remove the robot update permission (#21028)

from the perspective of preventing privilege escalation, remove the robot update permission from the possilbe permission set Signed-off-by: wang yan <[email protected]>
goharbor · Oct 12, 2024 · 66ccf30 · 66ccf30
1 parent c4bad32
commit 66ccf30
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 38 deletions.
diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
@@ -121,7 +121,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
  return append(n.BaseProvider.GetPermissions(ScopeSystem),
  &types.Policy{Resource: ResourceRobot, Action: ActionCreate},
  &types.Policy{Resource: ResourceRobot, Action: ActionRead},
- &types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
  &types.Policy{Resource: ResourceRobot, Action: ActionList},
  &types.Policy{Resource: ResourceRobot, Action: ActionDelete},
 
@@ -149,7 +148,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
  return append(n.BaseProvider.GetPermissions(ScopeProject),
  &types.Policy{Resource: ResourceRobot, Action: ActionCreate},
  &types.Policy{Resource: ResourceRobot, Action: ActionRead},
- &types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
  &types.Policy{Resource: ResourceRobot, Action: ActionList},
  &types.Policy{Resource: ResourceRobot, Action: ActionDelete},
 

diff --git a/src/server/v2.0/handler/robot.go b/src/server/v2.0/handler/robot.go
@@ -421,42 +421,6 @@ func (rAPI *robotAPI) updateV2Robot(ctx context.Context, params operation.Update
  }
  }
 
- creatorRobot, err := rAPI.robotCtl.Get(ctx, r.CreatorRef, &robot.Option{
- WithPermission: true,
- })
- if err != nil && !errors.IsErr(err, errors.NotFoundCode) {
- return err
- }
-
- // for nested robot only
- if creatorRobot != nil && r.CreatorType == "robot" {
- sc, err := rAPI.GetSecurityContext(ctx)
- if err != nil {
- return err
- }
- if _, ok := sc.(*robotSc.SecurityContext); ok {
- scRobots, err := rAPI.robotCtl.List(ctx, q.New(q.KeyWords{
- "name": strings.TrimPrefix(sc.GetUsername(), config.RobotPrefix(ctx)),
- "project_id": r.ProjectID,
- }), &robot.Option{
- WithPermission: true,
- })
- if err != nil {
- return err
- }
- if len(scRobots) == 0 {
- return errors.DeniedError(nil)
- }
- if scRobots[0].ID != creatorRobot.ID && scRobots[0].ID != r.ID {
- return errors.New(nil).WithMessage("as for a nested robot account, only person who has the right permission or the creator robot or nested robot itself has the permission to update").WithCode(errors.DENIED)
- }
- }
-
- if !isValidPermissionScope(params.Robot.Permissions, creatorRobot.Permissions) {
- return errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", creatorRobot.Name).WithCode(errors.DENIED)
- }
- }
-
  if err := rAPI.robotCtl.Update(ctx, r, &robot.Option{
  WithPermission: true,
  }); err != nil {