mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-22 00:27:44 +01:00
Merge pull request #12960 from heww/ignore-enable-content-trust-for-proxy-cache
feat(project): ignore enable_content_trust for proxy project
commit
4267570e99
src
common/models
server
@ -80,6 +80,11 @@ func (p *Project) IsPublic() bool {
|
|||||||
return isTrue(public)
|
return isTrue(public)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsProxy returns true when the project type is proxy cache
|
||||||
|
func (p *Project) IsProxy() bool {
|
||||||
|
return p.RegistryID > 0
|
||||||
|
}
|
||||||
|
|
||||||
// ContentTrustEnabled ...
|
// ContentTrustEnabled ...
|
||||||
func (p *Project) ContentTrustEnabled() bool {
|
func (p *Project) ContentTrustEnabled() bool {
|
||||||
enabled, exist := p.GetMetadata(ProMetaEnableContentTrust)
|
enabled, exist := p.GetMetadata(ProMetaEnableContentTrust)
|
||||||
|
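Review bot: `IsProxy` dereferences its receiver with no nil check, whereas the `isProxyProject` helper it replaces in the repoproxy middleware returned false for a nil `*models.Project`. The call sites on this page (`p.IsProxy()` in `DisableBlobAndManifestUploadMiddleware`, `pro.IsProxy()` in `requireNonProxyCacheProject`, and the two in the project handler) appear to follow an error check, so the pointer is presumably non-nil, but that holds only if the lookups never return a nil project with a nil error, which is not visible here. Because the middleware call gates pushes to proxy projects, a panic there is a worse failure than returning false; `return p != nil && p.RegistryID > 0` keeps the old contract. The deleted `TestIsProxyProject` table test also has no visible replacement covering `IsProxy` in the models package.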
@ -17,20 +17,20 @@ package repoproxy
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/goharbor/harbor/src/common/security"
|
|
||||||
"github.com/goharbor/harbor/src/common/security/proxycachesecret"
|
|
||||||
"github.com/goharbor/harbor/src/lib/errors"
|
|
||||||
httpLib "github.com/goharbor/harbor/src/lib/http"
|
|
||||||
"github.com/goharbor/harbor/src/replication/model"
|
|
||||||
"github.com/goharbor/harbor/src/replication/registry"
|
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/goharbor/harbor/src/common/models"
|
"github.com/goharbor/harbor/src/common/models"
|
||||||
|
"github.com/goharbor/harbor/src/common/security"
|
||||||
|
"github.com/goharbor/harbor/src/common/security/proxycachesecret"
|
||||||
"github.com/goharbor/harbor/src/controller/project"
|
"github.com/goharbor/harbor/src/controller/project"
|
||||||
"github.com/goharbor/harbor/src/controller/proxy"
|
"github.com/goharbor/harbor/src/controller/proxy"
|
||||||
"github.com/goharbor/harbor/src/lib"
|
"github.com/goharbor/harbor/src/lib"
|
||||||
|
"github.com/goharbor/harbor/src/lib/errors"
|
||||||
|
httpLib "github.com/goharbor/harbor/src/lib/http"
|
||||||
"github.com/goharbor/harbor/src/lib/log"
|
"github.com/goharbor/harbor/src/lib/log"
|
||||||
|
"github.com/goharbor/harbor/src/replication/model"
|
||||||
|
"github.com/goharbor/harbor/src/replication/registry"
|
||||||
"github.com/goharbor/harbor/src/server/middleware"
|
"github.com/goharbor/harbor/src/server/middleware"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -163,14 +163,6 @@ func setHeaders(w http.ResponseWriter, size int64, mediaType string, dig string)
|
|||||||
h.Set("Etag", dig)
|
h.Set("Etag", dig)
|
||||||
}
|
}
|
||||||
|
|
||||||
// isProxyProject check the project is a proxy project
|
|
||||||
func isProxyProject(p *models.Project) bool {
|
|
||||||
if p == nil {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
return p.RegistryID > 0
|
|
||||||
}
|
|
||||||
|
|
||||||
// isProxySession check if current security context is proxy session
|
// isProxySession check if current security context is proxy session
|
||||||
func isProxySession(ctx context.Context) bool {
|
func isProxySession(ctx context.Context) bool {
|
||||||
sc, ok := security.FromContext(ctx)
|
sc, ok := security.FromContext(ctx)
|
||||||
@ -194,7 +186,7 @@ func DisableBlobAndManifestUploadMiddleware() func(http.Handler) http.Handler {
|
|||||||
httpLib.SendError(w, err)
|
httpLib.SendError(w, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if isProxyProject(p) && !isProxySession(ctx) {
|
if p.IsProxy() && !isProxySession(ctx) {
|
||||||
httpLib.SendError(w,
|
httpLib.SendError(w,
|
||||||
errors.DeniedError(
|
errors.DeniedError(
|
||||||
errors.Errorf("can not push artifact to a proxy project: %v", p.Name)))
|
errors.Errorf("can not push artifact to a proxy project: %v", p.Name)))
|
||||||
|
@ -18,44 +18,12 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/goharbor/harbor/src/common/models"
|
|
||||||
"github.com/goharbor/harbor/src/common/security"
|
"github.com/goharbor/harbor/src/common/security"
|
||||||
"github.com/goharbor/harbor/src/common/security/proxycachesecret"
|
"github.com/goharbor/harbor/src/common/security/proxycachesecret"
|
||||||
securitySecret "github.com/goharbor/harbor/src/common/security/secret"
|
securitySecret "github.com/goharbor/harbor/src/common/security/secret"
|
||||||
"github.com/goharbor/harbor/src/core/config"
|
"github.com/goharbor/harbor/src/core/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestIsProxyProject(t *testing.T) {
|
|
||||||
cases := []struct {
|
|
||||||
name string
|
|
||||||
in *models.Project
|
|
||||||
want bool
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
name: `no proxy`,
|
|
||||||
in: &models.Project{RegistryID: 0},
|
|
||||||
want: false,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: `normal proxy`,
|
|
||||||
in: &models.Project{RegistryID: 1},
|
|
||||||
want: true,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tt := range cases {
|
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
|
||||||
|
|
||||||
got := isProxyProject(tt.in)
|
|
||||||
|
|
||||||
if got != tt.want {
|
|
||||||
t.Errorf(`(%v) = %v; want "%v"`, tt.in, got, tt.want)
|
|
||||||
}
|
|
||||||
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestIsProxySession(t *testing.T) {
|
func TestIsProxySession(t *testing.T) {
|
||||||
config.Init()
|
config.Init()
|
||||||
sc1 := securitySecret.NewSecurityContext("123456789", config.SecretStore)
|
sc1 := securitySecret.NewSecurityContext("123456789", config.SecretStore)
|
||||||
|
@ -17,9 +17,6 @@ package handler
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/goharbor/harbor/src/controller/event/metadata"
|
|
||||||
"github.com/goharbor/harbor/src/controller/project"
|
|
||||||
"github.com/goharbor/harbor/src/pkg/notification"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
@ -31,10 +28,13 @@ import (
|
|||||||
"github.com/goharbor/harbor/src/common/utils"
|
"github.com/goharbor/harbor/src/common/utils"
|
||||||
"github.com/goharbor/harbor/src/controller/artifact"
|
"github.com/goharbor/harbor/src/controller/artifact"
|
||||||
"github.com/goharbor/harbor/src/controller/artifact/processor"
|
"github.com/goharbor/harbor/src/controller/artifact/processor"
|
||||||
|
"github.com/goharbor/harbor/src/controller/event/metadata"
|
||||||
|
"github.com/goharbor/harbor/src/controller/project"
|
||||||
"github.com/goharbor/harbor/src/controller/repository"
|
"github.com/goharbor/harbor/src/controller/repository"
|
||||||
"github.com/goharbor/harbor/src/controller/scan"
|
"github.com/goharbor/harbor/src/controller/scan"
|
||||||
"github.com/goharbor/harbor/src/controller/tag"
|
"github.com/goharbor/harbor/src/controller/tag"
|
||||||
"github.com/goharbor/harbor/src/lib/errors"
|
"github.com/goharbor/harbor/src/lib/errors"
|
||||||
|
"github.com/goharbor/harbor/src/pkg/notification"
|
||||||
"github.com/goharbor/harbor/src/server/v2.0/handler/assembler"
|
"github.com/goharbor/harbor/src/server/v2.0/handler/assembler"
|
||||||
"github.com/goharbor/harbor/src/server/v2.0/handler/model"
|
"github.com/goharbor/harbor/src/server/v2.0/handler/model"
|
||||||
"github.com/goharbor/harbor/src/server/v2.0/models"
|
"github.com/goharbor/harbor/src/server/v2.0/models"
|
||||||
@ -244,7 +244,7 @@ func (a *artifactAPI) requireNonProxyCacheProject(ctx context.Context, name stri
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if pro.RegistryID > 0 {
|
if pro.IsProxy() {
|
||||||
return errors.New(nil).WithCode(errors.MethodNotAllowedCode).
|
return errors.New(nil).WithCode(errors.MethodNotAllowedCode).
|
||||||
WithMessage("the operation isn't supported for a proxy cache project")
|
WithMessage("the operation isn't supported for a proxy cache project")
|
||||||
}
|
}
|
||||||
|
@ -119,6 +119,12 @@ func (a *projectAPI) CreateProject(ctx context.Context, params operation.CreateP
|
|||||||
req.Metadata.Public = strconv.FormatBool(false)
|
req.Metadata.Public = strconv.FormatBool(false)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ignore enable_content_trust metadata for proxy cache project
|
||||||
|
// see https://github.com/goharbor/harbor/issues/12940 to get more info
|
||||||
|
if req.RegistryID != nil {
|
||||||
|
req.Metadata.EnableContentTrust = nil
|
||||||
|
}
|
||||||
|
|
||||||
// validate the RegistryID and StorageLimit in the body of the request
|
// validate the RegistryID and StorageLimit in the body of the request
|
||||||
if err := a.validateProjectReq(ctx, req); err != nil {
|
if err := a.validateProjectReq(ctx, req); err != nil {
|
||||||
return a.SendError(ctx, err)
|
return a.SendError(ctx, err)
|
||||||
@ -314,7 +320,7 @@ func (a *projectAPI) GetProjectSummary(ctx context.Context, params operation.Get
|
|||||||
fetchSummaries = append(fetchSummaries, getProjectMemberSummary)
|
fetchSummaries = append(fetchSummaries, getProjectMemberSummary)
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.RegistryID > 0 {
|
if p.IsProxy() {
|
||||||
fetchSummaries = append(fetchSummaries, getProjectRegistrySummary)
|
fetchSummaries = append(fetchSummaries, getProjectRegistrySummary)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -458,6 +464,11 @@ func (a *projectAPI) UpdateProject(ctx context.Context, params operation.UpdateP
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ignore enable_content_trust metadata for proxy cache project
|
||||||
|
// see https://github.com/goharbor/harbor/issues/12940 to get more info
|
||||||
|
if params.Project.Metadata != nil && p.IsProxy() {
|
||||||
|
params.Project.Metadata.EnableContentTrust = nil
|
||||||
|
}
|
||||||
lib.JSONCopy(&p.Metadata, params.Project.Metadata)
|
lib.JSONCopy(&p.Metadata, params.Project.Metadata)
|
||||||
|
|
||||||
if err := a.projectCtl.Update(ctx, p); err != nil {
|
if err := a.projectCtl.Update(ctx, p); err != nil {
|
||||||
|
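Review bot: The `CreateProject` guard tests `req.RegistryID != nil`, while the rest of this commit defines a proxy project as `RegistryID > 0` (`IsProxy`). A request carrying `registry_id: 0` together with `enable_content_trust: true` would have the content-trust setting cleared before `validateProjectReq` runs, and unless that validation rejects a zero ID (not visible here) the result is an ordinary project created without the signature enforcement the caller asked for. `if req.RegistryID != nil && *req.RegistryID > 0 {` would match the predicate used in `UpdateProject`. Both handlers drop a security setting silently and still return success, so a log line at the point of clearing would let operators see that content trust is not in effect; `UpdateProject` also filters only the incoming value, so an `enable_content_trust` entry already stored on a proxy project stays as it is.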