fix robot account creation issue (#21310)
fixes #21251 Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
parent
29bd094732
commit
c7cf57bdf8
@ -481,11 +481,14 @@ func isValidPermissionScope(creating []*models.RobotPermission, creator []*robot
|
||||
|
||||
for _, pCreating := range creating {
|
||||
key := fmt.Sprintf("%s:%s", pCreating.Kind, pCreating.Namespace)
|
||||
creatingPerm, found := creatorMap[key]
|
||||
creatorPerm, found := creatorMap[key]
|
||||
if !found {
|
||||
return false
|
||||
allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
|
||||
if creatorPerm, found = creatorMap[allProjects]; !found {
|
||||
return false
|
||||
}
|
||||
}
|
||||
if !hasLessThanOrEqualAccess(pCreating.Access, creatingPerm.Access) {
|
||||
if !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
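Review bot: The wildcard fallback introduced at `allProjects` is consulted only when the exact `Kind:Namespace` key is absent from creatorMap, so a creator that holds both a narrow `project:test1` entry and a broad `project:*` entry is judged by the narrow entry alone and rejected even though the wildcard would cover the request; the outcome is fail-closed, so this is a usability gap rather than an escalation, but it is inconsistent with what the fallback is meant to express. Whether a creator can actually carry both entries is not visible in this hunk; if it can, treat the wildcard as an alternative grant rather than a substitute key: try the exact entry, then the wildcard, and reject only when neither grants at least the requested access. The check should also record the invariant it depends on, e.g. `// creatorMap is built from the creator's own permissions; "*" is the only recognised wildcard, so an unknown kind or namespace fails closed.` isValidPermissionScope starts before this hunk and its final return lies after it.
```go
	for _, pCreating := range creating {
		key := fmt.Sprintf("%s:%s", pCreating.Kind, pCreating.Namespace)
		// creatorMap is built from the creator's own permissions; "*" is the
		// only recognised wildcard, so an unknown kind or namespace fails closed.
		// Either the exact entry or the kind-wide wildcard may cover the request.
		allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
		covered := false
		for _, k := range []string{key, allProjects} {
			if creatorPerm, found := creatorMap[k]; found && hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
				covered = true
				break
			}
		}
		if !covered {
			return false
		}
	}
```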
@ -382,6 +382,96 @@ func TestValidPermissionScope(t *testing.T) {
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
name: "System - subset project",
|
||||
creatingPerms: []*models.RobotPermission{
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "test1",
|
||||
Access: []*models.Access{
|
||||
{Resource: "user", Action: "delete", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
creatorPerms: []*robot.Permission{
|
||||
{
|
||||
Kind: "system",
|
||||
Namespace: "/",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "robot", Action: "create", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "test1",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "user", Action: "create", Effect: "allow"},
|
||||
{Resource: "user", Action: "delete", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
name: "System - cover all",
|
||||
creatingPerms: []*models.RobotPermission{
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "test1",
|
||||
Access: []*models.Access{
|
||||
{Resource: "user", Action: "delete", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
creatorPerms: []*robot.Permission{
|
||||
{
|
||||
Kind: "system",
|
||||
Namespace: "/",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "robot", Action: "create", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "*",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "user", Action: "create", Effect: "allow"},
|
||||
{Resource: "user", Action: "delete", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
name: "System - cover all 2",
|
||||
creatingPerms: []*models.RobotPermission{
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "test1",
|
||||
Access: []*models.Access{
|
||||
{Resource: "user", Action: "update", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
creatorPerms: []*robot.Permission{
|
||||
{
|
||||
Kind: "system",
|
||||
Namespace: "/",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "robot", Action: "create", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "*",
|
||||
Access: []*types.Policy{
|
||||
{Resource: "user", Action: "create", Effect: "allow"},
|
||||
{Resource: "user", Action: "delete", Effect: "allow"},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|
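Review bot: The new cases exercise the `project:*` fallback only in the permissive direction; none asserts that a creator holding a single concrete project cannot mint a robot whose own permission namespace is `*`, which is the escalation the creatorMap lookup must block (the exact key `project:*` is absent and the fallback resolves to the same absent key, so the expected result is false). Pinning that case keeps the fail-closed behaviour from regressing if the fallback is later broadened. The name `System - cover all 2` also reads as a positive case although it expects false; `System - wildcard lacks requested action` would say what it checks. TestValidPermissionScope starts before this hunk and the `t.Run` loop continues after it.
```go
		{
			name: "Project - cannot claim wildcard namespace",
			creatingPerms: []*models.RobotPermission{
				{
					Kind:      "project",
					Namespace: "*",
					Access: []*models.Access{
						{Resource: "user", Action: "delete", Effect: "allow"},
					},
				},
			},
			creatorPerms: []*robot.Permission{
				{
					Kind:      "project",
					Namespace: "test1",
					Access: []*types.Policy{
						{Resource: "user", Action: "delete", Effect: "allow"},
					},
				},
			},
			expected: false,
		},
		// … unchanged: remaining cases and the t.Run loop …
```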