Merge pull request #10970 from wy65701436/remove-regtoken
remove middleware regtoken
commit
e4bee937ff
@ -49,9 +49,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
|
|||||||
if !ok {
|
if !ok {
|
||||||
return false, none
|
return false, none
|
||||||
}
|
}
|
||||||
if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
|
||||||
return false, none
|
|
||||||
}
|
|
||||||
if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
|
if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
|
||||||
return false, af
|
return false, af
|
||||||
}
|
}
|
||||||
|
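Review bot: The scanner-pull exemption (the `ScannerPullFromContext` check that returned before the `ContentTrustEnabled` test) is dropped from validate in this hunk with no replacement visible in this commit, so a scanner robot pulling a manifest from a project with content trust enabled now falls through to the trust check and can be rejected. The same exemption is removed from the vulnerable middleware's validate in the later `@ -105,9 +105,6 @@` hunk, and the context helpers both relied on are deleted from the middleware package, so nothing on the new side carries that decision. Please confirm the exemption now lives elsewhere (presumably in the security context consulted by the route, which this page does not show) or note in the PR description that scanner pulls are intentionally subject to these policies again. A short comment above the `ContentTrustEnabled` check, e.g. `// scanner pulls are not exempted here; the exemption is handled upstream of this middleware`, would make that intent explicit for the next reader. validate begins before this hunk.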
@ -1,66 +0,0 @@
|
|||||||
package regtoken
|
|
||||||
|
|
||||||
import (
|
|
||||||
"errors"
|
|
||||||
"github.com/docker/distribution/registry/auth"
|
|
||||||
"github.com/goharbor/harbor/src/common/rbac"
|
|
||||||
"github.com/goharbor/harbor/src/common/utils/log"
|
|
||||||
pkg_token "github.com/goharbor/harbor/src/pkg/token"
|
|
||||||
"github.com/goharbor/harbor/src/pkg/token/claims/registry"
|
|
||||||
serror "github.com/goharbor/harbor/src/server/error"
|
|
||||||
"github.com/goharbor/harbor/src/server/middleware"
|
|
||||||
"net/http"
|
|
||||||
"strings"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Middleware parses the docker pull bearer token and check whether it's a scanner pull.
|
|
||||||
func Middleware() func(http.Handler) http.Handler {
|
|
||||||
return func(next http.Handler) http.Handler {
|
|
||||||
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
|
|
||||||
err := parseToken(req)
|
|
||||||
if err != nil {
|
|
||||||
serror.SendError(rw, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
next.ServeHTTP(rw, req)
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func parseToken(req *http.Request) error {
|
|
||||||
art, ok := middleware.ArtifactInfoFromContext(req.Context())
|
|
||||||
if !ok {
|
|
||||||
return errors.New("cannot get the manifest information from request context")
|
|
||||||
}
|
|
||||||
|
|
||||||
parts := strings.Split(req.Header.Get("Authorization"), " ")
|
|
||||||
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
rawToken := parts[1]
|
|
||||||
opt := pkg_token.DefaultTokenOptions()
|
|
||||||
regTK, err := pkg_token.Parse(opt, rawToken, ®istry.Claim{})
|
|
||||||
if err != nil {
|
|
||||||
log.Errorf("failed to decode reg token: %v, the error is skipped and round the request to native registry.", err)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
accessItems := []auth.Access{}
|
|
||||||
accessItems = append(accessItems, auth.Access{
|
|
||||||
Resource: auth.Resource{
|
|
||||||
Type: rbac.ResourceRepository.String(),
|
|
||||||
Name: art.Repository,
|
|
||||||
},
|
|
||||||
Action: rbac.ActionScannerPull.String(),
|
|
||||||
})
|
|
||||||
|
|
||||||
accessSet := regTK.Claims.(*registry.Claim).GetAccess()
|
|
||||||
for _, access := range accessItems {
|
|
||||||
if accessSet.Contains(access) {
|
|
||||||
*req = *(req.WithContext(middleware.NewScannerPullContext(req.Context(), true)))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
@ -1,64 +0,0 @@
|
|||||||
package regtoken
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"fmt"
|
|
||||||
"github.com/goharbor/harbor/src/core/middlewares/util"
|
|
||||||
"github.com/goharbor/harbor/src/server/middleware"
|
|
||||||
"github.com/stretchr/testify/suite"
|
|
||||||
"net/http"
|
|
||||||
"net/http/httptest"
|
|
||||||
"os"
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
type HandlerSuite struct {
|
|
||||||
suite.Suite
|
|
||||||
}
|
|
||||||
|
|
||||||
func doPullManifestRequest(projectName, name, tag string, next ...http.HandlerFunc) int {
|
|
||||||
repository := fmt.Sprintf("%s/%s", projectName, name)
|
|
||||||
|
|
||||||
url := fmt.Sprintf("/v2/%s/manifests/%s", repository, tag)
|
|
||||||
req, _ := http.NewRequest("GET", url, nil)
|
|
||||||
|
|
||||||
token := "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkNWUTc6REM3NTpHVEROOkxTTUs6VUFJTjpIUUVWOlZVSDQ6Q0lRRDpRV01COlM0Qzc6U0c0STpGRUhYIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoicm9ib3QkZGVtbzExIiwiYXVkIjoiaGFyYm9yLXJlZ2lzdHJ5IiwiZXhwIjoxNTcxNzYzOTI2LCJuYmYiOjE1NzE3NjM4NjYsImlhdCI6MTU3MTc2Mzg2NiwianRpIjoiTnRaZWx4Z01KTUU1MXlEMCIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibGlicmFyeS9oZWxsby13b3JsZCIsImFjdGlvbnMiOlsicHVzaCIsIioiLCJwdWxsIiwic2Nhbm5lcnB1bGwiXX1dfQ.GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ 0xc0003c77c0 map[alg:RS256 kid:CVQ7:DC75:GTDN:LSMK:UAIN:HQEV:VUH4:CIQD:QWMB:S4C7:SG4I:FEHX typ:JWT] 0xc000496000 GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ"
|
|
||||||
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
|
|
||||||
rr := httptest.NewRecorder()
|
|
||||||
|
|
||||||
af := &middleware.ArtifactInfo{
|
|
||||||
Repository: name,
|
|
||||||
Reference: tag,
|
|
||||||
Tag: tag,
|
|
||||||
Digest: "",
|
|
||||||
}
|
|
||||||
|
|
||||||
var n http.HandlerFunc
|
|
||||||
if len(next) > 0 {
|
|
||||||
n = next[0]
|
|
||||||
} else {
|
|
||||||
n = func(w http.ResponseWriter, req *http.Request) {
|
|
||||||
w.WriteHeader(http.StatusNotFound)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ctx := context.WithValue(req.Context(), middleware.ArtifactInfoKey, af)
|
|
||||||
*req = *(req.WithContext(ctx))
|
|
||||||
n.ServeHTTP(util.NewCustomResponseWriter(rr), req)
|
|
||||||
|
|
||||||
return rr.Code
|
|
||||||
}
|
|
||||||
|
|
||||||
func (suite *HandlerSuite) TestPullManifest() {
|
|
||||||
code1 := doPullManifestRequest("library", "photon", "release-1.10")
|
|
||||||
suite.Equal(http.StatusNotFound, code1)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestMain(m *testing.M) {
|
|
||||||
if result := m.Run(); result != 0 {
|
|
||||||
os.Exit(result)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestRunHandlerSuite(t *testing.T) {
|
|
||||||
suite.Run(t, new(HandlerSuite))
|
|
||||||
}
|
|
@ -29,8 +29,6 @@ const (
|
|||||||
DigestSubexp = "digest"
|
DigestSubexp = "digest"
|
||||||
// ArtifactInfoKey the context key for artifact info
|
// ArtifactInfoKey the context key for artifact info
|
||||||
ArtifactInfoKey = contextKey("artifactInfo")
|
ArtifactInfoKey = contextKey("artifactInfo")
|
||||||
// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
|
|
||||||
ScannerPullCtxKey = contextKey("ScannerPullCheck")
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
@ -86,17 +84,6 @@ func EnsureArtifactDigest(ctx context.Context) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewScannerPullContext returns context with policy check info
|
|
||||||
func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
|
|
||||||
return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
|
|
||||||
}
|
|
||||||
|
|
||||||
// ScannerPullFromContext returns whether to bypass policy check
|
|
||||||
func ScannerPullFromContext(ctx context.Context) (bool, bool) {
|
|
||||||
info, ok := ctx.Value(ScannerPullCtxKey).(bool)
|
|
||||||
return info, ok
|
|
||||||
}
|
|
||||||
|
|
||||||
// CopyResp ...
|
// CopyResp ...
|
||||||
func CopyResp(rec *httptest.ResponseRecorder, rw http.ResponseWriter) {
|
func CopyResp(rec *httptest.ResponseRecorder, rw http.ResponseWriter) {
|
||||||
for k, v := range rec.Header() {
|
for k, v := range rec.Header() {
|
||||||
|
@ -105,9 +105,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
|
|||||||
return false, af, vs, wl
|
return false, af, vs, wl
|
||||||
}
|
}
|
||||||
|
|
||||||
if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
|
|
||||||
return false, af, vs, wl
|
|
||||||
}
|
|
||||||
// Is vulnerable policy set?
|
// Is vulnerable policy set?
|
||||||
projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
|
projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
|
||||||
if !projectVulnerableEnabled {
|
if !projectVulnerableEnabled {
|
||||||
|
@ -21,7 +21,6 @@ import (
|
|||||||
"github.com/goharbor/harbor/src/server/middleware/blob"
|
"github.com/goharbor/harbor/src/server/middleware/blob"
|
||||||
"github.com/goharbor/harbor/src/server/middleware/contenttrust"
|
"github.com/goharbor/harbor/src/server/middleware/contenttrust"
|
||||||
"github.com/goharbor/harbor/src/server/middleware/immutable"
|
"github.com/goharbor/harbor/src/server/middleware/immutable"
|
||||||
"github.com/goharbor/harbor/src/server/middleware/regtoken"
|
|
||||||
"github.com/goharbor/harbor/src/server/middleware/v2auth"
|
"github.com/goharbor/harbor/src/server/middleware/v2auth"
|
||||||
"github.com/goharbor/harbor/src/server/middleware/vulnerable"
|
"github.com/goharbor/harbor/src/server/middleware/vulnerable"
|
||||||
"github.com/goharbor/harbor/src/server/router"
|
"github.com/goharbor/harbor/src/server/router"
|
||||||
@ -47,7 +46,6 @@ func RegisterRoutes() {
|
|||||||
root.NewRoute().
|
root.NewRoute().
|
||||||
Method(http.MethodGet).
|
Method(http.MethodGet).
|
||||||
Path("/*/manifests/:reference").
|
Path("/*/manifests/:reference").
|
||||||
Middleware(regtoken.Middleware()).
|
|
||||||
Middleware(contenttrust.Middleware()).
|
Middleware(contenttrust.Middleware()).
|
||||||
Middleware(vulnerable.Middleware()).
|
Middleware(vulnerable.Middleware()).
|
||||||
HandlerFunc(getManifest)
|
HandlerFunc(getManifest)
|
||||||
|