
Commit 9c3fc28

authored
Allow generate sbom in proxy cache project (goharbor#20298)
Signed-off-by: stonezdj <stone.zhang@broadcom.com>
1 parent e8907a4 commit 9c3fc28


2 files changed

+36
-6
lines changed


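--- a/src/server/middleware/repoproxy/proxy.go
+++ b/src/server/middleware/repoproxy/proxy.go
@@ -28,6 +28,7 @@ import (
 	"github.com/goharbor/harbor/src/controller/proxy"
 	"github.com/goharbor/harbor/src/controller/registry"
 	"github.com/goharbor/harbor/src/lib"
+	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/lib/errors"
 	httpLib "github.com/goharbor/harbor/src/lib/http"
 	"github.com/goharbor/harbor/src/lib/log"
@@ -259,16 +260,21 @@ func setHeaders(w http.ResponseWriter, size int64, mediaType string, dig string)
 }
 
 // isProxySession check if current security context is proxy session
-func isProxySession(ctx context.Context) bool {
+func isProxySession(ctx context.Context, projectName string) bool {
 	sc, ok := security.FromContext(ctx)
 	if !ok {
 		log.Error("Failed to get security context")
 		return false
 	}
-	if sc.GetUsername() == proxycachesecret.ProxyCacheService {
+	username := sc.GetUsername()
+	if username == proxycachesecret.ProxyCacheService {
 		return true
 	}
-	return false
+	// it should include the auto generate SBOM session, so that it could generate SBOM accessory in proxy cache project
+	robotPrefix := config.RobotPrefix(ctx)
+	scannerPrefix := config.ScannerRobotPrefix(ctx)
+	prefix := fmt.Sprintf("%s%s+%s", robotPrefix, projectName, scannerPrefix)
+	return strings.HasPrefix(username, prefix)
 }
 
 // DisableBlobAndManifestUploadMiddleware disable push artifact to a proxy project with a non-proxy session
@@ -281,7 +287,7 @@ func DisableBlobAndManifestUploadMiddleware() func(http.Handler) http.Handler {
 		httpLib.SendError(w, err)
 		return
 	}
-	if p.IsProxy() && !isProxySession(ctx) {
+	if p.IsProxy() && !isProxySession(ctx, art.ProjectName) {
 		httpLib.SendError(w,
 			errors.DeniedError(
 				errors.Errorf("can not push artifact to a proxy project: %v", p.Name)))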
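Review bot: The new fallback in isProxySession decides a push privilege by a string prefix on the username, `return strings.HasPrefix(username, prefix)`, which admits every project-level robot whose name starts with the scanner robot prefix, not only the robot the system created for the scanner; unless robot creation rejects names beginning with that prefix (not visible in this hunk), a project robot named like `scanner-anything` would pass DisableBlobAndManifestUploadMiddleware and be able to push manifests and blobs into the proxy cache project. Consider confirming from the security context that the caller is the scanner's robot account rather than trusting the name, or at minimum state the reliance on the naming convention in the comment, e.g. `// A robot named <robotPrefix><project>+<scannerPrefix>... is assumed to be the system scanner robot (naming convention, not verified here); it must be treated as a proxy session so the auto-generated SBOM accessory can be pushed.` The prefix is rebuilt with fmt.Sprintf on every request; as a style point, plain concatenation `robotPrefix + projectName + "+" + scannerPrefix` reads as clearly and avoids the formatting call. The body of DisableBlobAndManifestUploadMiddleware, including where `art` is resolved, starts outside the last hunk.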

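--- a/src/server/middleware/repoproxy/proxy_test.go
+++ b/src/server/middleware/repoproxy/proxy_test.go
@@ -18,7 +18,9 @@ import (
 	"context"
 	"testing"
 
+	"github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/security"
+	"github.com/goharbor/harbor/src/common/security/local"
 	"github.com/goharbor/harbor/src/common/security/proxycachesecret"
 	securitySecret "github.com/goharbor/harbor/src/common/security/secret"
 )
@@ -29,6 +31,19 @@ func TestIsProxySession(t *testing.T) {
 
 	sc2 := proxycachesecret.NewSecurityContext("library/hello-world")
 	proxyCtx := security.NewContext(context.Background(), sc2)
+
+	user := &models.User{
+		Username: "robot$library+scanner-8ec3b47a-fd29-11ee-9681-0242c0a87009",
+	}
+	userSc := local.NewSecurityContext(user)
+	scannerCtx := security.NewContext(context.Background(), userSc)
+
+	otherRobot := &models.User{
+		Username: "robot$library+test-8ec3b47a-fd29-11ee-9681-0242c0a87009",
+	}
+	userSc2 := local.NewSecurityContext(otherRobot)
+	nonScannerCtx := security.NewContext(context.Background(), userSc2)
+
 	cases := []struct {
 		name string
 		in   context.Context
@@ -44,15 +59,24 @@ func TestIsProxySession(t *testing.T) {
 			in:   proxyCtx,
 			want: true,
 		},
+		{
+			name: `robot account`,
+			in:   scannerCtx,
+			want: true,
+		},
+		{
+			name: `non scanner robot`,
+			in:   nonScannerCtx,
+			want: false,
+		},
 	}
 
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
-			got := isProxySession(tt.in)
+			got := isProxySession(tt.in, "library")
 			if got != tt.want {
 				t.Errorf(`(%v) = %v; want "%v"`, tt.in, got, tt.want)
 			}
-
 		})
 	}
 }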
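Review bot: The new cases never exercise the projectName argument: both robots live in `library` and the call passes `"library"`, so a scanner robot of a different project being rejected is not pinned even though that is the only reason the parameter was added. Add a third robot such as `Username: "robot$other+scanner-8ec3b47a-fd29-11ee-9681-0242c0a87009"` (a constructed sample) in a context wrapped with `local.NewSecurityContext` and a case `{name: "scanner robot of another project", in: otherProjectCtx, want: false}`. The expected values also appear to depend on the default robot and scanner prefixes returned by config for a background context; if those defaults change the `robot account` case silently breaks, so a short comment naming that assumption above the user fixtures would help the next maintainer.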
