goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Making a robot via /projects/{project_name_or_id}/robots is broken #20692

Open Kajot-dev opened 3 months ago

Kajot-dev commented 3 months ago

This endpoint does not parse permissions correctly. Try to create a robot in your project via /projects/{project_name_or_id}/robots with this payload:

{
  "name": "puller",
  "description": "Project puller. Created automatically.",
  "expires_at": -1,
  "access": [
    {
      "resource": "repository",
      "action": "pull",
      "effect": null
    }
  ]
}

This returns 400 with "pull action of repository resource not exist in project <project_name>".

However, creating exactly the same robot via the /robots endpoint works perfectly. Working payload:

{
  "name": "puller",
  "description": "Project puller. Created automatically.",
  "level": "project",
  "duration": -1,
  "permissions": [
    {
      "access": [
        {
          "resource": "repository",
          "action": "pull",
          "effect": null
        }
      ],
      "kind": "project",
      "namespace": "<project_name>"
    }
  ]
}
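
As an added example (not part of the original issue and not Harbor's own code): a small Python helper that reshapes the failing project-scoped body into the body the reporter says works on /robots. The function name and the project name `example-project` are hypothetical, and the field mapping is taken only from the two payloads above.

```python
import json

# Keys seen in the project-scoped payload in the report; anything else is
# rejected rather than guessed at.
PROJECT_KEYS = {"name", "description", "expires_at", "access"}


def to_robots_payload(project_name, project_payload):
    """Reshape a /projects/{project_name_or_id}/robots body into a /robots body."""
    unknown = set(project_payload) - PROJECT_KEYS
    if unknown:
        raise ValueError(f"unmapped keys: {sorted(unknown)}")
    access = project_payload.get("access") or []
    if not access:
        raise ValueError("refusing to build a robot with no access entries")
    # Assumption: the report only shows -1 for both expires_at and duration.
    # Other values may use different units, so they are not translated.
    if project_payload.get("expires_at") != -1:
        raise ValueError("only expires_at == -1 is mapped")
    for entry in access:
        if not entry.get("resource") or not entry.get("action"):
            raise ValueError(f"access entry needs resource and action: {entry}")
    return {
        "name": project_payload["name"],
        "description": project_payload.get("description", ""),
        "level": "project",
        "duration": -1,
        "permissions": [
            {
                "access": [dict(e) for e in access],  # copy, keep grants as given
                "kind": "project",
                "namespace": project_name,
            }
        ],
    }


# Constructed sample: the failing payload from the report.
SAMPLE = {
    "name": "puller",
    "description": "Project puller. Created automatically.",
    "expires_at": -1,
    "access": [{"resource": "repository", "action": "pull", "effect": None}],
}

if __name__ == "__main__":
    print(json.dumps(to_robots_payload("example-project", SAMPLE), indent=2))
```

The helper refuses unknown keys and empty access lists so that a reshaped robot never ends up with broader or different grants than the original request.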

wy65701436 commented 3 months ago

Can you clarify the problem? It seems that the creation was successful with the correct payload.

Kajot-dev commented 2 months ago

The payload is correct in both examples (it is different since it uses different API endpoints). The /robots endpoint works, but /projects/{project_name_or_id}/robots does not.

It should succeed in both examples.

Kajot-dev commented 2 months ago

To reproduce, just try to create a robot via /projects/{project_name_or_id}/robots (one which has some permissions) - it's not possible from my testing.

dmakeienko commented 1 month ago

I've encountered the same problem, along with the inability to create project robot accounts as a non-admin user (the user has the Project Admin privilege).