Merge pull request #10970 from wy65701436/remove-regtoken

remove middleware regtoken
2024-09-21 03:02:07 +00:00 · 2020-03-09 09:41:46 +08:00 · 2020-03-09 09:41:46 +08:00 · e4bee937ff
commit e4bee937ff
parent e86d3a728c ddc0f83ccd
6 changed files with 0 additions and 151 deletions
--- a/src/server/middleware/contenttrust/contenttrust.go
+++ b/src/server/middleware/contenttrust/contenttrust.go
@ -49,9 +49,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo) {
 	if !ok {
 		return false, none
 	}
-	if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
-		return false, none
-	}
 	if !middleware.GetPolicyChecker().ContentTrustEnabled(af.ProjectName) {
 		return false, af
 	}
--- a/src/server/middleware/regtoken/regtoken.go
+++ b/src/server/middleware/regtoken/regtoken.go
@ -1,66 +0,0 @@
-package regtoken
-
-import (
-	"errors"
-	"github.com/docker/distribution/registry/auth"
-	"github.com/goharbor/harbor/src/common/rbac"
-	"github.com/goharbor/harbor/src/common/utils/log"
-	pkg_token "github.com/goharbor/harbor/src/pkg/token"
-	"github.com/goharbor/harbor/src/pkg/token/claims/registry"
-	serror "github.com/goharbor/harbor/src/server/error"
-	"github.com/goharbor/harbor/src/server/middleware"
-	"net/http"
-	"strings"
-)
-
-// Middleware parses the docker pull bearer token and check whether it's a scanner pull.
-func Middleware() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-			err := parseToken(req)
-			if err != nil {
-				serror.SendError(rw, err)
-				return
-			}
-			next.ServeHTTP(rw, req)
-		})
-	}
-}
-
-func parseToken(req *http.Request) error {
-	art, ok := middleware.ArtifactInfoFromContext(req.Context())
-	if !ok {
-		return errors.New("cannot get the manifest information from request context")
-	}
-
-	parts := strings.Split(req.Header.Get("Authorization"), " ")
-	if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
-		return nil
-	}
-
-	rawToken := parts[1]
-	opt := pkg_token.DefaultTokenOptions()
-	regTK, err := pkg_token.Parse(opt, rawToken, &registry.Claim{})
-	if err != nil {
-		log.Errorf("failed to decode reg token: %v, the error is skipped and round the request to native registry.", err)
-		return nil
-	}
-
-	accessItems := []auth.Access{}
-	accessItems = append(accessItems, auth.Access{
-		Resource: auth.Resource{
-			Type: rbac.ResourceRepository.String(),
-			Name: art.Repository,
-		},
-		Action: rbac.ActionScannerPull.String(),
-	})
-
-	accessSet := regTK.Claims.(*registry.Claim).GetAccess()
-	for _, access := range accessItems {
-		if accessSet.Contains(access) {
-			*req = *(req.WithContext(middleware.NewScannerPullContext(req.Context(), true)))
-		}
-	}
-
-	return nil
-}
--- a/src/server/middleware/regtoken/regtoken_test.go
+++ b/src/server/middleware/regtoken/regtoken_test.go
@ -1,64 +0,0 @@
-package regtoken
-
-import (
-	"context"
-	"fmt"
-	"github.com/goharbor/harbor/src/core/middlewares/util"
-	"github.com/goharbor/harbor/src/server/middleware"
-	"github.com/stretchr/testify/suite"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"testing"
-)
-
-type HandlerSuite struct {
-	suite.Suite
-}
-
-func doPullManifestRequest(projectName, name, tag string, next ...http.HandlerFunc) int {
-	repository := fmt.Sprintf("%s/%s", projectName, name)
-
-	url := fmt.Sprintf("/v2/%s/manifests/%s", repository, tag)
-	req, _ := http.NewRequest("GET", url, nil)
-
-	token := "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IkNWUTc6REM3NTpHVEROOkxTTUs6VUFJTjpIUUVWOlZVSDQ6Q0lRRDpRV01COlM0Qzc6U0c0STpGRUhYIn0.eyJpc3MiOiJoYXJib3ItdG9rZW4taXNzdWVyIiwic3ViIjoicm9ib3QkZGVtbzExIiwiYXVkIjoiaGFyYm9yLXJlZ2lzdHJ5IiwiZXhwIjoxNTcxNzYzOTI2LCJuYmYiOjE1NzE3NjM4NjYsImlhdCI6MTU3MTc2Mzg2NiwianRpIjoiTnRaZWx4Z01KTUU1MXlEMCIsImFjY2VzcyI6W3sidHlwZSI6InJlcG9zaXRvcnkiLCJuYW1lIjoibGlicmFyeS9oZWxsby13b3JsZCIsImFjdGlvbnMiOlsicHVzaCIsIioiLCJwdWxsIiwic2Nhbm5lcnB1bGwiXX1dfQ.GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ 0xc0003c77c0 map[alg:RS256 kid:CVQ7:DC75:GTDN:LSMK:UAIN:HQEV:VUH4:CIQD:QWMB:S4C7:SG4I:FEHX typ:JWT] 0xc000496000 GlWuvtoxmChnpvbWaG5901Z9-g63DrzyNUREWlDbR5gnNeuOKjLNyE4QpogAQKx2yYtcGxbqNL3VfJkExJ_gMS0Qw8e10utGOawwqD4oqf_J06eKq4HzpZJengZfcjMA4g2RoeOlqdVdwimB_PdX9vkBO1od0wX0Cc2v0p2w5TkibcThKRoeLeVs2oRewkKLuVHNSM8wwRIlAvpWJuNnvRCFlHRkLcZM_KpGXqT7H-PZETTisWCi1pMxeYEwIsDFLlTKdV8LaiDeDmH-RaLOsuyAySYEW9Ynk5K3P_dUl2c_SYQXloPyi0MvXxSn6EWE4eHF2oQDM_SvIzR9sOVB8TtjMjKKMQ4yr_mqgMcfEpnInJATExBR56wmxNdLESncHl8rUYCe2jCjQFuR9NGQA1tGdjI4NoBN-OVD0dBs9rm_mkb2tgD-3gEhyzAw6hg0uzDsF7bj5Aq8scoi42UurhX2bZM89s4-TWBp4DWuBG0HDiwpOiBvB3RMm6MpQxsqrl0hQm_WH18L6QCknAW2e3d_6DJWJ0eBzISrhDr7LkqJKl1J8pv4zqoh_EUVeLyzTmjEULm-VbnpVF4wW5yTLF3S6F7Ox4vwWtVfi1XQNVOcJDB3VPUsRgiTTuCW-ZGcBLw-OdIcwaJ3T_QZkEjUw1f6i1JcGa0Mpgl83aLiSdQ"
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-	rr := httptest.NewRecorder()
-
-	af := &middleware.ArtifactInfo{
-		Repository: name,
-		Reference:  tag,
-		Tag:        tag,
-		Digest:     "",
-	}
-
-	var n http.HandlerFunc
-	if len(next) > 0 {
-		n = next[0]
-	} else {
-		n = func(w http.ResponseWriter, req *http.Request) {
-			w.WriteHeader(http.StatusNotFound)
-		}
-	}
-	ctx := context.WithValue(req.Context(), middleware.ArtifactInfoKey, af)
-	*req = *(req.WithContext(ctx))
-	n.ServeHTTP(util.NewCustomResponseWriter(rr), req)
-
-	return rr.Code
-}
-
-func (suite *HandlerSuite) TestPullManifest() {
-	code1 := doPullManifestRequest("library", "photon", "release-1.10")
-	suite.Equal(http.StatusNotFound, code1)
-}
-
-func TestMain(m *testing.M) {
-	if result := m.Run(); result != 0 {
-		os.Exit(result)
-	}
-}
-
-func TestRunHandlerSuite(t *testing.T) {
-	suite.Run(t, new(HandlerSuite))
-}
--- a/src/server/middleware/util.go
+++ b/src/server/middleware/util.go
@ -29,8 +29,6 @@ const (
 	DigestSubexp = "digest"
 	// ArtifactInfoKey the context key for artifact info
 	ArtifactInfoKey = contextKey("artifactInfo")
-	// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
-	ScannerPullCtxKey = contextKey("ScannerPullCheck")
 )

 var (
@ -86,17 +84,6 @@ func EnsureArtifactDigest(ctx context.Context) error {
 	return nil
 }

-// NewScannerPullContext returns context with policy check info
-func NewScannerPullContext(ctx context.Context, scannerPull bool) context.Context {
-	return context.WithValue(ctx, ScannerPullCtxKey, scannerPull)
-}
-
-// ScannerPullFromContext returns whether to bypass policy check
-func ScannerPullFromContext(ctx context.Context) (bool, bool) {
-	info, ok := ctx.Value(ScannerPullCtxKey).(bool)
-	return info, ok
-}
-
 // CopyResp ...
 func CopyResp(rec *httptest.ResponseRecorder, rw http.ResponseWriter) {
 	for k, v := range rec.Header() {
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@ -105,9 +105,6 @@ func validate(req *http.Request) (bool, middleware.ArtifactInfo, vuln.Severity,
 		return false, af, vs, wl
 	}

-	if scannerPull, ok := middleware.ScannerPullFromContext(req.Context()); ok && scannerPull {
-		return false, af, vs, wl
-	}
 	// Is vulnerable policy set?
 	projectVulnerableEnabled, projectVulnerableSeverity, wl := middleware.GetPolicyChecker().VulnerablePolicy(af.ProjectName)
 	if !projectVulnerableEnabled {
--- a/src/server/registry/route.go
+++ b/src/server/registry/route.go
@ -21,7 +21,6 @@ import (
 	"github.com/goharbor/harbor/src/server/middleware/blob"
 	"github.com/goharbor/harbor/src/server/middleware/contenttrust"
 	"github.com/goharbor/harbor/src/server/middleware/immutable"
-	"github.com/goharbor/harbor/src/server/middleware/regtoken"
 	"github.com/goharbor/harbor/src/server/middleware/v2auth"
 	"github.com/goharbor/harbor/src/server/middleware/vulnerable"
 	"github.com/goharbor/harbor/src/server/router"
@ -47,7 +46,6 @@ func RegisterRoutes() {
 	root.NewRoute().
 		Method(http.MethodGet).
 		Path("/*/manifests/:reference").
-		Middleware(regtoken.Middleware()).
 		Middleware(contenttrust.Middleware()).
 		Middleware(vulnerable.Middleware()).
 		HandlerFunc(getManifest)