Merge pull request #2148 from ywk253100/170425_authN_interface

Abstract security context interface and enable security filter
This commit is contained in:
Daniel Jiang 2017-04-27 11:35:22 +08:00 committed by GitHub
commit e4af15048d
7 changed files with 190 additions and 0 deletions

59
src/ui/filter/security.go Normal file
View File

@ -0,0 +1,59 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package filter
import (
"net/http"
"strings"
"github.com/astaxie/beego/context"
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/security"
)
const (
// HarborSecurityContext is the name of security context passed to handlers
HarborSecurityContext = "harbor_security_context"
)
// SecurityFilter authenticates the request and passes a security context with it
// which can be used to do some authorization
func SecurityFilter(ctx *context.Context) {
if ctx == nil {
return
}
req := ctx.Request
if req == nil {
return
}
if !strings.HasPrefix(req.RequestURI, "/api/") &&
!strings.HasPrefix(req.RequestURI, "/service/") {
return
}
securityCtx, err := createSecurityContext(req)
if err != nil {
log.Warningf("failed to create security context: %v", err)
return
}
ctx.Input.SetData(HarborSecurityContext, securityCtx)
}
func createSecurityContext(req *http.Request) (security.Context, error) {
return nil, nil
}

View File

@ -0,0 +1,50 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package filter
import (
"net/http"
"testing"
"github.com/astaxie/beego/context"
"github.com/stretchr/testify/assert"
)
func TestSecurityFilter(t *testing.T) {
// nil request
ctx := &context.Context{
Request: nil,
Input: context.NewInput(),
}
SecurityFilter(ctx)
securityContext := ctx.Input.GetData(HarborSecurityContext)
assert.Nil(t, securityContext)
// the pattern of request does not need security check
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/static/index.html", nil)
if err != nil {
t.Fatalf("failed to create request: %v", req)
}
ctx = &context.Context{
Request: req,
Input: context.NewInput(),
}
SecurityFilter(ctx)
securityContext = ctx.Input.GetData(HarborSecurityContext)
assert.Nil(t, securityContext)
//TODO add a case to test normal process
}

View File

@ -30,6 +30,7 @@ import (
_ "github.com/vmware/harbor/src/ui/auth/db"
_ "github.com/vmware/harbor/src/ui/auth/ldap"
"github.com/vmware/harbor/src/ui/config"
"github.com/vmware/harbor/src/ui/filter"
"github.com/vmware/harbor/src/ui/service/token"
)
@ -95,6 +96,9 @@ func main() {
if err := updateInitPassword(adminUserID, password); err != nil {
log.Error(err)
}
beego.InsertFilter("/*", beego.BeforeRouter, filter.SecurityFilter)
initRouters()
if err := api.SyncRegistry(); err != nil {
log.Error(err)

View File

@ -0,0 +1,32 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package security
// Context abstracts the operations related with authN and authZ
type Context interface {
// IsAuthenticated returns whether the context has been authenticated or not
IsAuthenticated() bool
// IsSysAdmin returns whether the user is system admin
IsSysAdmin() bool
// HasReadPerm returns whether the user has read permission to the project
// whose ID is projectID
HasReadPerm(projectID int64) bool
// HasWritePerm returns whether the user has write permission to the project
// whose ID is projectID
HasWritePerm(projectID int64) bool
// HasAllPerm returns whether the user has all permissions to the project
// whose ID is projectID
HasAllPerm(projectID int64) bool
}

View File

@ -0,0 +1,15 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package db

View File

@ -0,0 +1,15 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package rbac

View File

@ -0,0 +1,15 @@
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package secret