Onboard user when doing token review

This commit will make the "tokenreview" security filter onboard user if the request carries a valid token. If the "skipsearch" flag in http_auth setting is set to false the onboard will fail. Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2025-02-02 21:11:37 +01:00 · 2019-12-25 19:32:41 +08:00 · 2019-12-25 19:32:41 +08:00 · 94a3da33e6
commit 94a3da33e6
parent 9755d879db
2 changed files with 18 additions and 28 deletions
--- a/src/core/filter/security.go
+++ b/src/core/filter/security.go
@ -334,17 +334,26 @@ func (ap *authProxyReqCtxModifier) Modify(ctx *beegoctx.Context) bool {
 		log.Errorf("user name doesn't match with token: %s", rawUserName)
 		return false
 	}
 	user, err := dao.GetUser(models.User{
 		Username: rawUserName,
 	})
 	if err != nil {
-		log.Errorf("fail to get user: %v", err)
+		log.Errorf("fail to get user: %s, error: %v", rawUserName, err)
 		return false
 	}
-	if user == nil {
+	if user == nil { // onboard user if it's not yet onboarded.
-		log.Errorf("User: %s has not been on boarded yet.", rawUserName)
+		uid, err := auth.SearchAndOnBoardUser(rawUserName)
-		return false
+		if err != nil {
 			log.Errorf("Failed to search and onboard user, username: %s, error: %v", rawUserName, err)
 			return false
 		}
 		user, err = dao.GetUser(models.User{
 			UserID: uid,
 		})
 		if err != nil {
 			log.Errorf("Fail to get user, name: %s, ID: %d, error: %v", rawUserName, uid, err)
 			return false
 		}
 	}
 	u2, err := authproxy.UserFromReviewStatus(tokenReviewStatus)
 	if err != nil {
--- a/src/core/filter/security_test.go
+++ b/src/core/filter/security_test.go
@ -39,6 +39,7 @@ import (
 	"github.com/goharbor/harbor/src/common/security/local"
 	"github.com/goharbor/harbor/src/common/security/secret"
 	"github.com/goharbor/harbor/src/common/utils/test"
 	_ "github.com/goharbor/harbor/src/core/auth/authproxy"
 	_ "github.com/goharbor/harbor/src/core/auth/db"
 	_ "github.com/goharbor/harbor/src/core/auth/ldap"
 	"github.com/goharbor/harbor/src/core/config"
@ -270,33 +271,13 @@ func TestAuthProxyReqCtxModifier(t *testing.T) {
 	addToReqContext(req, AuthModeKey, common.HTTPAuth)
 	ctx, err := newContext(req)
 	if err != nil {
-		t.Fatalf("failed to crate context: %v", err)
+		t.Fatalf("failed to create context: %v", err)
 	}
 	modifier := &authProxyReqCtxModifier{}
 	modified := modifier.Modify(ctx)
 	assert.False(t, modified)
 	// Onboard
 	err = dao.OnBoardUser(&models.User{
 		Username: "administrator@vsphere.local",
 	})
 	assert.Nil(t, err)
 	req, err = http.NewRequest(http.MethodGet,
 		"http://127.0.0.1/service/token", nil)
 	if err != nil {
 		t.Fatalf("failed to create request: %v", req)
 	}
 	req.SetBasicAuth("tokenreview$administrator@vsphere.local", "reviEwt0k3n")
 	addToReqContext(req, AuthModeKey, common.HTTPAuth)
 	ctx, err = newContext(req)
 	if err != nil {
 		t.Fatalf("failed to crate context: %v", err)
 	}
 	modifier = &authProxyReqCtxModifier{}
 	modified = modifier.Modify(ctx)
 	assert.True(t, modified)
 }
 func TestBasicAuthReqCtxModifier(t *testing.T) {
@ -347,7 +328,7 @@ func TestSessionReqCtxModifier(t *testing.T) {
 	addToReqContext(req, AuthModeKey, common.DBAuth)
 	ctx, err := newContext(req)
 	if err != nil {
-		t.Fatalf("failed to crate context: %v", err)
+		t.Fatalf("failed to create context: %v", err)
 	}
 	modifier := &sessionReqCtxModifier{}