mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-23 00:57:44 +01:00
Merge pull request #2977 from ywk253100/170807_token
Check the existence of project when generating token
This commit is contained in:
commit
e3e722b1f8
@ -29,6 +29,7 @@ import (
|
||||
"github.com/vmware/harbor/src/common/security"
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
"github.com/vmware/harbor/src/ui/config"
|
||||
promgr "github.com/vmware/harbor/src/ui/projectmanager"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -75,7 +76,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
|
||||
|
||||
//filterAccess iterate a list of resource actions and try to use the filter that matches the resource type to filter the actions.
|
||||
func filterAccess(access []*token.ResourceActions, ctx security.Context,
|
||||
filters map[string]accessFilter) error {
|
||||
pm promgr.ProjectManager, filters map[string]accessFilter) error {
|
||||
var err error
|
||||
for _, a := range access {
|
||||
f, ok := filters[a.Type]
|
||||
@ -84,7 +85,7 @@ func filterAccess(access []*token.ResourceActions, ctx security.Context,
|
||||
log.Warningf("No filter found for access type: %s, skip filter, the access of resource '%s' will be set empty.", a.Type, a.Name)
|
||||
continue
|
||||
}
|
||||
err = f.filter(ctx, a)
|
||||
err = f.filter(ctx, pm, a)
|
||||
log.Debugf("user: %s, access: %v", ctx.GetUsername(), a)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -26,6 +26,7 @@ import (
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
"github.com/vmware/harbor/src/ui/config"
|
||||
"github.com/vmware/harbor/src/ui/filter"
|
||||
promgr "github.com/vmware/harbor/src/ui/projectmanager"
|
||||
)
|
||||
|
||||
var creatorMap map[string]Creator
|
||||
@ -126,13 +127,13 @@ func parseImg(s string) (*image, error) {
|
||||
|
||||
// An accessFilter will filter access based on userinfo
|
||||
type accessFilter interface {
|
||||
filter(ctx security.Context, a *token.ResourceActions) error
|
||||
filter(ctx security.Context, pm promgr.ProjectManager, a *token.ResourceActions) error
|
||||
}
|
||||
|
||||
type registryFilter struct {
|
||||
}
|
||||
|
||||
func (reg registryFilter) filter(ctx security.Context,
|
||||
func (reg registryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
|
||||
a *token.ResourceActions) error {
|
||||
//Do not filter if the request is to access registry catalog
|
||||
if a.Name != "catalog" {
|
||||
@ -150,7 +151,8 @@ type repositoryFilter struct {
|
||||
parser imageParser
|
||||
}
|
||||
|
||||
func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceActions) error {
|
||||
func (rep repositoryFilter) filter(ctx security.Context, pm promgr.ProjectManager,
|
||||
a *token.ResourceActions) error {
|
||||
//clear action list to assign to new acess element after perm check.
|
||||
img, err := rep.parser.parse(a.Name)
|
||||
if err != nil {
|
||||
@ -158,6 +160,17 @@ func (rep repositoryFilter) filter(ctx security.Context, a *token.ResourceAction
|
||||
}
|
||||
project := img.namespace
|
||||
permission := ""
|
||||
|
||||
exist, err := pm.Exist(project)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !exist {
|
||||
log.Debugf("project %s does not exist, set empty permission", project)
|
||||
a.Actions = []string{}
|
||||
return nil
|
||||
}
|
||||
|
||||
if ctx.HasAllPerm(project) {
|
||||
permission = "RWM"
|
||||
} else if ctx.HasWritePerm(project) {
|
||||
@ -191,6 +204,11 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
|
||||
return nil, fmt.Errorf("failed to get security context from request")
|
||||
}
|
||||
|
||||
pm, err := filter.GetProjectManager(r)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get project manager from request")
|
||||
}
|
||||
|
||||
// for docker login
|
||||
if !ctx.IsAuthenticated() {
|
||||
if len(scopes) == 0 {
|
||||
@ -198,7 +216,7 @@ func (g generalCreator) Create(r *http.Request) (*models.Token, error) {
|
||||
}
|
||||
}
|
||||
access := GetResourceActions(scopes)
|
||||
err = filterAccess(access, ctx, g.filterMap)
|
||||
err = filterAccess(access, ctx, pm, g.filterMap)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -256,19 +256,19 @@ func TestFilterAccess(t *testing.T) {
|
||||
}
|
||||
err = filterAccess(a1, &fakeSecurityContext{
|
||||
isAdmin: true,
|
||||
}, registryFilterMap)
|
||||
}, nil, registryFilterMap)
|
||||
assert.Nil(t, err, "Unexpected error: %v", err)
|
||||
assert.Equal(t, ra1, *a1[0], "Mismatch after registry filter Map")
|
||||
|
||||
err = filterAccess(a2, &fakeSecurityContext{
|
||||
isAdmin: true,
|
||||
}, notaryFilterMap)
|
||||
}, nil, notaryFilterMap)
|
||||
assert.Nil(t, err, "Unexpected error: %v", err)
|
||||
assert.Equal(t, ra2, *a2[0], "Mismatch after notary filter Map")
|
||||
|
||||
err = filterAccess(a3, &fakeSecurityContext{
|
||||
isAdmin: false,
|
||||
}, registryFilterMap)
|
||||
}, nil, registryFilterMap)
|
||||
assert.Nil(t, err, "Unexpected error: %v", err)
|
||||
assert.Equal(t, ra2, *a3[0], "Mismatch after registry filter Map")
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user