the operations related
|
||||
// to projects
|
||||
type PM interface {
|
||||
IsPublic(projectIDOrName interface{}) bool
|
||||
GetRoles(username string, projectIDOrName interface{}) []int
|
||||
}
|
@ -1,15 +0,0 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package db
|
Loading…
Reference in New Issue
Block a user