Interceptor will filter the vulnerability in whitelist while calculating
the serverity of an image and determine whether or not to block client
form pulling it.
It will use the system level whitelist in this commit, another commit
will switch to project level whitelist based on setting in a project.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* add scan all and gc schedule migration
Signed-off-by: wang yan <wangyan@vmware.com>
* Fix gofmt errors
Signed-off-by: wang yan <wangyan@vmware.com>
* Update code according to review comments
Signed-off-by: wang yan <wangyan@vmware.com>
* remove convertschedule return name just return value
Signed-off-by: wang yan <wangyan@vmware.com>
This commit tweaks the attribute for auth proxy mode and OIDC auth mode.
To change it from "Skip verify cert" to "verify cert" so they are more
consistent with other modes.
Additionally it removes a workaround in `SearchUser` in auth proxy
authenticator.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
As CLI does not support oauth flow, we'll use secret for help OIDC user
to authenticate via CLI.
Add column to store secret and token, and add code to support
verify/refresh token associates with secret. Such that when the user is
removed from OIDC provider the secret will no longer work.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* add authn proxy docker login support
User could use the web hook token issued by k8s api server to login to harbor.
The username should add a specific prefix.
Signed-off-by: wang yan <wangyan@vmware.com>
* update code per review comments
Signed-off-by: wang yan <wangyan@vmware.com>
* Add UT for auth proxy modifier
Signed-off-by: wang yan <wangyan@vmware.com>
2. Add ng replication policy CURD methods.
3. Implement ng policy manger.
Signed-off-by: Frank Kung <kfanjian@gmail.com>
Signed-off-by: 慕薇疯魔 <kfanjian@gmail.com>
Previously the settings of HTTP authproxy were set in environment
variable.
This commit move them to the configuration API
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is to make the expiration of robot account configurable
1, The expiration could be set by system admin in the configuation page or
by /api/config with robot_token_expiration=60, the default value is 30 days.
2, The expiration could be shown in the robot account infor both on UI and API.
Signed-off-by: wang yan <wangyan@vmware.com>
This commit is to do:
1, Add post response on creating robot account
2, Lower-case the attribute of response
Signed-off-by: wang yan <wangyan@vmware.com>
Add API implementation of robot account
1. POST /api/project/pid/robots
2, GET /api/project/pid/robots/id?
3, PUT /api/project/pid/robots/id
4, DELETE /api/project/pid/robots/id
Signed-off-by: wang yan <wangyan@vmware.com>
Fixes#6115
As for the change in migration sql file, in 1.7 we'll switch to
jobservice for scheduling "scan all" job. To avoid inconsistency,
this item will be reset and user will need to configure the policy again.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
- add new interface method to get total count of charts under namespaces by calling get index
- add new field 'chart_count' in project model
- append chart count to the project model in project API
Signed-off-by: Steven Zou <szou@vmware.com>
The sslmode of the connection with postgresql is hardcoded as "disable" currently, this commit expose it as an environment variable so that users can configure it
Signed-off-by: Wenkai Yin <yinw@vmware.com>
It supports Harbor admin to trigger job either manual or
schedule. The job will be populated to job service to execute.
The api includes:
1. POST /api/system/gc
2, GET /api/system/gc/:id
3, GET /api/system/gc/:id/log
4, PUT/GET/POST /api/system/gc/schedule
The project list will contain all public projects, user is a member of this project, or user is in the group which is a member of this projects.
Change the behaviour of user roles, if the user is not a member of this project, then return the user's groups role of current project
Currently "Critical" vulnerablity is treated as "Unknown" in Harbor.
This commit provides a quickfix that it will be interpret as "High". In
future, we should consider introduce "Critical" and enable UI to handle
it to be more consistent with CVSS spec.
Remove the attribute "uaa_ca_root" from harbor.cfg and introduce
"uaa_verify_cert". Similar to LDAP settings, this allow user to
explicitly turn of the cert verification against UAA server, such that
the code will work with self-signed certificate.
push test
Add unit test for ldap verify cert
remove common.VerifyRemoteCert
Update code with PR review comments
Add change ldaps config and add UT testcase for TLS feature
add ldap verfiy cert checkbox about #3513
Draft harbor ova install guide
Search and import ldap user when add project members
Add unit test case for SearchAndImportUser
ova guide
Add ova install guide
Add ova install guide 2
Add ova install guide 3
Call ValidateLdapConf before search ldap
trim space in username
Remove leading space in openLdap username
Remove doc change in this branch
Update unit test for ldap search and import user
Add test case about ldap verify cert checkbox
Modify ldap testcase
