mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-20 07:37:38 +01:00
Merge pull request #255 from ywk253100/modify_authentication_of_repository_api
Some modifications for implements of API
This commit is contained in:
commit
f7de4c5841
@ -114,23 +114,10 @@ func (pma *ProjectMemberAPI) Get() {
|
||||
|
||||
// Post ...
|
||||
func (pma *ProjectMemberAPI) Post() {
|
||||
pid := pma.project.ProjectID
|
||||
|
||||
//userQuery := models.User{UserID: pma.currentUserID, RoleID: models.PROJECTADMIN}
|
||||
rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
|
||||
pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
|
||||
}
|
||||
hasProjectAdminRole := false
|
||||
for _, role := range rolelist {
|
||||
if role.RoleID == models.PROJECTADMIN {
|
||||
hasProjectAdminRole = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !hasProjectAdminRole {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id:", pma.currentUserID, pid)
|
||||
currentUserID := pma.currentUserID
|
||||
projectID := pma.project.ProjectID
|
||||
if !hasProjectAdminRole(currentUserID, projectID) {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, projectID)
|
||||
pma.RenderError(http.StatusForbidden, "")
|
||||
return
|
||||
}
|
||||
@ -144,21 +131,21 @@ func (pma *ProjectMemberAPI) Post() {
|
||||
pma.RenderError(http.StatusNotFound, "User does not exist")
|
||||
return
|
||||
}
|
||||
rolelist, err = dao.GetUserProjectRoles(userID, pid)
|
||||
rolelist, err := dao.GetUserProjectRoles(userID, projectID)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
|
||||
pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
|
||||
}
|
||||
if len(rolelist) > 0 {
|
||||
log.Warningf("user is already added to project, user id: %d, project id: %d", userID, pid)
|
||||
log.Warningf("user is already added to project, user id: %d, project id: %d", userID, projectID)
|
||||
pma.RenderError(http.StatusConflict, "user is ready in project")
|
||||
return
|
||||
}
|
||||
|
||||
for _, rid := range req.Roles {
|
||||
err = dao.AddProjectMember(pid, userID, int(rid))
|
||||
err = dao.AddProjectMember(projectID, userID, int(rid))
|
||||
if err != nil {
|
||||
log.Errorf("Failed to update DB to add project user role, project id: %d, user id: %d, role id: %d", pid, userID, rid)
|
||||
log.Errorf("Failed to update DB to add project user role, project id: %d, user id: %d, role id: %d", projectID, userID, rid)
|
||||
pma.RenderError(http.StatusInternalServerError, "Failed to update data in database")
|
||||
return
|
||||
}
|
||||
@ -167,27 +154,16 @@ func (pma *ProjectMemberAPI) Post() {
|
||||
|
||||
// Put ...
|
||||
func (pma *ProjectMemberAPI) Put() {
|
||||
currentUserID := pma.currentUserID
|
||||
pid := pma.project.ProjectID
|
||||
mid := pma.memberID
|
||||
|
||||
rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
|
||||
pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
|
||||
}
|
||||
hasProjectAdminRole := false
|
||||
for _, role := range rolelist {
|
||||
if role.RoleID == models.PROJECTADMIN {
|
||||
hasProjectAdminRole = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if !hasProjectAdminRole {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id: %d", pma.currentUserID, pid)
|
||||
if !hasProjectAdminRole(currentUserID, pid) {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, pid)
|
||||
pma.RenderError(http.StatusForbidden, "")
|
||||
return
|
||||
}
|
||||
|
||||
mid := pma.memberID
|
||||
|
||||
var req memberReq
|
||||
pma.DecodeJSONReq(&req)
|
||||
roleList, err := dao.GetUserProjectRoles(mid, pid)
|
||||
@ -217,51 +193,20 @@ func (pma *ProjectMemberAPI) Put() {
|
||||
|
||||
// Delete ...
|
||||
func (pma *ProjectMemberAPI) Delete() {
|
||||
currentUserID := pma.currentUserID
|
||||
pid := pma.project.ProjectID
|
||||
mid := pma.memberID
|
||||
|
||||
rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
|
||||
hasProjectAdminRole := false
|
||||
for _, role := range rolelist {
|
||||
if role.RoleID == models.PROJECTADMIN {
|
||||
hasProjectAdminRole = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if !hasProjectAdminRole {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id: %d", pma.currentUserID, pid)
|
||||
if !hasProjectAdminRole(currentUserID, pid) {
|
||||
log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, pid)
|
||||
pma.RenderError(http.StatusForbidden, "")
|
||||
return
|
||||
}
|
||||
err = dao.DeleteProjectMember(pid, mid)
|
||||
|
||||
mid := pma.memberID
|
||||
|
||||
err := dao.DeleteProjectMember(pid, mid)
|
||||
if err != nil {
|
||||
log.Errorf("Failed to delete project roles for user, user id: %d, project id: %d, error: %v", mid, pid, err)
|
||||
pma.RenderError(http.StatusInternalServerError, "Failed to update data in DB")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
//sysadmin has all privileges to all projects
|
||||
func listRoles(userID int, projectID int64) ([]models.Role, error) {
|
||||
roles := make([]models.Role, 1)
|
||||
isSysAdmin, err := dao.IsAdminRole(userID)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
if isSysAdmin {
|
||||
role, err := dao.GetRoleByID(models.PROJECTADMIN)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
roles = append(roles, *role)
|
||||
return roles, nil
|
||||
}
|
||||
|
||||
rs, err := dao.GetUserProjectRoles(userID, projectID)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
roles = append(roles, rs...)
|
||||
return roles, nil
|
||||
}
|
||||
|
@ -43,7 +43,6 @@ const projectNameMaxLen int = 30
|
||||
|
||||
// Prepare validates the URL and the user
|
||||
func (p *ProjectAPI) Prepare() {
|
||||
p.userID = p.ValidateUser()
|
||||
idStr := p.Ctx.Input.Param(":id")
|
||||
if len(idStr) > 0 {
|
||||
var err error
|
||||
@ -65,6 +64,8 @@ func (p *ProjectAPI) Prepare() {
|
||||
|
||||
// Post ...
|
||||
func (p *ProjectAPI) Post() {
|
||||
p.userID = p.ValidateUser()
|
||||
|
||||
var req projectReq
|
||||
var public int
|
||||
p.DecodeJSONReq(&req)
|
||||
@ -99,20 +100,52 @@ func (p *ProjectAPI) Post() {
|
||||
// Head ...
|
||||
func (p *ProjectAPI) Head() {
|
||||
projectName := p.GetString("project_name")
|
||||
result, err := dao.ProjectExists(projectName)
|
||||
if len(projectName) == 0 {
|
||||
p.CustomAbort(http.StatusBadRequest, "project_name is needed")
|
||||
}
|
||||
|
||||
project, err := dao.GetProjectByName(projectName)
|
||||
if err != nil {
|
||||
log.Errorf("Error while communicating with DB, error: %v", err)
|
||||
p.RenderError(http.StatusInternalServerError, "Error while communicating with DB")
|
||||
log.Errorf("error occurred in GetProjectByName: %v", err)
|
||||
p.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
|
||||
}
|
||||
|
||||
// only public project can be Headed by user without login
|
||||
if project != nil && project.Public == 1 {
|
||||
return
|
||||
}
|
||||
if !result {
|
||||
p.RenderError(http.StatusNotFound, "")
|
||||
return
|
||||
|
||||
userID := p.ValidateUser()
|
||||
if project == nil {
|
||||
p.CustomAbort(http.StatusNotFound, http.StatusText(http.StatusNotFound))
|
||||
}
|
||||
|
||||
if !checkProjectPermission(userID, project.ProjectID) {
|
||||
p.CustomAbort(http.StatusForbidden, http.StatusText(http.StatusForbidden))
|
||||
}
|
||||
}
|
||||
|
||||
// Get ...
|
||||
func (p *ProjectAPI) Get() {
|
||||
project, err := dao.GetProjectByID(p.projectID)
|
||||
if err != nil {
|
||||
log.Errorf("failed to get project %d: %v", p.projectID, err)
|
||||
p.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
|
||||
}
|
||||
|
||||
if project.Public == 0 {
|
||||
userID := p.ValidateUser()
|
||||
if !checkProjectPermission(userID, p.projectID) {
|
||||
p.CustomAbort(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||
}
|
||||
}
|
||||
|
||||
p.Data["json"] = project
|
||||
p.ServeJSON()
|
||||
}
|
||||
|
||||
// List ...
|
||||
func (p *ProjectAPI) List() {
|
||||
var projectList []models.Project
|
||||
projectName := p.GetString("project_name")
|
||||
if len(projectName) > 0 {
|
||||
@ -132,6 +165,8 @@ func (p *ProjectAPI) Get() {
|
||||
if public == 1 {
|
||||
projectList, err = dao.GetPublicProjects(projectName)
|
||||
} else {
|
||||
//if the request is not for public projects, user must login or provide credential
|
||||
p.userID = p.ValidateUser()
|
||||
isAdmin, err = dao.IsAdminRole(p.userID)
|
||||
if err != nil {
|
||||
log.Errorf("Error occured in check admin, error: %v", err)
|
||||
@ -164,6 +199,8 @@ func (p *ProjectAPI) Get() {
|
||||
|
||||
// Put ...
|
||||
func (p *ProjectAPI) Put() {
|
||||
p.userID = p.ValidateUser()
|
||||
|
||||
var req projectReq
|
||||
var public int
|
||||
|
||||
@ -192,6 +229,7 @@ func (p *ProjectAPI) Put() {
|
||||
|
||||
// FilterAccessLog handles GET to /api/projects/{}/logs
|
||||
func (p *ProjectAPI) FilterAccessLog() {
|
||||
p.userID = p.ValidateUser()
|
||||
|
||||
var filter models.AccessLog
|
||||
p.DecodeJSONReq(&filter)
|
||||
|
@ -19,6 +19,7 @@ import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"os"
|
||||
"sort"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
@ -38,19 +39,13 @@ import (
|
||||
// the security of registry
|
||||
type RepositoryAPI struct {
|
||||
BaseAPI
|
||||
userID int
|
||||
}
|
||||
|
||||
// Prepare will set a non existent user ID in case the request tries to view repositories under a project he doesn't has permission.
|
||||
func (ra *RepositoryAPI) Prepare() {
|
||||
ra.userID = ra.ValidateUser()
|
||||
}
|
||||
|
||||
// Get ...
|
||||
func (ra *RepositoryAPI) Get() {
|
||||
projectID, err0 := ra.GetInt64("project_id")
|
||||
if err0 != nil {
|
||||
log.Errorf("Failed to get project id, error: %v", err0)
|
||||
projectID, err := ra.GetInt64("project_id")
|
||||
if err != nil {
|
||||
log.Errorf("Failed to get project id, error: %v", err)
|
||||
ra.RenderError(http.StatusBadRequest, "Invalid project id")
|
||||
return
|
||||
}
|
||||
@ -64,9 +59,14 @@ func (ra *RepositoryAPI) Get() {
|
||||
ra.RenderError(http.StatusNotFound, "")
|
||||
return
|
||||
}
|
||||
if p.Public == 0 && !checkProjectPermission(ra.userID, projectID) {
|
||||
ra.RenderError(http.StatusForbidden, "")
|
||||
return
|
||||
|
||||
if p.Public == 0 {
|
||||
userID := ra.ValidateUser()
|
||||
|
||||
if !checkProjectPermission(userID, projectID) {
|
||||
ra.RenderError(http.StatusForbidden, "")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
repoList, err := svc_utils.GetRepoFromCache()
|
||||
@ -105,7 +105,7 @@ func (ra *RepositoryAPI) Delete() {
|
||||
ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
|
||||
}
|
||||
|
||||
rc, err := ra.initializeRepositoryClient(repoName)
|
||||
rc, err := ra.initRepositoryClient(repoName)
|
||||
if err != nil {
|
||||
log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
|
||||
ra.CustomAbort(http.StatusInternalServerError, "internal error")
|
||||
@ -164,7 +164,7 @@ func (ra *RepositoryAPI) GetTags() {
|
||||
ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
|
||||
}
|
||||
|
||||
rc, err := ra.initializeRepositoryClient(repoName)
|
||||
rc, err := ra.initRepositoryClient(repoName)
|
||||
if err != nil {
|
||||
log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
|
||||
ra.CustomAbort(http.StatusInternalServerError, "internal error")
|
||||
@ -185,6 +185,8 @@ func (ra *RepositoryAPI) GetTags() {
|
||||
|
||||
tags = append(tags, ts...)
|
||||
|
||||
sort.Strings(tags)
|
||||
|
||||
ra.Data["json"] = tags
|
||||
ra.ServeJSON()
|
||||
}
|
||||
@ -198,7 +200,7 @@ func (ra *RepositoryAPI) GetManifests() {
|
||||
ra.CustomAbort(http.StatusBadRequest, "repo_name or tag is nil")
|
||||
}
|
||||
|
||||
rc, err := ra.initializeRepositoryClient(repoName)
|
||||
rc, err := ra.initRepositoryClient(repoName)
|
||||
if err != nil {
|
||||
log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
|
||||
ra.CustomAbort(http.StatusInternalServerError, "internal error")
|
||||
@ -238,16 +240,50 @@ func (ra *RepositoryAPI) GetManifests() {
|
||||
ra.ServeJSON()
|
||||
}
|
||||
|
||||
func (ra *RepositoryAPI) initializeRepositoryClient(repoName string) (r *registry.Repository, err error) {
|
||||
u := models.User{
|
||||
UserID: ra.userID,
|
||||
}
|
||||
user, err := dao.GetUser(u)
|
||||
func (ra *RepositoryAPI) initRepositoryClient(repoName string) (r *registry.Repository, err error) {
|
||||
username, err := ra.getUsername()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
endpoint := os.Getenv("REGISTRY_URL")
|
||||
|
||||
return registry.NewRepositoryWithUsername(repoName, endpoint, user.Username)
|
||||
return registry.NewRepositoryWithUsername(repoName, endpoint, username)
|
||||
}
|
||||
|
||||
func (ra *RepositoryAPI) getUsername() (string, error) {
|
||||
// get username from basic auth
|
||||
username, _, ok := ra.Ctx.Request.BasicAuth()
|
||||
if ok {
|
||||
return username, nil
|
||||
}
|
||||
|
||||
// get username from session
|
||||
sessionUsername := ra.GetSession("username")
|
||||
if sessionUsername != nil {
|
||||
username, ok = sessionUsername.(string)
|
||||
if ok {
|
||||
return username, nil
|
||||
}
|
||||
}
|
||||
|
||||
// if username does not exist in session, try to get userId from sessiion
|
||||
// and then get username from DB according to the userId
|
||||
sessionUserID := ra.GetSession("userId")
|
||||
if sessionUserID != nil {
|
||||
userID, ok := sessionUserID.(int)
|
||||
if ok {
|
||||
u := models.User{
|
||||
UserID: userID,
|
||||
}
|
||||
user, err := dao.GetUser(u)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return user.Username, nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", nil
|
||||
}
|
||||
|
48
api/utils.go
48
api/utils.go
@ -22,20 +22,52 @@ import (
|
||||
)
|
||||
|
||||
func checkProjectPermission(userID int, projectID int64) bool {
|
||||
exist, err := dao.IsAdminRole(userID)
|
||||
roles, err := listRoles(userID, projectID)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in IsAdminRole, error: %v", err)
|
||||
log.Errorf("error occurred in getProjectPermission: %v", err)
|
||||
return false
|
||||
}
|
||||
if exist {
|
||||
return true
|
||||
}
|
||||
roleList, err := dao.GetUserProjectRoles(userID, projectID)
|
||||
return len(roles) > 0
|
||||
}
|
||||
|
||||
func hasProjectAdminRole(userID int, projectID int64) bool {
|
||||
roles, err := listRoles(userID, projectID)
|
||||
if err != nil {
|
||||
log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
|
||||
log.Errorf("error occurred in getProjectPermission: %v", err)
|
||||
return false
|
||||
}
|
||||
return len(roleList) > 0
|
||||
|
||||
for _, role := range roles {
|
||||
if role.RoleID == models.PROJECTADMIN {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
//sysadmin has all privileges to all projects
|
||||
func listRoles(userID int, projectID int64) ([]models.Role, error) {
|
||||
roles := make([]models.Role, 1)
|
||||
isSysAdmin, err := dao.IsAdminRole(userID)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
if isSysAdmin {
|
||||
role, err := dao.GetRoleByID(models.PROJECTADMIN)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
roles = append(roles, *role)
|
||||
return roles, nil
|
||||
}
|
||||
|
||||
rs, err := dao.GetUserProjectRoles(userID, projectID)
|
||||
if err != nil {
|
||||
return roles, err
|
||||
}
|
||||
roles = append(roles, rs...)
|
||||
return roles, nil
|
||||
}
|
||||
|
||||
func checkUserExists(name string) int {
|
||||
|
@ -249,7 +249,6 @@ func getProjects(public int, projectName string) ([]models.Project, error) {
|
||||
}
|
||||
sql += " order by name "
|
||||
var projects []models.Project
|
||||
log.Debugf("sql xxx", sql)
|
||||
if _, err := o.Raw(sql, queryParam).QueryRows(&projects); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -53,6 +53,7 @@ func initRouters() {
|
||||
//API:
|
||||
beego.Router("/api/search", &api.SearchAPI{})
|
||||
beego.Router("/api/projects/:pid/members/?:mid", &api.ProjectMemberAPI{})
|
||||
beego.Router("/api/projects/", &api.ProjectAPI{}, "get:List")
|
||||
beego.Router("/api/projects/?:id", &api.ProjectAPI{})
|
||||
beego.Router("/api/statistics", &api.StatisticAPI{})
|
||||
beego.Router("/api/projects/:id/logs/filter", &api.ProjectAPI{}, "post:FilterAccessLog")
|
||||
|
Loading…
Reference in New Issue
Block a user