mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-31 13:08:05 +01:00
remove middleware regtoken
Remove it since we don's use bearer token as the registry token and the skipper of scanner pull will be covered in the robot account access scope. Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
parent
50e9d1a56e
commit
ddc0f83ccd
@ -49,9 +49,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
|
||||
if !ok {
|
||||
return false, none
|
||||
}
|
||||
if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
||||
return false, none
|
||||
}
|
||||
if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
|
||||
return false, af
|
||||
}
|
||||
|
@ -1,66 +0,0 @@
|
||||
package regtoken
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"github.com/docker/distribution/registry/auth"
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/goharbor/harbor/src/common/utils/log"
|
||||
pkg_token "github.com/goharbor/harbor/src/pkg/token"
|
||||
"github.com/goharbor/harbor/src/pkg/token/claims/registry"
|
||||
serror "github.com/goharbor/harbor/src/server/error"
|
||||
"github.com/goharbor/harbor/src/server/middleware"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// Middleware parses the docker pull bearer token and check whether it's a scanner pull.
|
||||
func Middleware() func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
||||
err := parseToken(req)
|
||||
if err != nil {
|
||||
serror.SendError(rw, err)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(rw, req)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func parseToken(req *http.Request) error {
|
||||
art, ok := middleware.ArtifactInfoFromContext(req.Context())
|
||||
if !ok {
|
||||
return errors.New("cannot get the manifest information from request context")
|
||||
}
|
||||
|
||||
parts := strings.Split(req.Header.Get("Authorization"), " ")
|
||||
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
|
||||
return nil
|
||||
}
|
||||
|
||||
rawToken := parts[1]
|
||||
opt := pkg_token.DefaultTokenOptions()
|
||||
regTK, err := pkg_token.Parse(opt, rawToken, ®istry.Claim{})
|
||||
if err != nil {
|
||||
log.Errorf("failed to decode reg token: %v, the error is skipped and round the request to native registry.", err)
|
||||
return nil
|
||||
}
|
||||
|
||||
accessItems := []auth.Access{}
|
||||
accessItems = append(accessItems, auth.Access{
|
||||
Resource: auth.Resource{
|
||||
Type: rbac.ResourceRepository.String(),
|
||||
Name: art.Repository,
|
||||
},
|
||||
Action: rbac.ActionScannerPull.String(),
|
||||
})
|
||||
|
||||
accessSet := regTK.Claims.(*registry.Claim).GetAccess()
|
||||
for _, access := range accessItems {
|
||||
if accessSet.Contains(access) {
|
||||
*req = *(req.WithContext(middleware.NewScannerPullContext(req.Context(), true)))
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
@ -1,64 +0,0 @@
|
||||
package regtoken
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"github.com/goharbor/harbor/src/core/middlewares/util"
|
||||
"github.com/goharbor/harbor/src/server/middleware"
|
||||
"github.com/stretchr/testify/suite"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"testing"
|
||||
)
|
||||
|
||||
type HandlerSuite struct {
|
||||
suite.Suite
|
||||
}
|
||||
|
||||
func doPullManifestRequest(projectName, name, tag string, next ...http.HandlerFunc) int {
|
||||
repository := fmt.Sprintf("%s/%s", projectName, name)
|
||||
|
||||
url := fmt.Sprintf("/v2/%s/manifests/%s", repository, tag)
|
||||
req, _ := http.NewRequest("GET", url, nil)
|
||||
|
||||
token := "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkNWUTc6REM3NTpHVEROOkxTTUs6VUFJTjpIUUVWOlZVSDQ6Q0lRRDpRV01COlM0Qzc6U0c0STpGRUhYIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoicm9ib3QkZGVtbzExIiwiYXVkIjoiaGFyYm9yLXJlZ2lzdHJ5IiwiZXhwIjoxNTcxNzYzOTI2LCJuYmYiOjE1NzE3NjM4NjYsImlhdCI6MTU3MTc2Mzg2NiwianRpIjoiTnRaZWx4Z01KTUU1MXlEMCIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibGlicmFyeS9oZWxsby13b3JsZCIsImFjdGlvbnMiOlsicHVzaCIsIioiLCJwdWxsIiwic2Nhbm5lcnB1bGwiXX1dfQ.GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ 0xc0003c77c0 map[alg:RS256 kid:CVQ7:DC75:GTDN:LSMK:UAIN:HQEV:VUH4:CIQD:QWMB:S4C7:SG4I:FEHX typ:JWT] 0xc000496000 GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ"
|
||||
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
|
||||
rr := httptest.NewRecorder()
|
||||
|
||||
af := &middleware.ArtifactInfo{
|
||||
Repository: name,
|
||||
Reference: tag,
|
||||
Tag: tag,
|
||||
Digest: "",
|
||||
}
|
||||
|
||||
var n http.HandlerFunc
|
||||
if len(next) > 0 {
|
||||
n = next[0]
|
||||
} else {
|
||||
n = func(w http.ResponseWriter, req *http.Request) {
|
||||
w.WriteHeader(http.StatusNotFound)
|
||||
}
|
||||
}
|
||||
ctx := context.WithValue(req.Context(), middleware.ArtifactInfoKey, af)
|
||||
*req = *(req.WithContext(ctx))
|
||||
n.ServeHTTP(util.NewCustomResponseWriter(rr), req)
|
||||
|
||||
return rr.Code
|
||||
}
|
||||
|
||||
func (suite *HandlerSuite) TestPullManifest() {
|
||||
code1 := doPullManifestRequest("library", "photon", "release-1.10")
|
||||
suite.Equal(http.StatusNotFound, code1)
|
||||
}
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
if result := m.Run(); result != 0 {
|
||||
os.Exit(result)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRunHandlerSuite(t *testing.T) {
|
||||
suite.Run(t, new(HandlerSuite))
|
||||
}
|
@ -29,8 +29,6 @@ const (
|
||||
DigestSubexp = "digest"
|
||||
// ArtifactInfoKey the context key for artifact info
|
||||
ArtifactInfoKey = contextKey("artifactInfo")
|
||||
// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
|
||||
ScannerPullCtxKey = contextKey("ScannerPullCheck")
|
||||
)
|
||||
|
||||
var (
|
||||
@ -86,17 +84,6 @@ func EnsureArtifactDigest(ctx context.Context) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// NewScannerPullContext returns context with policy check info
|
||||
func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
|
||||
return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
|
||||
}
|
||||
|
||||
// ScannerPullFromContext returns whether to bypass policy check
|
||||
func ScannerPullFromContext(ctx context.Context) (bool, bool) {
|
||||
info, ok := ctx.Value(ScannerPullCtxKey).(bool)
|
||||
return info, ok
|
||||
}
|
||||
|
||||
// CopyResp ...
|
||||
func CopyResp(rec *httptest.ResponseRecorder, rw http.ResponseWriter) {
|
||||
for k, v := range rec.Header() {
|
||||
|
@ -105,9 +105,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
|
||||
return false, af, vs, wl
|
||||
}
|
||||
|
||||
if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
||||
return false, af, vs, wl
|
||||
}
|
||||
// Is vulnerable policy set?
|
||||
projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
|
||||
if !projectVulnerableEnabled {
|
||||
|
@ -21,7 +21,6 @@ import (
|
||||
"github.com/goharbor/harbor/src/server/middleware/blob"
|
||||
"github.com/goharbor/harbor/src/server/middleware/contenttrust"
|
||||
"github.com/goharbor/harbor/src/server/middleware/immutable"
|
||||
"github.com/goharbor/harbor/src/server/middleware/regtoken"
|
||||
"github.com/goharbor/harbor/src/server/middleware/v2auth"
|
||||
"github.com/goharbor/harbor/src/server/middleware/vulnerable"
|
||||
"github.com/goharbor/harbor/src/server/router"
|
||||
@ -47,7 +46,6 @@ func RegisterRoutes() {
|
||||
root.NewRoute().
|
||||
Method(http.MethodGet).
|
||||
Path("/*/manifests/:reference").
|
||||
Middleware(regtoken.Middleware()).
|
||||
Middleware(contenttrust.Middleware()).
|
||||
Middleware(vulnerable.Middleware()).
|
||||
HandlerFunc(getManifest)
|
||||
|
Loading…
Reference in New Issue
Block a user