Merge pull request #9802 from wy65701436/disable-without-bearer

Disable policy check when pull without bearer token
goharbor · Nov 8, 2019 · 6a99cee · 6a99cee
2 parents b1a756e + 415bdfa
commit 6a99cee
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/src/core/middlewares/contenttrust/handler.go b/src/core/middlewares/contenttrust/handler.go
@@ -49,6 +49,10 @@ func (cth contentTrustHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 		cth.next.ServeHTTP(rw, req)
 		return
 	}
+	if pullWithBearer, ok := util.DockerPullAuthFromContext(req.Context()); ok && !pullWithBearer {
+		cth.next.ServeHTTP(rw, req)
+		return
+	}
 	if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
 		cth.next.ServeHTTP(rw, req)
 		return

diff --git a/src/core/middlewares/regtoken/handler.go b/src/core/middlewares/regtoken/handler.go
@@ -43,6 +43,8 @@ func (r *regTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		r.next.ServeHTTP(rw, req)
 		return
 	}
+	*req = *(req.WithContext(util.NewDockerPullAuthContext(req.Context(), true)))
+
 	rawToken := parts[1]
 	opt := pkg_token.DefaultTokenOptions()
 	regTK, err := pkg_token.Parse(opt, rawToken, &registry.Claim{})

diff --git a/src/core/middlewares/util/util.go b/src/core/middlewares/util/util.go
@@ -51,6 +51,8 @@ const (
 	ImageInfoCtxKey = contextKey("ImageInfo")
 	// ScannerPullCtxKey the context key for robot account to bypass the pull policy check.
 	ScannerPullCtxKey = contextKey("ScannerPullCheck")
+	// DockerPullAuthCtxKey the context key to index whether docker pull request with bearer token
+	DockerPullAuthCtxKey = contextKey("DockerPullWithBearer")
 	// TokenUsername ...
 	// TODO: temp solution, remove after vmware/harbor#2242 is resolved.
 	TokenUsername = "harbor-core"
@@ -457,6 +459,17 @@ func ScannerPullFromContext(ctx context.Context) (bool, bool) {
 	return info, ok
 }
 
+// NewDockerPullAuthContext returns context with bearer token
+func NewDockerPullAuthContext(ctx context.Context, withBearer bool) context.Context {
+	return context.WithValue(ctx, DockerPullAuthCtxKey, withBearer)
+}
+
+// DockerPullAuthFromContext returns whether the docker pull with bearer
+func DockerPullAuthFromContext(ctx context.Context) (bool, bool) {
+	info, ok := ctx.Value(DockerPullAuthCtxKey).(bool)
+	return info, ok
+}
+
 // NewBlobInfoContext returns context with blob info
 func NewBlobInfoContext(ctx context.Context, info *BlobInfo) context.Context {
 	return context.WithValue(ctx, blobInfoKey, info)

diff --git a/src/core/middlewares/vulnerable/handler.go b/src/core/middlewares/vulnerable/handler.go
@@ -52,6 +52,11 @@ func (vh vulnerableHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
+	if pullWithBearer, ok := util.DockerPullAuthFromContext(req.Context()); ok && !pullWithBearer {
+		vh.next.ServeHTTP(rw, req)
+		return
+	}
+
 	if scannerPull, ok := util.ScannerPullFromContext(req.Context()); ok && scannerPull {
 		vh.next.ServeHTTP(rw, req)
 		return