From bef4ccc782709fbf73aeffb3591ab6c4329a3c71 Mon Sep 17 00:00:00 2001 From: Wang Yan Date: Mon, 31 Jul 2023 15:11:21 +0800 Subject: [PATCH] fixes 19043 (#19054) fixes #19043 Skip the policy checking when to pull the notation signature Signed-off-by: wang yan --- src/server/middleware/util/util.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/server/middleware/util/util.go b/src/server/middleware/util/util.go index 9e04e7b4b87..3da05752650 100644 --- a/src/server/middleware/util/util.go +++ b/src/server/middleware/util/util.go @@ -64,7 +64,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) { // 1, scanner pull access can bypass. // 2, cosign/notation pull can bypass, it needs to pull the manifest before pushing the signature. - // 3, pull cosign signature can bypass. + // 3, pull cosign/notation signature can bypass. if ok && secCtx.Name() == "v2token" { if secCtx.Can(r.Context(), rbac.ActionScannerPull, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) || (secCtx.Can(r.Context(), rbac.ActionPush, project.NewNamespace(projectID).Resource(rbac.ResourceRepository)) && @@ -79,7 +79,7 @@ func SkipPolicyChecking(r *http.Request, projectID, artID int64) (bool, error) { if err != nil { return false, err } - if len(accs) > 0 && accs[0].GetData().Type == model.TypeCosignSignature { + if len(accs) > 0 && (accs[0].GetData().Type == model.TypeCosignSignature || accs[0].GetData().Type == model.TypeNotationSignature) { return true, nil }