mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-24 17:47:46 +01:00
Merge pull request #7244 from wy65701436/oidc_user
add the dao funcs for OIDC onboard user
This commit is contained in:
commit
0c171c642b
@ -13,6 +13,25 @@ CREATE TABLE robot (
|
||||
|
||||
CREATE TRIGGER robot_update_time_at_modtime BEFORE UPDATE ON robot FOR EACH ROW EXECUTE PROCEDURE update_update_time_at_column();
|
||||
|
||||
CREATE TABLE oidc_user (
|
||||
id SERIAL NOT NULL,
|
||||
user_id int NOT NULL,
|
||||
secret varchar(255) NOT NULL,
|
||||
/*
|
||||
Subject and Issuer
|
||||
Subject: Subject Identifier.
|
||||
Issuer: Issuer Identifier for the Issuer of the response.
|
||||
The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User
|
||||
*/
|
||||
subiss varchar(255) NOT NULL,
|
||||
creation_time timestamp default CURRENT_TIMESTAMP,
|
||||
update_time timestamp default CURRENT_TIMESTAMP,
|
||||
PRIMARY KEY (id),
|
||||
UNIQUE (subiss)
|
||||
);
|
||||
|
||||
CREATE TRIGGER odic_user_update_time_at_modtime BEFORE UPDATE ON oidc_user FOR EACH ROW EXECUTE PROCEDURE update_update_time_at_column();
|
||||
|
||||
/*add master role*/
|
||||
INSERT INTO role (role_code, name) VALUES ('DRWS', 'master');
|
||||
|
||||
|
168
src/common/dao/oidc_user.go
Normal file
168
src/common/dao/oidc_user.go
Normal file
@ -0,0 +1,168 @@
|
||||
// Copyright Project Harbor Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package dao
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/astaxie/beego/orm"
|
||||
"github.com/goharbor/harbor/src/common/models"
|
||||
"github.com/goharbor/harbor/src/common/utils/log"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
var (
|
||||
// ErrDupUser ...
|
||||
ErrDupUser = errors.New("sql: duplicate user in harbor_user")
|
||||
|
||||
// ErrRollBackUser ...
|
||||
ErrRollBackUser = errors.New("sql: transaction roll back error in harbor_user")
|
||||
|
||||
// ErrDupOIDCUser ...
|
||||
ErrDupOIDCUser = errors.New("sql: duplicate user in oicd_user")
|
||||
|
||||
// ErrRollBackOIDCUser ...
|
||||
ErrRollBackOIDCUser = errors.New("sql: transaction roll back error in oicd_user")
|
||||
)
|
||||
|
||||
// GetOIDCUserByID ...
|
||||
func GetOIDCUserByID(id int64) (*models.OIDCUser, error) {
|
||||
oidcUser := &models.OIDCUser{
|
||||
ID: id,
|
||||
}
|
||||
if err := GetOrmer().Read(oidcUser); err != nil {
|
||||
if err == orm.ErrNoRows {
|
||||
return nil, nil
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return oidcUser, nil
|
||||
}
|
||||
|
||||
// GetUserBySubIss ...
|
||||
func GetUserBySubIss(sub, issuer string) (*models.User, error) {
|
||||
var oidcUsers []models.OIDCUser
|
||||
n, err := GetOrmer().Raw(`select * from oidc_user where subiss = ? `, sub+issuer).QueryRows(&oidcUsers)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if n == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
user, err := GetUser(models.User{
|
||||
UserID: oidcUsers[0].UserID,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if user == nil {
|
||||
return nil, fmt.Errorf("can not get user %d", oidcUsers[0].UserID)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
// GetOIDCUserByUserID ...
|
||||
func GetOIDCUserByUserID(userID int) (*models.OIDCUser, error) {
|
||||
var oidcUsers []models.OIDCUser
|
||||
n, err := GetOrmer().Raw(`select * from oidc_user where user_id = ? `, userID).QueryRows(&oidcUsers)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if n == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
return &oidcUsers[0], nil
|
||||
}
|
||||
|
||||
// UpdateOIDCUser ...
|
||||
func UpdateOIDCUser(oidcUser *models.OIDCUser) error {
|
||||
oidcUser.UpdateTime = time.Now()
|
||||
_, err := GetOrmer().Update(oidcUser)
|
||||
return err
|
||||
}
|
||||
|
||||
// DeleteOIDCUser ...
|
||||
func DeleteOIDCUser(id int64) error {
|
||||
_, err := GetOrmer().QueryTable(&models.OIDCUser{}).Filter("ID", id).Delete()
|
||||
return err
|
||||
}
|
||||
|
||||
// OnBoardOIDCUser onboard OIDC user
|
||||
// For the api caller, should only care about the ErrDupUser. It could lead to http.StatusConflict.
|
||||
func OnBoardOIDCUser(u *models.User) error {
|
||||
if u.OIDCUserMeta == nil {
|
||||
return errors.New("unable to onboard as empty oidc user")
|
||||
}
|
||||
|
||||
o := orm.NewOrm()
|
||||
err := o.Begin()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
var errInsert error
|
||||
|
||||
// insert user
|
||||
now := time.Now()
|
||||
u.CreationTime = now
|
||||
userID, err := o.Insert(u)
|
||||
if err != nil {
|
||||
errInsert = err
|
||||
log.Errorf("fail to insert user, %v", err)
|
||||
if strings.Contains(err.Error(), "duplicate key value violates unique constraint") {
|
||||
errInsert = errors.Wrap(errInsert, ErrDupUser.Error())
|
||||
}
|
||||
err := o.Rollback()
|
||||
if err != nil {
|
||||
log.Errorf("fail to rollback when to onboard oidc user, %v", err)
|
||||
errInsert = errors.Wrap(errInsert, err.Error())
|
||||
return errors.Wrap(errInsert, ErrRollBackUser.Error())
|
||||
}
|
||||
return errInsert
|
||||
|
||||
}
|
||||
u.UserID = int(userID)
|
||||
u.OIDCUserMeta.UserID = int(userID)
|
||||
|
||||
// insert oidc user
|
||||
now = time.Now()
|
||||
u.OIDCUserMeta.CreationTime = now
|
||||
_, err = o.Insert(u.OIDCUserMeta)
|
||||
if err != nil {
|
||||
errInsert = err
|
||||
log.Errorf("fail to insert oidc user, %v", err)
|
||||
if strings.Contains(err.Error(), "duplicate key value violates unique constraint") {
|
||||
errInsert = errors.Wrap(errInsert, ErrDupOIDCUser.Error())
|
||||
}
|
||||
err := o.Rollback()
|
||||
if err != nil {
|
||||
errInsert = errors.Wrap(errInsert, err.Error())
|
||||
return errors.Wrap(errInsert, ErrRollBackOIDCUser.Error())
|
||||
}
|
||||
return errInsert
|
||||
}
|
||||
err = o.Commit()
|
||||
if err != nil {
|
||||
log.Errorf("fail to commit when to onboard oidc user, %v", err)
|
||||
return fmt.Errorf("fail to commit when to onboard oidc user, %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
186
src/common/dao/oidc_user_test.go
Normal file
186
src/common/dao/oidc_user_test.go
Normal file
@ -0,0 +1,186 @@
|
||||
// Copyright Project Harbor Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package dao
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/goharbor/harbor/src/common/models"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestOIDCUserMetaDaoMethods(t *testing.T) {
|
||||
|
||||
user111 := models.User{
|
||||
Username: "user111",
|
||||
Email: "user111@email.com",
|
||||
}
|
||||
user222 := models.User{
|
||||
Username: "user222",
|
||||
Email: "user222@email.com",
|
||||
}
|
||||
userEmptyOuMeta := models.User{
|
||||
Username: "userEmptyOuMeta",
|
||||
Email: "userEmptyOuMeta@email.com",
|
||||
}
|
||||
ou111 := models.OIDCUser{
|
||||
SubIss: "QWE123123RT1",
|
||||
Secret: "QWEQWE1",
|
||||
}
|
||||
ou222 := models.OIDCUser{
|
||||
SubIss: "QWE123123RT2",
|
||||
Secret: "QWEQWE2",
|
||||
}
|
||||
|
||||
// onboard OIDC ...
|
||||
user111.OIDCUserMeta = &ou111
|
||||
err := OnBoardOIDCUser(&user111)
|
||||
require.Nil(t, err)
|
||||
defer CleanUser(int64(user111.UserID))
|
||||
user222.OIDCUserMeta = &ou222
|
||||
err = OnBoardOIDCUser(&user222)
|
||||
require.Nil(t, err)
|
||||
defer CleanUser(int64(user222.UserID))
|
||||
|
||||
// empty OIDC user meta ...
|
||||
err = OnBoardOIDCUser(&userEmptyOuMeta)
|
||||
require.NotNil(t, err)
|
||||
assert.Equal(t, "unable to onboard as empty oidc user", err.Error())
|
||||
|
||||
// test get by ID
|
||||
oidcUser1, err := GetOIDCUserByID(ou111.ID)
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, ou111.UserID, oidcUser1.UserID)
|
||||
|
||||
// test get by userID
|
||||
oidcUser2, err := GetOIDCUserByUserID(user111.UserID)
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, "QWE123123RT1", oidcUser2.SubIss)
|
||||
|
||||
// test get by sub and iss
|
||||
userGetBySubIss, err := GetUserBySubIss("QWE123", "123RT1")
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, "user111@email.com", userGetBySubIss.Email)
|
||||
|
||||
// test update
|
||||
meta3 := &models.OIDCUser{
|
||||
ID: ou111.ID,
|
||||
UserID: ou111.UserID,
|
||||
SubIss: "newSub",
|
||||
}
|
||||
require.Nil(t, UpdateOIDCUser(meta3))
|
||||
oidcUser1Update, err := GetOIDCUserByID(ou111.ID)
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, "newSub", oidcUser1Update.SubIss)
|
||||
|
||||
user, err := GetUserBySubIss("new", "Sub")
|
||||
require.Nil(t, err)
|
||||
assert.Equal(t, "user111", user.Username)
|
||||
|
||||
// clear data
|
||||
defer func() {
|
||||
_, err := GetOrmer().Raw(`delete from oidc_user`).Exec()
|
||||
require.Nil(t, err)
|
||||
}()
|
||||
}
|
||||
|
||||
func TestOIDCOnboard(t *testing.T) {
|
||||
user333 := models.User{
|
||||
Username: "user333",
|
||||
Email: "user333@email.com",
|
||||
}
|
||||
user555 := models.User{
|
||||
Username: "user555",
|
||||
Email: "user555@email.com",
|
||||
}
|
||||
user666 := models.User{
|
||||
Username: "user666",
|
||||
Email: "user666@email.com",
|
||||
}
|
||||
userDup := models.User{
|
||||
Username: "user333",
|
||||
Email: "userDup@email.com",
|
||||
}
|
||||
|
||||
ou333 := &models.OIDCUser{
|
||||
SubIss: "QWE123123RT3",
|
||||
Secret: "QWEQWE333",
|
||||
}
|
||||
ou555 := &models.OIDCUser{
|
||||
SubIss: "QWE123123RT5",
|
||||
Secret: "QWEQWE555",
|
||||
}
|
||||
ouDup := &models.OIDCUser{
|
||||
SubIss: "QWE123123RT3",
|
||||
Secret: "QWEQWE333",
|
||||
}
|
||||
ouDupSub := &models.OIDCUser{
|
||||
SubIss: "QWE123123RT3",
|
||||
Secret: "ouDupSub",
|
||||
}
|
||||
|
||||
// data prepare ...
|
||||
user333.OIDCUserMeta = ou333
|
||||
err := OnBoardOIDCUser(&user333)
|
||||
require.Nil(t, err)
|
||||
defer CleanUser(int64(user333.UserID))
|
||||
|
||||
// duplicate user -- ErrDupRows
|
||||
// userDup is duplicate with user333
|
||||
userDup.OIDCUserMeta = ou555
|
||||
err = OnBoardOIDCUser(&userDup)
|
||||
require.NotNil(t, err)
|
||||
require.Contains(t, err.Error(), ErrDupUser.Error())
|
||||
exist, err := UserExists(userDup, "email")
|
||||
require.Nil(t, err)
|
||||
require.False(t, exist)
|
||||
|
||||
// duplicate OIDC user -- ErrDupRows
|
||||
// ouDup is duplicate with ou333
|
||||
user555.OIDCUserMeta = ouDup
|
||||
err = OnBoardOIDCUser(&user555)
|
||||
require.NotNil(t, err)
|
||||
require.Contains(t, err.Error(), ErrDupOIDCUser.Error())
|
||||
exist, err = UserExists(user555, "username")
|
||||
require.Nil(t, err)
|
||||
require.False(t, exist)
|
||||
|
||||
// success
|
||||
user555.OIDCUserMeta = ou555
|
||||
err = OnBoardOIDCUser(&user555)
|
||||
require.Nil(t, err)
|
||||
exist, err = UserExists(user555, "username")
|
||||
require.Nil(t, err)
|
||||
require.True(t, exist)
|
||||
defer CleanUser(int64(user555.UserID))
|
||||
|
||||
// duplicate OIDC user's sub -- ErrDupRows
|
||||
// ouDup is duplicate with ou333
|
||||
user666.OIDCUserMeta = ouDupSub
|
||||
err = OnBoardOIDCUser(&user666)
|
||||
require.NotNil(t, err)
|
||||
require.Contains(t, err.Error(), ErrDupOIDCUser.Error())
|
||||
exist, err = UserExists(user666, "username")
|
||||
require.Nil(t, err)
|
||||
require.False(t, exist)
|
||||
|
||||
// clear data
|
||||
defer func() {
|
||||
_, err := GetOrmer().Raw(`delete from oidc_user`).Exec()
|
||||
require.Nil(t, err)
|
||||
}()
|
||||
|
||||
}
|
@ -38,5 +38,6 @@ func init() {
|
||||
new(UserGroup),
|
||||
new(AdminJob),
|
||||
new(JobLog),
|
||||
new(Robot))
|
||||
new(Robot),
|
||||
new(OIDCUser))
|
||||
}
|
||||
|
20
src/common/models/oidc_user.go
Normal file
20
src/common/models/oidc_user.go
Normal file
@ -0,0 +1,20 @@
|
||||
package models
|
||||
|
||||
import (
|
||||
"time"
|
||||
)
|
||||
|
||||
// OIDCUser ...
|
||||
type OIDCUser struct {
|
||||
ID int64 `orm:"pk;auto;column(id)" json:"id"`
|
||||
UserID int `orm:"column(user_id)" json:"user_id"`
|
||||
Secret string `orm:"column(secret)" json:"secret"`
|
||||
SubIss string `orm:"column(subiss)" json:"subiss"`
|
||||
CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
|
||||
UpdateTime time.Time `orm:"column(update_time);auto_now" json:"update_time"`
|
||||
}
|
||||
|
||||
// TableName ...
|
||||
func (o *OIDCUser) TableName() string {
|
||||
return "oidc_user"
|
||||
}
|
@ -41,6 +41,7 @@ type User struct {
|
||||
CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
|
||||
UpdateTime time.Time `orm:"column(update_time);auto_now" json:"update_time"`
|
||||
GroupList []*UserGroup `orm:"-" json:"-"`
|
||||
OIDCUserMeta *OIDCUser `orm:"-" json:"oidc_user_meta,omitempty"`
|
||||
}
|
||||
|
||||
// UserQuery ...
|
||||
|
@ -138,4 +138,5 @@ func TestAll(t *testing.T) {
|
||||
w = httptest.NewRecorder()
|
||||
beego.BeeApp.Handlers.ServeHTTP(w, r)
|
||||
assert.Equal(int(404), w.Code, "GET v2/noproject/manifests/1.0 should get a 404 response")
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user