Make sure middleware handle scanner-pull claim for v2token

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2020-04-05 01:10:45 +08:00
parent 08f9ffa000
commit e8f98259dd
3 changed files with 3 additions and 3 deletions

View File

@ -24,7 +24,7 @@ type tokenSecurityCtx struct {
}
func (t *tokenSecurityCtx) Name() string {
return "internal_token"
return "v2token"
}
func (t *tokenSecurityCtx) IsAuthenticated() bool {

View File

@ -44,7 +44,7 @@ func Middleware() func(http.Handler) http.Handler {
securityCtx, ok := security.FromContext(ctx)
// only authenticated robot account with scanner pull access can bypass.
if ok && securityCtx.IsAuthenticated() &&
securityCtx.Name() == "robot" &&
(securityCtx.Name() == "robot" || securityCtx.Name() == "v2token") &&
securityCtx.Can(rbac.ActionScannerPull, rbac.NewProjectNamespace(pro.ProjectID).Resource(rbac.ResourceRepository)) {
// the artifact is pulling by the scanner, skip the checking
logger.Debugf("artifact %s@%s is pulling by the scanner, skip the checking", af.Repository, af.Digest)

View File

@ -73,7 +73,7 @@ func Middleware() func(http.Handler) http.Handler {
securityCtx, ok := security.FromContext(ctx)
if ok &&
securityCtx.Name() == "robot" &&
(securityCtx.Name() == "robot" || securityCtx.Name() == "v2token") &&
securityCtx.Can(rbac.ActionScannerPull, rbac.NewProjectNamespace(proj.ProjectID).Resource(rbac.ResourceRepository)) {
// the artifact is pulling by the scanner, skip the checking
logger.Debugf("artifact %s@%s is pulling by the scanner, skip the checking", art.RepositoryName, art.Digest)