diff --git a/src/server/middleware/contenttrust/contenttrust.go b/src/server/middleware/contenttrust/contenttrust.go
index dd313b328..838b28b14 100644
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@@ -49,9 +49,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
 if !ok {
 return false, none
 }
- if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
- return false, none
- }
 if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
 return false, af
 }
diff --git a/src/server/middleware/regtoken/regtoken.go b/src/server/middleware/regtoken/regtoken.go
deleted file mode 100644
index b81383bdd..000000000
--- a/src/server/middleware/regtoken/regtoken.go
+++ /dev/null
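Review bot: Removing the scanner-pull exemption here (and the matching one in the vulnerable.go hunk) means a scanner's own manifest pull is now subject to the content-trust and vulnerability policy checks; if scanner pulls are not exempted elsewhere, an image that already violates the project's vulnerability policy presumably can no longer be pulled for (re)scanning. Nothing in the diff replaces the removed mechanism for recognising a scanner pull, so it is worth confirming that a replacement exists or that this behaviour change is intended. A one-line comment at the removal point would record the decision for the next reader, e.g. `// scanner pulls are no longer exempted; every manifest GET goes through the policy check`. validate's body continues outside the hunk.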
@@ -1,66 +0,0 @@
-package regtoken
-
-import (
- "errors"
- "github.com/docker/distribution/registry/auth"
- "github.com/goharbor/harbor/src/common/rbac"
- "github.com/goharbor/harbor/src/common/utils/log"
- pkg_token "github.com/goharbor/harbor/src/pkg/token"
- "github.com/goharbor/harbor/src/pkg/token/claims/registry"
- serror "github.com/goharbor/harbor/src/server/error"
- "github.com/goharbor/harbor/src/server/middleware"
- "net/http"
- "strings"
-)
-
-// Middleware parses the docker pull bearer token and check whether it's a scanner pull.
-func Middleware() func(http.Handler) http.Handler {
- return func(next http.Handler) http.Handler {
- return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
- err := parseToken(req)
- if err != nil {
- serror.SendError(rw, err)
- return
- }
- next.ServeHTTP(rw, req)
- })
- }
-}
-
-func parseToken(req *http.Request) error {
- art, ok := middleware.ArtifactInfoFromContext(req.Context())
- if !ok {
- return errors.New("cannot get the manifest information from request context")
- }
-
- parts := strings.Split(req.Header.Get("Authorization"), " ")
- if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
- return nil
- }
-
- rawToken := parts[1]
- opt := pkg_token.DefaultTokenOptions()
- regTK, err := pkg_token.Parse(opt, rawToken, ®istry.Claim{})
- if err != nil {
- log.Errorf("failed to decode reg token: %v, the error is skipped and round the request to native registry.", err)
- return nil
- }
-
- accessItems := []auth.Access{}
- accessItems = append(accessItems, auth.Access{
- Resource: auth.Resource{
- Type: rbac.ResourceRepository.String(),
- Name: art.Repository,
- },
- Action: rbac.ActionScannerPull.String(),
- })
-
- accessSet := regTK.Claims.(*registry.Claim).GetAccess()
- for _, access := range accessItems {
- if accessSet.Contains(access) {
- *req = *(req.WithContext(middleware.NewScannerPullContext(req.Context(), true)))
- }
- }
-
- return nil
-}
diff --git a/src/server/middleware/regtoken/regtoken_test.go b/src/server/middleware/regtoken/regtoken_test.go
deleted file mode 100644
index 260ce9545..000000000
--- a/src/server/middleware/regtoken/regtoken_test.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package regtoken
-
-import (
- "context"
- "fmt"
- "github.com/goharbor/harbor/src/core/middlewares/util"
- "github.com/goharbor/harbor/src/server/middleware"
- "github.com/stretchr/testify/suite"
- "net/http"
- "net/http/httptest"
- "os"
- "testing"
-)
-
-type HandlerSuite struct {
- suite.Suite
-}
-
-func doPullManifestRequest(projectName, name, tag string, next ...http.HandlerFunc) int {
- repository := fmt.Sprintf("%s/%s", projectName, name)
-
- url := fmt.Sprintf("/v2/%s/manifests/%s", repository, tag)
- req, _ := http.NewRequest("GET", url, nil)
-
- token := "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkNWUTc6REM3NTpHVEROOkxTTUs6VUFJTjpIUUVWOlZVSDQ6Q0lRRDpRV01COlM0Qzc6U0c0STpGRUhYIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoicm9ib3QkZGVtbzExIiwiYXVkIjoiaGFyYm9yLXJlZ2lzdHJ5IiwiZXhwIjoxNTcxNzYzOTI2LCJuYmYiOjE1NzE3NjM4NjYsImlhdCI6MTU3MTc2Mzg2NiwianRpIjoiTnRaZWx4Z01KTUU1MXlEMCIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibGlicmFyeS9oZWxsby13b3JsZCIsImFjdGlvbnMiOlsicHVzaCIsIioiLCJwdWxsIiwic2Nhbm5lcnB1bGwiXX1dfQ.GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ 0xc0003c77c0 map[alg:RS256 kid:CVQ7:DC75:GTDN:LSMK:UAIN:HQEV:VUH4:CIQD:QWMB:S4C7:SG4I:FEHX typ:JWT] 0xc000496000 
GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ"
- req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
- rr := httptest.NewRecorder()
-
- af := &middleware.ArtifactInfo{
- Repository: name,
- Reference: tag,
- Tag: tag,
- Digest: "",
- }
-
- var n http.HandlerFunc
- if len(next) > 0 {
- n = next[0]
- } else {
- n = func(w http.ResponseWriter, req *http.Request) {
- w.WriteHeader(http.StatusNotFound)
- }
- }
- ctx := context.WithValue(req.Context(), middleware.ArtifactInfoKey, af)
- *req = *(req.WithContext(ctx))
- n.ServeHTTP(util.NewCustomResponseWriter(rr), req)
-
- return rr.Code
-}
-
-func (suite *HandlerSuite) TestPullManifest() {
- code1 := doPullManifestRequest("library", "photon", "release-1.10")
- suite.Equal(http.StatusNotFound, code1)
-}
-
-func TestMain(m *testing.M) {
- if result := m.Run(); result != 0 {
- os.Exit(result)
- }
-}
-
-func TestRunHandlerSuite(t *testing.T) {
- suite.Run(t, new(HandlerSuite))
-}
diff --git a/src/server/middleware/util.go b/src/server/middleware/util.go
index e4f4597ea..8de78db37 100644
--- a/src/server/middleware/util.go
+++ b/src/server/middleware/util.go
@@ -29,8 +29,6 @@ const (
 DigestSubexp = "digest"
 // ArtifactInfoKey the context key for artifact info
 ArtifactInfoKey = contextKey("artifactInfo")
- // ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
- ScannerPullCtxKey = contextKey("ScannerPullCheck")
 )
 
 var (
@@ -86,17 +84,6 @@ func EnsureArtifactDigest(ctx context.Context) error {
 return nil
 }
 
-// NewScannerPullContext returns context with policy check info
-func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
- return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
-}
-
-// ScannerPullFromContext returns whether to bypass policy check
-func ScannerPullFromContext(ctx context.Context) (bool, bool) {
- info, ok := ctx.Value(ScannerPullCtxKey).(bool)
- return info, ok
-}
-
 // CopyResp ...
 func CopyResp(rec *httptest.ResponseRecorder, rw http.ResponseWriter) {
 for k, v := range rec.Header() {
diff --git a/src/server/middleware/vulnerable/vulnerable.go b/src/server/middleware/vulnerable/vulnerable.go
index 79451d755..d700e7178 100644
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@@ -105,9 +105,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
 return false, af, vs, wl
 }
 
- if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
- return false, af, vs, wl
- }
 // Is vulnerable policy set?
 projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
 if !projectVulnerableEnabled {
diff --git a/src/server/registry/route.go b/src/server/registry/route.go
index 97fa12f0c..499427b91 100644
--- a/src/server/registry/route.go
+++ b/src/server/registry/route.go
@@ -21,7 +21,6 @@ import (
 "github.com/goharbor/harbor/src/server/middleware/blob"
 "github.com/goharbor/harbor/src/server/middleware/contenttrust"
 "github.com/goharbor/harbor/src/server/middleware/immutable"
- "github.com/goharbor/harbor/src/server/middleware/regtoken"
 "github.com/goharbor/harbor/src/server/middleware/v2auth"
 "github.com/goharbor/harbor/src/server/middleware/vulnerable"
 "github.com/goharbor/harbor/src/server/router"
@@ -47,7 +46,6 @@ func RegisterRoutes() {
 root.NewRoute().
 Method(http.MethodGet).
 Path("/*/manifests/:reference").
- Middleware(regtoken.Middleware()).
 Middleware(contenttrust.Middleware()).
 Middleware(vulnerable.Middleware()).
 HandlerFunc(getManifest)