goharbor · stonezdj · Apr 19, 2024 · Apr 18, 2024
@@ -28,6 +28,7 @@ import (
 	"github.com/goharbor/harbor/src/controller/proxy"
 	"github.com/goharbor/harbor/src/controller/registry"
 	"github.com/goharbor/harbor/src/lib"
+	"github.com/goharbor/harbor/src/lib/config"
 	"github.com/goharbor/harbor/src/lib/errors"
 	httpLib "github.com/goharbor/harbor/src/lib/http"
 	"github.com/goharbor/harbor/src/lib/log"
@@ -259,16 +260,21 @@ func setHeaders(w http.ResponseWriter, size int64, mediaType string, dig string)
 }
 
 // isProxySession check if current security context is proxy session
-func isProxySession(ctx context.Context) bool {
+func isProxySession(ctx context.Context, projectName string) bool {
 	sc, ok := security.FromContext(ctx)
 	if !ok {
 		log.Error("Failed to get security context")
 		return false
 	}
-	if sc.GetUsername() == proxycachesecret.ProxyCacheService {
+	username := sc.GetUsername()
+	if username == proxycachesecret.ProxyCacheService {
 		return true
 	}
-	return false
+	// it should include the auto generate SBOM session, so that it could generate SBOM accessory in proxy cache project
+	robotPrefix := config.RobotPrefix(ctx)
+	scannerPrefix := config.ScannerRobotPrefix(ctx)
+	prefix := fmt.Sprintf("%s%s+%s", robotPrefix, projectName, scannerPrefix)
+	return strings.HasPrefix(username, prefix)
 }
 
 // DisableBlobAndManifestUploadMiddleware disable push artifact to a proxy project with a non-proxy session
@@ -281,7 +287,7 @@ func DisableBlobAndManifestUploadMiddleware() func(http.Handler) http.Handler {
 			httpLib.SendError(w, err)
 			return
 		}
-		if p.IsProxy() && !isProxySession(ctx) {
+		if p.IsProxy() && !isProxySession(ctx, art.ProjectName) {
 			httpLib.SendError(w,
 				errors.DeniedError(
 					errors.Errorf("can not push artifact to a proxy project: %v", p.Name)))

@@ -18,7 +18,9 @@ import (
 	"context"
 	"testing"
 
+	"github.com/goharbor/harbor/src/common/models"
 	"github.com/goharbor/harbor/src/common/security"
+	"github.com/goharbor/harbor/src/common/security/local"
 	"github.com/goharbor/harbor/src/common/security/proxycachesecret"
 	securitySecret "github.com/goharbor/harbor/src/common/security/secret"
 )
@@ -29,6 +31,19 @@ func TestIsProxySession(t *testing.T) {
 
 	sc2 := proxycachesecret.NewSecurityContext("library/hello-world")
 	proxyCtx := security.NewContext(context.Background(), sc2)
+
+	user := &models.User{
+		Username: "robot$library+scanner-8ec3b47a-fd29-11ee-9681-0242c0a87009",
+	}
+	userSc := local.NewSecurityContext(user)
+	scannerCtx := security.NewContext(context.Background(), userSc)
+
+	otherRobot := &models.User{
+		Username: "robot$library+test-8ec3b47a-fd29-11ee-9681-0242c0a87009",
+	}
+	userSc2 := local.NewSecurityContext(otherRobot)
+	nonScannerCtx := security.NewContext(context.Background(), userSc2)
+
 	cases := []struct {
 		name string
 		in   context.Context
@@ -44,15 +59,24 @@ func TestIsProxySession(t *testing.T) {
 			in:   proxyCtx,
 			want: true,
 		},
+		{
+			name: `robot account`,
+			in:   scannerCtx,
+			want: true,
+		},
+		{
+			name: `non scanner robot`,
+			in:   nonScannerCtx,
+			want: false,
+		},
 	}
 
 	for _, tt := range cases {
 		t.Run(tt.name, func(t *testing.T) {
-			got := isProxySession(tt.in)
+			got := isProxySession(tt.in, "library")
 			if got != tt.want {
 				t.Errorf(`(%v) = %v; want "%v"`, tt.in, got, tt.want)
 			}
-
 		})
 	}
 }