mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-25 01:58:35 +01:00
filter access should work when user use email to docker login
This commit is contained in:
parent
ec9e21709c
commit
a6d88d7074
@ -95,8 +95,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
|
||||
}
|
||||
|
||||
// FilterAccess modify the action list in access based on permission
|
||||
// determine if the request needs to be authenticated.
|
||||
func FilterAccess(username string, authenticated bool, a *token.ResourceActions) {
|
||||
func FilterAccess(username string, a *token.ResourceActions) {
|
||||
|
||||
if a.Type == "registry" && a.Name == "catalog" {
|
||||
log.Infof("current access, type: %s, name:%s, actions:%v \n", a.Type, a.Name, a.Actions)
|
||||
@ -109,7 +108,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
|
||||
if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
|
||||
projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
|
||||
var permission string
|
||||
if authenticated {
|
||||
if len(username) > 0 {
|
||||
isAdmin, err := dao.IsAdminRole(username)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in IsAdminRole: %v", err)
|
||||
@ -152,7 +151,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
|
||||
func GenTokenForUI(username string, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
|
||||
access := GetResourceActions(scopes)
|
||||
for _, a := range access {
|
||||
FilterAccess(username, true, a)
|
||||
FilterAccess(username, a)
|
||||
}
|
||||
return MakeToken(username, service, access)
|
||||
}
|
||||
|
@ -38,7 +38,7 @@ type Handler struct {
|
||||
// checkes the permission agains local DB and generates jwt token.
|
||||
func (h *Handler) Get() {
|
||||
|
||||
var username, password string
|
||||
var uid, password, username string
|
||||
request := h.Ctx.Request
|
||||
service := h.GetString("service")
|
||||
scopes := h.GetStrings("scope")
|
||||
@ -49,15 +49,20 @@ func (h *Handler) Get() {
|
||||
log.Debugf("Will grant all access as this request is from job service with legal secret.")
|
||||
username = "job-service-user"
|
||||
} else {
|
||||
username, password, _ = request.BasicAuth()
|
||||
authenticated := authenticate(username, password)
|
||||
|
||||
if len(scopes) == 0 && !authenticated {
|
||||
log.Info("login request with invalid credentials")
|
||||
h.CustomAbort(http.StatusUnauthorized, "")
|
||||
uid, password, _ = request.BasicAuth()
|
||||
log.Debugf("uid for logging: %s", uid)
|
||||
user := authenticate(uid, password)
|
||||
if user == nil {
|
||||
log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
|
||||
if len(scopes) == 0 {
|
||||
h.CustomAbort(http.StatusUnauthorized, "")
|
||||
}
|
||||
} else {
|
||||
username = user.Username
|
||||
}
|
||||
log.Debugf("username for filtering access: %s.", username)
|
||||
for _, a := range access {
|
||||
FilterAccess(username, authenticated, a)
|
||||
FilterAccess(username, a)
|
||||
}
|
||||
}
|
||||
h.serveToken(username, service, access)
|
||||
@ -80,18 +85,14 @@ func (h *Handler) serveToken(username, service string, access []*token.ResourceA
|
||||
h.ServeJSON()
|
||||
}
|
||||
|
||||
func authenticate(principal, password string) bool {
|
||||
func authenticate(principal, password string) *models.User {
|
||||
user, err := auth.Login(models.AuthModel{
|
||||
Principal: principal,
|
||||
Password: password,
|
||||
})
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in UserLogin: %v", err)
|
||||
return false
|
||||
return nil
|
||||
}
|
||||
if user == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
return user
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user