From 022416c5024a196c36acf78e05d7d0f45346c25c Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Tue, 12 Jul 2016 17:13:43 -0700
Subject: [PATCH] Add support for registry type in scope

Signed-off-by: Derek McGowan (github: dmcgowan)
---
 contrib/token-server/main.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/contrib/token-server/main.go b/contrib/token-server/main.go
index edd894f4..6a4c1778 100644
--- a/contrib/token-server/main.go
+++ b/contrib/token-server/main.go
@@ -163,14 +163,21 @@ func filterAccessList(ctx context.Context, scope string, requestedAccessList []a
 }
 grantedAccessList := make([]auth.Access, 0, len(requestedAccessList))
 for _, access := range requestedAccessList {
- if access.Type != "repository" {
+ if access.Type == "repository" {
+ if !strings.HasPrefix(access.Name, scope) {
+ context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
+ continue
+ }
+ } else if access.Type == "registry" {
+ if access.Name != "catalog" {
+ context.GetLogger(ctx).Debugf("Unknown registry resource: %s", access.Name)
+ continue
+ }
+ // TODO: Limit some actions to "admin" users
+ } else {
 context.GetLogger(ctx).Debugf("Skipping unsupported resource type: %s", access.Type)
 continue
 }
- if !strings.HasPrefix(access.Name, scope) {
- context.GetLogger(ctx).Debugf("Resource scope not allowed: %s", access.Name)
- continue
- }
 grantedAccessList = append(grantedAccessList, access)
 }
 return grantedAccessList
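Review bot: The new `registry` branch grants the entry to every caller that asks for the name `catalog`: `access.Action` is appended unchecked and `scope` is never consulted, so the per-user prefix restriction applied to `repository` entries does not limit who receives a catalog grant. Until the TODO is resolved, the branch could pin the action it is willing to issue, e.g. `if access.Name != "catalog" || access.Action != "*" {` (the expected action value is an assumption to confirm against what the registry's catalog endpoint requires). The TODO should also state that catalog access presumably exposes repository names outside the caller's own scope, which is the reason it needs an admin check. The added `Debugf("Unknown registry resource: %s", access.Name)` logs a client-supplied string with `%s`; `%q` would keep control characters out of the log line. The body of filterAccessList starts and ends outside this hunk.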