mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-22 10:15:35 +01:00
Merge pull request #2148 from ywk253100/170425_authN_interface
Abstract security context interface and enable security filter
This commit is contained in:
commit
e4af15048d
59
src/ui/filter/security.go
Normal file
59
src/ui/filter/security.go
Normal file
@ -0,0 +1,59 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package filter
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/astaxie/beego/context"
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
"github.com/vmware/harbor/src/ui/security"
|
||||
)
|
||||
|
||||
const (
|
||||
// HarborSecurityContext is the name of security context passed to handlers
|
||||
HarborSecurityContext = "harbor_security_context"
|
||||
)
|
||||
|
||||
// SecurityFilter authenticates the request and passes a security context with it
|
||||
// which can be used to do some authorization
|
||||
func SecurityFilter(ctx *context.Context) {
|
||||
if ctx == nil {
|
||||
return
|
||||
}
|
||||
|
||||
req := ctx.Request
|
||||
if req == nil {
|
||||
return
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(req.RequestURI, "/api/") &&
|
||||
!strings.HasPrefix(req.RequestURI, "/service/") {
|
||||
return
|
||||
}
|
||||
|
||||
securityCtx, err := createSecurityContext(req)
|
||||
if err != nil {
|
||||
log.Warningf("failed to create security context: %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Input.SetData(HarborSecurityContext, securityCtx)
|
||||
}
|
||||
|
||||
func createSecurityContext(req *http.Request) (security.Context, error) {
|
||||
return nil, nil
|
||||
}
|
50
src/ui/filter/security_test.go
Normal file
50
src/ui/filter/security_test.go
Normal file
@ -0,0 +1,50 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package filter
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
"github.com/astaxie/beego/context"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestSecurityFilter(t *testing.T) {
|
||||
// nil request
|
||||
ctx := &context.Context{
|
||||
Request: nil,
|
||||
Input: context.NewInput(),
|
||||
}
|
||||
SecurityFilter(ctx)
|
||||
securityContext := ctx.Input.GetData(HarborSecurityContext)
|
||||
assert.Nil(t, securityContext)
|
||||
|
||||
// the pattern of request does not need security check
|
||||
req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/static/index.html", nil)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create request: %v", req)
|
||||
}
|
||||
|
||||
ctx = &context.Context{
|
||||
Request: req,
|
||||
Input: context.NewInput(),
|
||||
}
|
||||
SecurityFilter(ctx)
|
||||
securityContext = ctx.Input.GetData(HarborSecurityContext)
|
||||
assert.Nil(t, securityContext)
|
||||
|
||||
//TODO add a case to test normal process
|
||||
}
|
@ -30,6 +30,7 @@ import (
|
||||
_ "github.com/vmware/harbor/src/ui/auth/db"
|
||||
_ "github.com/vmware/harbor/src/ui/auth/ldap"
|
||||
"github.com/vmware/harbor/src/ui/config"
|
||||
"github.com/vmware/harbor/src/ui/filter"
|
||||
"github.com/vmware/harbor/src/ui/service/token"
|
||||
)
|
||||
|
||||
@ -95,6 +96,9 @@ func main() {
|
||||
if err := updateInitPassword(adminUserID, password); err != nil {
|
||||
log.Error(err)
|
||||
}
|
||||
|
||||
beego.InsertFilter("/*", beego.BeforeRouter, filter.SecurityFilter)
|
||||
|
||||
initRouters()
|
||||
if err := api.SyncRegistry(); err != nil {
|
||||
log.Error(err)
|
||||
|
32
src/ui/security/context.go
Normal file
32
src/ui/security/context.go
Normal file
@ -0,0 +1,32 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package security
|
||||
|
||||
// Context abstracts the operations related with authN and authZ
|
||||
type Context interface {
|
||||
// IsAuthenticated returns whether the context has been authenticated or not
|
||||
IsAuthenticated() bool
|
||||
// IsSysAdmin returns whether the user is system admin
|
||||
IsSysAdmin() bool
|
||||
// HasReadPerm returns whether the user has read permission to the project
|
||||
// whose ID is projectID
|
||||
HasReadPerm(projectID int64) bool
|
||||
// HasWritePerm returns whether the user has write permission to the project
|
||||
// whose ID is projectID
|
||||
HasWritePerm(projectID int64) bool
|
||||
// HasAllPerm returns whether the user has all permissions to the project
|
||||
// whose ID is projectID
|
||||
HasAllPerm(projectID int64) bool
|
||||
}
|
15
src/ui/security/db/context.go
Normal file
15
src/ui/security/db/context.go
Normal file
@ -0,0 +1,15 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package db
|
15
src/ui/security/rbac/context.go
Normal file
15
src/ui/security/rbac/context.go
Normal file
@ -0,0 +1,15 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package rbac
|
15
src/ui/security/secret/context.go
Normal file
15
src/ui/security/secret/context.go
Normal file
@ -0,0 +1,15 @@
|
||||
// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package secret
|
Loading…
Reference in New Issue
Block a user