mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-26 20:26:13 +01:00
Add Can method to securty.Context interface (#6779)
* Add Can method to security.Context interface
Signed-off-by: He Weiwei <hweiwei@vmware.com>
* Improve mockSecurityContext Can method
Signed-off-by: He Weiwei <hweiwei@vmware.com>
parent
5abfa2de3a
commit
ae061482ae
@ -16,6 +16,7 @@ package security
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/goharbor/harbor/src/common/models"
|
"github.com/goharbor/harbor/src/common/models"
|
||||||
|
"github.com/goharbor/harbor/src/common/rbac"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Context abstracts the operations related with authN and authZ
|
// Context abstracts the operations related with authN and authZ
|
||||||
@ -38,4 +39,6 @@ type Context interface {
|
|||||||
GetMyProjects() ([]*models.Project, error)
|
GetMyProjects() ([]*models.Project, error)
|
||||||
// Get user's role in provided project
|
// Get user's role in provided project
|
||||||
GetProjectRoles(projectIDOrName interface{}) []int
|
GetProjectRoles(projectIDOrName interface{}) []int
|
||||||
|
// Can returns whether the user can do action on resource
|
||||||
|
Can(action rbac.Action, resource rbac.Resource) bool
|
||||||
}
|
}
|
||||||
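Review bot: The doc comment on the new `Can` method does not say what an implementation must return when the decision cannot be evaluated, and the `bool` result gives callers no way to tell "denied" from "could not decide". The mock added in this same commit returns false when `resource.GetNamespace()` fails or the namespace kind is not `project`, so the contract should spell out that fail-closed behaviour: `// Can returns whether the user can do action on resource. Implementations must return false when the namespace cannot be resolved or the check cannot be completed.` It would also help to state how `Can` relates to the per-project `Has*Perm` checks that the mocks on this page still implement, so the two paths do not drift apart. The interface body starts outside this hunk, so the remaining methods are not visible here.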
|
@ -8,6 +8,8 @@ import (
|
|||||||
|
|
||||||
"github.com/goharbor/harbor/src/chartserver"
|
"github.com/goharbor/harbor/src/chartserver"
|
||||||
"github.com/goharbor/harbor/src/common/models"
|
"github.com/goharbor/harbor/src/common/models"
|
||||||
|
"github.com/goharbor/harbor/src/common/rbac"
|
||||||
|
"github.com/goharbor/harbor/src/common/rbac/project"
|
||||||
"github.com/goharbor/harbor/src/core/promgr/metamgr"
|
"github.com/goharbor/harbor/src/core/promgr/metamgr"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -311,32 +313,12 @@ func (msc *mockSecurityContext) IsSolutionUser() bool {
|
|||||||
|
|
||||||
// HasReadPerm returns whether the user has read permission to the project
|
// HasReadPerm returns whether the user has read permission to the project
|
||||||
func (msc *mockSecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
func (msc *mockSecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
|
||||||
if projectIDOrName == nil {
|
return msc.Can(project.ActionPull, rbac.NewProjectNamespace(projectIDOrName, false).Resource(project.ResourceImage))
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
if ns, ok := projectIDOrName.(string); ok {
|
|
||||||
if ns == "library" {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// HasWritePerm returns whether the user has write permission to the project
|
// HasWritePerm returns whether the user has write permission to the project
|
||||||
func (msc *mockSecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
func (msc *mockSecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
||||||
if projectIDOrName == nil {
|
return msc.Can(project.ActionPush, rbac.NewProjectNamespace(projectIDOrName, false).Resource(project.ResourceImage))
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
if ns, ok := projectIDOrName.(string); ok {
|
|
||||||
if ns == "library" {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// HasAllPerm returns whether the user has all permissions to the project
|
// HasAllPerm returns whether the user has all permissions to the project
|
||||||
@ -344,6 +326,28 @@ func (msc *mockSecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
|||||||
return msc.HasReadPerm(projectIDOrName) && msc.HasWritePerm(projectIDOrName)
|
return msc.HasReadPerm(projectIDOrName) && msc.HasWritePerm(projectIDOrName)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Can returns whether the user can do action on resource
|
||||||
|
func (msc *mockSecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
|
||||||
|
namespace, err := resource.GetNamespace()
|
||||||
|
if err != nil || namespace.Kind() != "project" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
projectIDOrName := namespace.Identity()
|
||||||
|
|
||||||
|
if projectIDOrName == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
if ns, ok := projectIDOrName.(string); ok {
|
||||||
|
if ns == "library" {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// Get current user's all project
|
// Get current user's all project
|
||||||
func (msc *mockSecurityContext) GetMyProjects() ([]*models.Project, error) {
|
func (msc *mockSecurityContext) GetMyProjects() ([]*models.Project, error) {
|
||||||
return []*models.Project{{ProjectID: 0, Name: "library"}}, nil
|
return []*models.Project{{ProjectID: 0, Name: "library"}}, nil
|
||||||
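Review bot: The new `mockSecurityContext.Can` never reads `action` and only inspects the namespace of `resource`, so it answers true for every action on anything under the `library` project. `HasReadPerm` and `HasWritePerm` now route through it with `project.ActionPull` and `project.ActionPush`, but those values have no effect, so a test built on this mock cannot detect a handler that checks the wrong action or resource. Either compare `action` against the actions the mock is meant to grant, or state the limitation on the method, for example `// Can ignores action and the rest of resource: anything in project "library" is allowed, everything else is denied.` A nil `projectIDOrName` is also now passed into `rbac.NewProjectNamespace` instead of being rejected up front; whether `namespace.Identity()` then compares equal to nil depends on code outside this page, so the old nil case deserves an explicit test.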
|
@ -30,6 +30,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/goharbor/harbor/src/common/models"
|
"github.com/goharbor/harbor/src/common/models"
|
||||||
|
"github.com/goharbor/harbor/src/common/rbac"
|
||||||
"github.com/goharbor/harbor/src/common/utils/test"
|
"github.com/goharbor/harbor/src/common/utils/test"
|
||||||
"github.com/goharbor/harbor/src/core/config"
|
"github.com/goharbor/harbor/src/core/config"
|
||||||
)
|
)
|
||||||
@ -260,6 +261,9 @@ func (f *fakeSecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
|
|||||||
func (f *fakeSecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
func (f *fakeSecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
func (f *fakeSecurityContext) Can(action rbac.Action, resource rbac.Resource) bool {
|
||||||
|
return false
|
||||||
|
}
|
||||||
func (f *fakeSecurityContext) GetMyProjects() ([]*models.Project, error) {
|
func (f *fakeSecurityContext) GetMyProjects() ([]*models.Project, error) {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|