mirror of
https://github.com/goharbor/harbor
synced 2024-09-20 16:25:37 +00:00
fix robot account access issue (#19627)
fixes #19622 Resolve the 403 issue occurring when a robot account, equipped with both system and project scope, attempts to access project resources. Signed-off-by: wang yan <wangyan@vmware.com>
This commit is contained in:
parent
4fbcf92da9
commit
3f72604d57
|
@ -111,7 +111,8 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
|
|||
}
|
||||
if len(sysPolicies) != 0 {
|
||||
evaluators = evaluators.Add(system.NewEvaluator(s.GetUsername(), sysPolicies))
|
||||
} else if len(proPolicies) != 0 {
|
||||
}
|
||||
if len(proPolicies) != 0 {
|
||||
evaluators = evaluators.Add(rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), proPolicies)))
|
||||
}
|
||||
s.evaluator = evaluators
|
||||
|
@ -119,7 +120,6 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
|
|||
s.evaluator = rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), accesses, filterRobotPolicies))
|
||||
}
|
||||
})
|
||||
|
||||
return s.evaluator != nil && s.evaluator.HasPermission(ctx, resource, action)
|
||||
}
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@ import (
|
|||
|
||||
"github.com/goharbor/harbor/src/common/rbac"
|
||||
"github.com/goharbor/harbor/src/common/rbac/project"
|
||||
"github.com/goharbor/harbor/src/common/rbac/system"
|
||||
"github.com/goharbor/harbor/src/controller/robot"
|
||||
"github.com/goharbor/harbor/src/pkg/permission/types"
|
||||
proModels "github.com/goharbor/harbor/src/pkg/project/models"
|
||||
|
@ -198,6 +199,57 @@ func TestHasPushPullPerm(t *testing.T) {
|
|||
assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
|
||||
}
|
||||
|
||||
func TestSysAndProPerm(t *testing.T) {
|
||||
robot := &robot.Robot{
|
||||
Level: "system",
|
||||
Robot: model.Robot{
|
||||
Name: "test_robot_4",
|
||||
Description: "desc",
|
||||
},
|
||||
Permissions: []*robot.Permission{
|
||||
{
|
||||
Kind: "system",
|
||||
Namespace: "/",
|
||||
Access: []*types.Policy{
|
||||
{
|
||||
Resource: rbac.Resource(fmt.Sprintf("system/%s", rbac.ResourceRepository)),
|
||||
Action: rbac.ActionList,
|
||||
},
|
||||
{
|
||||
Resource: rbac.Resource(fmt.Sprintf("system/%s", rbac.ResourceGarbageCollection)),
|
||||
Action: rbac.ActionCreate,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
Kind: "project",
|
||||
Namespace: "library",
|
||||
Access: []*types.Policy{
|
||||
{
|
||||
Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
|
||||
Action: rbac.ActionPush,
|
||||
},
|
||||
{
|
||||
Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
|
||||
Action: rbac.ActionPull,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
ctl := &projecttesting.Controller{}
|
||||
mock.OnAnything(ctl, "Get").Return(private, nil)
|
||||
|
||||
ctx := NewSecurityContext(robot)
|
||||
ctx.ctl = ctl
|
||||
resource := project.NewNamespace(private.ProjectID).Resource(rbac.ResourceRepository)
|
||||
assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
|
||||
|
||||
resource = system.NewNamespace().Resource(rbac.ResourceGarbageCollection)
|
||||
assert.True(t, ctx.Can(context.TODO(), rbac.ActionCreate, resource))
|
||||
}
|
||||
|
||||
func Test_filterRobotPolicies(t *testing.T) {
|
||||
type args struct {
|
||||
p *proModels.Project
|
||||
|
|
Loading…
Reference in New Issue
Block a user