Merge pull request #15018 from reasonerjt/v2auth-enhancement-v2.2

[Cherrypick - v2.2]: Make v2auth more strict
Wenkai Yin(尹文开) 2021-06-01 09:14:53 +08:00 committed by GitHub
commit b333bff9ee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 3 deletions


@ -17,13 +17,14 @@ package v2auth
import ( import (
"context" "context"
"fmt" "fmt"
rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
"github.com/goharbor/harbor/src/common/rbac/system"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
"sync" "sync"
rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
"github.com/goharbor/harbor/src/common/rbac/system"
"github.com/goharbor/harbor/src/common/rbac" "github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/security" "github.com/goharbor/harbor/src/common/security"
"github.com/goharbor/harbor/src/controller/project" "github.com/goharbor/harbor/src/controller/project"
@ -49,7 +50,9 @@ func (rc *reqChecker) check(req *http.Request) (string, error) {
return "", fmt.Errorf("the security context got from request is nil") return "", fmt.Errorf("the security context got from request is nil")
} }
al := accessList(req) al := accessList(req)
if len(al) == 0 {
return "", fmt.Errorf("un-recognized request: %s %s", req.Method, req.URL.Path)
}
for _, a := range al { for _, a := range al {
if a.target == login && !securityCtx.IsAuthenticated() { if a.target == login && !securityCtx.IsAuthenticated() {
return getChallenge(req, al), errors.New("unauthorized") return getChallenge(req, al), errors.New("unauthorized")
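Review bot: The new rejection interpolates `req.URL.Path` with `%s`, but the path is attacker-controlled and this error presumably ends up in a log line, so control characters or an empty path are not visibly escaped; use `%q` as the Go convention for user input: `return "", fmt.Errorf("un-recognized request: %s %q", req.Method, req.URL.Path)`. Since this guard is the whole point of "make v2auth more strict", it also deserves a why-comment so nobody later "simplifies" it away, e.g. `// Fail closed: a request that matches no known v2 route must not fall through to the loop below.` Note the challenge returned here is empty, so an unrecognized request presumably gets a 401 without a WWW-Authenticate header, which is acceptable for a non-route but worth stating in the same comment. The body of reqChecker.check, including whatever follows the loop, continues outside the hunk, and accessList is defined elsewhere.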


@ -154,6 +154,7 @@ func TestMiddleware(t *testing.T) {
req4, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_2/ubuntu", nil) req4, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_2/ubuntu", nil)
req5, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_3/ubuntu", nil) req5, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_3/ubuntu", nil)
req6, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil) req6, _ := http.NewRequest(http.MethodPost, "/v2/project_1/ubuntu/blobs/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil)
req7, _ := http.NewRequest(http.MethodPost, "/v2/uploads/mount=?mount=sha256:08e4a417ff4e3913d8723a05cc34055db01c2fd165b588e049c5bad16ce6094f&from=project_0/ubuntu", nil)
cases := []struct { cases := []struct {
input *http.Request input *http.Request
@ -191,6 +192,10 @@ func TestMiddleware(t *testing.T) {
input: req6.WithContext(ctx5), input: req6.WithContext(ctx5),
status: http.StatusUnauthorized, status: http.StatusUnauthorized,
}, },
{
input: req7.WithContext(ctx5),
status: http.StatusUnauthorized,
},
} }
for _, c := range cases { for _, c := range cases {
rec := httptest.NewRecorder() rec := httptest.NewRecorder()
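Review bot: The new case exercises the unrecognized-path rejection only with `ctx5`, whose identity is set up outside the hunk; a deny-by-default check should be shown to hold regardless of who is asking, so add the same request with one of the test's authenticated (e.g. project-admin or system-admin) contexts and assert `http.StatusUnauthorized` as well. A second variant on a different method, such as `http.NewRequest(http.MethodGet, "/v2/uploads/mount=", nil)`, would pin the behavior to the route rather than to the mount-specific query string. The `cases` table and the loop that drives it begin and end outside the visible hunks.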