robot account permission enhancement
Update code according to the proposal in goharbor/community#249

Signed-off-by: wang yan <[email protected]>
wy65701436 committed Sep 26, 2024
1 parent bcb7337 commit 150756f
Showing 12 changed files with 359 additions and 97 deletions.
3 changes: 0 additions & 3 deletions src/common/const.go
Expand Up @@ -247,7 +247,4 @@ const (

// Global Leeway used for token validation
JwtLeeway = 60 * time.Second

// Global Leeway used for token validation
EnableRobotFullAccess = "enable_robot_full_access"
)
16 changes: 6 additions & 10 deletions src/common/rbac/const.go
Expand Up @@ -15,9 +15,6 @@
package rbac

import (
"context"

"github.com/goharbor/harbor/src/lib/config"
"github.com/goharbor/harbor/src/pkg/permission/types"
)

Expand Down Expand Up @@ -99,13 +96,9 @@ type RobotPermissionProvider interface {
}

// GetPermissionProvider gives the robot permission provider
func GetPermissionProvider(ctx context.Context) RobotPermissionProvider {
var permissionProvider RobotPermissionProvider
permissionProvider = &BaseProvider{}
if config.RobotFullAccess(ctx) {
permissionProvider = &NolimitProvider{}
}
return permissionProvider
func GetPermissionProvider() RobotPermissionProvider {
// TODO will determine by the ui configuration
return &NolimitProvider{}
}

// BaseProvider ...
Expand Down Expand Up @@ -141,6 +134,9 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
&types.Policy{Resource: ResourceLdapUser, Action: ActionCreate},
&types.Policy{Resource: ResourceLdapUser, Action: ActionList},

&types.Policy{Resource: ResourceExportCVE, Action: ActionCreate},
&types.Policy{Resource: ResourceExportCVE, Action: ActionRead},

&types.Policy{Resource: ResourceQuota, Action: ActionUpdate},

&types.Policy{Resource: ResourceUserGroup, Action: ActionCreate},
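Review bot: `GetPermissionProvider` now returns `&NolimitProvider{}` unconditionally, so the default flips from the restrictive `BaseProvider` to the unlimited permission set; together with the removal of `EnableRobotFullAccess` (src/common/const.go, metadatalist.go, userconfig.go), a deployment that had the flag off gets the full robot permission list after upgrading, with only a TODO marking the gap. Until the UI-configuration switch exists, returning `&BaseProvider{}` keeps the previous default, and permissions.go picks that up through the same call. If the permissive default is intended, the doc comment should say so instead of the TODO, e.g. `// GetPermissionProvider returns the robot permission provider; currently always the unlimited set, with no configuration gate.` The second hunk adds ResourceExportCVE create/read to the unlimited set, which is consistent with that provider being the full list.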
22 changes: 2 additions & 20 deletions src/common/rbac/const_test.go
@@ -1,10 +1,6 @@
package rbac

import (
"context"

"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/lib/config"
_ "github.com/goharbor/harbor/src/pkg/config/inmemory"

"github.com/stretchr/testify/assert"
Expand Down Expand Up @@ -34,21 +30,7 @@ func TestNolimitProvider(t *testing.T) {
}

func TestGetPermissionProvider(t *testing.T) {
cfg := map[string]interface{}{
common.EnableRobotFullAccess: "false",
}
config.InitWithSettings(cfg)

defaultPro := GetPermissionProvider(context.Background())
_, ok := defaultPro.(*BaseProvider)
defaultPro := GetPermissionProvider()
_, ok := defaultPro.(*NolimitProvider)
assert.True(t, ok)

cfg = map[string]interface{}{
common.EnableRobotFullAccess: "true",
}
config.InitWithSettings(cfg)
defaultPro = GetPermissionProvider(context.Background())
_, ok = defaultPro.(*NolimitProvider)
assert.True(t, ok)

}
36 changes: 16 additions & 20 deletions src/controller/robot/controller.go
Expand Up @@ -97,10 +97,6 @@ func (d *controller) Count(ctx context.Context, query *q.Query) (int64, error) {

// Create ...
func (d *controller) Create(ctx context.Context, r *Robot) (int64, string, error) {
if err := d.setProject(ctx, r); err != nil {
return 0, "", err
}

var expiresAt int64
if r.Duration == -1 {
expiresAt = -1
Expand Down Expand Up @@ -327,22 +323,6 @@ func (d *controller) populatePermissions(ctx context.Context, r *Robot) error {
return nil
}

// set the project info if it's a project level robot
func (d *controller) setProject(ctx context.Context, r *Robot) error {
if r == nil {
return nil
}
if r.Level == LEVELPROJECT {
pro, err := d.proMgr.Get(ctx, r.Permissions[0].Namespace)
if err != nil {
return err
}
r.ProjectName = pro.Name
r.ProjectID = pro.ProjectID
}
return nil
}

// convertScope converts the db scope into robot model
// /system => Kind: system Namespace: /
// /project/* => Kind: project Namespace: *
Expand Down Expand Up @@ -394,6 +374,22 @@ func (d *controller) toScope(ctx context.Context, p *Permission) (string, error)
return "", errors.New(nil).WithMessage("unknown robot kind").WithCode(errors.BadRequestCode)
}

// set the project info if it's a project level robot
func SetProject(ctx context.Context, r *Robot) error {
if r == nil {
return nil
}
if r.Level == LEVELPROJECT {
pro, err := project.New().Get(ctx, r.Permissions[0].Namespace)
if err != nil {
return err
}
r.ProjectName = pro.Name
r.ProjectID = pro.ProjectID
}
return nil
}

func CreateSec(salt ...string) (string, string, string, error) {
var secret, pwd string
options := []retry.Option{
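Review bot: `SetProject` indexes `r.Permissions[0].Namespace` without checking that the slice is non-empty, so a project-level robot with no permissions panics; now that the function is exported and its call was dropped from `Create`, it is reachable from callers outside this package with request-derived input. Guard it before the lookup, `if len(r.Permissions) == 0 { return errors.New(nil).WithMessage("project level robot requires a permission with a project namespace").WithCode(errors.BadRequestCode) }`, matching the error style `toScope` uses above. Because `Create` no longer populates `ProjectName`/`ProjectID`, its doc comment should state that callers must fill them (or call `SetProject`) beforehand; `Create`'s body continues outside the hunk. Replacing the injected `d.proMgr` with `project.New()` also removes the seam tests used to stub project lookups, which is worth a sentence in the doc comment if intentional.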
9 changes: 5 additions & 4 deletions src/controller/robot/model.go
Expand Up @@ -39,10 +39,11 @@ const (
// Robot ...
type Robot struct {
model.Robot
ProjectName string
Level string
Editable bool `json:"editable"`
Permissions []*Permission `json:"permissions"`
ProjectName string
ProjectNameOrID interface{}
Level string
Editable bool `json:"editable"`
Permissions []*Permission `json:"permissions"`
}

// IsSysLevel, true is a system level robot, others are project level.
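Review bot: `ProjectNameOrID interface{}` has no doc comment and no json tag, so if `Robot` is serialized in API responses it appears as `ProjectNameOrID` next to `ProjectName`, and every consumer has to type-switch to learn whether it holds a name or an id. State the accepted types and direction in a comment, e.g. `// ProjectNameOrID is the project reference supplied by the caller (string name or int64 id); it is resolved into ProjectName/ProjectID before use.`, and tag it `json:"-"` if it is only a request-side carrier. I cannot tell from the hunk whether this struct is marshaled, so treat the tag as a question rather than a requirement.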
3 changes: 2 additions & 1 deletion src/controller/scan/base_controller.go
Expand Up @@ -867,7 +867,8 @@ func (bc *basicController) makeRobotAccount(ctx context.Context, projectID int64
CreatorType: "local",
CreatorRef: int64(0),
},
Level: robot.LEVELPROJECT,
ProjectName: projectName,
Level: robot.LEVELPROJECT,
Permissions: []*robot.Permission{
{
Kind: "project",
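Review bot: The robot literal now sets `ProjectName: projectName` because `Create` no longer resolves the project, but the `setProject` that `Create` used to call also filled `ProjectID`; only ProjectName is visible here, so unless the embedded `model.Robot` fields above the hunk carry the `projectID` parameter, the scanner robot is created without a project id. The same question applies to the fixture in base_controller_test.go. `makeRobotAccount`'s body starts and ends outside the hunk.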
3 changes: 2 additions & 1 deletion src/controller/scan/base_controller_test.go
Expand Up @@ -238,7 +238,8 @@ func (suite *ControllerTestSuite) SetupSuite() {
CreatorType: "local",
CreatorRef: int64(0),
},
Level: robot.LEVELPROJECT,
ProjectName: "library",
Level: robot.LEVELPROJECT,
Permissions: []*robot.Permission{
{
Kind: "project",
2 changes: 0 additions & 2 deletions src/lib/config/metadata/metadatalist.go
Expand Up @@ -201,7 +201,5 @@ var (

{Name: common.BeegoMaxMemoryBytes, Scope: SystemScope, Group: BasicGroup, EnvKey: "BEEGO_MAX_MEMORY_BYTES", DefaultValue: fmt.Sprintf("%d", common.DefaultBeegoMaxMemoryBytes), ItemType: &Int64Type{}, Editable: false, Description: `The bytes for limiting the beego max memory, default is 128GB`},
{Name: common.BeegoMaxUploadSizeBytes, Scope: SystemScope, Group: BasicGroup, EnvKey: "BEEGO_MAX_UPLOAD_SIZE_BYTES", DefaultValue: fmt.Sprintf("%d", common.DefaultBeegoMaxUploadSizeBytes), ItemType: &Int64Type{}, Editable: false, Description: `The bytes for limiting the beego max upload size, default it 128GB`},

{Name: common.EnableRobotFullAccess, Scope: SystemScope, Group: BasicGroup, EnvKey: "ENABLE_ROBOT_FULL_ACCESS", DefaultValue: "false", ItemType: &BoolType{}, Editable: true, Description: `The flag indicates if a robot is able to access full entry points of harbor`},
}
)
5 changes: 0 additions & 5 deletions src/lib/config/userconfig.go
Expand Up @@ -257,11 +257,6 @@ func ScannerSkipUpdatePullTime(ctx context.Context) bool {
return DefaultMgr().Get(ctx, common.ScannerSkipUpdatePullTime).GetBool()
}

// RobotFullAccess returns a bool to indicate if the robot can access full entry points
func RobotFullAccess(ctx context.Context) bool {
return DefaultMgr().Get(ctx, common.EnableRobotFullAccess).GetBool()
}

// BannerMessage returns the customized banner message
func BannerMessage(ctx context.Context) string {
return DefaultMgr().Get(ctx, common.BannerMessage).GetString()
2 changes: 1 addition & 1 deletion src/server/v2.0/handler/permissions.go
Expand Up @@ -71,7 +71,7 @@ func (p *permissionsAPI) GetPermissions(ctx context.Context, _ permissions.GetPe
return p.SendError(ctx, errors.ForbiddenError(errors.New("only admins(system and project) can access permissions")))
}

provider := rbac.GetPermissionProvider(ctx)
provider := rbac.GetPermissionProvider()
sysPermissions := make([]*types.Policy, 0)
proPermissions := provider.GetPermissions(rbac.ScopeProject)
if isSystemAdmin {