From 66ccf302f3c78d59cae4df07497e3c243387db86 Mon Sep 17 00:00:00 2001
From: Wang Yan
Date: Sat, 12 Oct 2024 18:08:50 +0800
Subject: [PATCH] remove the robot update permission (#21028)

from the perspective of preventing privilege escalation, remove the robot update permission from the possilbe permission set

Signed-off-by: wang yan
---
 src/common/rbac/const.go | 2 --
 src/server/v2.0/handler/robot.go | 36 --------------------------------
 2 files changed, 38 deletions(-)

diff --git a/src/common/rbac/const.go b/src/common/rbac/const.go
index 7594efb997c..0cc4fc1ba64 100644
--- a/src/common/rbac/const.go
+++ b/src/common/rbac/const.go
@@ -121,7 +121,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
 return append(n.BaseProvider.GetPermissions(ScopeSystem),
 &types.Policy{Resource: ResourceRobot, Action: ActionCreate},
 &types.Policy{Resource: ResourceRobot, Action: ActionRead},
- &types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
 &types.Policy{Resource: ResourceRobot, Action: ActionList},
 &types.Policy{Resource: ResourceRobot, Action: ActionDelete},
 
@@ -149,7 +148,6 @@ func (n *NolimitProvider) GetPermissions(s scope) []*types.Policy {
 return append(n.BaseProvider.GetPermissions(ScopeProject),
 &types.Policy{Resource: ResourceRobot, Action: ActionCreate},
 &types.Policy{Resource: ResourceRobot, Action: ActionRead},
- &types.Policy{Resource: ResourceRobot, Action: ActionUpdate},
 &types.Policy{Resource: ResourceRobot, Action: ActionList},
 &types.Policy{Resource: ResourceRobot, Action: ActionDelete},
 
diff --git a/src/server/v2.0/handler/robot.go b/src/server/v2.0/handler/robot.go
index 5b9cac637c2..fd73ccb4da3 100644
--- a/src/server/v2.0/handler/robot.go
+++ b/src/server/v2.0/handler/robot.go
@@ -421,42 +421,6 @@ func (rAPI *robotAPI) updateV2Robot(ctx context.Context, params operation.Update
 }
 }
 
- creatorRobot, err := rAPI.robotCtl.Get(ctx, r.CreatorRef, &robot.Option{
- WithPermission: true,
- })
- if err != nil && !errors.IsErr(err, errors.NotFoundCode) {
- return err
- }
-
- // for nested robot only
- if creatorRobot != nil && r.CreatorType == "robot" {
- sc, err := rAPI.GetSecurityContext(ctx)
- if err != nil {
- return err
- }
- if _, ok := sc.(*robotSc.SecurityContext); ok {
- scRobots, err := rAPI.robotCtl.List(ctx, q.New(q.KeyWords{
- "name": strings.TrimPrefix(sc.GetUsername(), config.RobotPrefix(ctx)),
- "project_id": r.ProjectID,
- }), &robot.Option{
- WithPermission: true,
- })
- if err != nil {
- return err
- }
- if len(scRobots) == 0 {
- return errors.DeniedError(nil)
- }
- if scRobots[0].ID != creatorRobot.ID && scRobots[0].ID != r.ID {
- return errors.New(nil).WithMessage("as for a nested robot account, only person who has the right permission or the creator robot or nested robot itself has the permission to update").WithCode(errors.DENIED)
- }
- }
-
- if !isValidPermissionScope(params.Robot.Permissions, creatorRobot.Permissions) {
- return errors.New(nil).WithMessagef("permission scope is invalid. It must be equal to or more restrictive than the creator robot's permissions: %s", creatorRobot.Name).WithCode(errors.DENIED)
- }
- }
-
 if err := rAPI.robotCtl.Update(ctx, r, &robot.Option{
 WithPermission: true,
 }); err != nil {
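Review bot: With the nested-robot branch gone, nothing left in this hunk checks who the caller is or what permission scope is being requested before `rAPI.robotCtl.Update`, so the handler now relies entirely on no robot ever holding robot:update. That is true for robots created after ActionUpdate leaves the NolimitProvider set, but a robot whose stored policies were granted before this change may still carry the action unless the RBAC evaluator re-validates stored policies against the provider at request time — worth confirming, and cheap to make explicit ahead of the Update call with `sc, err := rAPI.GetSecurityContext(ctx)`, the usual `if err != nil { return err }`, and `if _, ok := sc.(*robotSc.SecurityContext); ok { return errors.DeniedError(nil) }`. The removed `isValidPermissionScope` check also capped an updated nested robot at its creator robot's permissions for every caller, users included; if the create path still enforces that cap, update becomes the one place a nested robot can outgrow its creator, which the commit message does not mention. updateV2Robot begins before and continues after this hunk.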