fix robot account creation issue (#21310)

fixes #21251 Signed-off-by: wang yan <wangyan@vmware.com>
2024-12-22 16:48:30 +01:00 · 2024-12-13 11:11:44 +08:00 · 2024-12-13 11:11:44 +08:00 · c7cf57bdf8
commit c7cf57bdf8
parent 29bd094732
2 changed files with 96 additions and 3 deletions
--- a/src/server/v2.0/handler/robot.go
+++ b/src/server/v2.0/handler/robot.go
@ -481,11 +481,14 @@ func isValidPermissionScope(creating []*models.RobotPermission, creator []*robot

 	for _, pCreating := range creating {
 		key := fmt.Sprintf("%s:%s", pCreating.Kind, pCreating.Namespace)
-		creatingPerm, found := creatorMap[key]
+		creatorPerm, found := creatorMap[key]
 		if !found {
-			return false
+			allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
+			if creatorPerm, found = creatorMap[allProjects]; !found {
+				return false
+			}
 		}
-		if !hasLessThanOrEqualAccess(pCreating.Access, creatingPerm.Access) {
+		if !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
 			return false
 		}
 	}
--- a/src/server/v2.0/handler/robot_test.go
+++ b/src/server/v2.0/handler/robot_test.go
@ -382,6 +382,96 @@ func TestValidPermissionScope(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "System - subset project",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all 2",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "update", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {