fix robot account creation issue

fixes #21251 Signed-off-by: wang yan <[email protected]>
goharbor · Dec 12, 2024 · 414056a · 414056a
1 parent 29bd094
commit 414056a
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 6 deletions.
diff --git a/src/server/v2.0/handler/robot.go b/src/server/v2.0/handler/robot.go
@@ -471,21 +471,27 @@ func isValidPermissionScope(creating []*models.RobotPermission, creator []*robot
 			creatorMap[key] = creatorP
 		}
 		for _, creatingP := range creating {
-			key := fmt.Sprintf("%s:%s:%s", creatingP.Resource, creatingP.Action, creatingP.Effect)
-			if _, found := creatorMap[key]; !found {
-				return false
+			key1 := fmt.Sprintf("%s:%s:%s", creatingP.Resource, creatingP.Action, creatingP.Effect)
+			if _, found := creatorMap[key1]; !found {
+				key2 := fmt.Sprintf("*:%s:%s", creatingP.Action, creatingP.Effect)
+				if _, found = creatorMap[key2]; !found {
+					return false
+				}
 			}
 		}
 		return true
 	}
 
 	for _, pCreating := range creating {
 		key := fmt.Sprintf("%s:%s", pCreating.Kind, pCreating.Namespace)
-		creatingPerm, found := creatorMap[key]
+		creatorPerm, found := creatorMap[key]
 		if !found {
-			return false
+			allProjects := fmt.Sprintf("%s:*", pCreating.Kind)
+			if creatorPerm, found = creatorMap[allProjects]; !found {
+				return false
+			}
 		}
-		if !hasLessThanOrEqualAccess(pCreating.Access, creatingPerm.Access) {
+		if !hasLessThanOrEqualAccess(pCreating.Access, creatorPerm.Access) {
 			return false
 		}
 	}

diff --git a/src/server/v2.0/handler/robot_test.go b/src/server/v2.0/handler/robot_test.go
@@ -382,6 +382,96 @@ func TestValidPermissionScope(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "System - subset project",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "System - cover all 2",
+			creatingPerms: []*models.RobotPermission{
+				{
+					Kind:      "project",
+					Namespace: "test1",
+					Access: []*models.Access{
+						{Resource: "user", Action: "update", Effect: "allow"},
+					},
+				},
+			},
+			creatorPerms: []*robot.Permission{
+				{
+					Kind:      "system",
+					Namespace: "/",
+					Access: []*types.Policy{
+						{Resource: "robot", Action: "create", Effect: "allow"},
+					},
+				},
+				{
+					Kind:      "project",
+					Namespace: "*",
+					Access: []*types.Policy{
+						{Resource: "user", Action: "create", Effect: "allow"},
+						{Resource: "user", Action: "delete", Effect: "allow"},
+					},
+				},
+			},
+			expected: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {