fix robot account list project (#18304)

Fixes #17636, to determine permissions for the project resource, the path should be /project instead of /project/project. Signed-off-by: Wang Yan <wangyan@vmware.com>
2025-04-19 05:54:33 +00:00 · 2023-03-09 14:16:18 +08:00 · 2023-03-09 14:16:18 +08:00 · 5a065d1cd8
commit 5a065d1cd8
parent 295260b7a3
2 changed files with 95 additions and 1 deletions
--- a/src/common/security/robot/context.go
+++ b/src/common/security/robot/context.go
@ -93,7 +93,7 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
 				accesses = append(accesses, &types.Policy{
 					Action:   a.Action,
 					Effect:   a.Effect,
-					Resource: types.Resource(fmt.Sprintf("%s/%s", p.Scope, a.Resource)),
+					Resource: types.Resource(getPolicyResource(p, a)),
 				})
 			}
 		}
@ -138,3 +138,11 @@ func filterRobotPolicies(p *models.Project, policies []*types.Policy) []*types.P
 	}
 	return results
 }
+
+// getPolicyResource to determine permissions for the project resource, the path should be /project instead of /project/project.
+func getPolicyResource(perm *robot.Permission, pol *types.Policy) string {
+	if strings.HasPrefix(perm.Scope, robot.SCOPEPROJECT) && pol.Resource == rbac.ResourceProject {
+		return perm.Scope
+	}
+	return fmt.Sprintf("%s/%s", perm.Scope, pol.Resource)
+}
--- a/src/common/security/robot/context_test.go
+++ b/src/common/security/robot/context_test.go
@ -242,3 +242,89 @@ func Test_filterRobotPolicies(t *testing.T) {
 		})
 	}
 }
+
+func Test_getPolicyResource(t *testing.T) {
+	type args struct {
+		perm *robot.Permission
+		poli *types.Policy
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			"project resource",
+			args{
+				&robot.Permission{
+					Kind:      "project",
+					Namespace: "library",
+					Access: []*types.Policy{
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPush,
+						},
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPull,
+						},
+					},
+					Scope: fmt.Sprintf("/project/%d", private.ProjectID),
+				},
+				&types.Policy{Resource: "project", Action: "pull", Effect: "allow"},
+			},
+			fmt.Sprintf("/project/%d", private.ProjectID),
+		},
+		{
+			"project resource",
+			args{
+				&robot.Permission{
+					Kind:      "project",
+					Namespace: "library",
+					Access: []*types.Policy{
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPush,
+						},
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPull,
+						},
+					},
+					Scope: fmt.Sprintf("/project/%d", private.ProjectID),
+				},
+				&types.Policy{Resource: "repository", Action: "get", Effect: "allow"},
+			},
+			fmt.Sprintf("/project/%d/repository", private.ProjectID),
+		},
+		{
+			"system resource",
+			args{
+				&robot.Permission{
+					Kind:      "project",
+					Namespace: "library",
+					Access: []*types.Policy{
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPush,
+						},
+						{
+							Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+							Action:   rbac.ActionPull,
+						},
+					},
+					Scope: "/system",
+				},
+				&types.Policy{Resource: "repository", Action: "get", Effect: "allow"},
+			},
+			"/system/repository",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getPolicyResource(tt.args.perm, tt.args.poli); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("getPolicyResource() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}