filter access should work when user use email to docker login

Tan Jiang 2016-09-27 13:29:44 +08:00
parent ec9e21709c
commit a6d88d7074
2 changed files with 19 additions and 19 deletions


@ -95,8 +95,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
}
// FilterAccess modify the action list in access based on permission
// determine if the request needs to be authenticated.
func FilterAccess(username string, authenticated bool, a *token.ResourceActions) {
func FilterAccess(username string, a *token.ResourceActions) {
if a.Type == "registry" && a.Name == "catalog" {
log.Infof("current access, type: %s, name:%s, actions:%v \n", a.Type, a.Name, a.Actions)
@ -109,7 +108,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
var permission string
if authenticated {
if len(username) > 0 {
isAdmin, err := dao.IsAdminRole(username)
if err != nil {
log.Errorf("Error occurred in IsAdminRole: %v", err)
@ -152,7 +151,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
func GenTokenForUI(username string, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
access := GetResourceActions(scopes)
for _, a := range access {
FilterAccess(username, true, a)
FilterAccess(username, a)
}
return MakeToken(username, service, access)
}
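Review bot: The authorization decision in FilterAccess now hinges on `len(username) > 0` standing in for the removed `authenticated` flag, so any caller that passes a non-empty username that was not produced by a successful login will be treated as an authenticated user and reach the `dao.IsAdminRole`/project-permission path. That contract is not stated anywhere, and the doc comment still reads as a fragment ("modify the action list in access based on permission / determine if the request needs to be authenticated"). I would replace it with `// FilterAccess narrows a.Actions to what username is permitted on the requested resource.` followed by `// An empty username denotes an anonymous request; callers must pass a non-empty username only after authentication succeeded.` The body of FilterAccess continues outside these hunks, so the anonymous branch itself is not visible here.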


@ -38,7 +38,7 @@ type Handler struct {
// checkes the permission agains local DB and generates jwt token.
func (h *Handler) Get() {
var username, password string
var uid, password, username string
request := h.Ctx.Request
service := h.GetString("service")
scopes := h.GetStrings("scope")
@ -49,15 +49,20 @@ func (h *Handler) Get() {
log.Debugf("Will grant all access as this request is from job service with legal secret.")
username = "job-service-user"
} else {
username, password, _ = request.BasicAuth()
authenticated := authenticate(username, password)
if len(scopes) == 0 && !authenticated {
log.Info("login request with invalid credentials")
h.CustomAbort(http.StatusUnauthorized, "")
uid, password, _ = request.BasicAuth()
log.Debugf("uid for logging: %s", uid)
user := authenticate(uid, password)
if user == nil {
log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
if len(scopes) == 0 {
h.CustomAbort(http.StatusUnauthorized, "")
}
} else {
username = user.Username
}
log.Debugf("username for filtering access: %s.", username)
for _, a := range access {
FilterAccess(username, authenticated, a)
FilterAccess(username, a)
}
}
h.serveToken(username, service, access)
@ -80,18 +85,14 @@ func (h *Handler) serveToken(username, service string, access []*token.ResourceA
h.ServeJSON()
}
func authenticate(principal, password string) bool {
func authenticate(principal, password string) *models.User {
user, err := auth.Login(models.AuthModel{
Principal: principal,
Password: password,
})
if err != nil {
log.Errorf("Error occurred in UserLogin: %v", err)
return false
return nil
}
if user == nil {
return false
}
return true
return user
}
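Review bot: The credential-less case is not separated from a wrong-password case at the `request.BasicAuth()` call: its boolean result is discarded, so a request with no Authorization header (an ordinary anonymous pull) goes through `authenticate("", "")`, sends empty credentials to whatever backend `auth.Login` is configured with, and now emits the new "invalid credentials" warning for every anonymous request. Checking that result and calling authenticate only when credentials were actually supplied avoids the backend round-trip and the log noise while preserving the 401 on an empty-scope login attempt. Whether the configured backend rejects an empty principal safely cannot be told from this file, which is one more reason not to rely on it. Note also that `uid` may be an e-mail address, so the debug line logging it is recording PII; that is a policy call for the project.
```go
		uid, password, hasCreds := request.BasicAuth()
		var user *models.User
		if hasCreds {
			user = authenticate(uid, password)
		}
		if user == nil {
			if hasCreds {
				log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
			}
			if len(scopes) == 0 {
				h.CustomAbort(http.StatusUnauthorized, "")
			}
		} else {
			username = user.Username
		}
		// … unchanged: FilterAccess loop and serveToken …
```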