Merge remote-tracking branch 'upstream/master' into new-version-of-ui

Deploy/log/Dockerfile

@@ -2,15 +2,9 @@ FROM library/ubuntu:14.04
 
 # run logrotate hourly, disable imklog model, provides TCP/UDP syslog reception
 RUN mv /etc/cron.daily/logrotate /etc/cron.hourly/ \
-	&& sed 's/$ModLoad imklog/#$ModLoad imklog/' -i /etc/rsyslog.conf \
-	&& sed 's/$KLogPermitNonKernelFacility on/#$KLogPermitNonKernelFacility on/' -i /etc/rsyslog.conf \
-	&& sed 's/#$ModLoad imudp/$ModLoad imudp/' -i /etc/rsyslog.conf \
-	&& sed 's/#$UDPServerRun 514/$UDPServerRun 514/' -i /etc/rsyslog.conf \
-	&& sed 's/#$ModLoad imtcp/$ModLoad imtcp/' -i /etc/rsyslog.conf \
-	&& sed 's/#$InputTCPServerRun 514/$InputTCPServerRun 514/' -i /etc/rsyslog.conf \
-	&& sed 's/$PrivDropToUser syslog/#$PrivDropToUser syslog/' -i /etc/rsyslog.conf \
-	&& sed 's/$PrivDropToGroup syslog/#$PrivDropToGroup syslog/' -i /etc/rsyslog.conf \
-	&& rm /etc/rsyslog.d/*
+	&& rm /etc/rsyslog.d/* \
+        && rm /etc/rsyslog.conf
+ADD rsyslog.conf /etc/rsyslog.conf
 
 # logrotate configuration file for docker
 ADD logrotate_docker.conf /etc/logrotate.d/
@@ -23,4 +17,3 @@ VOLUME /var/log/docker/
 EXPOSE 514
 
 CMD cron && rsyslogd -n
-

Deploy/log/rsyslog.conf

@@ -0,0 +1,60 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+#
+#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+#$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 514
+
+# provides TCP syslog reception
+$ModLoad imtcp
+$InputTCPServerRun 514
+             
+# Enable non-kernel facility klog messages
+#$KLogPermitNonKernelFacility on
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# Filter duplicated messages
+$RepeatedMsgReduction on
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner syslog
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+#$PrivDropToUser syslog
+#$PrivDropToGroup syslog
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf

api/member.go

@@ -114,23 +114,10 @@ func (pma *ProjectMemberAPI) Get() {
 
 // Post ...
 func (pma *ProjectMemberAPI) Post() {
-	pid := pma.project.ProjectID
-
-	//userQuery := models.User{UserID: pma.currentUserID, RoleID: models.PROJECTADMIN}
-	rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
-	if err != nil {
-		log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
-		pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
-	}
-	hasProjectAdminRole := false
-	for _, role := range rolelist {
-		if role.RoleID == models.PROJECTADMIN {
-			hasProjectAdminRole = true
-			break
-		}
-	}
-	if !hasProjectAdminRole {
-		log.Warningf("Current user, id: %d does not have project admin role for project, id:", pma.currentUserID, pid)
+	currentUserID := pma.currentUserID
+	projectID := pma.project.ProjectID
+	if !hasProjectAdminRole(currentUserID, projectID) {
+		log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, projectID)
 		pma.RenderError(http.StatusForbidden, "")
 		return
 	}
@@ -144,21 +131,21 @@ func (pma *ProjectMemberAPI) Post() {
 		pma.RenderError(http.StatusNotFound, "User does not exist")
 		return
 	}
-	rolelist, err = dao.GetUserProjectRoles(userID, pid)
+	rolelist, err := dao.GetUserProjectRoles(userID, projectID)
 	if err != nil {
 		log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
 		pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
 	}
 	if len(rolelist) > 0 {
-		log.Warningf("user is already added to project, user id: %d, project id: %d", userID, pid)
+		log.Warningf("user is already added to project, user id: %d, project id: %d", userID, projectID)
 		pma.RenderError(http.StatusConflict, "user is ready in project")
 		return
 	}
 
 	for _, rid := range req.Roles {
-		err = dao.AddProjectMember(pid, userID, int(rid))
+		err = dao.AddProjectMember(projectID, userID, int(rid))
 		if err != nil {
-			log.Errorf("Failed to update DB to add project user role, project id: %d, user id: %d, role id: %d", pid, userID, rid)
+			log.Errorf("Failed to update DB to add project user role, project id: %d, user id: %d, role id: %d", projectID, userID, rid)
 			pma.RenderError(http.StatusInternalServerError, "Failed to update data in database")
 			return
 		}
@@ -167,27 +154,16 @@ func (pma *ProjectMemberAPI) Post() {
 
 // Put ...
 func (pma *ProjectMemberAPI) Put() {
+	currentUserID := pma.currentUserID
 	pid := pma.project.ProjectID
-	mid := pma.memberID
-
-	rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
-	if err != nil {
-		log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
-		pma.CustomAbort(http.StatusInternalServerError, "Internal error.")
-	}
-	hasProjectAdminRole := false
-	for _, role := range rolelist {
-		if role.RoleID == models.PROJECTADMIN {
-			hasProjectAdminRole = true
-			break
-		}
-	}
-
-	if !hasProjectAdminRole {
-		log.Warningf("Current user, id: %d does not have project admin role for project, id: %d", pma.currentUserID, pid)
+	if !hasProjectAdminRole(currentUserID, pid) {
+		log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, pid)
 		pma.RenderError(http.StatusForbidden, "")
 		return
 	}
+
+	mid := pma.memberID
+
 	var req memberReq
 	pma.DecodeJSONReq(&req)
 	roleList, err := dao.GetUserProjectRoles(mid, pid)
@@ -217,51 +193,20 @@ func (pma *ProjectMemberAPI) Put() {
 
 // Delete ...
 func (pma *ProjectMemberAPI) Delete() {
+	currentUserID := pma.currentUserID
 	pid := pma.project.ProjectID
-	mid := pma.memberID
-
-	rolelist, err := dao.GetUserProjectRoles(pma.currentUserID, pid)
-	hasProjectAdminRole := false
-	for _, role := range rolelist {
-		if role.RoleID == models.PROJECTADMIN {
-			hasProjectAdminRole = true
-			break
-		}
-	}
-
-	if !hasProjectAdminRole {
-		log.Warningf("Current user, id: %d does not have project admin role for project, id: %d", pma.currentUserID, pid)
+	if !hasProjectAdminRole(currentUserID, pid) {
+		log.Warningf("Current user, id: %d does not have project admin role for project, id:", currentUserID, pid)
 		pma.RenderError(http.StatusForbidden, "")
 		return
 	}
-	err = dao.DeleteProjectMember(pid, mid)
+
+	mid := pma.memberID
+
+	err := dao.DeleteProjectMember(pid, mid)
 	if err != nil {
 		log.Errorf("Failed to delete project roles for user, user id: %d, project id: %d, error: %v", mid, pid, err)
 		pma.RenderError(http.StatusInternalServerError, "Failed to update data in DB")
 		return
 	}
 }
-
-//sysadmin has all privileges to all projects
-func listRoles(userID int, projectID int64) ([]models.Role, error) {
-	roles := make([]models.Role, 1)
-	isSysAdmin, err := dao.IsAdminRole(userID)
-	if err != nil {
-		return roles, err
-	}
-	if isSysAdmin {
-		role, err := dao.GetRoleByID(models.PROJECTADMIN)
-		if err != nil {
-			return roles, err
-		}
-		roles = append(roles, *role)
-		return roles, nil
-	}
-
-	rs, err := dao.GetUserProjectRoles(userID, projectID)
-	if err != nil {
-		return roles, err
-	}
-	roles = append(roles, rs...)
-	return roles, nil
-}

api/project.go

@@ -43,7 +43,6 @@ const projectNameMaxLen int = 30
 
 // Prepare validates the URL and the user
 func (p *ProjectAPI) Prepare() {
-	p.userID = p.ValidateUser()
 	idStr := p.Ctx.Input.Param(":id")
 	if len(idStr) > 0 {
 		var err error
@@ -65,6 +64,8 @@ func (p *ProjectAPI) Prepare() {
 
 // Post ...
 func (p *ProjectAPI) Post() {
+	p.userID = p.ValidateUser()
+
 	var req projectReq
 	var public int
 	p.DecodeJSONReq(&req)
@@ -99,20 +100,52 @@ func (p *ProjectAPI) Post() {
 // Head ...
 func (p *ProjectAPI) Head() {
 	projectName := p.GetString("project_name")
-	result, err := dao.ProjectExists(projectName)
+	if len(projectName) == 0 {
+		p.CustomAbort(http.StatusBadRequest, "project_name is needed")
+	}
+
+	project, err := dao.GetProjectByName(projectName)
 	if err != nil {
-		log.Errorf("Error while communicating with DB, error: %v", err)
-		p.RenderError(http.StatusInternalServerError, "Error while communicating with DB")
+		log.Errorf("error occurred in GetProjectByName: %v", err)
+		p.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
+	}
+
+	// only public project can be Headed by user without login
+	if project != nil && project.Public == 1 {
 		return
 	}
-	if !result {
-		p.RenderError(http.StatusNotFound, "")
-		return
+
+	userID := p.ValidateUser()
+	if project == nil {
+		p.CustomAbort(http.StatusNotFound, http.StatusText(http.StatusNotFound))
+	}
+
+	if !checkProjectPermission(userID, project.ProjectID) {
+		p.CustomAbort(http.StatusForbidden, http.StatusText(http.StatusForbidden))
 	}
 }
 
 // Get ...
 func (p *ProjectAPI) Get() {
+	project, err := dao.GetProjectByID(p.projectID)
+	if err != nil {
+		log.Errorf("failed to get project %d: %v", p.projectID, err)
+		p.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
+	}
+
+	if project.Public == 0 {
+		userID := p.ValidateUser()
+		if !checkProjectPermission(userID, p.projectID) {
+			p.CustomAbort(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
+		}
+	}
+
+	p.Data["json"] = project
+	p.ServeJSON()
+}
+
+// List ...
+func (p *ProjectAPI) List() {
 	var projectList []models.Project
 	projectName := p.GetString("project_name")
 	if len(projectName) > 0 {
@@ -132,6 +165,8 @@ func (p *ProjectAPI) Get() {
 	if public == 1 {
 		projectList, err = dao.GetPublicProjects(projectName)
 	} else {
+		//if the request is not for public projects, user must login or provide credential
+		p.userID = p.ValidateUser()
 		isAdmin, err = dao.IsAdminRole(p.userID)
 		if err != nil {
 			log.Errorf("Error occured in check admin, error: %v", err)
@@ -164,6 +199,8 @@ func (p *ProjectAPI) Get() {
 
 // Put ...
 func (p *ProjectAPI) Put() {
+	p.userID = p.ValidateUser()
+
 	var req projectReq
 	var public int
 
@@ -192,6 +229,7 @@ func (p *ProjectAPI) Put() {
 
 // FilterAccessLog handles GET to /api/projects/{}/logs
 func (p *ProjectAPI) FilterAccessLog() {
+	p.userID = p.ValidateUser()
 
 	var filter models.AccessLog
 	p.DecodeJSONReq(&filter)

api/repository.go

@@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"os"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -29,6 +30,7 @@ import (
 	svc_utils "github.com/vmware/harbor/service/utils"
 	"github.com/vmware/harbor/utils/log"
 	"github.com/vmware/harbor/utils/registry"
+	"github.com/vmware/harbor/utils/registry/auth"
 	"github.com/vmware/harbor/utils/registry/errors"
 )
 
@@ -38,19 +40,13 @@ import (
 // the security of registry
 type RepositoryAPI struct {
 	BaseAPI
-	userID int
-}
-
-// Prepare will set a non existent user ID in case the request tries to view repositories under a project he doesn't has permission.
-func (ra *RepositoryAPI) Prepare() {
-	ra.userID = ra.ValidateUser()
 }
 
 // Get ...
 func (ra *RepositoryAPI) Get() {
-	projectID, err0 := ra.GetInt64("project_id")
-	if err0 != nil {
-		log.Errorf("Failed to get project id, error: %v", err0)
+	projectID, err := ra.GetInt64("project_id")
+	if err != nil {
+		log.Errorf("Failed to get project id, error: %v", err)
 		ra.RenderError(http.StatusBadRequest, "Invalid project id")
 		return
 	}
@@ -64,9 +60,14 @@ func (ra *RepositoryAPI) Get() {
 		ra.RenderError(http.StatusNotFound, "")
 		return
 	}
-	if p.Public == 0 && !checkProjectPermission(ra.userID, projectID) {
-		ra.RenderError(http.StatusForbidden, "")
-		return
+
+	if p.Public == 0 {
+		userID := ra.ValidateUser()
+
+		if !checkProjectPermission(userID, projectID) {
+			ra.RenderError(http.StatusForbidden, "")
+			return
+		}
 	}
 
 	repoList, err := svc_utils.GetRepoFromCache()
@@ -105,7 +106,7 @@ func (ra *RepositoryAPI) Delete() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
 	}
 
-	rc, err := ra.initializeRepositoryClient(repoName)
+	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
 		ra.CustomAbort(http.StatusInternalServerError, "internal error")
@@ -164,7 +165,7 @@ func (ra *RepositoryAPI) GetTags() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name is nil")
 	}
 
-	rc, err := ra.initializeRepositoryClient(repoName)
+	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
 		ra.CustomAbort(http.StatusInternalServerError, "internal error")
@@ -185,6 +186,8 @@ func (ra *RepositoryAPI) GetTags() {
 
 	tags = append(tags, ts...)
 
+	sort.Strings(tags)
+
 	ra.Data["json"] = tags
 	ra.ServeJSON()
 }
@@ -198,7 +201,7 @@ func (ra *RepositoryAPI) GetManifests() {
 		ra.CustomAbort(http.StatusBadRequest, "repo_name or tag is nil")
 	}
 
-	rc, err := ra.initializeRepositoryClient(repoName)
+	rc, err := ra.initRepositoryClient(repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
 		ra.CustomAbort(http.StatusInternalServerError, "internal error")
@@ -238,16 +241,50 @@ func (ra *RepositoryAPI) GetManifests() {
 	ra.ServeJSON()
 }
 
-func (ra *RepositoryAPI) initializeRepositoryClient(repoName string) (r *registry.Repository, err error) {
-	u := models.User{
-		UserID: ra.userID,
+func (ra *RepositoryAPI) initRepositoryClient(repoName string) (r *registry.Repository, err error) {
+	endpoint := os.Getenv("REGISTRY_URL")
+
+	username, password, ok := ra.Ctx.Request.BasicAuth()
+	if ok {
+		credential := auth.NewBasicAuthCredential(username, password)
+		return registry.NewRepositoryWithCredential(repoName, endpoint, credential)
 	}
-	user, err := dao.GetUser(u)
+
+	username, err = ra.getUsername()
 	if err != nil {
 		return nil, err
 	}
 
-	endpoint := os.Getenv("REGISTRY_URL")
-
-	return registry.NewRepositoryWithUsername(repoName, endpoint, user.Username)
+	return registry.NewRepositoryWithUsername(repoName, endpoint, username)
+}
+
+func (ra *RepositoryAPI) getUsername() (string, error) {
+	// get username from session
+	sessionUsername := ra.GetSession("username")
+	if sessionUsername != nil {
+		username, ok := sessionUsername.(string)
+		if ok {
+			return username, nil
+		}
+	}
+
+	// if username does not exist in session, try to get userId from sessiion
+	// and then get username from DB according to the userId
+	sessionUserID := ra.GetSession("userId")
+	if sessionUserID != nil {
+		userID, ok := sessionUserID.(int)
+		if ok {
+			u := models.User{
+				UserID: userID,
+			}
+			user, err := dao.GetUser(u)
+			if err != nil {
+				return "", err
+			}
+
+			return user.Username, nil
+		}
+	}
+
+	return "", nil
 }

api/utils.go

@@ -22,20 +22,52 @@ import (
 )
 
 func checkProjectPermission(userID int, projectID int64) bool {
-	exist, err := dao.IsAdminRole(userID)
+	roles, err := listRoles(userID, projectID)
 	if err != nil {
-		log.Errorf("Error occurred in IsAdminRole, error: %v", err)
+		log.Errorf("error occurred in getProjectPermission: %v", err)
 		return false
 	}
-	if exist {
-		return true
-	}
-	roleList, err := dao.GetUserProjectRoles(userID, projectID)
+	return len(roles) > 0
+}
+
+func hasProjectAdminRole(userID int, projectID int64) bool {
+	roles, err := listRoles(userID, projectID)
 	if err != nil {
-		log.Errorf("Error occurred in GetUserProjectRoles, error: %v", err)
+		log.Errorf("error occurred in getProjectPermission: %v", err)
 		return false
 	}
-	return len(roleList) > 0
+
+	for _, role := range roles {
+		if role.RoleID == models.PROJECTADMIN {
+			return true
+		}
+	}
+
+	return false
+}
+
+//sysadmin has all privileges to all projects
+func listRoles(userID int, projectID int64) ([]models.Role, error) {
+	roles := make([]models.Role, 0, 1)
+	isSysAdmin, err := dao.IsAdminRole(userID)
+	if err != nil {
+		return roles, err
+	}
+	if isSysAdmin {
+		role, err := dao.GetRoleByID(models.PROJECTADMIN)
+		if err != nil {
+			return roles, err
+		}
+		roles = append(roles, *role)
+		return roles, nil
+	}
+
+	rs, err := dao.GetUserProjectRoles(userID, projectID)
+	if err != nil {
+		return roles, err
+	}
+	roles = append(roles, rs...)
+	return roles, nil
 }
 
 func checkUserExists(name string) int {

dao/project.go

@@ -249,7 +249,6 @@ func getProjects(public int, projectName string) ([]models.Project, error) {
 	}
 	sql += " order by name "
 	var projects []models.Project
-	log.Debugf("sql xxx", sql)
 	if _, err := o.Raw(sql, queryParam).QueryRows(&projects); err != nil {
 		return nil, err
 	}

service/token/authutils.go

@@ -46,10 +46,24 @@ func GetResourceActions(scopes []string) []*token.ResourceActions {
 			continue
 		}
 		items := strings.Split(s, ":")
+		length := len(items)
+
+		typee := items[0]
+
+		name := ""
+		if length > 1 {
+			name = items[1]
+		}
+
+		actions := []string{}
+		if length > 2 {
+			actions = strings.Split(items[2], ",")
+		}
+
 		res = append(res, &token.ResourceActions{
-			Type:    items[0],
-			Name:    items[1],
-			Actions: strings.Split(items[2], ","),
+			Type:    typee,
+			Name:    name,
+			Actions: actions,
 		})
 	}
 	return res

ui/router.go

@@ -53,6 +53,7 @@ func initRouters() {
 	//API:
 	beego.Router("/api/search", &api.SearchAPI{})
 	beego.Router("/api/projects/:pid/members/?:mid", &api.ProjectMemberAPI{})
+	beego.Router("/api/projects/", &api.ProjectAPI{}, "get:List")
 	beego.Router("/api/projects/?:id", &api.ProjectAPI{})
 	beego.Router("/api/statistics", &api.StatisticAPI{})
 	beego.Router("/api/projects/:id/logs/filter", &api.ProjectAPI{}, "post:FilterAccessLog")