Make sure middleware handle scanner-pull claim for v2token

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2024-11-27 12:46:03 +01:00 · 2020-04-05 01:10:45 +08:00 · 2020-04-05 01:10:45 +08:00 · e8f98259dd
commit e8f98259dd
parent 08f9ffa000
3 changed files with 3 additions and 3 deletions
--- a/src/common/security/v2token/context.go
+++ b/src/common/security/v2token/context.go
@ -24,7 +24,7 @@ type tokenSecurityCtx struct {
 }

 func (t *tokenSecurityCtx) Name() string {
-	return "internal_token"
+	return "v2token"
 }

 func (t *tokenSecurityCtx) IsAuthenticated() bool {
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@ -44,7 +44,7 @@ func Middleware() func(http.Handler) http.Handler {
 		securityCtx, ok := security.FromContext(ctx)
 		// only authenticated robot account with scanner pull access can bypass.
 		if ok && securityCtx.IsAuthenticated() &&
-			securityCtx.Name() == "robot" &&
+			(securityCtx.Name() == "robot" || securityCtx.Name() == "v2token") &&
 			securityCtx.Can(rbac.ActionScannerPull, rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)) {
 			// the artifact is pulling by the scanner, skip the checking
 			logger.Debugf("artifact %s@%s is pulling by the scanner, skip the checking", af.Repository, af.Digest)
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@ -73,7 +73,7 @@ func Middleware() func(http.Handler) http.Handler {

 		securityCtx, ok := security.FromContext(ctx)
 		if ok &&
-			securityCtx.Name() == "robot" &&
+			(securityCtx.Name() == "robot" || securityCtx.Name() == "v2token") &&
 			securityCtx.Can(rbac.ActionScannerPull, rbac.NewProjectNamespace(proj.ProjectID).Resource(rbac.ResourceRepository)) {
 			// the artifact is pulling by the scanner, skip the checking
 			logger.Debugf("artifact %s@%s is pulling by the scanner, skip the checking", art.RepositoryName, art.Digest)