robot account permission enhancement

Update codes according to the proposal of goharbor/community#249 Signed-off-by: wang yan <[email protected]>
wy65701436 · Sep 26, 2024 · 6f207d8 · 6f207d8
1 parent bcb7337
commit 6f207d8
Show file tree

Hide file tree

Showing 11 changed files with 357 additions and 96 deletions.
diff --git a/src/common/const.go b/src/common/const.go
@@ -247,7 +247,4 @@ const (
 
 	// Global Leeway used for token validation
 	JwtLeeway = 60 * time.Second
-
-	// Global Leeway used for token validation
-	EnableRobotFullAccess = "enable_robot_full_access"
 )
diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
@@ -15,9 +15,6 @@
 package rbac
 
 import (
-	"context"
-
-	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/pkg/permission/types"
 )
 
@@ -99,13 +96,9 @@ type RobotPermissionProvider interface {
 }
 
 // GetPermissionProvider gives the robot permission provider
-func GetPermissionProvider(ctx context.Context) RobotPermissionProvider {
-	var permissionProvider RobotPermissionProvider
-	permissionProvider = &BaseProvider{}
-	if config.RobotFullAccess(ctx) {
-		permissionProvider = &NolimitProvider{}
-	}
-	return permissionProvider
+func GetPermissionProvider() RobotPermissionProvider {
+	// TODO will determine by the ui configuration
+	return &NolimitProvider{}
 }
 
 // BaseProvider ...
@@ -141,6 +134,9 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
 			&types.Policy{Resource: ResourceLdapUser, Action: ActionCreate},
 			&types.Policy{Resource: ResourceLdapUser, Action: ActionList},
 
+			&types.Policy{Resource: ResourceExportCVE, Action: ActionCreate},
+			&types.Policy{Resource: ResourceExportCVE, Action: ActionRead},
+
 			&types.Policy{Resource: ResourceQuota, Action: ActionUpdate},
 
 			&types.Policy{Resource: ResourceUserGroup, Action: ActionCreate},

diff --git a/src/common/rbac/const_test.go b/src/common/rbac/const_test.go
@@ -1,10 +1,6 @@
 package rbac
 
 import (
-	"context"
-
-	"github.com/goharbor/harbor/src/common"
-	"github.com/goharbor/harbor/src/lib/config"
 	_ "github.com/goharbor/harbor/src/pkg/config/inmemory"
 
 	"github.com/stretchr/testify/assert"
@@ -34,21 +30,7 @@ func TestNolimitProvider(t *testing.T) {
 }
 
 func TestGetPermissionProvider(t *testing.T) {
-	cfg := map[string]interface{}{
-		common.EnableRobotFullAccess: "false",
-	}
-	config.InitWithSettings(cfg)
-
-	defaultPro := GetPermissionProvider(context.Background())
-	_, ok := defaultPro.(*BaseProvider)
+	defaultPro := GetPermissionProvider()
+	_, ok := defaultPro.(*NolimitProvider)
 	assert.True(t, ok)
-
-	cfg = map[string]interface{}{
-		common.EnableRobotFullAccess: "true",
-	}
-	config.InitWithSettings(cfg)
-	defaultPro = GetPermissionProvider(context.Background())
-	_, ok = defaultPro.(*NolimitProvider)
-	assert.True(t, ok)
-
 }
diff --git a/src/controller/robot/controller.go b/src/controller/robot/controller.go
@@ -97,10 +97,6 @@ func (d *controller) Count(ctx context.Context, query *q.Query) (int64, error) {
 
 // Create ...
 func (d *controller) Create(ctx context.Context, r *Robot) (int64, string, error) {
-	if err := d.setProject(ctx, r); err != nil {
-		return 0, "", err
-	}
-
 	var expiresAt int64
 	if r.Duration == -1 {
 		expiresAt = -1
@@ -327,22 +323,6 @@ func (d *controller) populatePermissions(ctx context.Context, r *Robot) error {
 	return nil
 }
 
-// set the project info if it's a project level robot
-func (d *controller) setProject(ctx context.Context, r *Robot) error {
-	if r == nil {
-		return nil
-	}
-	if r.Level == LEVELPROJECT {
-		pro, err := d.proMgr.Get(ctx, r.Permissions[0].Namespace)
-		if err != nil {
-			return err
-		}
-		r.ProjectName = pro.Name
-		r.ProjectID = pro.ProjectID
-	}
-	return nil
-}
-
 // convertScope converts the db scope into robot model
 // /system    =>  Kind: system  Namespace: /
 // /project/* =>  Kind: project Namespace: *
@@ -394,6 +374,22 @@ func (d *controller) toScope(ctx context.Context, p *Permission) (string, error)
 	return "", errors.New(nil).WithMessage("unknown robot kind").WithCode(errors.BadRequestCode)
 }
 
+// set the project info if it's a project level robot
+func SetProject(ctx context.Context, r *Robot) error {
+	if r == nil {
+		return nil
+	}
+	if r.Level == LEVELPROJECT {
+		pro, err := project.New().Get(ctx, r.Permissions[0].Namespace)
+		if err != nil {
+			return err
+		}
+		r.ProjectName = pro.Name
+		r.ProjectID = pro.ProjectID
+	}
+	return nil
+}
+
 func CreateSec(salt ...string) (string, string, string, error) {
 	var secret, pwd string
 	options := []retry.Option{

diff --git a/src/controller/robot/model.go b/src/controller/robot/model.go
@@ -39,10 +39,11 @@ const (
 // Robot ...
 type Robot struct {
 	model.Robot
-	ProjectName string
-	Level       string
-	Editable    bool          `json:"editable"`
-	Permissions []*Permission `json:"permissions"`
+	ProjectName     string
+	ProjectNameOrID interface{}
+	Level           string
+	Editable        bool          `json:"editable"`
+	Permissions     []*Permission `json:"permissions"`
 }
 
 // IsSysLevel, true is a system level robot, others are project level.

diff --git a/src/controller/scan/base_controller.go b/src/controller/scan/base_controller.go
@@ -867,7 +867,8 @@ func (bc *basicController) makeRobotAccount(ctx context.Context, projectID int64
 			CreatorType: "local",
 			CreatorRef:  int64(0),
 		},
-		Level: robot.LEVELPROJECT,
+		ProjectName: projectName,
+		Level:       robot.LEVELPROJECT,
 		Permissions: []*robot.Permission{
 			{
 				Kind:      "project",

diff --git a/src/lib/config/metadata/metadatalist.go b/src/lib/config/metadata/metadatalist.go
@@ -201,7 +201,5 @@ var (
 
 		{Name: common.BeegoMaxMemoryBytes, Scope: SystemScope, Group: BasicGroup, EnvKey: "BEEGO_MAX_MEMORY_BYTES", DefaultValue: fmt.Sprintf("%d", common.DefaultBeegoMaxMemoryBytes), ItemType: &Int64Type{}, Editable: false, Description: `The bytes for limiting the beego max memory, default is 128GB`},
 		{Name: common.BeegoMaxUploadSizeBytes, Scope: SystemScope, Group: BasicGroup, EnvKey: "BEEGO_MAX_UPLOAD_SIZE_BYTES", DefaultValue: fmt.Sprintf("%d", common.DefaultBeegoMaxUploadSizeBytes), ItemType: &Int64Type{}, Editable: false, Description: `The bytes for limiting the beego max upload size, default it 128GB`},
-
-		{Name: common.EnableRobotFullAccess, Scope: SystemScope, Group: BasicGroup, EnvKey: "ENABLE_ROBOT_FULL_ACCESS", DefaultValue: "false", ItemType: &BoolType{}, Editable: true, Description: `The flag indicates if a robot is able to access full entry points of harbor`},
 	}
 )
diff --git a/src/lib/config/userconfig.go b/src/lib/config/userconfig.go
@@ -257,11 +257,6 @@ func ScannerSkipUpdatePullTime(ctx context.Context) bool {
 	return DefaultMgr().Get(ctx, common.ScannerSkipUpdatePullTime).GetBool()
 }
 
-// RobotFullAccess returns a bool to indicate if the robot can access full entry points
-func RobotFullAccess(ctx context.Context) bool {
-	return DefaultMgr().Get(ctx, common.EnableRobotFullAccess).GetBool()
-}
-
 // BannerMessage returns the customized banner message
 func BannerMessage(ctx context.Context) string {
 	return DefaultMgr().Get(ctx, common.BannerMessage).GetString()

diff --git a/src/server/v2.0/handler/permissions.go b/src/server/v2.0/handler/permissions.go
@@ -71,7 +71,7 @@ func (p *permissionsAPI) GetPermissions(ctx context.Context, _ permissions.GetPe
 		return p.SendError(ctx, errors.ForbiddenError(errors.New("only admins(system and project) can access permissions")))
 	}
 
-	provider := rbac.GetPermissionProvider(ctx)
+	provider := rbac.GetPermissionProvider()
 	sysPermissions := make([]*types.Policy, 0)
 	proPermissions := provider.GetPermissions(rbac.ScopeProject)
 	if isSystemAdmin {