diff --git a/src/server/v2.0/handler/robot.go b/src/server/v2.0/handler/robot.go
index 221a072577..a49d52cc7b 100644
--- a/src/server/v2.0/handler/robot.go
+++ b/src/server/v2.0/handler/robot.go
@@ -31,10 +31,8 @@ import (
 	"github.com/goharbor/harbor/src/common/utils"
 	"github.com/goharbor/harbor/src/controller/robot"
 	"github.com/goharbor/harbor/src/lib"
-	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/lib/errors"
 	"github.com/goharbor/harbor/src/lib/log"
-	"github.com/goharbor/harbor/src/lib/q"
 	"github.com/goharbor/harbor/src/pkg/permission/types"
 	pkg "github.com/goharbor/harbor/src/pkg/robot/model"
 	"github.com/goharbor/harbor/src/server/v2.0/handler/model"
@@ -87,6 +85,12 @@ func (rAPI *robotAPI) CreateRobot(ctx context.Context, params operation.CreateRo
 	case *local.SecurityContext:
 		creatorRef = int64(s.User().UserID)
 	case *robotSc.SecurityContext:
+		if s.User() == nil {
+			return rAPI.SendError(ctx, errors.New(nil).WithMessage("invalid security context: empty robot account"))
+		}
+		if !isValidPermissionScope(params.Robot.Permissions, s.User().Permissions) {
+			return rAPI.SendError(ctx, errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", s.User().Name).WithCode(errors.DENIED))
+		}
 		creatorRef = s.User().ID
 	default:
 		return rAPI.SendError(ctx, errors.New(nil).WithMessage("invalid security context"))
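Review bot: The new scope check in the `case *robotSc.SecurityContext:` branch silently loses the project constraint the removed lookup enforced: the old `List` was keyed on `"project_id": r.ProjectID`, so a creator robot from a different project got `DeniedError` before any permission comparison, whereas now a cross-project creation is rejected only if `isValidPermissionScope` also compares each permission's `Kind`/`Namespace` and not just resource/action, which is not visible in this hunk. If it does not, a project-scoped robot could mint a robot in another project whose resource/action set happens to be a subset of its own; I would add an explicit namespace check before the scope check, or at minimum the comment `// isValidPermissionScope must also match Kind/Namespace: the old project_id-scoped lookup that prevented cross-project creation is gone.` A second, smaller point is that `s.User().Permissions` are whatever the robot auth path put into the security context, not a fresh read from the store as before; if that path populates them per request this is equivalent, but it is worth confirming rather than assuming. CreateRobot's body starts before this hunk and continues after it.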
@@ -102,25 +106,6 @@ func (rAPI *robotAPI) CreateRobot(ctx context.Context, params operation.CreateRo
 		return rAPI.SendError(ctx, err)
 	}
 
-	if _, ok := sc.(*robotSc.SecurityContext); ok {
-		creatorRobots, err := rAPI.robotCtl.List(ctx, q.New(q.KeyWords{
-			"name": strings.TrimPrefix(sc.GetUsername(), config.RobotPrefix(ctx)),
-			"project_id": r.ProjectID,
-		}), &robot.Option{
-			WithPermission: true,
-		})
-		if err != nil {
-			return rAPI.SendError(ctx, err)
-		}
-		if len(creatorRobots) == 0 {
-			return rAPI.SendError(ctx, errors.DeniedError(nil))
-		}
-
-		if !isValidPermissionScope(params.Robot.Permissions, creatorRobots[0].Permissions) {
-			return rAPI.SendError(ctx, errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", creatorRobots[0].Name).WithCode(errors.DENIED))
-		}
-	}
-
 	rid, pwd, err := rAPI.robotCtl.Create(ctx, r)
 	if err != nil {
 		return rAPI.SendError(ctx, err)