mirror of
https://github.com/goharbor/harbor
synced 2024-09-20 20:15:30 +00:00
Merge pull request #15018 from reasonerjt/v2auth-enhancement-v2.2
[Cherrypick - v2.2]: Make v2auth more strict
commit
b333bff9ee
|
@ -17,13 +17,14 @@ package v2auth
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
|
|
||||||
"github.com/goharbor/harbor/src/common/rbac/system"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
|
rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
|
||||||
|
"github.com/goharbor/harbor/src/common/rbac/system"
|
||||||
|
|
||||||
"github.com/goharbor/harbor/src/common/rbac"
|
"github.com/goharbor/harbor/src/common/rbac"
|
||||||
"github.com/goharbor/harbor/src/common/security"
|
"github.com/goharbor/harbor/src/common/security"
|
||||||
"github.com/goharbor/harbor/src/controller/project"
|
"github.com/goharbor/harbor/src/controller/project"
|
||||||
|
@ -49,7 +50,9 @@ func (rc *reqChecker) check(req *http.Request) (string, error) {
|
||||||
return "", fmt.Errorf("the security context got from request is nil")
|
return "", fmt.Errorf("the security context got from request is nil")
|
||||||
}
|
}
|
||||||
al := accessList(req)
|
al := accessList(req)
|
||||||
|
if len(al) == 0 {
|
||||||
|
return "", fmt.Errorf("un-recognized request: %s %s", req.Method, req.URL.Path)
|
||||||
|
}
|
||||||
for _, a := range al {
|
for _, a := range al {
|
||||||
if a.target == login && !securityCtx.IsAuthenticated() {
|
if a.target == login && !securityCtx.IsAuthenticated() {
|
||||||
return getChallenge(req, al), errors.New("unauthorized")
|
return getChallenge(req, al), errors.New("unauthorized")
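Review bot: The new early return in `check` formats the client-supplied `req.URL.Path` with `%s`, so a path carrying decoded control characters could break or forge log lines wherever this error is logged. `%q` escapes them: `return "", fmt.Errorf("un-recognized request: %s %q", req.Method, req.URL.Path)`. The guard also deserves a one-line comment saying it is deliberately fail-closed, e.g. `// fail closed: a request that maps to no access entry is rejected rather than skipped by the loop below`. It returns an empty challenge string, unlike the `getChallenge(req, al)` path; whether the caller copes with that cannot be seen here, because the rest of `check` and its caller are outside the hunk.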
|
||||||
|
|
|
@ -154,6 +154,7 @@ func TestMiddleware(t *testing.T) {
|
||||||
req4, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_2/ubuntu", nil)
|
req4, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_2/ubuntu", nil)
|
||||||
req5, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_3/ubuntu", nil)
|
req5, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_3/ubuntu", nil)
|
||||||
req6, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil)
|
req6, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil)
|
||||||
|
req7, _ := http.NewRequest(http.MethodPost, "/v2/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil)
|
||||||
|
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
input *http.Request
|
input *http.Request
|
||||||
|
@ -191,6 +192,10 @@ func TestMiddleware(t *testing.T) {
|
||||||
input: req6.WithContext(ctx5),
|
input: req6.WithContext(ctx5),
|
||||||
status: http.StatusUnauthorized,
|
status: http.StatusUnauthorized,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
input: req7.WithContext(ctx5),
|
||||||
|
status: http.StatusUnauthorized,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for _, c := range cases {
|
for _, c := range cases {
|
||||||
rec := httptest.NewRecorder()
|
rec := httptest.NewRecorder()
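Review bot: The added `req7` case asserts only `http.StatusUnauthorized` under `ctx5`, and the preceding `req6.WithContext(ctx5)` case already expects that status for a well-formed repository path. The test could therefore pass even if the new empty-access-list check never fires. `ctx5` is defined outside the hunk, so this is inferred, but pairing `req7` with a context that is accepted for a recognised request would pin the rejection to the unrecognised path. A direct test of `reqChecker.check` asserting a non-nil error for this path would do the same. A short comment above `req7`, such as `// no project/repository segment: must be rejected as un-recognized`, would record the intent.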
|
||||||
|
|