From ef72c76e0e9fd6e675caa520c8f76e300f3e48fc Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Tue, 2 Mar 2021 17:12:00 +0800
Subject: [PATCH] Add "*" to the claim set in the token for /v2 apis

The "*" is used by notary server for permission checking: https://github.com/theupdateframework/notary/blob/84287fd8df4f172c9a8289641cdfa355fc86989d/server/server.go#L200
Hence, we need to add this into the JWT token such that actions like key rotation can be executed.

Signed-off-by: Daniel Jiang
---
 src/core/service/token/creator.go | 10 ++++++++++
 src/core/service/token/token_test.go | 1 +
 2 files changed, 11 insertions(+)

diff --git a/src/core/service/token/creator.go b/src/core/service/token/creator.go
index 45d58e949..a7aa5a86a 100644
--- a/src/core/service/token/creator.go
+++ b/src/core/service/token/creator.go
@@ -200,6 +200,16 @@ func resourceScopes(ctx context.Context, rc rbac.Resource) map[string]struct{} {
 			res[s] = struct{}{}
 		}
 	}
+
+	// "*" is needed in the token for some API in notary server
+	// see https://github.com/goharbor/harbor/issues/14303#issuecomment-788010900
+	// and https://github.com/theupdateframework/notary/blob/84287fd8df4f172c9a8289641cdfa355fc86989d/server/server.go#L200
+	_, ok1 := res["push"]
+	_, ok2 := res["pull"]
+	_, ok3 := res["delete"]
+	if ok1 && ok2 && ok3 {
+		res["*"] = struct{}{}
+	}
 	return res
 }
diff --git a/src/core/service/token/token_test.go b/src/core/service/token/token_test.go
index ec5b98c20..86f761d09 100644
--- a/src/core/service/token/token_test.go
+++ b/src/core/service/token/token_test.go
@@ -336,6 +336,7 @@ func TestResourceScopes(t *testing.T) {
 				"scanner-pull": {},
 				"push": {},
 				"delete": {},
+				"*": {},
 			},
 		},
 		{
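Review bot: The wildcard is granted on a structural proxy — the mere presence of "push", "pull" and "delete" in `res` — rather than on an explicit authorization decision, so any caller whose action set happens to contain those three silently gains `*`, and because `resourceScopes` does not know which backend the token is for, the claim is emitted for registry tokens as well as notary ones. That is presumably harmless for Docker distribution, which matches action strings literally, but the comment only says "some API in notary server" and does not state that `*` is a notary wildcard meaning every action (key rotation included) or why push+pull+delete is the chosen threshold. Replace the three-line comment with something like `// "*" is notary's wildcard action (matches every handler, e.g. key rotation); grant it only to principals that already hold full push+pull+delete rights on the resource. Distribution ignores it.` and fold the three lookups into a single condition, e.g. `if _, ok := res["push"]; ok { if _, ok = res["pull"]; ok { if _, ok = res["delete"]; ok { res["*"] = struct{}{} } } }` or a small `hasAll(res, "push", "pull", "delete")` helper so the threshold is named in one place. The loop the added block follows begins outside this hunk.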
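Review bot: The test only pins the positive case; nothing asserts that `*` is absent when one of push, pull or delete is missing, which is exactly the boundary the new check is meant to enforce. Add a table entry whose actions are only `"push": {}, "pull": {}` with an expected set that omits `"*"`, and another with push and delete but no pull, so a future loosening of the condition fails CI. `TestResourceScopes` starts and continues outside this hunk, so the shape of the table entries is inferred from the visible expected-map lines.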