mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-23 02:35:17 +01:00
commit
8dab10bbed
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"errors"
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"fmt"
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"testing"
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"errors"
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"testing"
|
@ -15,19 +15,19 @@
|
||||
package project
|
||||
|
||||
import (
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
)
|
||||
|
||||
// const action variables
|
||||
const (
|
||||
ActionAll = ram.Action("*")
|
||||
ActionPull = ram.Action("pull")
|
||||
ActionPush = ram.Action("push")
|
||||
ActionPushPull = ram.Action("push+pull")
|
||||
ActionAll = rbac.Action("*")
|
||||
ActionPull = rbac.Action("pull")
|
||||
ActionPush = rbac.Action("push")
|
||||
ActionPushPull = rbac.Action("push+pull")
|
||||
)
|
||||
|
||||
// const resource variables
|
||||
const (
|
||||
ResourceAll = ram.Resource("*")
|
||||
ResourceImage = ram.Resource("image")
|
||||
ResourceAll = rbac.Resource("*")
|
||||
ResourceImage = rbac.Resource("image")
|
||||
)
|
@ -15,26 +15,26 @@
|
||||
package project
|
||||
|
||||
import (
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
)
|
||||
|
||||
var (
|
||||
// subresource policies for public project
|
||||
publicProjectPolicies = []*ram.Policy{
|
||||
publicProjectPolicies = []*rbac.Policy{
|
||||
{Resource: ResourceImage, Action: ActionPull},
|
||||
}
|
||||
|
||||
// subresource policies for system admin visitor
|
||||
systemAdminProjectPolicies = []*ram.Policy{
|
||||
systemAdminProjectPolicies = []*rbac.Policy{
|
||||
{Resource: ResourceAll, Action: ActionAll},
|
||||
}
|
||||
)
|
||||
|
||||
func policiesForPublicProject(namespace ram.Namespace) []*ram.Policy {
|
||||
policies := []*ram.Policy{}
|
||||
func policiesForPublicProject(namespace rbac.Namespace) []*rbac.Policy {
|
||||
policies := []*rbac.Policy{}
|
||||
|
||||
for _, policy := range publicProjectPolicies {
|
||||
policies = append(policies, &ram.Policy{
|
||||
policies = append(policies, &rbac.Policy{
|
||||
Resource: namespace.Resource(policy.Resource),
|
||||
Action: policy.Action,
|
||||
Effect: policy.Effect,
|
||||
@ -44,11 +44,11 @@ func policiesForPublicProject(namespace ram.Namespace) []*ram.Policy {
|
||||
return policies
|
||||
}
|
||||
|
||||
func policiesForSystemAdmin(namespace ram.Namespace) []*ram.Policy {
|
||||
policies := []*ram.Policy{}
|
||||
func policiesForSystemAdmin(namespace rbac.Namespace) []*rbac.Policy {
|
||||
policies := []*rbac.Policy{}
|
||||
|
||||
for _, policy := range systemAdminProjectPolicies {
|
||||
policies = append(policies, &ram.Policy{
|
||||
policies = append(policies, &rbac.Policy{
|
||||
Resource: namespace.Resource(policy.Resource),
|
||||
Action: policy.Action,
|
||||
Effect: policy.Effect,
|
@ -15,7 +15,7 @@
|
||||
package project
|
||||
|
||||
import (
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
)
|
||||
|
||||
// visitorContext the context interface for the project visitor
|
||||
@ -27,10 +27,10 @@ type visitorContext interface {
|
||||
IsSysAdmin() bool
|
||||
}
|
||||
|
||||
// visitor implement the ram.User interface for project visitor
|
||||
// visitor implement the rbac.User interface for project visitor
|
||||
type visitor struct {
|
||||
ctx visitorContext
|
||||
namespace ram.Namespace
|
||||
namespace rbac.Namespace
|
||||
projectRoles []int
|
||||
}
|
||||
|
||||
@ -45,7 +45,7 @@ func (v *visitor) GetUserName() string {
|
||||
}
|
||||
|
||||
// GetPolicies returns policies of the visitor
|
||||
func (v *visitor) GetPolicies() []*ram.Policy {
|
||||
func (v *visitor) GetPolicies() []*rbac.Policy {
|
||||
if v.ctx.IsSysAdmin() {
|
||||
return policiesForSystemAdmin(v.namespace)
|
||||
}
|
||||
@ -58,12 +58,12 @@ func (v *visitor) GetPolicies() []*ram.Policy {
|
||||
}
|
||||
|
||||
// GetRoles returns roles of the visitor
|
||||
func (v *visitor) GetRoles() []ram.Role {
|
||||
func (v *visitor) GetRoles() []rbac.Role {
|
||||
if !v.ctx.IsAuthenticated() {
|
||||
return nil
|
||||
}
|
||||
|
||||
roles := []ram.Role{}
|
||||
roles := []rbac.Role{}
|
||||
|
||||
for _, roleID := range v.projectRoles {
|
||||
roles = append(roles, &visitorRole{roleID: roleID, namespace: v.namespace})
|
||||
@ -72,8 +72,8 @@ func (v *visitor) GetRoles() []ram.Role {
|
||||
return roles
|
||||
}
|
||||
|
||||
// NewUser returns ram.User interface for the project visitor
|
||||
func NewUser(ctx visitorContext, namespace ram.Namespace, projectRoles ...int) ram.User {
|
||||
// NewUser returns rbac.User interface for the project visitor
|
||||
func NewUser(ctx visitorContext, namespace rbac.Namespace, projectRoles ...int) rbac.User {
|
||||
return &visitor{
|
||||
ctx: ctx,
|
||||
namespace: namespace,
|
@ -16,11 +16,11 @@ package project
|
||||
|
||||
import (
|
||||
"github.com/goharbor/harbor/src/common"
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
)
|
||||
|
||||
var (
|
||||
rolePoliciesMap = map[string][]*ram.Policy{
|
||||
rolePoliciesMap = map[string][]*rbac.Policy{
|
||||
"projectAdmin": {
|
||||
{Resource: ResourceImage, Action: ActionPushPull}, // compatible with security all perm of project
|
||||
{Resource: ResourceImage, Action: ActionPush},
|
||||
@ -38,9 +38,9 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
// visitorRole implement the ram.Role interface
|
||||
// visitorRole implement the rbac.Role interface
|
||||
type visitorRole struct {
|
||||
namespace ram.Namespace
|
||||
namespace rbac.Namespace
|
||||
roleID int
|
||||
}
|
||||
|
||||
@ -59,8 +59,8 @@ func (role *visitorRole) GetRoleName() string {
|
||||
}
|
||||
|
||||
// GetPolicies returns policies for the visitor role
|
||||
func (role *visitorRole) GetPolicies() []*ram.Policy {
|
||||
policies := []*ram.Policy{}
|
||||
func (role *visitorRole) GetPolicies() []*rbac.Policy {
|
||||
policies := []*rbac.Policy{}
|
||||
|
||||
roleName := role.GetRoleName()
|
||||
if roleName == "" {
|
||||
@ -68,7 +68,7 @@ func (role *visitorRole) GetPolicies() []*ram.Policy {
|
||||
}
|
||||
|
||||
for _, policy := range rolePoliciesMap[roleName] {
|
||||
policies = append(policies, &ram.Policy{
|
||||
policies = append(policies, &rbac.Policy{
|
||||
Resource: role.namespace.Resource(policy.Resource),
|
||||
Action: policy.Action,
|
||||
Effect: policy.Effect,
|
@ -18,7 +18,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/goharbor/harbor/src/common"
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/stretchr/testify/suite"
|
||||
)
|
||||
|
||||
@ -50,8 +50,8 @@ type VisitorTestSuite struct {
|
||||
}
|
||||
|
||||
func (suite *VisitorTestSuite) TestGetPolicies() {
|
||||
namespace := ram.NewProjectNamespace("library", false)
|
||||
publicNamespace := ram.NewProjectNamespace("library", true)
|
||||
namespace := rbac.NewProjectNamespace("library", false)
|
||||
publicNamespace := rbac.NewProjectNamespace("library", true)
|
||||
|
||||
anonymous := NewUser(anonymousCtx, namespace)
|
||||
suite.Nil(anonymous.GetPolicies())
|
||||
@ -73,7 +73,7 @@ func (suite *VisitorTestSuite) TestGetPolicies() {
|
||||
}
|
||||
|
||||
func (suite *VisitorTestSuite) TestGetRoles() {
|
||||
namespace := ram.NewProjectNamespace("library", false)
|
||||
namespace := rbac.NewProjectNamespace("library", false)
|
||||
|
||||
anonymous := NewUser(anonymousCtx, namespace)
|
||||
suite.Nil(anonymous.GetRoles())
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
@ -87,14 +87,14 @@ func (p *Policy) GetEffect() string {
|
||||
return eft.String()
|
||||
}
|
||||
|
||||
// Role the interface of ram role
|
||||
// Role the interface of rbac role
|
||||
type Role interface {
|
||||
// GetRoleName returns the role identity, if empty string role's policies will be ignore
|
||||
GetRoleName() string
|
||||
GetPolicies() []*Policy
|
||||
}
|
||||
|
||||
// User the interface of ram user
|
||||
// User the interface of rbac user
|
||||
type User interface {
|
||||
// GetUserName returns the user identity, if empty string user's all policies will be ignore
|
||||
GetUserName() string
|
@ -12,7 +12,7 @@
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package ram
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"reflect"
|
@ -16,8 +16,8 @@ package admiral
|
||||
|
||||
import (
|
||||
"github.com/goharbor/harbor/src/common/models"
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/ram/project"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/goharbor/harbor/src/common/rbac/project"
|
||||
"github.com/goharbor/harbor/src/common/security/admiral/authcontext"
|
||||
"github.com/goharbor/harbor/src/core/promgr"
|
||||
)
|
||||
@ -72,32 +72,32 @@ func (s *SecurityContext) IsSolutionUser() bool {
|
||||
// HasReadPerm returns whether the user has read permission to the project
|
||||
func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// HasWritePerm returns whether the user has write permission to the project
|
||||
func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPush, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// HasAllPerm returns whether the user has all permissions to the project
|
||||
func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPushPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// Can returns whether the user can do action on resource
|
||||
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
|
||||
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
|
||||
ns, err := resource.GetNamespace()
|
||||
if err == nil {
|
||||
switch ns.Kind() {
|
||||
case "project":
|
||||
projectIDOrName := ns.Identity()
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
projectNamespace := ram.NewProjectNamespace(projectIDOrName, isPublicProject)
|
||||
projectNamespace := rbac.NewProjectNamespace(projectIDOrName, isPublicProject)
|
||||
user := project.NewUser(s, projectNamespace, s.GetProjectRoles(projectIDOrName)...)
|
||||
return ram.HasPermission(user, resource, action)
|
||||
return rbac.HasPermission(user, resource, action)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -19,8 +19,8 @@ import (
|
||||
"github.com/goharbor/harbor/src/common/dao"
|
||||
"github.com/goharbor/harbor/src/common/dao/group"
|
||||
"github.com/goharbor/harbor/src/common/models"
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/ram/project"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/goharbor/harbor/src/common/rbac/project"
|
||||
"github.com/goharbor/harbor/src/common/utils/log"
|
||||
"github.com/goharbor/harbor/src/core/promgr"
|
||||
)
|
||||
@ -70,32 +70,32 @@ func (s *SecurityContext) IsSolutionUser() bool {
|
||||
// HasReadPerm returns whether the user has read permission to the project
|
||||
func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// HasWritePerm returns whether the user has write permission to the project
|
||||
func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPush, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// HasAllPerm returns whether the user has all permissions to the project
|
||||
func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
return s.Can(project.ActionPushPull, ram.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
return s.Can(project.ActionPushPull, rbac.NewProjectNamespace(projectIDOrName, isPublicProject).Resource(project.ResourceImage))
|
||||
}
|
||||
|
||||
// Can returns whether the user can do action on resource
|
||||
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
|
||||
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
|
||||
ns, err := resource.GetNamespace()
|
||||
if err == nil {
|
||||
switch ns.Kind() {
|
||||
case "project":
|
||||
projectIDOrName := ns.Identity()
|
||||
isPublicProject, _ := s.pm.IsPublic(projectIDOrName)
|
||||
projectNamespace := ram.NewProjectNamespace(projectIDOrName, isPublicProject)
|
||||
projectNamespace := rbac.NewProjectNamespace(projectIDOrName, isPublicProject)
|
||||
user := project.NewUser(s, projectNamespace, s.GetProjectRoles(projectIDOrName)...)
|
||||
return ram.HasPermission(user, resource, action)
|
||||
return rbac.HasPermission(user, resource, action)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -19,7 +19,7 @@ import (
|
||||
|
||||
"github.com/goharbor/harbor/src/common"
|
||||
"github.com/goharbor/harbor/src/common/models"
|
||||
"github.com/goharbor/harbor/src/common/ram"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/goharbor/harbor/src/common/secret"
|
||||
"github.com/goharbor/harbor/src/common/utils/log"
|
||||
)
|
||||
@ -99,7 +99,7 @@ func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
||||
}
|
||||
|
||||
// Can returns whether the user can do action on resource
|
||||
func (s *SecurityContext) Can(action ram.Action, resource ram.Resource) bool {
|
||||
func (s *SecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
|
||||
if s.store == nil {
|
||||
return false
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user