filter access should work when user use email to docker login

goharbor · Sep 27, 2016 · a6d88d7 · a6d88d7
1 parent ec9e217
commit a6d88d7
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 19 deletions.
diff --git a/service/token/authutils.go b/service/token/authutils.go
@@ -95,8 +95,7 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
 }
 
 // FilterAccess modify the action list in access based on permission
-// determine if the request needs to be authenticated.
-func FilterAccess(username string, authenticated bool, a *token.ResourceActions) {
+func FilterAccess(username string, a *token.ResourceActions) {
 
 	if a.Type == "registry" && a.Name == "catalog" {
 		log.Infof("current access, type: %s, name:%s, actions:%v \n", a.Type, a.Name, a.Actions)
@@ -109,7 +108,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 		if strings.Contains(a.Name, "/") { //Only check the permission when the requested image has a namespace, i.e. project
 			projectName := a.Name[0:strings.LastIndex(a.Name, "/")]
 			var permission string
-			if authenticated {
+			if len(username) > 0 {
 				isAdmin, err := dao.IsAdminRole(username)
 				if err != nil {
 					log.Errorf("Error occurred in IsAdminRole: %v", err)
@@ -152,7 +151,7 @@ func FilterAccess(username string, authenticated bool, a *token.ResourceActions)
 func GenTokenForUI(username string, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
 	access := GetResourceActions(scopes)
 	for _, a := range access {
-		FilterAccess(username, true, a)
+		FilterAccess(username, a)
 	}
 	return MakeToken(username, service, access)
 }

diff --git a/service/token/token.go b/service/token/token.go
@@ -38,7 +38,7 @@ type Handler struct {
 // checkes the permission agains local DB and generates jwt token.
 func (h *Handler) Get() {
 
-	var username, password string
+	var uid, password, username string
 	request := h.Ctx.Request
 	service := h.GetString("service")
 	scopes := h.GetStrings("scope")
@@ -49,15 +49,20 @@ func (h *Handler) Get() {
 		log.Debugf("Will grant all access as this request is from job service with legal secret.")
 		username = "job-service-user"
 	} else {
-		username, password, _ = request.BasicAuth()
-		authenticated := authenticate(username, password)
-
-		if len(scopes) == 0 && !authenticated {
-			log.Info("login request with invalid credentials")
-			h.CustomAbort(http.StatusUnauthorized, "")
+		uid, password, _ = request.BasicAuth()
+		log.Debugf("uid for logging: %s", uid)
+		user := authenticate(uid, password)
+		if user == nil {
+			log.Warningf("login request with invalid credentials in token service, uid: %s", uid)
+			if len(scopes) == 0 {
+				h.CustomAbort(http.StatusUnauthorized, "")
+			}
+		} else {
+			username = user.Username
 		}
+		log.Debugf("username for filtering access: %s.", username)
 		for _, a := range access {
-			FilterAccess(username, authenticated, a)
+			FilterAccess(username, a)
 		}
 	}
 	h.serveToken(username, service, access)
@@ -80,18 +85,14 @@ func (h *Handler) serveToken(username, service string, access []*token.ResourceA
 	h.ServeJSON()
 }
 
-func authenticate(principal, password string) bool {
+func authenticate(principal, password string) *models.User {
 	user, err := auth.Login(models.AuthModel{
 		Principal: principal,
 		Password:  password,
 	})
 	if err != nil {
 		log.Errorf("Error occurred in UserLogin: %v", err)
-		return false
-	}
-	if user == nil {
-		return false
+		return nil
 	}
-
-	return true
+	return user
 }