root
/
harbor
mirror of https://github.com/goharbor/harbor.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

fix robot issue-21406 (#22387)
Build Package Workflow / BUILD_PACKAGE (push) Waiting to run Details
Code scanning - action / CodeQL-Build (push) Waiting to run Details 

fixes #21406

The changes are target to fix the system robot to create a project level robots.
It should not to get the creator robot with the createe robot's project id, and updates the code get the creator robot from the security context.

Signed-off-by: wang yan <yan-yw.wang@broadcom.com>
Co-authored-by: wang yan <yan-yw.wang@broadcom.com>
This commit is contained in:
Wang Yan 2025-09-29 15:28:41 +08:00 committed by GitHub
parent 1a7eb31a5f
commit 4da6070872
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/server/v2.0/handler/robot.go
View File

@ -31,10 +31,8 @@ import (
"github.com/goharbor/harbor/src/common/utils"
"github.com/goharbor/harbor/src/controller/robot"
"github.com/goharbor/harbor/src/lib"
"github.com/goharbor/harbor/src/lib/config"
"github.com/goharbor/harbor/src/lib/errors"
"github.com/goharbor/harbor/src/lib/log"
"github.com/goharbor/harbor/src/lib/q"
"github.com/goharbor/harbor/src/pkg/permission/types"
pkg "github.com/goharbor/harbor/src/pkg/robot/model"
"github.com/goharbor/harbor/src/server/v2.0/handler/model"
@ -87,6 +85,12 @@ func (rAPI *robotAPI) CreateRobot(ctx context.Context, params operation.CreateRo
case *local.SecurityContext:
creatorRef = int64(s.User().UserID)
case *robotSc.SecurityContext:
if s.User() == nil {
return rAPI.SendError(ctx, errors.New(nil).WithMessage("invalid security context: empty robot account"))
}
if !isValidPermissionScope(params.Robot.Permissions, s.User().Permissions) {
return rAPI.SendError(ctx, errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", s.User().Name).WithCode(errors.DENIED))
}
creatorRef = s.User().ID
default:
return rAPI.SendError(ctx, errors.New(nil).WithMessage("invalid security context"))
@ -102,25 +106,6 @@ func (rAPI *robotAPI) CreateRobot(ctx context.Context, params operation.CreateRo
return rAPI.SendError(ctx, err)
}
if _, ok := sc.(*robotSc.SecurityContext); ok {
creatorRobots, err := rAPI.robotCtl.List(ctx, q.New(q.KeyWords{
"name": strings.TrimPrefix(sc.GetUsername(), config.RobotPrefix(ctx)),
"project_id": r.ProjectID,
}), &robot.Option{
WithPermission: true,
})
if err != nil {
return rAPI.SendError(ctx, err)
}
if len(creatorRobots) == 0 {
return rAPI.SendError(ctx, errors.DeniedError(nil))
}
if !isValidPermissionScope(params.Robot.Permissions, creatorRobots[0].Permissions) {
return rAPI.SendError(ctx, errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", creatorRobots[0].Name).WithCode(errors.DENIED))
}
}
rid, pwd, err := rAPI.robotCtl.Create(ctx, r)
if err != nil {
return rAPI.SendError(ctx, err)