From a6d88d70745332c3b3b1ca4c00361a9847ff9c3d Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Tue, 27 Sep 2016 13:29:44 +0800
Subject: [PATCH] filter access should work when user use email to docker login
---
 service/token/authutils.go | 7 +++----
 service/token/token.go | 31 ++++++++++++++++---------------
 2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/service/token/authutils.go b/service/token/authutils.go
index 7e914c732..08f976bbf 100644
--- a/service/token/authutils.go
+++ b/service/token/authutils.go
@@ -95,8 +95,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
 }
 // FilterAccess modify the action list in access based on permission
-// determine if the request needs to be authenticated.
-func FilterAccess(username string, authenticated bool, a *token.ResourceActions) {
+func FilterAccess(username string, a *token.ResourceActions) {
 	if a.Type == "registry" && a.Name == "catalog" {
 		log.Infof("current access, type: %s, name:%s, actions:%v \n", a.Type, a.Name, a.Actions)
@@ -109,7 +108,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 	if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
 		projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
 		var permission string
-		if authenticated {
+		if len(username) > 0 {
 			isAdmin, err := dao.IsAdminRole(username)
 			if err != nil {
 				log.Errorf("Error occurred in IsAdminRole: %v", err)
@@ -152,7 +151,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 func GenTokenForUI(username string, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
 	access := GetResourceActions(scopes)
 	for _, a := range access {
-		FilterAccess(username, true, a)
+		FilterAccess(username, a)
 	}
 	return MakeToken(username, service, access)
 }
diff --git a/service/token/token.go b/service/token/token.go
index 50cff39a6..0c2290ab4 100644
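Review bot: The new `if len(username) > 0` test in the second authutils.go hunk silently redefines "authenticated" as "username is non-empty", and nothing in FilterAccess says so, since the first hunk also drops the only doc line that mentioned authentication. Every caller must now guarantee that a non-empty username was verified before the call, because the branch feeds it straight into `dao.IsAdminRole(username)` and, presumably, the project-permission lookup that follows outside the hunk; the callers visible in this patch (GenTokenForUI below and Handler.Get in token.go) do, but a future caller could hand admin handling to an unverified name. I would state the contract on the check itself: `// An empty username marks an unauthenticated request; callers must pass only a verified username, as it is trusted for the admin-role lookup below.` FilterAccess starts before and ends after this hunk.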
--- a/service/token/token.go
+++ b/service/token/token.go
@@ -38,7 +38,7 @@ type Handler struct {
 // checkes the permission agains local DB and generates jwt token.
 func (h *Handler) Get() {
-	var username, password string
+	var uid, password, username string
 	request := h.Ctx.Request
 	service := h.GetString("service")
 	scopes := h.GetStrings("scope")
@@ -49,15 +49,20 @@ func (h *Handler) Get() {
 		log.Debugf("Will grant all access as this request is from job service with legal secret.")
 		username = "job-service-user"
 	} else {
-		username, password, _ = request.BasicAuth()
-		authenticated := authenticate(username, password)
-
-		if len(scopes) == 0 && !authenticated {
-			log.Info("login request with invalid credentials")
-			h.CustomAbort(http.StatusUnauthorized, "")
+		uid, password, _ = request.BasicAuth()
+		log.Debugf("uid for logging: %s", uid)
+		user := authenticate(uid, password)
+		if user == nil {
+			log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
+			if len(scopes) == 0 {
+				h.CustomAbort(http.StatusUnauthorized, "")
+			}
+		} else {
+			username = user.Username
 		}
+		log.Debugf("username for filtering access: %s.", username)
 		for _, a := range access {
-			FilterAccess(username, authenticated, a)
+			FilterAccess(username, a)
 		}
 	}
 	h.serveToken(username, service, access)
@@ -80,18 +85,14 @@ func (h *Handler) serveToken(username, service string, access []*token.ResourceA
 	h.ServeJSON()
 }
-func authenticate(principal, password string) bool {
+func authenticate(principal, password string) *models.User {
 	user, err := auth.Login(models.AuthModel{
 		Principal: principal,
 		Password:  password,
 	})
 	if err != nil {
 		log.Errorf("Error occurred in UserLogin: %v", err)
-		return false
+		return nil
 	}
-	if user == nil {
-		return false
-	}
-
-	return true
+	return user
 }
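Review bot: The `ok` result of `request.BasicAuth()` is still discarded on the first added line of the second token.go hunk, so the branch cannot tell a request with no Authorization header from one whose credentials were rejected: both reach `authenticate`, and both trigger the new `log.Warningf`, which — if anonymous pulls reach this branch, and nothing visible excludes them — fires on every anonymous token request and is useless as a brute-force signal. Presented-but-invalid credentials with a non-empty scope are also still downgraded to an anonymous token instead of refused, which hides bad stored credentials from the client and keeps failed guesses out of the 4xx logs; if that downgrade is not intentional, branching on `ok` fixes both. I would also log the attacker-chosen uid with `%q`, at which point the `uid for logging` debug line becomes redundant. Get() starts before and ends after this hunk.
```go
	} else {
		var ok bool
		uid, password, ok = request.BasicAuth()
		if ok {
			user := authenticate(uid, password)
			if user == nil {
				// Credentials were presented and rejected: refuse instead of
				// silently issuing an anonymous token.
				log.Warningf("login request with invalid credentials in token service, uid: %q", uid)
				h.CustomAbort(http.StatusUnauthorized, "")
				return
			}
			username = user.Username
		} else if len(scopes) == 0 {
			// A login request with no Authorization header can never succeed.
			h.CustomAbort(http.StatusUnauthorized, "")
			return
		}
		log.Debugf("username for filtering access: %s.", username)
		// … unchanged: FilterAccess loop …
```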