Extend oidc_cli security context generator to include calls to the v2…

… API, remove idtoken security context generator, rename and consolidate tests and names accordingly Signed-off-by: Fittkau Luis <[email protected]>
goharbor · Aug 14, 2024 · 4aa7b29 · 4aa7b29
1 parent ccceacf
commit 4aa7b29
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 134 deletions.
diff --git a/src/server/middleware/security/idtoken.go b/src/server/middleware/security/idtoken.go
diff --git a/src/server/middleware/security/idtoken_test.go b/src/server/middleware/security/idtoken_test.go
diff --git a/src/server/middleware/security/oidc_cli.go → ...er/middleware/security/oidc_cli_or_api.go b/src/server/middleware/security/oidc_cli.go → ...er/middleware/security/oidc_cli_or_api.go
@@ -43,9 +43,9 @@ var (
 	uctl           = user.Ctl
 )
 
-type oidcCli struct{}
+type oidcCliOrAPI struct{}
 
-func (o *oidcCli) Generate(req *http.Request) security.Context {
+func (o *oidcCliOrAPI) Generate(req *http.Request) security.Context {
 	ctx := req.Context()
 	if lib.GetAuthMode(ctx) != common.OIDCAuth {
 		return nil
@@ -78,7 +78,7 @@ func (o *oidcCli) Generate(req *http.Request) security.Context {
 	return local.NewSecurityContext(u)
 }
 
-func (o *oidcCli) valid(req *http.Request) bool {
+func (o *oidcCliOrAPI) valid(req *http.Request) bool {
 	path := strings.TrimSuffix(req.URL.Path, "/")
 
 	if path == "/service/token" ||
@@ -104,5 +104,10 @@ func (o *oidcCli) valid(req *http.Request) bool {
 	if req.Method == http.MethodDelete && tagsAPIRe.MatchString(path) { // deleting tags
 		return true
 	}
+
+	// The request was sent to the v2 API directly
+	if strings.HasPrefix(req.URL.Path, "/api") || req.URL.Path == "/service/token" {
+		return true
+	}
 	return false
 }
diff --git a/...rver/middleware/security/oidc_cli_test.go → ...ddleware/security/oidc_cli_or_api_test.go b/...rver/middleware/security/oidc_cli_test.go → ...ddleware/security/oidc_cli_or_api_test.go
@@ -31,17 +31,12 @@ import (
 )
 
 func TestOIDCCli(t *testing.T) {
-	oidcCli := &oidcCli{}
-	// not the candidate request
-	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/api/v2.0/users/", nil)
-	require.Nil(t, err)
-	ctx := oidcCli.Generate(req)
-	assert.Nil(t, ctx)
+	oc := &oidcCliOrAPI{}
 
 	// the auth mode isn't OIDC
-	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token", nil)
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token", nil)
 	require.Nil(t, err)
-	ctx = oidcCli.Generate(req)
+	ctx := oc.Generate(req)
 	assert.Nil(t, ctx)
 
 	// pass
@@ -57,12 +52,12 @@ func TestOIDCCli(t *testing.T) {
 	oidc.SetHardcodeVerifierForTest(password)
 	req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
 	req.SetBasicAuth(username, password)
-	ctx = oidcCli.Generate(req)
+	ctx = oc.Generate(req)
 	assert.NotNil(t, ctx)
 }
 
 func TestOIDCCliValid(t *testing.T) {
-	oc := &oidcCli{}
+	oc := &oidcCliOrAPI{}
 	req1, _ := http.NewRequest(http.MethodPost, "https://test.goharbor.io/api/v2.0/projects", nil)
 	req2, _ := http.NewRequest(http.MethodGet, "https://test.goharbor.io/api/v2.0/projects?name=test", nil)
 	req3, _ := http.NewRequest(http.MethodGet, "https://test.goharbor.io/api/v2.0/projects/library/repositories/", nil)
@@ -97,3 +92,27 @@ func TestOIDCCliValid(t *testing.T) {
 	}
 
 }
+
+func TestOIDCAPI(t *testing.T) {
+	oc := &oidcCliOrAPI{}
+
+	// not the OIDC mode
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1/api/projects/", nil)
+	require.Nil(t, err)
+	ctx := oc.Generate(req)
+	assert.Nil(t, ctx)
+
+	// contains no authorization header
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/api/projects/", nil)
+	require.Nil(t, err)
+	req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
+	ctx = oc.Generate(req)
+	assert.Nil(t, ctx)
+
+	// contains no authorization header
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1/service/token?service=harbor-registry&scope=repository:foo/bar:pull", nil)
+	require.Nil(t, err)
+	req = req.WithContext(lib.WithAuthMode(req.Context(), common.OIDCAuth))
+	ctx = oc.Generate(req)
+	assert.Nil(t, ctx)
+}
diff --git a/src/server/middleware/security/security.go b/src/server/middleware/security/security.go
@@ -27,9 +27,8 @@ import (
 var (
 	generators = []generator{
 		&secret{},
-		&oidcCli{},
+		&oidcCliOrAPI{},
 		&v2Token{},
-		&idToken{},
 		&authProxy{},
 		&robot{},
 		&basicAuth{},