diff --git a/Makefile b/Makefile
index a0725465a69..1ae7971cbac 100644
--- a/Makefile
+++ b/Makefile
@@ -104,8 +104,8 @@ PREPARE_VERSION_NAME=versions
 #versions
 REGISTRYVERSION=v2.8.2-patch-redis
-TRIVYVERSION=v0.46.1
-TRIVYADAPTERVERSION=v0.30.18
+TRIVYVERSION=v0.47.0
+TRIVYADAPTERVERSION=v0.30.19
 # version of registry for pulling the source code
 REGISTRY_SRC_TAG=v2.8.2
diff --git a/src/common/security/robot/context.go b/src/common/security/robot/context.go
index 2754f90fb28..5c175046d94 100644
--- a/src/common/security/robot/context.go
+++ b/src/common/security/robot/context.go
@@ -111,7 +111,8 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
 }
 if len(sysPolicies) != 0 {
 evaluators = evaluators.Add(system.NewEvaluator(s.GetUsername(), sysPolicies))
- } else if len(proPolicies) != 0 {
+ }
+ if len(proPolicies) != 0 {
 evaluators = evaluators.Add(rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), proPolicies)))
 }
 s.evaluator = evaluators
@@ -119,7 +120,6 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
 s.evaluator = rbac_project.NewEvaluator(s.ctl, rbac_project.NewBuilderForPolicies(s.GetUsername(), accesses, filterRobotPolicies))
 }
 }
 })
-
 return s.evaluator != nil && s.evaluator.HasPermission(ctx, resource, action)
 }
diff --git a/src/common/security/robot/context_test.go b/src/common/security/robot/context_test.go
index c499ed24b7d..32e760d62b4 100644
--- a/src/common/security/robot/context_test.go
+++ b/src/common/security/robot/context_test.go
@@ -24,6 +24,7 @@ import (
 "github.com/goharbor/harbor/src/common/rbac"
 "github.com/goharbor/harbor/src/common/rbac/project"
+ "github.com/goharbor/harbor/src/common/rbac/system"
 "github.com/goharbor/harbor/src/controller/robot"
 "github.com/goharbor/harbor/src/pkg/permission/types"
 proModels "github.com/goharbor/harbor/src/pkg/project/models"
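Review bot: The two independent `if` blocks in `Can` (src/common/security/robot/context.go, first hunk) have no comment saying why they must not be an `if`/`else if` chain, which is the shape that left the project evaluator out whenever system policies were present. I would add above the first check `// A system-level robot may carry both system and project policies; add an evaluator for each so neither set is ignored.` Robots that already hold both kinds will now have their project policies evaluated as well, so the release notes should presumably ask operators to re-check what those robots are allowed to do. `Can` starts before and ends after this hunk, so how `sysPolicies` and `proPolicies` are filled is not visible here.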
@@ -198,6 +199,57 @@ func TestHasPushPullPerm(t *testing.T) {
 assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
 }
+func TestSysAndProPerm(t *testing.T) {
+ robot := &robot.Robot{
+ Level: "system",
+ Robot: model.Robot{
+ Name: "test_robot_4",
+ Description: "desc",
+ },
+ Permissions: []*robot.Permission{
+ {
+ Kind: "system",
+ Namespace: "/",
+ Access: []*types.Policy{
+ {
+ Resource: rbac.Resource(fmt.Sprintf("system/%s", rbac.ResourceRepository)),
+ Action: rbac.ActionList,
+ },
+ {
+ Resource: rbac.Resource(fmt.Sprintf("system/%s", rbac.ResourceGarbageCollection)),
+ Action: rbac.ActionCreate,
+ },
+ },
+ },
+ {
+ Kind: "project",
+ Namespace: "library",
+ Access: []*types.Policy{
+ {
+ Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+ Action: rbac.ActionPush,
+ },
+ {
+ Resource: rbac.Resource(fmt.Sprintf("project/%d/repository", private.ProjectID)),
+ Action: rbac.ActionPull,
+ },
+ },
+ },
+ },
+ }
+
+ ctl := &projecttesting.Controller{}
+ mock.OnAnything(ctl, "Get").Return(private, nil)
+
+ ctx := NewSecurityContext(robot)
+ ctx.ctl = ctl
+ resource := project.NewNamespace(private.ProjectID).Resource(rbac.ResourceRepository)
+ assert.True(t, ctx.Can(context.TODO(), rbac.ActionPush, resource) && ctx.Can(context.TODO(), rbac.ActionPull, resource))
+
+ resource = system.NewNamespace().Resource(rbac.ResourceGarbageCollection)
+ assert.True(t, ctx.Can(context.TODO(), rbac.ActionCreate, resource))
+}
+
 func Test_filterRobotPolicies(t *testing.T) {
 type args struct {
 p *proModels.Project
diff --git a/tests/robot-cases/Group1-Nightly/Common.robot b/tests/robot-cases/Group1-Nightly/Common.robot
index 9fdcd2b5e1b..ce36f7ca674 100644
--- a/tests/robot-cases/Group1-Nightly/Common.robot
+++ b/tests/robot-cases/Group1-Nightly/Common.robot
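Review bot: `TestSysAndProPerm` asserts only grants, so it would still pass if the combined evaluators allowed every action; for an authorization check the test should also pin a denial in each scope. After the last assertion I would add `assert.False(t, ctx.Can(context.TODO(), rbac.ActionDelete, resource))` for the garbage-collection resource, and the same check against the project repository resource. The `system/repository` list policy declared in the fixture is never asserted, and splitting the `&&` assertion into two `assert.True` calls would show which action failed.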
@@ -69,6 +69,8 @@ Test Case - Push CNAB Bundle and Display
 Wait Until Page Contains test${d}/cnab${d}
 Go Into Repo test${d} cnab${d}
 Go Into Index And Contain Artifacts cnab_tag${d} total_artifact_count=3 archive_count=2
+ Retry Element Click //artifact-list-tab//clr-datagrid//clr-dg-row[1]//clr-dg-cell[1]//clr-icon
+ Retry Wait Element Count //artifact-list-tab//clr-datagrid//clr-dg-row 2
 Close Browser
 Test Case - Create An New Project