fixes 19043 (goharbor#19054)

fixes goharbor#19043 Skip the policy checking when to pull the notation signature Signed-off-by: wang yan <wangyan@vmware.com>
LiuShuaiyi · Jul 31, 2023 · bef4ccc · bef4ccc
1 parent 638c26c
commit bef4ccc
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/server/middleware/util/util.go b/src/server/middleware/util/util.go
@@ -64,7 +64,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) {
 
 	// 1, scanner pull access can bypass.
 	// 2, cosign/notation pull can bypass, it needs to pull the manifest before pushing the signature.
-	// 3, pull cosign signature can bypass.
+	// 3, pull cosign/notation signature can bypass.
 	if ok && secCtx.Name() == "v2token" {
 		if secCtx.Can(r.Context(), rbac.ActionScannerPull, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) ||
 			(secCtx.Can(r.Context(), rbac.ActionPush, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) &&
@@ -79,7 +79,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	if len(accs) > 0 && accs[0].GetData().Type == model.TypeCosignSignature {
+	if len(accs) > 0 && (accs[0].GetData().Type == model.TypeCosignSignature || accs[0].GetData().Type == model.TypeNotationSignature) {
 		return true, nil
 	}