Merge pull request #844 from reasonerjt/master

filter access should work when user use email to docker login
2024-09-30 06:18:02 +02:00 · 2016-09-28 17:13:46 +08:00 · 2016-09-28 17:13:46 +08:00 · e08555d99f
commit e08555d99f
parent dde0ea1fde f22f102654
3 changed files with 23 additions and 32 deletions
--- a/service/notification.go
+++ b/service/notification.go
@ -71,12 +71,6 @@ func (n *NotificationHandler) Post() {
 			}
 		}()
 		if action == "push" {
-			go func() {
-				if err := cache.RefreshCatalogCache(); err != nil {
-					log.Errorf("failed to refresh cache: %v", err)
-				}
-			}()
-
 			go func() {
 				exist := dao.RepositoryExists(repository)
 				if exist {
@ -87,14 +81,11 @@ func (n *NotificationHandler) Post() {
 				if err := dao.AddRepository(repoRecord); err != nil {
 					log.Errorf("Error happens when adding repository: %v", err)
 				}
+				if err := cache.RefreshCatalogCache(); err != nil {
+					log.Errorf("failed to refresh cache: %v", err)
+				}
 			}()
-
-			operation := ""
-			if action == "push" {
-				operation = models.RepOpTransfer
-			}
-
-			go api.TriggerReplicationByRepository(repository, []string{tag}, operation)
+			go api.TriggerReplicationByRepository(repository, []string{tag}, models.RepOpTransfer)
 		}
 		if action == "pull" {
 			go func() {
--- a/service/token/authutils.go
+++ b/service/token/authutils.go
@ -95,8 +95,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
 }

 // FilterAccess modify the action list in access based on permission
-// determine if the request needs to be authenticated.
-func FilterAccess(username string, authenticated bool, a *token.ResourceActions) {
+func FilterAccess(username string, a *token.ResourceActions) {

 	if a.Type == "registry" && a.Name == "catalog" {
 		log.Infof("current access, type: %s, name:%s, actions:%v \n", a.Type, a.Name, a.Actions)
@ -109,7 +108,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 		if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
 			projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
 			var permission string
-			if authenticated {
+			if len(username) > 0 {
 				isAdmin, err := dao.IsAdminRole(username)
 				if err != nil {
 					log.Errorf("Error occurred in IsAdminRole: %v", err)
@ -152,7 +151,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 func GenTokenForUI(username string, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
 	access := GetResourceActions(scopes)
 	for _, a := range access {
-		FilterAccess(username, true, a)
+		FilterAccess(username, a)
 	}
 	return MakeToken(username, service, access)
 }
--- a/service/token/token.go
+++ b/service/token/token.go
@ -38,7 +38,7 @@ type Handler struct {
 // checkes the permission agains local DB and generates jwt token.
 func (h *Handler) Get() {

-	var username, password string
+	var uid, password, username string
 	request := h.Ctx.Request
 	service := h.GetString("service")
 	scopes := h.GetStrings("scope")
@ -49,15 +49,20 @@ func (h *Handler) Get() {
 		log.Debugf("Will grant all access as this request is from job service with legal secret.")
 		username = "job-service-user"
 	} else {
-		username, password, _ = request.BasicAuth()
-		authenticated := authenticate(username, password)
-
-		if len(scopes) == 0 && !authenticated {
-			log.Info("login request with invalid credentials")
-			h.CustomAbort(http.StatusUnauthorized, "")
+		uid, password, _ = request.BasicAuth()
+		log.Debugf("uid for logging: %s", uid)
+		user := authenticate(uid, password)
+		if user == nil {
+			log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
+			if len(scopes) == 0 {
+				h.CustomAbort(http.StatusUnauthorized, "")
+			}
+		} else {
+			username = user.Username
 		}
+		log.Debugf("username for filtering access: %s.", username)
 		for _, a := range access {
-			FilterAccess(username, authenticated, a)
+			FilterAccess(username, a)
 		}
 	}
 	h.serveToken(username, service, access)
@ -80,18 +85,14 @@ func (h *Handler) serveToken(username, service string, access []*token.ResourceA
 	h.ServeJSON()
 }

-func authenticate(principal, password string) bool {
+func authenticate(principal, password string) *models.User {
 	user, err := auth.Login(models.AuthModel{
 		Principal: principal,
 		Password:  password,
 	})
 	if err != nil {
 		log.Errorf("Error occurred in UserLogin: %v", err)
-		return false
+		return nil
 	}
-	if user == nil {
-		return false
-	}
-
-	return true
+	return user
 }