Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2025-02-27 17:21:58 +01:00
Code Issues Projects Releases Wiki Activity

Use system configuration resource for permission checking

Browse Source 
This commit uses system configuration resource for permission check
against API to ping OIDC and update systen CVE allowlist.
Fixes #14386

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2021-05-18 16:06:58 +08:00
parent 0a8ff4c1f9
commit c41d75fb31
4 changed files with 4 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/common/rbac/const.go
View File

@ -73,6 +73,4 @@ const (
ResourceReplicationPolicy = Resource("replication-policy") ResourceReplicationPolicy = Resource("replication-policy")
ResourceScanAll = Resource("scan-all") ResourceScanAll = Resource("scan-all")
ResourceSystemVolumes = Resource("system-volumes") ResourceSystemVolumes = Resource("system-volumes")
ResourceOIDCEndpoint = Resource("oidc-endpoint")
ResourceSystemCVEAllowList = Resource("system-cve-allowlist")
) )

6
src/common/rbac/system/policies.go
View File

@ -61,11 +61,9 @@ var (
{Resource: rbac.ResourceSystemVolumes, Action: rbac.ActionRead}, {Resource: rbac.ResourceSystemVolumes, Action: rbac.ActionRead},
{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionUpdate},
{Resource: rbac.ResourceOIDCEndpoint, Action: rbac.ActionRead},
{Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate}, {Resource: rbac.ResourceLdapUser, Action: rbac.ActionCreate},
{Resource: rbac.ResourceLdapUser, Action: rbac.ActionList}, {Resource: rbac.ResourceLdapUser, Action: rbac.ActionList},
{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionRead}, {Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},
{Resource: rbac.ResourceSystemCVEAllowList, Action: rbac.ActionUpdate}, {Resource: rbac.ResourceConfiguration, Action: rbac.ActionUpdate},
} }
) )

2
src/server/v2.0/handler/oidc.go
View File

@ -20,7 +20,7 @@ func newOIDCAPI() *oidcAPI {
} }
func (o oidcAPI) PingOIDC(ctx context.Context, params oidc.PingOIDCParams) middleware.Responder { func (o oidcAPI) PingOIDC(ctx context.Context, params oidc.PingOIDCParams) middleware.Responder {
if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceOIDCEndpoint); err != nil { if err := o.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
return o.SendError(ctx, err) return o.SendError(ctx, err)
} }
err := oidcpkg.TestEndpoint(oidcpkg.Conn{ err := oidcpkg.TestEndpoint(oidcpkg.Conn{

2
src/server/v2.0/handler/sys_cve_allowlist.go
View File

@ -38,7 +38,7 @@ func newSystemCVEAllowListAPI() *systemCVEAllowListAPI {
} }
func (s systemCVEAllowListAPI) PutSystemCVEAllowlist(ctx context.Context, params system_cve_allowlist.PutSystemCVEAllowlistParams) middleware.Responder { func (s systemCVEAllowListAPI) PutSystemCVEAllowlist(ctx context.Context, params system_cve_allowlist.PutSystemCVEAllowlistParams) middleware.Responder {
if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceSystemCVEAllowList); err != nil { if err := s.RequireSystemAccess(ctx, rbac.ActionUpdate, rbac.ResourceConfiguration); err != nil {
return s.SendError(ctx, err) return s.SendError(ctx, err)
} }
l := models.CVEAllowlist{} l := models.CVEAllowlist{}