using different secret to mark himself when communicates with other components

2025-01-03 14:37:44 +01:00 · 2017-02-23 18:02:19 +08:00 · 2017-02-23 18:02:19 +08:00 · a1858098c5
commit a1858098c5
parent 2b5777b490
13 changed files with 41 additions and 23 deletions
--- a/make/common/templates/adminserver/env
+++ b/make/common/templates/adminserver/env
@ -31,7 +31,7 @@ VERIFY_REMOTE_CERT=$verify_remote_cert
 MAX_JOB_WORKERS=$max_job_workers
 LOG_DIR=/var/log/jobs
 UI_SECRET=$ui_secret
-SECRET_KEY=$secret_key
+JOBSERVICE_SECRET=$jobservice_secret
 TOKEN_EXPIRATION=$token_expiration
 CFG_EXPIRATION=5
 USE_COMPRESSED_JS=$use_compressed_js
--- a/make/common/templates/jobservice/env
+++ b/make/common/templates/jobservice/env
@ -1,4 +1,5 @@
 LOG_LEVEL=debug
 CONFIG_PATH=/etc/jobservice/app.conf
 UI_SECRET=$ui_secret
 JOBSERVICE_SECRET=$jobservice_secret
 GODEBUG=netdns=cgo
--- a/make/common/templates/ui/env
+++ b/make/common/templates/ui/env
@ -1,4 +1,5 @@
 LOG_LEVEL=debug
 CONFIG_PATH=/etc/ui/app.conf
 UI_SECRET=$ui_secret
 JOBSERVICE_SECRET=$jobservice_secret
 GODEBUG=netdns=cgo
--- a/make/prepare
+++ b/make/prepare
@ -125,6 +125,7 @@ secret_key = get_secret_key(secretkey_path)
 ########
 ui_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))  
 jobservice_secret = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))  
 adminserver_config_dir = os.path.join(config_dir,"adminserver")
 if not os.path.exists(adminserver_config_dir):
@ -219,14 +220,15 @@ render(os.path.join(templates_dir, "adminserver", "env"),
 		verify_remote_cert=verify_remote_cert,
 		max_job_workers=max_job_workers,
 		ui_secret=ui_secret,
-        secret_key=secret_key,
+		jobservice_secret=jobservice_secret,
 		token_expiration=token_expiration,
 		use_compressed_js=use_compressed_js
 	)
 render(os.path.join(templates_dir, "ui", "env"), 
 		ui_conf_env, 
-		ui_secret=ui_secret)
+		ui_secret=ui_secret,
 		jobservice_secret=jobservice_secret,)
 render(os.path.join(templates_dir, "registry", 
 		"config.yml"),
@ -239,7 +241,8 @@ render(os.path.join(templates_dir, "db", "env"),
 render(os.path.join(templates_dir, "jobservice", "env"),
        job_conf_env,
-        ui_secret=ui_secret)
+        ui_secret=ui_secret,
 		jobservice_secret=jobservice_secret)
 print("Generated configuration file: %s" % jobservice_conf)
 shutil.copyfile(os.path.join(templates_dir, "jobservice", "app.conf"), jobservice_conf)
--- a/src/adminserver/api/cfg.go
+++ b/src/adminserver/api/cfg.go
@ -26,7 +26,8 @@ import (
 )
 func isAuthenticated(r *http.Request) (bool, error) {
-	secret := os.Getenv("UI_SECRET")
+	uiSecret := os.Getenv("UI_SECRET")
 	jobserviceSecret := os.Getenv("JOBSERVICE_SECRET")
 	c, err := r.Cookie("secret")
 	if err != nil {
 		if err == http.ErrNoCookie {
@ -34,7 +35,8 @@ func isAuthenticated(r *http.Request) (bool, error) {
 		}
 		return false, err
 	}
-	return c != nil && c.Value == secret, nil
+	return c != nil && (c.Value == uiSecret ||
 		c.Value == jobserviceSecret), nil
 }
 // ListCfgs lists configurations
--- a/src/common/models/replication_job.go
+++ b/src/common/models/replication_job.go
@ -44,7 +44,7 @@ const (
 	//RepOpDelete represents the operation of a job to remove repository from a remote registry/harbor instance.
 	RepOpDelete string = "delete"
 	//UISecretCookie is the cookie name to contain the UI secret
-	UISecretCookie string = "uisecret"
+	UISecretCookie string = "secret"
 )
 // RepPolicy is the model for a replication policy, which associate to a project and a target (destination)
--- a/src/jobservice/api/replication.go
+++ b/src/jobservice/api/replication.go
@ -194,7 +194,7 @@ func getRepoList(projectID int64) ([]string, error) {
 			return repositories, err
 		}
-		req.AddCookie(&http.Cookie{Name: models.UISecretCookie, Value: config.UISecret()})
+		req.AddCookie(&http.Cookie{Name: models.UISecretCookie, Value: config.JobserviceSecret()})
 		resp, err := client.Do(req)
 		if err != nil {
--- a/src/jobservice/config/config.go
+++ b/src/jobservice/config/config.go
@ -41,7 +41,7 @@ func Init() error {
 	if len(adminServerURL) == 0 {
 		adminServerURL = "http://adminserver"
 	}
-	mg = comcfg.NewManager(adminServerURL, UISecret(), true)
+	mg = comcfg.NewManager(adminServerURL, JobserviceSecret(), true)
 	if err := mg.Init(); err != nil {
 		return err
@ -132,12 +132,18 @@ func SecretKey() (string, error) {
 	return keyProvider.Get(nil)
 }
-// UISecret returns a secret used for communication of UI, JobService
+// UISecret returns a secret to mark UI when communicate with other
-// and Adminserver
+// component
 func UISecret() string {
 	return os.Getenv("UI_SECRET")
 }
 // JobserviceSecret returns a secret to mark Jobservice when communicate with
 // other component
 func JobserviceSecret() string {
 	return os.Getenv("JOBSERVICE_SECRET")
 }
 // ExtEndpoint ...
 func ExtEndpoint() (string, error) {
 	cfg, err := mg.Get()
--- a/src/jobservice/job/statemachine.go
+++ b/src/jobservice/job/statemachine.go
@ -285,7 +285,7 @@ func addTestTransition(sm *SM) error {
 }
 func addImgTransferTransition(sm *SM) {
-	base := replication.InitBaseHandler(sm.Parms.Repository, sm.Parms.LocalRegURL, config.UISecret(),
+	base := replication.InitBaseHandler(sm.Parms.Repository, sm.Parms.LocalRegURL, config.JobserviceSecret(),
 		sm.Parms.TargetURL, sm.Parms.TargetUsername, sm.Parms.TargetPassword,
 		sm.Parms.Insecure, sm.Parms.Tags, sm.Logger)
--- a/src/ui/api/repository.go
+++ b/src/ui/api/repository.go
@ -66,7 +66,7 @@ func (ra *RepositoryAPI) Get() {
 	if project.Public == 0 {
 		var userID int
-		if svc_utils.VerifySecret(ra.Ctx.Request) {
+		if svc_utils.VerifySecret(ra.Ctx.Request, config.JobserviceSecret()) {
 			userID = 1
 		} else {
 			userID = ra.ValidateUser()
--- a/src/ui/config/config.go
+++ b/src/ui/config/config.go
@ -242,8 +242,14 @@ func Database() (*models.Database, error) {
 	return database, nil
 }
-// UISecret returns a secret used for communication of UI, JobService
+// UISecret returns a secret to mark UI when communicate with
-// and Adminserver
+// other component
 func UISecret() string {
 	return os.Getenv("UI_SECRET")
 }
 // JobserviceSecret returns a secret to mark Jobservice when communicate with
 // other component
 func JobserviceSecret() string {
 	return os.Getenv("JOBSERVICE_SECRET")
 }
--- a/src/ui/service/token/token.go
+++ b/src/ui/service/token/token.go
@ -19,10 +19,11 @@ import (
 	"net/http"
 	"time"
 	"github.com/vmware/harbor/src/ui/auth"
 	"github.com/vmware/harbor/src/common/models"
 	svc_utils "github.com/vmware/harbor/src/ui/service/utils"
 	"github.com/vmware/harbor/src/common/utils/log"
 	"github.com/vmware/harbor/src/ui/auth"
 	"github.com/vmware/harbor/src/ui/config"
 	svc_utils "github.com/vmware/harbor/src/ui/service/utils"
 	"github.com/astaxie/beego"
 	"github.com/docker/distribution/registry/auth/token"
@ -45,7 +46,7 @@ func (h *Handler) Get() {
 	access := GetResourceActions(scopes)
 	log.Infof("request url: %v", request.URL.String())
-	if svc_utils.VerifySecret(request) {
+	if svc_utils.VerifySecret(request, config.JobserviceSecret()) {
 		log.Debugf("Will grant all access as this request is from job service with legal secret.")
 		username = "job-service-user"
 	} else {
--- a/src/ui/service/utils/utils.go
+++ b/src/ui/service/utils/utils.go
@ -20,15 +20,13 @@ import (
 	"net/http"
 	"github.com/vmware/harbor/src/common/utils/log"
 	"github.com/vmware/harbor/src/ui/config"
 )
 // VerifySecret verifies the UI_SECRET cookie in a http request.
-func VerifySecret(r *http.Request) bool {
+func VerifySecret(r *http.Request, expectedSecret string) bool {
-	secret := config.UISecret()
+	c, err := r.Cookie("secret")
 	c, err := r.Cookie("uisecret")
 	if err != nil {
 		log.Warningf("Failed to get secret cookie, error: %v", err)
 	}
-	return c != nil && c.Value == secret
+	return c != nil && c.Value == expectedSecret
 }