Merge pull request #2977 from ywk253100/170807_token

Check the existence of project when generating token
This commit is contained in:
Wenkai Yin 2017-08-07 14:43:49 +08:00 committed by GitHub
commit e3e722b1f8
3 changed files with 28 additions and 9 deletions

View File

@ -29,6 +29,7 @@ import (
"github.com/vmware/harbor/src/common/security"
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/config"
promgr "github.com/vmware/harbor/src/ui/projectmanager"
)
const (
@ -75,7 +76,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
//filterAccess iterate a list of resource actions and try to use the filter that matches the resource type to filter the actions.
func filterAccess(access []*token.ResourceActions, ctx security.Context,
filters map[string]accessFilter) error {
pm promgr.ProjectManager, filters map[string]accessFilter) error {
var err error
for _, a := range access {
f, ok := filters[a.Type]
@ -84,7 +85,7 @@ func filterAccess(access []*token.ResourceActions, ctx security.Context,
log.Warningf("No filter found for access type: %s, skip filter, the access of resource '%s' will be set empty.", a.Type, a.Name)
continue
}
err = f.filter(ctx, a)
err = f.filter(ctx, pm, a)
log.Debugf("user: %s, access: %v", ctx.GetUsername(), a)
if err != nil {
return err

View File

@ -26,6 +26,7 @@ import (
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/config"
"github.com/vmware/harbor/src/ui/filter"
promgr "github.com/vmware/harbor/src/ui/projectmanager"
)
var creatorMap map[string]Creator
@ -126,13 +127,13 @@ func parseImg(s string) (*image, error) {
// An accessFilter will filter access based on userinfo
type accessFilter interface {
filter(ctx security.Context, a *token.ResourceActions) error
filter(ctx security.Context, pm promgr.ProjectManager, a *token.ResourceActions) error
}
type registryFilter struct {
}
func (reg registryFilter) filter(ctx security.Context,
func (reg registryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
a *token.ResourceActions) error {
//Do not filter if the request is to access registry catalog
if a.Name != "catalog" {
@ -150,7 +151,8 @@ type repositoryFilter struct {
parser imageParser
}
func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceActions) error {
func (rep repositoryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
a *token.ResourceActions) error {
//clear action list to assign to new acess element after perm check.
img, err := rep.parser.parse(a.Name)
if err != nil {
@ -158,6 +160,17 @@ func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceAction
}
project := img.namespace
permission := ""
exist, err := pm.Exist(project)
if err != nil {
return err
}
if !exist {
log.Debugf("project %s does not exist, set empty permission", project)
a.Actions = []string{}
return nil
}
if ctx.HasAllPerm(project) {
permission = "RWM"
} else if ctx.HasWritePerm(project) {
@ -191,6 +204,11 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
return nil, fmt.Errorf("failed to get security context from request")
}
pm, err := filter.GetProjectManager(r)
if err != nil {
return nil, fmt.Errorf("failed to get project manager from request")
}
// for docker login
if !ctx.IsAuthenticated() {
if len(scopes) == 0 {
@ -198,7 +216,7 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
}
}
access := GetResourceActions(scopes)
err = filterAccess(access, ctx, g.filterMap)
err = filterAccess(access, ctx, pm, g.filterMap)
if err != nil {
return nil, err
}

View File

@ -256,19 +256,19 @@ func TestFilterAccess(t *testing.T) {
}
err = filterAccess(a1, &fakeSecurityContext{
isAdmin: true,
}, registryFilterMap)
}, nil, registryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra1, *a1[0], "Mismatch after registry filter Map")
err = filterAccess(a2, &fakeSecurityContext{
isAdmin: true,
}, notaryFilterMap)
}, nil, notaryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra2, *a2[0], "Mismatch after notary filter Map")
err = filterAccess(a3, &fakeSecurityContext{
isAdmin: false,
}, registryFilterMap)
}, nil, registryFilterMap)
assert.Nil(t, err, "Unexpected error: %v", err)
assert.Equal(t, ra2, *a3[0], "Mismatch after registry filter Map")
}