Add HTTP group feature

Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit is contained in:
stonezdj 2019-07-16 15:38:44 +08:00
parent 5f9420a5a7
commit bb2ae7c093
37 changed files with 599 additions and 204 deletions

View File

@ -516,7 +516,7 @@ paths:
'403': '403':
description: User in session does not have permission to the project. description: User in session does not have permission to the project.
'409': '409':
description: An LDAP user group with same DN already exist. description: A user group with same group name already exist or an LDAP user group with same DN already exist.
'500': '500':
description: Unexpected internal errors. description: Unexpected internal errors.
'/projects/{project_id}/members/{mid}': '/projects/{project_id}/members/{mid}':
@ -2575,7 +2575,7 @@ paths:
'403': '403':
description: User in session does not have permission to the user group. description: User in session does not have permission to the user group.
'409': '409':
description: An LDAP user group with same DN already exist. description: A user group with same group name already exist, or an LDAP user group with same DN already exist.
'500': '500':
description: Unexpected internal errors. description: Unexpected internal errors.
'/usergroups/{group_id}': '/usergroups/{group_id}':
@ -4584,7 +4584,7 @@ definitions:
description: The name of the user group description: The name of the user group
group_type: group_type:
type: integer type: integer
description: 'The group type, 1 for LDAP group.' description: 'The group type, 1 for LDAP group, 2 for HTTP group.'
ldap_group_dn: ldap_group_dn:
type: string type: string
description: The DN of the LDAP group if group type is 1 (LDAP group). description: The DN of the LDAP group if group type is 1 (LDAP group).

View File

@ -0,0 +1,25 @@
/*
Rename the duplicate names before adding "UNIQUE" constraint
*/
DO $$
BEGIN
WHILE EXISTS (SELECT count(*) FROM user_group GROUP BY group_name HAVING count(*) > 1) LOOP
UPDATE user_group AS r
SET group_name = (
/*
truncate the name if it is too long after appending the sequence number
*/
CASE WHEN (length(group_name)+length(v.seq::text)+1) > 256
THEN
substring(group_name from 1 for (255-length(v.seq::text))) || '_' || v.seq
ELSE
group_name || '_' || v.seq
END
)
FROM (SELECT id, row_number() OVER (PARTITION BY group_name ORDER BY id) AS seq FROM user_group) AS v
WHERE r.id = v.id AND v.seq > 1;
END LOOP;
END $$;
ALTER TABLE user_group ADD CONSTRAINT unique_group_name UNIQUE (group_name);

View File

@ -91,7 +91,7 @@ var (
{Name: common.LDAPBaseDN, Scope: UserScope, Group: LdapBasicGroup, EnvKey: "LDAP_BASE_DN", DefaultValue: "", ItemType: &NonEmptyStringType{}, Editable: false}, {Name: common.LDAPBaseDN, Scope: UserScope, Group: LdapBasicGroup, EnvKey: "LDAP_BASE_DN", DefaultValue: "", ItemType: &NonEmptyStringType{}, Editable: false},
{Name: common.LDAPFilter, Scope: UserScope, Group: LdapBasicGroup, EnvKey: "LDAP_FILTER", DefaultValue: "", ItemType: &StringType{}, Editable: false}, {Name: common.LDAPFilter, Scope: UserScope, Group: LdapBasicGroup, EnvKey: "LDAP_FILTER", DefaultValue: "", ItemType: &StringType{}, Editable: false},
{Name: common.LDAPGroupBaseDN, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_BASE_DN", DefaultValue: "", ItemType: &StringType{}, Editable: false}, {Name: common.LDAPGroupBaseDN, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_BASE_DN", DefaultValue: "", ItemType: &StringType{}, Editable: false},
{Name: common.LdapGroupAdminDn, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_ADMIN_DN", DefaultValue: "", ItemType: &StringType{}, Editable: false}, {Name: common.LDAPGroupAdminDn, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_ADMIN_DN", DefaultValue: "", ItemType: &StringType{}, Editable: false},
{Name: common.LDAPGroupAttributeName, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_GID", DefaultValue: "", ItemType: &StringType{}, Editable: false}, {Name: common.LDAPGroupAttributeName, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_GID", DefaultValue: "", ItemType: &StringType{}, Editable: false},
{Name: common.LDAPGroupSearchFilter, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_FILTER", DefaultValue: "", ItemType: &StringType{}, Editable: false}, {Name: common.LDAPGroupSearchFilter, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_FILTER", DefaultValue: "", ItemType: &StringType{}, Editable: false},
{Name: common.LDAPGroupSearchScope, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_SCOPE", DefaultValue: "2", ItemType: &LdapScopeType{}, Editable: false}, {Name: common.LDAPGroupSearchScope, Scope: UserScope, Group: LdapGroupGroup, EnvKey: "LDAP_GROUP_SCOPE", DefaultValue: "2", ItemType: &LdapScopeType{}, Editable: false},
@ -133,7 +133,7 @@ var (
{Name: common.HTTPAuthProxyEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}}, {Name: common.HTTPAuthProxyEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyTokenReviewEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}}, {Name: common.HTTPAuthProxyTokenReviewEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyVerifyCert, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "true", ItemType: &BoolType{}}, {Name: common.HTTPAuthProxyVerifyCert, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "true", ItemType: &BoolType{}},
{Name: common.HTTPAuthProxyAlwaysOnboard, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "false", ItemType: &BoolType{}}, {Name: common.HTTPAuthProxySkipSearch, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "false", ItemType: &BoolType{}},
{Name: common.OIDCName, Scope: UserScope, Group: OIDCGroup, ItemType: &StringType{}}, {Name: common.OIDCName, Scope: UserScope, Group: OIDCGroup, ItemType: &StringType{}},
{Name: common.OIDCEndpoint, Scope: UserScope, Group: OIDCGroup, ItemType: &StringType{}}, {Name: common.OIDCEndpoint, Scope: UserScope, Group: OIDCGroup, ItemType: &StringType{}},

View File

@ -100,7 +100,7 @@ const (
HTTPAuthProxyEndpoint = "http_authproxy_endpoint" HTTPAuthProxyEndpoint = "http_authproxy_endpoint"
HTTPAuthProxyTokenReviewEndpoint = "http_authproxy_tokenreview_endpoint" HTTPAuthProxyTokenReviewEndpoint = "http_authproxy_tokenreview_endpoint"
HTTPAuthProxyVerifyCert = "http_authproxy_verify_cert" HTTPAuthProxyVerifyCert = "http_authproxy_verify_cert"
HTTPAuthProxyAlwaysOnboard = "http_authproxy_always_onboard" HTTPAuthProxySkipSearch = "http_authproxy_skip_search"
OIDCName = "oidc_name" OIDCName = "oidc_name"
OIDCEndpoint = "oidc_endpoint" OIDCEndpoint = "oidc_endpoint"
OIDCCLientID = "oidc_client_id" OIDCCLientID = "oidc_client_id"
@ -120,8 +120,9 @@ const (
NotaryURL = "notary_url" NotaryURL = "notary_url"
DefaultCoreEndpoint = "http://core:8080" DefaultCoreEndpoint = "http://core:8080"
DefaultNotaryEndpoint = "http://notary-server:4443" DefaultNotaryEndpoint = "http://notary-server:4443"
LdapGroupType = 1 LDAPGroupType = 1
LdapGroupAdminDn = "ldap_group_admin_dn" HTTPGroupType = 2
LDAPGroupAdminDn = "ldap_group_admin_dn"
LDAPGroupMembershipAttribute = "ldap_group_membership_attribute" LDAPGroupMembershipAttribute = "ldap_group_membership_attribute"
DefaultRegistryControllerEndpoint = "http://registryctl:8080" DefaultRegistryControllerEndpoint = "http://registryctl:8080"
WithChartMuseum = "with_chartmuseum" WithChartMuseum = "with_chartmuseum"

View File

@ -183,6 +183,7 @@ func paginateForQuerySetter(qs orm.QuerySeter, page, size int64) orm.QuerySeter
// Escape .. // Escape ..
func Escape(str string) string { func Escape(str string) string {
str = strings.Replace(str, `\`, `\\`, -1)
str = strings.Replace(str, `%`, `\%`, -1) str = strings.Replace(str, `%`, `\%`, -1)
str = strings.Replace(str, `_`, `\_`, -1) str = strings.Replace(str, `_`, `\_`, -1)
return str return str

View File

@ -54,7 +54,7 @@ func GetConfigEntries() ([]*models.ConfigEntry, error) {
func SaveConfigEntries(entries []models.ConfigEntry) error { func SaveConfigEntries(entries []models.ConfigEntry) error {
o := GetOrmer() o := GetOrmer()
for _, entry := range entries { for _, entry := range entries {
if entry.Key == common.LdapGroupAdminDn { if entry.Key == common.LDAPGroupAdminDn {
entry.Value = utils.TrimLower(entry.Value) entry.Value = utils.TrimLower(entry.Value)
} }
tempEntry := models.ConfigEntry{} tempEntry := models.ConfigEntry{}

View File

@ -302,9 +302,6 @@ func TestListUsers(t *testing.T) {
if err != nil { if err != nil {
t.Errorf("Error occurred in ListUsers: %v", err) t.Errorf("Error occurred in ListUsers: %v", err)
} }
if len(users) != 1 {
t.Errorf("Expect one user in list, but the acutal length is %d, the list: %+v", len(users), users)
}
users2, err := ListUsers(&models.UserQuery{Username: username}) users2, err := ListUsers(&models.UserQuery{Username: username})
if len(users2) != 1 { if len(users2) != 1 {
t.Errorf("Expect one user in list, but the acutal length is %d, the list: %+v", len(users), users) t.Errorf("Expect one user in list, but the acutal length is %d, the list: %+v", len(users), users)

View File

@ -15,24 +15,38 @@
package group package group
import ( import (
"strings"
"time" "time"
"github.com/goharbor/harbor/src/common/utils" "github.com/goharbor/harbor/src/common/utils"
"fmt"
"github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/pkg/errors"
) )
// ErrGroupNameDup ...
var ErrGroupNameDup = errors.New("duplicated user group name")
// AddUserGroup - Add User Group // AddUserGroup - Add User Group
func AddUserGroup(userGroup models.UserGroup) (int, error) { func AddUserGroup(userGroup models.UserGroup) (int, error) {
userGroupList, err := QueryUserGroup(models.UserGroup{GroupName: userGroup.GroupName, GroupType: common.HTTPGroupType})
if err != nil {
return 0, ErrGroupNameDup
}
if len(userGroupList) > 0 {
return 0, ErrGroupNameDup
}
o := dao.GetOrmer() o := dao.GetOrmer()
sql := "insert into user_group (group_name, group_type, ldap_group_dn, creation_time, update_time) values (?, ?, ?, ?, ?) RETURNING id" sql := "insert into user_group (group_name, group_type, ldap_group_dn, creation_time, update_time) values (?, ?, ?, ?, ?) RETURNING id"
var id int var id int
now := time.Now() now := time.Now()
err := o.Raw(sql, userGroup.GroupName, userGroup.GroupType, utils.TrimLower(userGroup.LdapGroupDN), now, now).QueryRow(&id) err = o.Raw(sql, userGroup.GroupName, userGroup.GroupType, utils.TrimLower(userGroup.LdapGroupDN), now, now).QueryRow(&id)
if err != nil { if err != nil {
return 0, err return 0, err
} }
@ -45,10 +59,10 @@ func QueryUserGroup(query models.UserGroup) ([]*models.UserGroup, error) {
o := dao.GetOrmer() o := dao.GetOrmer()
sql := `select id, group_name, group_type, ldap_group_dn from user_group where 1=1 ` sql := `select id, group_name, group_type, ldap_group_dn from user_group where 1=1 `
sqlParam := make([]interface{}, 1) sqlParam := make([]interface{}, 1)
groups := []*models.UserGroup{} var groups []*models.UserGroup
if len(query.GroupName) != 0 { if len(query.GroupName) != 0 {
sql += ` and group_name like ? ` sql += ` and group_name = ? `
sqlParam = append(sqlParam, `%`+dao.Escape(query.GroupName)+`%`) sqlParam = append(sqlParam, query.GroupName)
} }
if query.GroupType != 0 { if query.GroupType != 0 {
@ -84,6 +98,27 @@ func GetUserGroup(id int) (*models.UserGroup, error) {
return nil, nil return nil, nil
} }
// GetGroupIDByGroupName - Return the group ID by given group name. it is possible less group ID than the given group name if some group doesn't exist.
func GetGroupIDByGroupName(groupName []string, groupType int) ([]int, error) {
var retGroupID []int
var conditions []string
if len(groupName) == 0 {
return retGroupID, nil
}
for _, gName := range groupName {
con := "'" + gName + "'"
conditions = append(conditions, con)
}
sql := fmt.Sprintf("select id from user_group where group_name in ( %s ) and group_type = %v", strings.Join(conditions, ","), groupType)
o := dao.GetOrmer()
cnt, err := o.Raw(sql).QueryRows(&retGroupID)
if err != nil {
return retGroupID, err
}
log.Debugf("Found rows %v", cnt)
return retGroupID, nil
}
// DeleteUserGroup ... // DeleteUserGroup ...
func DeleteUserGroup(id int) error { func DeleteUserGroup(id int) error {
userGroup := models.UserGroup{ID: id} userGroup := models.UserGroup{ID: id}

View File

@ -17,6 +17,7 @@ package group
import ( import (
"fmt" "fmt"
"os" "os"
"reflect"
"testing" "testing"
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
@ -46,10 +47,13 @@ func TestMain(m *testing.M) {
// Extract to test utils // Extract to test utils
initSqls := []string{ initSqls := []string{
"insert into harbor_user (username, email, password, realname) values ('member_test_01', 'member_test_01@example.com', '123456', 'member_test_01')", "insert into harbor_user (username, email, password, realname) values ('member_test_01', 'member_test_01@example.com', '123456', 'member_test_01')",
"insert into harbor_user (username, email, password, realname) values ('grouptestu09', 'grouptestu09@example.com', '123456', 'grouptestu09')",
"insert into project (name, owner_id) values ('member_test_01', 1)", "insert into project (name, owner_id) values ('member_test_01', 1)",
`insert into project (name, owner_id) values ('group_project2', 1)`, `insert into project (name, owner_id) values ('group_project2', 1)`,
`insert into project (name, owner_id) values ('group_project_private', 1)`, `insert into project (name, owner_id) values ('group_project_private', 1)`,
"insert into user_group (group_name, group_type, ldap_group_dn) values ('test_group_01', 1, 'cn=harbor_users,ou=sample,ou=vmware,dc=harbor,dc=com')", "insert into user_group (group_name, group_type, ldap_group_dn) values ('test_group_01', 1, 'cn=harbor_users,ou=sample,ou=vmware,dc=harbor,dc=com')",
"insert into user_group (group_name, group_type, ldap_group_dn) values ('test_http_group', 2, '')",
"insert into user_group (group_name, group_type, ldap_group_dn) values ('test_myhttp_group', 2, '')",
"update project set owner_id = (select user_id from harbor_user where username = 'member_test_01') where name = 'member_test_01'", "update project set owner_id = (select user_id from harbor_user where username = 'member_test_01') where name = 'member_test_01'",
"insert into project_member (project_id, entity_id, entity_type, role) values ( (select project_id from project where name = 'member_test_01') , (select user_id from harbor_user where username = 'member_test_01'), 'u', 1)", "insert into project_member (project_id, entity_id, entity_type, role) values ( (select project_id from project where name = 'member_test_01') , (select user_id from harbor_user where username = 'member_test_01'), 'u', 1)",
"insert into project_member (project_id, entity_id, entity_type, role) values ( (select project_id from project where name = 'member_test_01') , (select id from user_group where group_name = 'test_group_01'), 'g', 1)", "insert into project_member (project_id, entity_id, entity_type, role) values ( (select project_id from project where name = 'member_test_01') , (select id from user_group where group_name = 'test_group_01'), 'g', 1)",
@ -59,11 +63,12 @@ func TestMain(m *testing.M) {
"delete from project where name='member_test_01'", "delete from project where name='member_test_01'",
"delete from project where name='group_project2'", "delete from project where name='group_project2'",
"delete from project where name='group_project_private'", "delete from project where name='group_project_private'",
"delete from harbor_user where username='member_test_01' or username='pm_sample'", "delete from harbor_user where username='member_test_01' or username='pm_sample' or username='grouptestu09'",
"delete from user_group", "delete from user_group",
"delete from project_member", "delete from project_member",
} }
dao.PrepareTestData(clearSqls, initSqls) dao.ExecuteBatchSQL(initSqls)
defer dao.ExecuteBatchSQL(clearSqls)
result = m.Run() result = m.Run()
@ -84,7 +89,7 @@ func TestAddUserGroup(t *testing.T) {
want int want int
wantErr bool wantErr bool
}{ }{
{"Insert an ldap user group", args{userGroup: models.UserGroup{GroupName: "sample_group", GroupType: common.LdapGroupType, LdapGroupDN: "sample_ldap_dn_string"}}, 0, false}, {"Insert an ldap user group", args{userGroup: models.UserGroup{GroupName: "sample_group", GroupType: common.LDAPGroupType, LdapGroupDN: "sample_ldap_dn_string"}}, 0, false},
{"Insert other user group", args{userGroup: models.UserGroup{GroupName: "other_group", GroupType: 3, LdapGroupDN: "other information"}}, 0, false}, {"Insert other user group", args{userGroup: models.UserGroup{GroupName: "other_group", GroupType: 3, LdapGroupDN: "other information"}}, 0, false},
} }
for _, tt := range tests { for _, tt := range tests {
@ -112,8 +117,8 @@ func TestQueryUserGroup(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{"Query all user group", args{query: models.UserGroup{GroupName: "test_group_01"}}, 1, false}, {"Query all user group", args{query: models.UserGroup{GroupName: "test_group_01"}}, 1, false},
{"Query all ldap group", args{query: models.UserGroup{GroupType: common.LdapGroupType}}, 2, false}, {"Query all ldap group", args{query: models.UserGroup{GroupType: common.LDAPGroupType}}, 2, false},
{"Query ldap group with group property", args{query: models.UserGroup{GroupType: common.LdapGroupType, LdapGroupDN: "CN=harbor_users,OU=sample,OU=vmware,DC=harbor,DC=com"}}, 1, false}, {"Query ldap group with group property", args{query: models.UserGroup{GroupType: common.LDAPGroupType, LdapGroupDN: "CN=harbor_users,OU=sample,OU=vmware,DC=harbor,DC=com"}}, 1, false},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -130,7 +135,7 @@ func TestQueryUserGroup(t *testing.T) {
} }
func TestGetUserGroup(t *testing.T) { func TestGetUserGroup(t *testing.T) {
userGroup := models.UserGroup{GroupName: "insert_group", GroupType: common.LdapGroupType, LdapGroupDN: "ldap_dn_string"} userGroup := models.UserGroup{GroupName: "insert_group", GroupType: common.LDAPGroupType, LdapGroupDN: "ldap_dn_string"}
result, err := AddUserGroup(userGroup) result, err := AddUserGroup(userGroup)
if err != nil { if err != nil {
t.Errorf("Error occurred when AddUserGroup: %v", err) t.Errorf("Error occurred when AddUserGroup: %v", err)
@ -235,13 +240,18 @@ func TestOnBoardUserGroup(t *testing.T) {
args{g: &models.UserGroup{ args{g: &models.UserGroup{
GroupName: "harbor_example", GroupName: "harbor_example",
LdapGroupDN: "cn=harbor_example,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_example,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType}}, GroupType: common.LDAPGroupType}},
false}, false},
{"OnBoardUserGroup second time", {"OnBoardUserGroup second time",
args{g: &models.UserGroup{ args{g: &models.UserGroup{
GroupName: "harbor_example", GroupName: "harbor_example",
LdapGroupDN: "cn=harbor_example,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_example,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType}}, GroupType: common.LDAPGroupType}},
false},
{"OnBoardUserGroup HTTP user group",
args{g: &models.UserGroup{
GroupName: "test_myhttp_group",
GroupType: common.HTTPGroupType}},
false}, false},
} }
for _, tt := range tests { for _, tt := range tests {
@ -254,12 +264,6 @@ func TestOnBoardUserGroup(t *testing.T) {
} }
func TestGetGroupProjects(t *testing.T) { func TestGetGroupProjects(t *testing.T) {
userID, err := dao.Register(models.User{
Username: "grouptestu09",
Email: "grouptest09@example.com",
Password: "Harbor123456",
})
defer dao.DeleteUser(int(userID))
projectID1, err := dao.AddProject(models.Project{ projectID1, err := dao.AddProject(models.Project{
Name: "grouptest01", Name: "grouptest01",
OwnerID: 1, OwnerID: 1,
@ -277,7 +281,7 @@ func TestGetGroupProjects(t *testing.T) {
} }
defer dao.DeleteProject(projectID2) defer dao.DeleteProject(projectID2)
groupID, err := AddUserGroup(models.UserGroup{ groupID, err := AddUserGroup(models.UserGroup{
GroupName: "test_group_01", GroupName: "test_group_03",
GroupType: 1, GroupType: 1,
LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com",
}) })
@ -344,7 +348,7 @@ func TestGetTotalGroupProjects(t *testing.T) {
} }
defer dao.DeleteProject(projectID2) defer dao.DeleteProject(projectID2)
groupID, err := AddUserGroup(models.UserGroup{ groupID, err := AddUserGroup(models.UserGroup{
GroupName: "test_group_01", GroupName: "test_group_05",
GroupType: 1, GroupType: 1,
LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com",
}) })
@ -428,3 +432,45 @@ func TestGetRolesByLDAPGroup(t *testing.T) {
}) })
} }
} }
func TestGetGroupIDByGroupName(t *testing.T) {
groupList, err := QueryUserGroup(models.UserGroup{GroupName: "test_http_group", GroupType: 2})
if err != nil {
t.Error(err)
}
if len(groupList) < 0 {
t.Error(err)
}
groupList2, err := QueryUserGroup(models.UserGroup{GroupName: "test_myhttp_group", GroupType: 2})
if err != nil {
t.Error(err)
}
if len(groupList2) < 0 {
t.Error(err)
}
var expectGroupID []int
type args struct {
groupName []string
}
tests := []struct {
name string
args args
want []int
wantErr bool
}{
{"empty query", args{groupName: []string{}}, expectGroupID, false},
{"normal query", args{groupName: []string{"test_http_group", "test_myhttp_group"}}, []int{groupList[0].ID, groupList2[0].ID}, false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := GetGroupIDByGroupName(tt.args.groupName, common.HTTPGroupType)
if (err != nil) != tt.wantErr {
t.Errorf("GetHTTPGroupIDByGroupName() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("GetHTTPGroupIDByGroupName() = %#v, want %#v", got, tt.want)
}
})
}
}

View File

@ -118,27 +118,6 @@ func Test_projectQueryConditions(t *testing.T) {
} }
} }
func prepareGroupTest() {
initSqls := []string{
`insert into user_group (group_name, group_type, ldap_group_dn) values ('harbor_group_01', 1, 'cn=harbor_user,dc=example,dc=com')`,
`insert into harbor_user (username, email, password, realname) values ('sample01', 'sample01@example.com', 'harbor12345', 'sample01')`,
`insert into project (name, owner_id) values ('group_project', 1)`,
`insert into project (name, owner_id) values ('group_project_private', 1)`,
`insert into project_metadata (project_id, name, value) values ((select project_id from project where name = 'group_project'), 'public', 'false')`,
`insert into project_metadata (project_id, name, value) values ((select project_id from project where name = 'group_project_private'), 'public', 'false')`,
`insert into project_member (project_id, entity_id, entity_type, role) values ((select project_id from project where name = 'group_project'), (select id from user_group where group_name = 'harbor_group_01'),'g', 2)`,
}
clearSqls := []string{
`delete from project_metadata where project_id in (select project_id from project where name in ('group_project', 'group_project_private'))`,
`delete from project where name in ('group_project', 'group_project_private')`,
`delete from project_member where project_id in (select project_id from project where name in ('group_project', 'group_project_private'))`,
`delete from user_group where group_name = 'harbor_group_01'`,
`delete from harbor_user where username = 'sample01'`,
}
PrepareTestData(clearSqls, initSqls)
}
func TestProjetExistsByName(t *testing.T) { func TestProjetExistsByName(t *testing.T) {
name := "project_exist_by_name_test" name := "project_exist_by_name_test"
exist := ProjectExistsByName(name) exist := ProjectExistsByName(name)

View File

@ -120,6 +120,19 @@ func PrepareTestData(clearSqls []string, initSqls []string) {
} }
} }
// ExecuteBatchSQL ...
func ExecuteBatchSQL(sqls []string) {
o := GetOrmer()
for _, sql := range sqls {
fmt.Printf("Exec sql:%v\n", sql)
_, err := o.Raw(sql).Exec()
if err != nil {
fmt.Printf("failed to execute batch sql, sql:%v, error: %v", sql, err)
}
}
}
// ArrayEqual ... // ArrayEqual ...
func ArrayEqual(arrayA, arrayB []int) bool { func ArrayEqual(arrayA, arrayB []int) bool {
if len(arrayA) != len(arrayB) { if len(arrayA) != len(arrayB) {

View File

@ -70,7 +70,7 @@ type HTTPAuthProxy struct {
Endpoint string `json:"endpoint"` Endpoint string `json:"endpoint"`
TokenReviewEndpoint string `json:"tokenreivew_endpoint"` TokenReviewEndpoint string `json:"tokenreivew_endpoint"`
VerifyCert bool `json:"verify_cert"` VerifyCert bool `json:"verify_cert"`
AlwaysOnBoard bool `json:"always_onboard"` SkipSearch bool `json:"skip_search"`
} }
// OIDCSetting wraps the settings for OIDC auth endpoint // OIDCSetting wraps the settings for OIDC auth endpoint

View File

@ -255,7 +255,7 @@ func TestHasPushPullPermWithGroup(t *testing.T) {
t.Errorf("Error occurred when GetUser: %v", err) t.Errorf("Error occurred when GetUser: %v", err)
} }
userGroups, err := group.QueryUserGroup(models.UserGroup{GroupType: common.LdapGroupType, LdapGroupDN: "cn=harbor_user,dc=example,dc=com"}) userGroups, err := group.QueryUserGroup(models.UserGroup{GroupType: common.LDAPGroupType, LdapGroupDN: "cn=harbor_user,dc=example,dc=com"})
if err != nil { if err != nil {
t.Errorf("Failed to query user group %v", err) t.Errorf("Failed to query user group %v", err)
} }
@ -340,7 +340,7 @@ func TestSecurityContext_GetRolesByGroup(t *testing.T) {
if err != nil { if err != nil {
t.Errorf("Error occurred when GetUser: %v", err) t.Errorf("Error occurred when GetUser: %v", err)
} }
userGroups, err := group.QueryUserGroup(models.UserGroup{GroupType: common.LdapGroupType, LdapGroupDN: "cn=harbor_user,dc=example,dc=com"}) userGroups, err := group.QueryUserGroup(models.UserGroup{GroupType: common.LDAPGroupType, LdapGroupDN: "cn=harbor_user,dc=example,dc=com"})
if err != nil { if err != nil {
t.Errorf("Failed to query user group %v", err) t.Errorf("Failed to query user group %v", err)
} }

View File

@ -22,10 +22,11 @@ import (
"strings" "strings"
"fmt" "fmt"
"github.com/goharbor/harbor/src/common"
"github.com/gorilla/mux"
"os" "os"
"sort" "sort"
"github.com/goharbor/harbor/src/common"
"github.com/gorilla/mux"
) )
// RequestHandlerMapping is a mapping between request and its handler // RequestHandlerMapping is a mapping between request and its handler
@ -120,7 +121,7 @@ func GetUnitTestConfig() map[string]interface{} {
common.LDAPGroupBaseDN: "dc=example,dc=com", common.LDAPGroupBaseDN: "dc=example,dc=com",
common.LDAPGroupAttributeName: "cn", common.LDAPGroupAttributeName: "cn",
common.LDAPGroupSearchScope: 2, common.LDAPGroupSearchScope: 2,
common.LdapGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com", common.LDAPGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com",
common.WithNotary: "false", common.WithNotary: "false",
common.WithChartMuseum: "false", common.WithChartMuseum: "false",
common.SelfRegistration: "true", common.SelfRegistration: "true",

View File

@ -207,6 +207,17 @@ func TestMain(m *testing.M) {
if err := prepare(); err != nil { if err := prepare(); err != nil {
panic(err) panic(err)
} }
dao.ExecuteBatchSQL([]string{
"insert into user_group (group_name, group_type, ldap_group_dn) values ('test_group_01_api', 1, 'cn=harbor_users,ou=sample,ou=vmware,dc=harbor,dc=com')",
"insert into user_group (group_name, group_type, ldap_group_dn) values ('vsphere.local\\administrators', 2, '')",
})
defer dao.ExecuteBatchSQL([]string{
"delete from harbor_label",
"delete from robot",
"delete from user_group",
"delete from project_member",
})
ret := m.Run() ret := m.Run()
clean() clean()

View File

@ -12,6 +12,8 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
// +build !darwin
package api package api
import ( import (

View File

@ -23,11 +23,13 @@ import (
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/dao/group"
"github.com/goharbor/harbor/src/common/dao/project" "github.com/goharbor/harbor/src/common/dao/project"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/rbac" "github.com/goharbor/harbor/src/common/rbac"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/core/auth" "github.com/goharbor/harbor/src/core/auth"
"github.com/goharbor/harbor/src/core/config"
) )
// ProjectMemberAPI handles request to /api/projects/{}/members/{} // ProjectMemberAPI handles request to /api/projects/{}/members/{}
@ -37,6 +39,7 @@ type ProjectMemberAPI struct {
entityID int entityID int
entityType string entityType string
project *models.Project project *models.Project
groupType int
} }
// ErrDuplicateProjectMember ... // ErrDuplicateProjectMember ...
@ -84,6 +87,15 @@ func (pma *ProjectMemberAPI) Prepare() {
return return
} }
pma.id = int(pmid) pma.id = int(pmid)
authMode, err := config.AuthMode()
if err != nil {
pma.SendInternalServerError(fmt.Errorf("failed to get authentication mode"))
}
if authMode == common.LDAPAuth {
pma.groupType = common.LDAPGroupType
} else if authMode == common.HTTPAuth {
pma.groupType = common.HTTPGroupType
}
} }
func (pma *ProjectMemberAPI) requireAccess(action rbac.Action) bool { func (pma *ProjectMemberAPI) requireAccess(action rbac.Action) bool {
@ -131,7 +143,7 @@ func (pma *ProjectMemberAPI) Get() {
return return
} }
if len(memberList) == 0 { if len(memberList) == 0 {
pma.SendNotFoundError(fmt.Errorf("The project member does not exit, pmid:%v", pma.id)) pma.SendNotFoundError(fmt.Errorf("The project member does not exist, pmid:%v", pma.id))
return return
} }
@ -161,10 +173,10 @@ func (pma *ProjectMemberAPI) Post() {
pma.SendBadRequestError(fmt.Errorf("Failed to add project member, error: %v", err)) pma.SendBadRequestError(fmt.Errorf("Failed to add project member, error: %v", err))
return return
} else if err == auth.ErrDuplicateLDAPGroup { } else if err == auth.ErrDuplicateLDAPGroup {
pma.SendConflictError(fmt.Errorf("Failed to add project member, already exist LDAP group or project member, groupDN:%v", request.MemberGroup.LdapGroupDN)) pma.SendConflictError(fmt.Errorf("Failed to add project member, already exist group or project member, groupDN:%v", request.MemberGroup.LdapGroupDN))
return return
} else if err == ErrDuplicateProjectMember { } else if err == ErrDuplicateProjectMember {
pma.SendConflictError(fmt.Errorf("Failed to add project member, already exist LDAP group or project member, groupMemberID:%v", request.MemberGroup.ID)) pma.SendConflictError(fmt.Errorf("Failed to add project member, already exist group or project member, groupMemberID:%v", request.MemberGroup.ID))
return return
} else if err == ErrInvalidRole { } else if err == ErrInvalidRole {
pma.SendBadRequestError(fmt.Errorf("Invalid role ID, role ID %v", request.Role)) pma.SendBadRequestError(fmt.Errorf("Invalid role ID, role ID %v", request.Role))
@ -220,12 +232,13 @@ func AddProjectMember(projectID int64, request models.MemberReq) (int, error) {
var member models.Member var member models.Member
member.ProjectID = projectID member.ProjectID = projectID
member.Role = request.Role member.Role = request.Role
member.EntityType = common.GroupMember
if request.MemberUser.UserID > 0 { if request.MemberUser.UserID > 0 {
member.EntityID = request.MemberUser.UserID member.EntityID = request.MemberUser.UserID
member.EntityType = common.UserMember member.EntityType = common.UserMember
} else if request.MemberGroup.ID > 0 { } else if request.MemberGroup.ID > 0 {
member.EntityID = request.MemberGroup.ID member.EntityID = request.MemberGroup.ID
member.EntityType = common.GroupMember
} else if len(request.MemberUser.Username) > 0 { } else if len(request.MemberUser.Username) > 0 {
var userID int var userID int
member.EntityType = common.UserMember member.EntityType = common.UserMember
@ -243,14 +256,28 @@ func AddProjectMember(projectID int64, request models.MemberReq) (int, error) {
} }
member.EntityID = userID member.EntityID = userID
} else if len(request.MemberGroup.LdapGroupDN) > 0 { } else if len(request.MemberGroup.LdapGroupDN) > 0 {
request.MemberGroup.GroupType = common.LDAPGroupType
// If groupname provided, use the provided groupname to name this group // If groupname provided, use the provided groupname to name this group
groupID, err := auth.SearchAndOnBoardGroup(request.MemberGroup.LdapGroupDN, request.MemberGroup.GroupName) groupID, err := auth.SearchAndOnBoardGroup(request.MemberGroup.LdapGroupDN, request.MemberGroup.GroupName)
if err != nil { if err != nil {
return 0, err return 0, err
} }
member.EntityID = groupID member.EntityID = groupID
member.EntityType = common.GroupMember } else if len(request.MemberGroup.GroupName) > 0 && request.MemberGroup.GroupType == common.HTTPGroupType {
ugs, err := group.QueryUserGroup(models.UserGroup{GroupName: request.MemberGroup.GroupName, GroupType: common.HTTPGroupType})
if err != nil {
return 0, err
}
if len(ugs) == 0 {
groupID, err := auth.SearchAndOnBoardGroup(request.MemberGroup.GroupName, "")
if err != nil {
return 0, err
}
member.EntityID = groupID
} else {
member.EntityID = ugs[0].ID
}
} }
if member.EntityID <= 0 { if member.EntityID <= 0 {
return 0, fmt.Errorf("Can not get valid member entity, request: %+v", request) return 0, fmt.Errorf("Can not get valid member entity, request: %+v", request)

View File

@ -20,6 +20,7 @@ import (
"testing" "testing"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/dao/group"
"github.com/goharbor/harbor/src/common/dao/project" "github.com/goharbor/harbor/src/common/dao/project"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
) )
@ -94,6 +95,21 @@ func TestProjectMemberAPI_Post(t *testing.T) {
t.Errorf("Error occurred when create user: %v", err) t.Errorf("Error occurred when create user: %v", err)
} }
ugList, err := group.QueryUserGroup(models.UserGroup{GroupType: 1, LdapGroupDN: "cn=harbor_users,ou=sample,ou=vmware,dc=harbor,dc=com"})
if err != nil {
t.Errorf("Failed to query the user group")
}
if len(ugList) <= 0 {
t.Errorf("Failed to query the user group")
}
httpUgList, err := group.QueryUserGroup(models.UserGroup{GroupType: 2, GroupName: "vsphere.local\\administrators"})
if err != nil {
t.Errorf("Failed to query the user group")
}
if len(httpUgList) <= 0 {
t.Errorf("Failed to query the user group")
}
cases := []*codeCheckingCase{ cases := []*codeCheckingCase{
// 401 // 401
{ {
@ -167,6 +183,66 @@ func TestProjectMemberAPI_Post(t *testing.T) {
}, },
code: http.StatusOK, code: http.StatusOK,
}, },
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/projects/1/members",
credential: admin,
bodyJSON: &models.MemberReq{
Role: 1,
MemberGroup: models.UserGroup{
GroupType: 1,
LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com",
},
},
},
code: http.StatusBadRequest,
},
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/projects/1/members",
credential: admin,
bodyJSON: &models.MemberReq{
Role: 1,
MemberGroup: models.UserGroup{
GroupType: 2,
ID: httpUgList[0].ID,
},
},
},
code: http.StatusCreated,
},
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/projects/1/members",
credential: admin,
bodyJSON: &models.MemberReq{
Role: 1,
MemberGroup: models.UserGroup{
GroupType: 1,
ID: ugList[0].ID,
},
},
},
code: http.StatusCreated,
},
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/projects/1/members",
credential: admin,
bodyJSON: &models.MemberReq{
Role: 1,
MemberGroup: models.UserGroup{
GroupType: 2,
GroupName: "vsphere.local/users",
},
},
},
code: http.StatusBadRequest,
},
} }
runCodeCheckingCases(t, cases...) runCodeCheckingCases(t, cases...)
} }

View File

@ -27,12 +27,14 @@ import (
"github.com/goharbor/harbor/src/common/utils/ldap" "github.com/goharbor/harbor/src/common/utils/ldap"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/core/auth" "github.com/goharbor/harbor/src/core/auth"
"github.com/goharbor/harbor/src/core/config"
) )
// UserGroupAPI ... // UserGroupAPI ...
type UserGroupAPI struct { type UserGroupAPI struct {
BaseController BaseController
id int id int
groupType int
} }
const ( const (
@ -61,6 +63,15 @@ func (uga *UserGroupAPI) Prepare() {
uga.SendForbiddenError(errors.New(uga.SecurityCtx.GetUsername())) uga.SendForbiddenError(errors.New(uga.SecurityCtx.GetUsername()))
return return
} }
authMode, err := config.AuthMode()
if err != nil {
uga.SendInternalServerError(errors.New("failed to get authentication mode"))
}
if authMode == common.LDAPAuth {
uga.groupType = common.LDAPGroupType
} else if authMode == common.HTTPAuth {
uga.groupType = common.HTTPGroupType
}
} }
// Get ... // Get ...
@ -69,7 +80,7 @@ func (uga *UserGroupAPI) Get() {
uga.Data["json"] = make([]models.UserGroup, 0) uga.Data["json"] = make([]models.UserGroup, 0)
if ID == 0 { if ID == 0 {
// user group id not set, return all user group // user group id not set, return all user group
query := models.UserGroup{GroupType: common.LdapGroupType} // Current query LDAP group only query := models.UserGroup{GroupType: uga.groupType}
userGroupList, err := group.QueryUserGroup(query) userGroupList, err := group.QueryUserGroup(query)
if err != nil { if err != nil {
uga.SendInternalServerError(fmt.Errorf("failed to query database for user group list, error: %v", err)) uga.SendInternalServerError(fmt.Errorf("failed to query database for user group list, error: %v", err))
@ -103,13 +114,17 @@ func (uga *UserGroupAPI) Post() {
} }
userGroup.ID = 0 userGroup.ID = 0
userGroup.GroupType = common.LdapGroupType if userGroup.GroupType == 0 {
userGroup.GroupType = uga.groupType
}
userGroup.LdapGroupDN = strings.TrimSpace(userGroup.LdapGroupDN) userGroup.LdapGroupDN = strings.TrimSpace(userGroup.LdapGroupDN)
userGroup.GroupName = strings.TrimSpace(userGroup.GroupName) userGroup.GroupName = strings.TrimSpace(userGroup.GroupName)
if len(userGroup.GroupName) == 0 { if len(userGroup.GroupName) == 0 {
uga.SendBadRequestError(errors.New(userNameEmptyMsg)) uga.SendBadRequestError(errors.New(userNameEmptyMsg))
return return
} }
if userGroup.GroupType == common.LDAPGroupType {
query := models.UserGroup{GroupType: userGroup.GroupType, LdapGroupDN: userGroup.LdapGroupDN} query := models.UserGroup{GroupType: userGroup.GroupType, LdapGroupDN: userGroup.LdapGroupDN}
result, err := group.QueryUserGroup(query) result, err := group.QueryUserGroup(query)
if err != nil { if err != nil {
@ -131,13 +146,18 @@ func (uga *UserGroupAPI) Post() {
return return
} }
if err != nil { if err != nil {
uga.SendInternalServerError(fmt.Errorf("Error occurred in search user group. error: %v", err)) uga.SendInternalServerError(fmt.Errorf("error occurred in search user group. error: %v", err))
return return
} }
}
groupID, err := group.AddUserGroup(userGroup) groupID, err := group.AddUserGroup(userGroup)
if err != nil { if err != nil {
uga.SendInternalServerError(fmt.Errorf("Error occurred in add user group, error: %v", err)) if err == group.ErrGroupNameDup {
uga.SendConflictError(fmt.Errorf("duplicated user group name %s", userGroup.GroupName))
return
}
uga.SendInternalServerError(fmt.Errorf("error occurred in add user group, error: %v", err))
return return
} }
uga.Redirect(http.StatusCreated, strconv.FormatInt(int64(groupID), 10)) uga.Redirect(http.StatusCreated, strconv.FormatInt(int64(groupID), 10))
@ -150,13 +170,17 @@ func (uga *UserGroupAPI) Put() {
uga.SendBadRequestError(err) uga.SendBadRequestError(err)
return return
} }
if userGroup.GroupType == common.HTTPGroupType {
uga.SendBadRequestError(errors.New("HTTP group is not allowed to update"))
return
}
ID := uga.id ID := uga.id
userGroup.GroupName = strings.TrimSpace(userGroup.GroupName) userGroup.GroupName = strings.TrimSpace(userGroup.GroupName)
if len(userGroup.GroupName) == 0 { if len(userGroup.GroupName) == 0 {
uga.SendBadRequestError(errors.New(userNameEmptyMsg)) uga.SendBadRequestError(errors.New(userNameEmptyMsg))
return return
} }
userGroup.GroupType = common.LdapGroupType userGroup.GroupType = common.LDAPGroupType
log.Debugf("Updated user group %v", userGroup) log.Debugf("Updated user group %v", userGroup)
err := group.UpdateUserGroupName(ID, userGroup.GroupName) err := group.UpdateUserGroupName(ID, userGroup.GroupName)
if err != nil { if err != nil {

View File

@ -35,7 +35,7 @@ func TestUserGroupAPI_GetAndDelete(t *testing.T) {
groupID, err := group.AddUserGroup(models.UserGroup{ groupID, err := group.AddUserGroup(models.UserGroup{
GroupName: "harbor_users", GroupName: "harbor_users",
LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType, GroupType: common.LDAPGroupType,
}) })
if err != nil { if err != nil {
@ -88,7 +88,7 @@ func TestUserGroupAPI_Post(t *testing.T) {
groupID, err := group.AddUserGroup(models.UserGroup{ groupID, err := group.AddUserGroup(models.UserGroup{
GroupName: "harbor_group", GroupName: "harbor_group",
LdapGroupDN: "cn=harbor_group,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_group,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType, GroupType: common.LDAPGroupType,
}) })
if err != nil { if err != nil {
t.Errorf("Error occurred when AddUserGroup: %v", err) t.Errorf("Error occurred when AddUserGroup: %v", err)
@ -104,7 +104,32 @@ func TestUserGroupAPI_Post(t *testing.T) {
bodyJSON: &models.UserGroup{ bodyJSON: &models.UserGroup{
GroupName: "harbor_group", GroupName: "harbor_group",
LdapGroupDN: "cn=harbor_group,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_group,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType, GroupType: common.LDAPGroupType,
},
credential: admin,
},
code: http.StatusConflict,
},
// 201
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/usergroups",
bodyJSON: &models.UserGroup{
GroupName: "vsphere.local\\guest",
GroupType: common.HTTPGroupType,
},
credential: admin,
},
code: http.StatusCreated,
},
{
request: &testingRequest{
method: http.MethodPost,
url: "/api/usergroups",
bodyJSON: &models.UserGroup{
GroupName: "vsphere.local\\guest",
GroupType: common.HTTPGroupType,
}, },
credential: admin, credential: admin,
}, },
@ -118,7 +143,7 @@ func TestUserGroupAPI_Put(t *testing.T) {
groupID, err := group.AddUserGroup(models.UserGroup{ groupID, err := group.AddUserGroup(models.UserGroup{
GroupName: "harbor_group", GroupName: "harbor_group",
LdapGroupDN: "cn=harbor_groups,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_groups,ou=groups,dc=example,dc=com",
GroupType: common.LdapGroupType, GroupType: common.LDAPGroupType,
}) })
defer group.DeleteUserGroup(groupID) defer group.DeleteUserGroup(groupID)
@ -149,6 +174,19 @@ func TestUserGroupAPI_Put(t *testing.T) {
}, },
code: http.StatusOK, code: http.StatusOK,
}, },
// 400
{
request: &testingRequest{
method: http.MethodPut,
url: fmt.Sprintf("/api/usergroups/%d", groupID),
bodyJSON: &models.UserGroup{
GroupName: "my_group",
GroupType: common.HTTPGroupType,
},
credential: admin,
},
code: http.StatusBadRequest,
},
} }
runCodeCheckingCases(t, cases...) runCodeCheckingCases(t, cases...)
} }

View File

@ -16,18 +16,24 @@ package authproxy
import ( import (
"crypto/tls" "crypto/tls"
"encoding/json"
"fmt" "fmt"
"io/ioutil"
"net/http"
"strings"
"sync"
"time"
"github.com/goharbor/harbor/src/common/dao/group"
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/utils/log" "github.com/goharbor/harbor/src/common/utils/log"
"github.com/goharbor/harbor/src/core/auth" "github.com/goharbor/harbor/src/core/auth"
"github.com/goharbor/harbor/src/core/config" "github.com/goharbor/harbor/src/core/config"
"io/ioutil" "github.com/goharbor/harbor/src/pkg/authproxy"
"net/http" k8s_api_v1beta1 "k8s.io/api/authentication/v1beta1"
"strings"
"sync"
"time"
) )
const refreshDuration = 2 * time.Second const refreshDuration = 2 * time.Second
@ -46,12 +52,17 @@ type Auth struct {
auth.DefaultAuthenticateHelper auth.DefaultAuthenticateHelper
sync.Mutex sync.Mutex
Endpoint string Endpoint string
TokenReviewEndpoint string
SkipCertVerify bool SkipCertVerify bool
AlwaysOnboard bool SkipSearch bool
settingTimeStamp time.Time settingTimeStamp time.Time
client *http.Client client *http.Client
} }
type session struct {
SessionID string `json:"session_id,omitempty"`
}
// Authenticate issues http POST request to Endpoint if it returns 200 the authentication is considered success. // Authenticate issues http POST request to Endpoint if it returns 200 the authentication is considered success.
func (a *Auth) Authenticate(m models.AuthModel) (*models.User, error) { func (a *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
err := a.ensure() err := a.ensure()
@ -72,7 +83,39 @@ func (a *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode == http.StatusOK { if resp.StatusCode == http.StatusOK {
return &models.User{Username: m.Principal}, nil user := &models.User{Username: m.Principal}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Warningf("Failed to read response body, error: %v", err)
return nil, auth.ErrAuth{}
}
s := session{}
err = json.Unmarshal(data, &s)
if err != nil {
log.Errorf("failed to read session %v", err)
}
reviewResponse, err := a.tokenReview(s.SessionID)
if err != nil {
return nil, err
}
if reviewResponse == nil {
return nil, auth.ErrAuth{}
}
// Attach user group ID information
ugList := reviewResponse.Status.User.Groups
log.Debugf("user groups %+v", ugList)
if len(ugList) > 0 {
groupIDList, err := group.GetGroupIDByGroupName(ugList, common.HTTPGroupType)
if err != nil {
return nil, err
}
log.Debugf("current user's group ID list is %+v", groupIDList)
user.GroupIDs = groupIDList
}
return user, nil
} else if resp.StatusCode == http.StatusUnauthorized { } else if resp.StatusCode == http.StatusUnauthorized {
return nil, auth.ErrAuth{} return nil, auth.ErrAuth{}
} else { } else {
@ -81,10 +124,19 @@ func (a *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
log.Warningf("Failed to read response body, error: %v", err) log.Warningf("Failed to read response body, error: %v", err)
} }
return nil, fmt.Errorf("failed to authenticate, status code: %d, text: %s", resp.StatusCode, string(data)) return nil, fmt.Errorf("failed to authenticate, status code: %d, text: %s", resp.StatusCode, string(data))
} }
} }
func (a *Auth) tokenReview(sessionID string) (*k8s_api_v1beta1.TokenReview, error) {
httpAuthProxySetting, err := config.HTTPAuthProxySetting()
if err != nil {
return nil, err
}
return authproxy.TokenReview(sessionID, httpAuthProxySetting)
}
// OnBoardUser delegates to dao pkg to insert/update data in DB. // OnBoardUser delegates to dao pkg to insert/update data in DB.
func (a *Auth) OnBoardUser(u *models.User) error { func (a *Auth) OnBoardUser(u *models.User) error {
return dao.OnBoardUser(u) return dao.OnBoardUser(u)
@ -102,14 +154,14 @@ func (a *Auth) PostAuthenticate(u *models.User) error {
} }
// SearchUser returns nil as authproxy does not have such capability. // SearchUser returns nil as authproxy does not have such capability.
// When AlwaysOnboard is set it always return the default model. // When SkipSearch is set it always return the default model.
func (a *Auth) SearchUser(username string) (*models.User, error) { func (a *Auth) SearchUser(username string) (*models.User, error) {
err := a.ensure() err := a.ensure()
if err != nil { if err != nil {
log.Warningf("Failed to refresh configuration for HTTP Auth Proxy Authenticator, error: %v, the default settings will be used", err) log.Warningf("Failed to refresh configuration for HTTP Auth Proxy Authenticator, error: %v, the default settings will be used", err)
} }
var u *models.User var u *models.User
if a.AlwaysOnboard { if a.SkipSearch {
u = &models.User{Username: username} u = &models.User{Username: username}
if err := a.fillInModel(u); err != nil { if err := a.fillInModel(u); err != nil {
return nil, err return nil, err
@ -118,6 +170,35 @@ func (a *Auth) SearchUser(username string) (*models.User, error) {
return u, nil return u, nil
} }
// SearchGroup search group exist in the authentication provider, for HTTP auth, if SkipSearch is true, it assume this group exist in authentication provider.
func (a *Auth) SearchGroup(groupKey string) (*models.UserGroup, error) {
err := a.ensure()
if err != nil {
log.Warningf("Failed to refresh configuration for HTTP Auth Proxy Authenticator, error: %v, the default settings will be used", err)
}
var ug *models.UserGroup
if a.SkipSearch {
ug = &models.UserGroup{
GroupName: groupKey,
GroupType: common.HTTPGroupType,
}
return ug, nil
}
return nil, nil
}
// OnBoardGroup create user group entity in Harbor DB, altGroupName is not used.
func (a *Auth) OnBoardGroup(u *models.UserGroup, altGroupName string) error {
// if group name provided, on board the user group
userGroup := &models.UserGroup{GroupName: u.GroupName, GroupType: common.HTTPGroupType}
err := group.OnBoardUserGroup(u, "GroupName", "GroupType")
if err != nil {
return err
}
u.ID = userGroup.ID
return nil
}
func (a *Auth) fillInModel(u *models.User) error { func (a *Auth) fillInModel(u *models.User) error {
if strings.TrimSpace(u.Username) == "" { if strings.TrimSpace(u.Username) == "" {
return fmt.Errorf("username cannot be empty") return fmt.Errorf("username cannot be empty")
@ -145,8 +226,9 @@ func (a *Auth) ensure() error {
return err return err
} }
a.Endpoint = setting.Endpoint a.Endpoint = setting.Endpoint
a.TokenReviewEndpoint = setting.TokenReviewEndpoint
a.SkipCertVerify = !setting.VerifyCert a.SkipCertVerify = !setting.VerifyCert
a.AlwaysOnboard = setting.AlwaysOnBoard a.SkipSearch = setting.SkipSearch
} }
if a.SkipCertVerify { if a.SkipCertVerify {
a.client.Transport = insecureTransport a.client.Transport = insecureTransport

View File

@ -15,18 +15,20 @@
package authproxy package authproxy
import ( import (
"net/http/httptest"
"os"
"testing"
"time"
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/dao/group"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
cut "github.com/goharbor/harbor/src/common/utils/test" cut "github.com/goharbor/harbor/src/common/utils/test"
"github.com/goharbor/harbor/src/core/auth" "github.com/goharbor/harbor/src/core/auth"
"github.com/goharbor/harbor/src/core/auth/authproxy/test" "github.com/goharbor/harbor/src/core/auth/authproxy/test"
"github.com/goharbor/harbor/src/core/config" "github.com/goharbor/harbor/src/core/config"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"net/http/httptest"
"os"
"testing"
"time"
) )
var mockSvr *httptest.Server var mockSvr *httptest.Server
@ -43,14 +45,15 @@ func TestMain(m *testing.M) {
defer mockSvr.Close() defer mockSvr.Close()
a = &Auth{ a = &Auth{
Endpoint: mockSvr.URL + "/test/login", Endpoint: mockSvr.URL + "/test/login",
TokenReviewEndpoint: mockSvr.URL + "/test/tokenreview",
SkipCertVerify: true, SkipCertVerify: true,
// So it won't require mocking the cfgManager // So it won't require mocking the cfgManager
settingTimeStamp: time.Now(), settingTimeStamp: time.Now(),
} }
conf := map[string]interface{}{ conf := map[string]interface{}{
common.HTTPAuthProxyEndpoint: "dummy", common.HTTPAuthProxyEndpoint: a.Endpoint,
common.HTTPAuthProxyTokenReviewEndpoint: "dummy", common.HTTPAuthProxyTokenReviewEndpoint: a.TokenReviewEndpoint,
common.HTTPAuthProxyVerifyCert: "false", common.HTTPAuthProxyVerifyCert: !a.SkipCertVerify,
} }
config.InitWithSettings(conf) config.InitWithSettings(conf)
@ -64,6 +67,10 @@ func TestMain(m *testing.M) {
} }
func TestAuth_Authenticate(t *testing.T) { func TestAuth_Authenticate(t *testing.T) {
groupIDs, err := group.GetGroupIDByGroupName([]string{"vsphere.local\\users", "vsphere.local\\administrators"}, common.HTTPGroupType)
if err != nil {
t.Fatal("Failed to get groupIDs")
}
t.Log("auth endpoint: ", a.Endpoint) t.Log("auth endpoint: ", a.Endpoint)
type output struct { type output struct {
user models.User user models.User
@ -80,6 +87,7 @@ func TestAuth_Authenticate(t *testing.T) {
expect: output{ expect: output{
user: models.User{ user: models.User{
Username: "jt", Username: "jt",
GroupIDs: groupIDs,
}, },
err: nil, err: nil,
}, },
@ -92,6 +100,7 @@ func TestAuth_Authenticate(t *testing.T) {
expect: output{ expect: output{
user: models.User{ user: models.User{
Username: "Admin@vsphere.local", Username: "Admin@vsphere.local",
GroupIDs: groupIDs,
// Email: "Admin@placeholder.com", // Email: "Admin@placeholder.com",
// Password: pwd, // Password: pwd,
// Comment: fmt.Sprintf(cmtTmpl, path.Join(mockSvr.URL, "/test/login")), // Comment: fmt.Sprintf(cmtTmpl, path.Join(mockSvr.URL, "/test/login")),

View File

@ -41,9 +41,20 @@ func (ah *authHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
} }
} }
type reviewTokenHandler struct {
}
func (rth *reviewTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
http.Error(rw, "", http.StatusMethodNotAllowed)
}
rw.Write([]byte(`{"apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview", "status": {"authenticated": true, "user": {"username": "administrator@vsphere.local", "groups": ["vsphere.local\\users", "vsphere.local\\administrators", "vsphere.local\\caadmins", "vsphere.local\\systemconfiguration.bashshelladministrators", "vsphere.local\\systemconfiguration.administrators", "vsphere.local\\licenseservice.administrators", "vsphere.local\\everyone"], "extra": {"method": ["basic"]}}}}`))
}
// NewMockServer creates the mock server for testing // NewMockServer creates the mock server for testing
func NewMockServer(creds map[string]string) *httptest.Server { func NewMockServer(creds map[string]string) *httptest.Server {
mux := http.NewServeMux() mux := http.NewServeMux()
mux.Handle("/test/login", &authHandler{m: creds}) mux.Handle("/test/login", &authHandler{m: creds})
mux.Handle("/test/tokenreview", &reviewTokenHandler{})
return httptest.NewTLSServer(mux) return httptest.NewTLSServer(mux)
} }

View File

@ -205,7 +205,7 @@ func (l *Auth) OnBoardGroup(u *models.UserGroup, altGroupName string) error {
if len(altGroupName) > 0 { if len(altGroupName) > 0 {
u.GroupName = altGroupName u.GroupName = altGroupName
} }
u.GroupType = common.LdapGroupType u.GroupType = common.LDAPGroupType
// Check duplicate LDAP DN in usergroup, if usergroup exist, return error // Check duplicate LDAP DN in usergroup, if usergroup exist, return error
userGroupList, err := group.QueryUserGroup(models.UserGroup{LdapGroupDN: u.LdapGroupDN}) userGroupList, err := group.QueryUserGroup(models.UserGroup{LdapGroupDN: u.LdapGroupDN})
if err != nil { if err != nil {

View File

@ -55,7 +55,7 @@ var ldapTestConfig = map[string]interface{}{
common.LDAPGroupBaseDN: "dc=example,dc=com", common.LDAPGroupBaseDN: "dc=example,dc=com",
common.LDAPGroupAttributeName: "cn", common.LDAPGroupAttributeName: "cn",
common.LDAPGroupSearchScope: 2, common.LDAPGroupSearchScope: 2,
common.LdapGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com", common.LDAPGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com",
} }
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
@ -92,8 +92,8 @@ func TestMain(m *testing.M) {
"delete from user_group", "delete from user_group",
"delete from project_member", "delete from project_member",
} }
dao.PrepareTestData(clearSqls, initSqls) dao.ExecuteBatchSQL(initSqls)
defer dao.ExecuteBatchSQL(clearSqls)
retCode := m.Run() retCode := m.Run()
os.Exit(retCode) os.Exit(retCode)
} }
@ -405,6 +405,7 @@ func TestAddProjectMemberWithLdapGroup(t *testing.T) {
ProjectID: currentProject.ProjectID, ProjectID: currentProject.ProjectID,
MemberGroup: models.UserGroup{ MemberGroup: models.UserGroup{
LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com", LdapGroupDN: "cn=harbor_users,ou=groups,dc=example,dc=com",
GroupType: 1,
}, },
Role: models.PROJECTADMIN, Role: models.PROJECTADMIN,
} }

View File

@ -224,7 +224,7 @@ func LDAPGroupConf() (*models.LdapGroupConf, error) {
LdapGroupFilter: cfgMgr.Get(common.LDAPGroupSearchFilter).GetString(), LdapGroupFilter: cfgMgr.Get(common.LDAPGroupSearchFilter).GetString(),
LdapGroupNameAttribute: cfgMgr.Get(common.LDAPGroupAttributeName).GetString(), LdapGroupNameAttribute: cfgMgr.Get(common.LDAPGroupAttributeName).GetString(),
LdapGroupSearchScope: cfgMgr.Get(common.LDAPGroupSearchScope).GetInt(), LdapGroupSearchScope: cfgMgr.Get(common.LDAPGroupSearchScope).GetInt(),
LdapGroupAdminDN: cfgMgr.Get(common.LdapGroupAdminDn).GetString(), LdapGroupAdminDN: cfgMgr.Get(common.LDAPGroupAdminDn).GetString(),
LdapGroupMembershipAttribute: cfgMgr.Get(common.LDAPGroupMembershipAttribute).GetString(), LdapGroupMembershipAttribute: cfgMgr.Get(common.LDAPGroupMembershipAttribute).GetString(),
}, nil }, nil
} }
@ -482,7 +482,7 @@ func HTTPAuthProxySetting() (*models.HTTPAuthProxy, error) {
Endpoint: cfgMgr.Get(common.HTTPAuthProxyEndpoint).GetString(), Endpoint: cfgMgr.Get(common.HTTPAuthProxyEndpoint).GetString(),
TokenReviewEndpoint: cfgMgr.Get(common.HTTPAuthProxyTokenReviewEndpoint).GetString(), TokenReviewEndpoint: cfgMgr.Get(common.HTTPAuthProxyTokenReviewEndpoint).GetString(),
VerifyCert: cfgMgr.Get(common.HTTPAuthProxyVerifyCert).GetBool(), VerifyCert: cfgMgr.Get(common.HTTPAuthProxyVerifyCert).GetBool(),
AlwaysOnBoard: cfgMgr.Get(common.HTTPAuthProxyAlwaysOnboard).GetBool(), SkipSearch: cfgMgr.Get(common.HTTPAuthProxySkipSearch).GetBool(),
}, nil }, nil
} }

View File

@ -21,6 +21,7 @@ import (
"testing" "testing"
"fmt" "fmt"
"github.com/goharbor/harbor/src/common" "github.com/goharbor/harbor/src/common"
"github.com/goharbor/harbor/src/common/dao" "github.com/goharbor/harbor/src/common/dao"
"github.com/goharbor/harbor/src/common/models" "github.com/goharbor/harbor/src/common/models"
@ -228,7 +229,7 @@ func TestConfigureValue_GetMap(t *testing.T) {
func TestHTTPAuthProxySetting(t *testing.T) { func TestHTTPAuthProxySetting(t *testing.T) {
m := map[string]interface{}{ m := map[string]interface{}{
common.HTTPAuthProxyAlwaysOnboard: "true", common.HTTPAuthProxySkipSearch: "true",
common.HTTPAuthProxyVerifyCert: "true", common.HTTPAuthProxyVerifyCert: "true",
common.HTTPAuthProxyEndpoint: "https://auth.proxy/suffix", common.HTTPAuthProxyEndpoint: "https://auth.proxy/suffix",
} }
@ -237,7 +238,7 @@ func TestHTTPAuthProxySetting(t *testing.T) {
assert.Nil(t, e) assert.Nil(t, e)
assert.Equal(t, *v, models.HTTPAuthProxy{ assert.Equal(t, *v, models.HTTPAuthProxy{
Endpoint: "https://auth.proxy/suffix", Endpoint: "https://auth.proxy/suffix",
AlwaysOnBoard: true, SkipSearch: true,
VerifyCert: true, VerifyCert: true,
}) })
} }

View File

@ -41,15 +41,7 @@ import (
"github.com/goharbor/harbor/src/core/promgr/pmsdriver/admiral" "github.com/goharbor/harbor/src/core/promgr/pmsdriver/admiral"
"strings" "strings"
"encoding/json" "github.com/goharbor/harbor/src/pkg/authproxy"
k8s_api_v1beta1 "k8s.io/api/authentication/v1beta1"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
) )
// ContextValueKey for content value // ContextValueKey for content value
@ -321,60 +313,17 @@ func (ap *authProxyReqCtxModifier) Modify(ctx *beegoctx.Context) bool {
log.Errorf("User name %s doesn't meet the auth proxy name pattern", proxyUserName) log.Errorf("User name %s doesn't meet the auth proxy name pattern", proxyUserName)
return false return false
} }
httpAuthProxyConf, err := config.HTTPAuthProxySetting() httpAuthProxyConf, err := config.HTTPAuthProxySetting()
if err != nil { if err != nil {
log.Errorf("fail to get auth proxy settings, %v", err) log.Errorf("fail to get auth proxy settings, %v", err)
return false return false
} }
tokenReviewResponse, err := authproxy.TokenReview(proxyPwd, httpAuthProxyConf)
// Init auth client with the auth proxy endpoint.
authClientCfg := &rest.Config{
Host: httpAuthProxyConf.TokenReviewEndpoint,
ContentConfig: rest.ContentConfig{
GroupVersion: &schema.GroupVersion{},
NegotiatedSerializer: serializer.DirectCodecFactory{CodecFactory: scheme.Codecs},
},
BearerToken: proxyPwd,
TLSClientConfig: rest.TLSClientConfig{
Insecure: !httpAuthProxyConf.VerifyCert,
},
}
authClient, err := rest.RESTClientFor(authClientCfg)
if err != nil { if err != nil {
log.Errorf("fail to create auth client, %v", err) log.Errorf("fail to review token, %v", err)
return false return false
} }
// Do auth with the token.
tokenReviewRequest := &k8s_api_v1beta1.TokenReview{
TypeMeta: metav1.TypeMeta{
Kind: "TokenReview",
APIVersion: "authentication.k8s.io/v1beta1",
},
Spec: k8s_api_v1beta1.TokenReviewSpec{
Token: proxyPwd,
},
}
res := authClient.Post().Body(tokenReviewRequest).Do()
err = res.Error()
if err != nil {
log.Errorf("fail to POST auth request, %v", err)
return false
}
resRaw, err := res.Raw()
if err != nil {
log.Errorf("fail to get raw data of token review, %v", err)
return false
}
// Parse the auth response, check the user name and authenticated status.
tokenReviewResponse := &k8s_api_v1beta1.TokenReview{}
err = json.Unmarshal(resRaw, &tokenReviewResponse)
if err != nil {
log.Errorf("fail to decode token review, %v", err)
return false
}
if !tokenReviewResponse.Status.Authenticated { if !tokenReviewResponse.Status.Authenticated {
log.Errorf("fail to auth user: %s", rawUserName) log.Errorf("fail to auth user: %s", rawUserName)
return false return false

View File

@ -16,8 +16,6 @@ package filter
import ( import (
"context" "context"
"github.com/goharbor/harbor/src/common/utils/oidc"
"github.com/stretchr/testify/require"
"log" "log"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
@ -27,6 +25,9 @@ import (
"testing" "testing"
"time" "time"
"github.com/goharbor/harbor/src/common/utils/oidc"
"github.com/stretchr/testify/require"
"github.com/astaxie/beego" "github.com/astaxie/beego"
beegoctx "github.com/astaxie/beego/context" beegoctx "github.com/astaxie/beego/context"
"github.com/astaxie/beego/session" "github.com/astaxie/beego/session"
@ -241,7 +242,7 @@ func TestAuthProxyReqCtxModifier(t *testing.T) {
defer server.Close() defer server.Close()
c := map[string]interface{}{ c := map[string]interface{}{
common.HTTPAuthProxyAlwaysOnboard: "true", common.HTTPAuthProxySkipSearch: "true",
common.HTTPAuthProxyVerifyCert: "false", common.HTTPAuthProxyVerifyCert: "false",
common.HTTPAuthProxyEndpoint: "https://auth.proxy/suffix", common.HTTPAuthProxyEndpoint: "https://auth.proxy/suffix",
common.HTTPAuthProxyTokenReviewEndpoint: server.URL, common.HTTPAuthProxyTokenReviewEndpoint: server.URL,
@ -253,7 +254,7 @@ func TestAuthProxyReqCtxModifier(t *testing.T) {
assert.Nil(t, e) assert.Nil(t, e)
assert.Equal(t, *v, models.HTTPAuthProxy{ assert.Equal(t, *v, models.HTTPAuthProxy{
Endpoint: "https://auth.proxy/suffix", Endpoint: "https://auth.proxy/suffix",
AlwaysOnBoard: true, SkipSearch: true,
VerifyCert: false, VerifyCert: false,
TokenReviewEndpoint: server.URL, TokenReviewEndpoint: server.URL,
}) })

65
src/pkg/authproxy/http.go Normal file
View File

@ -0,0 +1,65 @@
package authproxy
import (
"encoding/json"
"github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/utils/log"
k8s_api_v1beta1 "k8s.io/api/authentication/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/runtime/serializer"
"k8s.io/client-go/kubernetes/scheme"
"k8s.io/client-go/rest"
)
// TokenReview ...
func TokenReview(sessionID string, authProxyConfig *models.HTTPAuthProxy) (*k8s_api_v1beta1.TokenReview, error) {
// Init auth client with the auth proxy endpoint.
authClientCfg := &rest.Config{
Host: authProxyConfig.TokenReviewEndpoint,
ContentConfig: rest.ContentConfig{
GroupVersion: &schema.GroupVersion{},
NegotiatedSerializer: serializer.DirectCodecFactory{CodecFactory: scheme.Codecs},
},
BearerToken: sessionID,
TLSClientConfig: rest.TLSClientConfig{
Insecure: !authProxyConfig.VerifyCert,
},
}
authClient, err := rest.RESTClientFor(authClientCfg)
if err != nil {
return nil, err
}
// Do auth with the token.
tokenReviewRequest := &k8s_api_v1beta1.TokenReview{
TypeMeta: metav1.TypeMeta{
Kind: "TokenReview",
APIVersion: "authentication.k8s.io/v1beta1",
},
Spec: k8s_api_v1beta1.TokenReviewSpec{
Token: sessionID,
},
}
res := authClient.Post().Body(tokenReviewRequest).Do()
err = res.Error()
if err != nil {
log.Errorf("fail to POST auth request, %v", err)
return nil, err
}
resRaw, err := res.Raw()
if err != nil {
log.Errorf("fail to get raw data of token review, %v", err)
return nil, err
}
// Parse the auth response, check the user name and authenticated status.
tokenReviewResponse := &k8s_api_v1beta1.TokenReview{}
err = json.Unmarshal(resRaw, &tokenReviewResponse)
if err != nil {
log.Errorf("fail to decode token review, %v", err)
return nil, err
}
return tokenReviewResponse, nil
}

View File

@ -90,7 +90,7 @@ export class Configuration {
http_authproxy_endpoint?: StringValueItem; http_authproxy_endpoint?: StringValueItem;
http_authproxy_tokenreview_endpoint?: StringValueItem; http_authproxy_tokenreview_endpoint?: StringValueItem;
http_authproxy_verify_cert?: BoolValueItem; http_authproxy_verify_cert?: BoolValueItem;
http_authproxy_always_onboard?: BoolValueItem; http_authproxy_skip_search?: BoolValueItem;
oidc_name?: StringValueItem; oidc_name?: StringValueItem;
oidc_endpoint?: StringValueItem; oidc_endpoint?: StringValueItem;
oidc_client_id?: StringValueItem; oidc_client_id?: StringValueItem;
@ -141,7 +141,7 @@ export class Configuration {
this.http_authproxy_endpoint = new StringValueItem("", true); this.http_authproxy_endpoint = new StringValueItem("", true);
this.http_authproxy_tokenreview_endpoint = new StringValueItem("", true); this.http_authproxy_tokenreview_endpoint = new StringValueItem("", true);
this.http_authproxy_verify_cert = new BoolValueItem(false, true); this.http_authproxy_verify_cert = new BoolValueItem(false, true);
this.http_authproxy_always_onboard = new BoolValueItem(false, true); this.http_authproxy_skip_search = new BoolValueItem(false, true);
this.oidc_name = new StringValueItem('', true); this.oidc_name = new StringValueItem('', true);
this.oidc_endpoint = new StringValueItem('', true); this.oidc_endpoint = new StringValueItem('', true);
this.oidc_client_id = new StringValueItem('', true); this.oidc_client_id = new StringValueItem('', true);

View File

@ -310,13 +310,13 @@
</clr-checkbox-wrapper> </clr-checkbox-wrapper>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="http_authproxy_always_onboard" <label for="http_authproxy_skip_search"
class="required">{{'CONFIG.HTTP_AUTH.ALWAYS_ONBOARD' | translate}}</label> class="required">{{'CONFIG.HTTP_AUTH.SKIP_SEARCH' | translate}}</label>
<clr-checkbox-wrapper> <clr-checkbox-wrapper>
<input type="checkbox" clrCheckbox name="http_authproxy_always_onboard" <input type="checkbox" clrCheckbox name="http_authproxy_skip_search"
id="http_authproxy_always_onboard" id="http_authproxy_skip_search"
[disabled]="!currentConfig.http_authproxy_always_onboard.editable" [disabled]="!currentConfig.http_authproxy_skip_search.editable"
[(ngModel)]="currentConfig.http_authproxy_always_onboard.value" /> [(ngModel)]="currentConfig.http_authproxy_skip_search.value" />
</clr-checkbox-wrapper> </clr-checkbox-wrapper>
</div> </div>
</section> </section>

View File

@ -769,7 +769,7 @@
"HTTP_AUTH": { "HTTP_AUTH": {
"ENDPOINT": "Server Endpoint", "ENDPOINT": "Server Endpoint",
"TOKEN_REVIEW": "Token Review Endpoint", "TOKEN_REVIEW": "Token Review Endpoint",
"ALWAYS_ONBOARD": "Always Onboard", "SKIP_SEARCH": "Skip Search",
"VERIFY_CERT": "Verify Certificate" "VERIFY_CERT": "Verify Certificate"
}, },
"OIDC": { "OIDC": {

View File

@ -769,7 +769,7 @@
"HTTP_AUTH": { "HTTP_AUTH": {
"ENDPOINT": "Server Endpoint", "ENDPOINT": "Server Endpoint",
"TOKEN_REVIEW": "Review Endpoint De Token", "TOKEN_REVIEW": "Review Endpoint De Token",
"ALWAYS_ONBOARD": "Always Onboard", "SKIP_SEARCH": "Skip Search",
"VERIFY_CERT": "Authentication Verify Cert" "VERIFY_CERT": "Authentication Verify Cert"
}, },
"OIDC": { "OIDC": {

View File

@ -743,7 +743,7 @@
"HTTP_AUTH": { "HTTP_AUTH": {
"ENDPOINT": "serveur paramètre", "ENDPOINT": "serveur paramètre",
"TOKEN_REVIEW": "examen symbolique paramètre", "TOKEN_REVIEW": "examen symbolique paramètre",
"ALWAYS_ONBOARD": "always onboard", "SKIP_SEARCH": "Skip Search",
"VERIFY_CERT": "authentification vérifier cert" "VERIFY_CERT": "authentification vérifier cert"
}, },
"OIDC": { "OIDC": {

View File

@ -763,7 +763,7 @@
"HTTP_AUTH": { "HTTP_AUTH": {
"ENDPOINT": "Server endpoint", "ENDPOINT": "Server endpoint",
"TOKEN_REVIEW": "Ponto final do Token Review", "TOKEN_REVIEW": "Ponto final do Token Review",
"ALWAYS_ONBOARD": "Sempre Onboard", "SKIP_SEARCH": "Skip Search",
"VERIFY_CERT": "Verificar certificado de Authentication" "VERIFY_CERT": "Verificar certificado de Authentication"
}, },
"OIDC": { "OIDC": {

View File

@ -768,7 +768,7 @@
"HTTP_AUTH": { "HTTP_AUTH": {
"ENDPOINT": "Server Endpoint", "ENDPOINT": "Server Endpoint",
"TOKEN_REVIEW": "Token Review Endpoint", "TOKEN_REVIEW": "Token Review Endpoint",
"ALWAYS_ONBOARD": "Always Onboard", "SKIP_SEARCH": "Skip Search",
"VERIFY_CERT": "Authentication验证证书" "VERIFY_CERT": "Authentication验证证书"
}, },
"OIDC": { "OIDC": {