From a1858098c5224127de933caa347eb9fa8877925d Mon Sep 17 00:00:00 2001 From: Wenkai Yin Date: Thu, 23 Feb 2017 18:02:19 +0800 Subject: [PATCH] using different secret to mark himself when communicates with other components --- make/common/templates/adminserver/env | 2 +- make/common/templates/jobservice/env | 1 + make/common/templates/ui/env | 1 + make/prepare | 9 ++++++--- src/adminserver/api/cfg.go | 6 ++++-- src/common/models/replication_job.go | 2 +- src/jobservice/api/replication.go | 2 +- src/jobservice/config/config.go | 12 +++++++++--- src/jobservice/job/statemachine.go | 2 +- src/ui/api/repository.go | 2 +- src/ui/config/config.go | 10 ++++++++-- src/ui/service/token/token.go | 7 ++++--- src/ui/service/utils/utils.go | 8 +++----- 13 files changed, 41 insertions(+), 23 deletions(-) diff --git a/make/common/templates/adminserver/env b/make/common/templates/adminserver/env index ff0153215..d537720f8 100644 --- a/make/common/templates/adminserver/env +++ b/make/common/templates/adminserver/env @@ -31,7 +31,7 @@ VERIFY_REMOTE_CERT=$verify_remote_cert MAX_JOB_WORKERS=$max_job_workers LOG_DIR=/var/log/jobs UI_SECRET=$ui_secret -SECRET_KEY=$secret_key +JOBSERVICE_SECRET=$jobservice_secret TOKEN_EXPIRATION=$token_expiration CFG_EXPIRATION=5 USE_COMPRESSED_JS=$use_compressed_js diff --git a/make/common/templates/jobservice/env b/make/common/templates/jobservice/env index 06c8b0f22..c5e37fc0f 100644 --- a/make/common/templates/jobservice/env +++ b/make/common/templates/jobservice/env @@ -1,4 +1,5 @@ LOG_LEVEL=debug CONFIG_PATH=/etc/jobservice/app.conf UI_SECRET=$ui_secret +JOBSERVICE_SECRET=$jobservice_secret GODEBUG=netdns=cgo diff --git a/make/common/templates/ui/env b/make/common/templates/ui/env index fc0d133ab..1f457e257 100644 --- a/make/common/templates/ui/env +++ b/make/common/templates/ui/env @@ -1,4 +1,5 @@ LOG_LEVEL=debug CONFIG_PATH=/etc/ui/app.conf UI_SECRET=$ui_secret +JOBSERVICE_SECRET=$jobservice_secret GODEBUG=netdns=cgo diff --git a/make/prepare b/make/prepare index 28d46a376..7fb47671e 100755 --- a/make/prepare +++ b/make/prepare @@ -125,6 +125,7 @@ secret_key = get_secret_key(secretkey_path) ######## ui_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16)) +jobservice_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16)) adminserver_config_dir = os.path.join(config_dir,"adminserver") if not os.path.exists(adminserver_config_dir): @@ -219,14 +220,15 @@ render(os.path.join(templates_dir, "adminserver", "env"), verify_remote_cert=verify_remote_cert, max_job_workers=max_job_workers, ui_secret=ui_secret, - secret_key=secret_key, + jobservice_secret=jobservice_secret, token_expiration=token_expiration, use_compressed_js=use_compressed_js ) render(os.path.join(templates_dir, "ui", "env"), ui_conf_env, - ui_secret=ui_secret) + ui_secret=ui_secret, + jobservice_secret=jobservice_secret,) render(os.path.join(templates_dir, "registry", "config.yml"), @@ -239,7 +241,8 @@ render(os.path.join(templates_dir, "db", "env"), render(os.path.join(templates_dir, "jobservice", "env"), job_conf_env, - ui_secret=ui_secret) + ui_secret=ui_secret, + jobservice_secret=jobservice_secret) print("Generated configuration file: %s" % jobservice_conf) shutil.copyfile(os.path.join(templates_dir, "jobservice", "app.conf"), jobservice_conf) diff --git a/src/adminserver/api/cfg.go b/src/adminserver/api/cfg.go index 6a2198c6e..23469eef8 100644 --- a/src/adminserver/api/cfg.go +++ b/src/adminserver/api/cfg.go @@ -26,7 +26,8 @@ import ( ) func isAuthenticated(r *http.Request) (bool, error) { - secret := os.Getenv("UI_SECRET") + uiSecret := os.Getenv("UI_SECRET") + jobserviceSecret := os.Getenv("JOBSERVICE_SECRET") c, err := r.Cookie("secret") if err != nil { if err == http.ErrNoCookie { @@ -34,7 +35,8 @@ func isAuthenticated(r *http.Request) (bool, error) { } return false, err } - return c != nil && c.Value == secret, nil + return c != nil && (c.Value == uiSecret || + c.Value == jobserviceSecret), nil } // ListCfgs lists configurations diff --git a/src/common/models/replication_job.go b/src/common/models/replication_job.go index 2908e4569..ae47371fd 100644 --- a/src/common/models/replication_job.go +++ b/src/common/models/replication_job.go @@ -44,7 +44,7 @@ const ( //RepOpDelete represents the operation of a job to remove repository from a remote registry/harbor instance. RepOpDelete string = "delete" //UISecretCookie is the cookie name to contain the UI secret - UISecretCookie string = "uisecret" + UISecretCookie string = "secret" ) // RepPolicy is the model for a replication policy, which associate to a project and a target (destination) diff --git a/src/jobservice/api/replication.go b/src/jobservice/api/replication.go index 25aef81e4..bfe7dd5c5 100644 --- a/src/jobservice/api/replication.go +++ b/src/jobservice/api/replication.go @@ -194,7 +194,7 @@ func getRepoList(projectID int64) ([]string, error) { return repositories, err } - req.AddCookie(&http.Cookie{Name: models.UISecretCookie, Value: config.UISecret()}) + req.AddCookie(&http.Cookie{Name: models.UISecretCookie, Value: config.JobserviceSecret()}) resp, err := client.Do(req) if err != nil { diff --git a/src/jobservice/config/config.go b/src/jobservice/config/config.go index 0a13ab5d4..c58f20b78 100644 --- a/src/jobservice/config/config.go +++ b/src/jobservice/config/config.go @@ -41,7 +41,7 @@ func Init() error { if len(adminServerURL) == 0 { adminServerURL = "http://adminserver" } - mg = comcfg.NewManager(adminServerURL, UISecret(), true) + mg = comcfg.NewManager(adminServerURL, JobserviceSecret(), true) if err := mg.Init(); err != nil { return err @@ -132,12 +132,18 @@ func SecretKey() (string, error) { return keyProvider.Get(nil) } -// UISecret returns a secret used for communication of UI, JobService -// and Adminserver +// UISecret returns a secret to mark UI when communicate with other +// component func UISecret() string { return os.Getenv("UI_SECRET") } +// JobserviceSecret returns a secret to mark Jobservice when communicate with +// other component +func JobserviceSecret() string { + return os.Getenv("JOBSERVICE_SECRET") +} + // ExtEndpoint ... func ExtEndpoint() (string, error) { cfg, err := mg.Get() diff --git a/src/jobservice/job/statemachine.go b/src/jobservice/job/statemachine.go index b6c9cd47a..db0d79a79 100644 --- a/src/jobservice/job/statemachine.go +++ b/src/jobservice/job/statemachine.go @@ -285,7 +285,7 @@ func addTestTransition(sm *SM) error { } func addImgTransferTransition(sm *SM) { - base := replication.InitBaseHandler(sm.Parms.Repository, sm.Parms.LocalRegURL, config.UISecret(), + base := replication.InitBaseHandler(sm.Parms.Repository, sm.Parms.LocalRegURL, config.JobserviceSecret(), sm.Parms.TargetURL, sm.Parms.TargetUsername, sm.Parms.TargetPassword, sm.Parms.Insecure, sm.Parms.Tags, sm.Logger) diff --git a/src/ui/api/repository.go b/src/ui/api/repository.go index 012ced2d3..94aa302ee 100644 --- a/src/ui/api/repository.go +++ b/src/ui/api/repository.go @@ -66,7 +66,7 @@ func (ra *RepositoryAPI) Get() { if project.Public == 0 { var userID int - if svc_utils.VerifySecret(ra.Ctx.Request) { + if svc_utils.VerifySecret(ra.Ctx.Request, config.JobserviceSecret()) { userID = 1 } else { userID = ra.ValidateUser() diff --git a/src/ui/config/config.go b/src/ui/config/config.go index fb100fe7f..d6d34b906 100644 --- a/src/ui/config/config.go +++ b/src/ui/config/config.go @@ -242,8 +242,14 @@ func Database() (*models.Database, error) { return database, nil } -// UISecret returns a secret used for communication of UI, JobService -// and Adminserver +// UISecret returns a secret to mark UI when communicate with +// other component func UISecret() string { return os.Getenv("UI_SECRET") } + +// JobserviceSecret returns a secret to mark Jobservice when communicate with +// other component +func JobserviceSecret() string { + return os.Getenv("JOBSERVICE_SECRET") +} diff --git a/src/ui/service/token/token.go b/src/ui/service/token/token.go index 2d408cbc5..b144e322a 100644 --- a/src/ui/service/token/token.go +++ b/src/ui/service/token/token.go @@ -19,10 +19,11 @@ import ( "net/http" "time" - "github.com/vmware/harbor/src/ui/auth" "github.com/vmware/harbor/src/common/models" - svc_utils "github.com/vmware/harbor/src/ui/service/utils" "github.com/vmware/harbor/src/common/utils/log" + "github.com/vmware/harbor/src/ui/auth" + "github.com/vmware/harbor/src/ui/config" + svc_utils "github.com/vmware/harbor/src/ui/service/utils" "github.com/astaxie/beego" "github.com/docker/distribution/registry/auth/token" @@ -45,7 +46,7 @@ func (h *Handler) Get() { access := GetResourceActions(scopes) log.Infof("request url: %v", request.URL.String()) - if svc_utils.VerifySecret(request) { + if svc_utils.VerifySecret(request, config.JobserviceSecret()) { log.Debugf("Will grant all access as this request is from job service with legal secret.") username = "job-service-user" } else { diff --git a/src/ui/service/utils/utils.go b/src/ui/service/utils/utils.go index 007b9b720..44674d127 100644 --- a/src/ui/service/utils/utils.go +++ b/src/ui/service/utils/utils.go @@ -20,15 +20,13 @@ import ( "net/http" "github.com/vmware/harbor/src/common/utils/log" - "github.com/vmware/harbor/src/ui/config" ) // VerifySecret verifies the UI_SECRET cookie in a http request. -func VerifySecret(r *http.Request) bool { - secret := config.UISecret() - c, err := r.Cookie("uisecret") +func VerifySecret(r *http.Request, expectedSecret string) bool { + c, err := r.Cookie("secret") if err != nil { log.Warningf("Failed to get secret cookie, error: %v", err) } - return c != nil && c.Value == secret + return c != nil && c.Value == expectedSecret }