from the perspective of preventing privilege escalation, remove the robot update permission from the possilbe permission set
Signed-off-by: wang yan <wangyan@vmware.com>
* have option to enable robot full access
When the system admin enable this option, the robot can be assigned with robot/user/group/quota permissions.
Signed-off-by: wang yan <wangyan@vmware.com>
* robot account permission enhancement
Update codes according to the proposal of https://github.com/goharbor/community/pull/249
Signed-off-by: wang yan <wangyan@vmware.com>
---------
Signed-off-by: wang yan <wangyan@vmware.com>
Parallel attach LDAP group
Add configure LDAP group attach parallel UI
Change the /c/login timeout from 60 (nginx default) to 900 seconds in nginx.conf
Signed-off-by: stonezdj <stone.zhang@broadcom.com>
* fix issue 19928
it needs to consider the user who is in any group that has been granted with the project admin role.
Signed-off-by: wang yan <wangyan@vmware.com>
* feat: update to golang-jwt v5.2.0
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* fix: module issues and robot claims
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* fix: add missing time import
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* feat: set jwt validation leeway to 60s
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* fix: update leeways that were still set to 10s
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* feat: update go.sum
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* feat: add two leeway related test cases
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* fix: correct jwt audience validation
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* fix: gofmt v2_token.go
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* feat: take into account review comments
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
* feat: use a common constant to store JWT leeway
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
---------
Signed-off-by: Antoine Jouve <ant.jouve@gmail.com>
Signed-off-by: Antoine Jouve <an-toine@users.noreply.github.com>
Co-authored-by: MinerYang <yminer@vmware.com>
fixes#19622
Resolve the 403 issue occurring when a robot account, equipped with both system and project scope, attempts to access project resources.
Signed-off-by: wang yan <wangyan@vmware.com>
* add permission validation for robot creating and updating.
It is not allowed to create an new robot with the access outside the predefined scope.
Signed-off-by: wang yan <wangyan@vmware.com>
* Fix robot testcase and update robot permission metadata (#167)
1. Fix robot testcase
2. update robot permission metadata
Signed-off-by: Yang Jiao <jiaoya@vmware.com>
Signed-off-by: wang yan <wangyan@vmware.com>
---------
Signed-off-by: wang yan <wangyan@vmware.com>
Signed-off-by: Yang Jiao <jiaoya@vmware.com>
Co-authored-by: Yang Jiao <72076317+YangJiao0817@users.noreply.github.com>
1. Increase the default beego max memory and upload size from 32GB to
128GB.
2. Support customize the two beego configs from env.
Signed-off-by: chlins <chenyuzh@vmware.com>
Co-authored-by: Wang Yan <wangyan@vmware.com>
The permission api targets to return the full set of permissons for robot to use.
And only system and project admin have the access
Signed-off-by: wang yan <wangyan@vmware.com>
Check username when creating user by API
Replace comma with underscore in username for OnboardUser
Fixes#19356
Signed-off-by: stonezdj <daojunz@vmware.com>
Introduce the quota update provider, improve the performance of pushing
artifacts to same project with high concurrency by implementing
optimistic lock in redis. By default the function is disabled, open it
by set env 'QUOTA_UPDATE_PROVIDER=Redis' for the core container.
Fixes: #18440
Signed-off-by: chlins <chenyuzh@vmware.com>
Since harbor deprecates notary since v2.9.0, this pull request targets to remove the code related with notary.
Signed-off-by: Wang Yan <wangyan@vmware.com>
Refactor the logic for updating the status of execution when receiving
the hook from jobservice, avoid the optimistic lock due to the multiple
tasks update one execution by refreshing the status asynchronously. But
still retain the old way by specifying the flag from ENV.
Fixes: #17584
Signed-off-by: chlins <chenyuzh@vmware.com>
Fixes#17636, to determine permissions for the project resource, the path should be /project instead of /project/project.
Signed-off-by: Wang Yan <wangyan@vmware.com>
Convert the redis range result into struct and extract job id from it
Add more log when get redis config fails
Signed-off-by: stonezdj <daojunz@vmware.com>
Signed-off-by: stonezdj <daojunz@vmware.com>
Add configuration session_timeout for API, then user can customize the
timeout from system config page or API. The timeout is 60 minutes by
default.
Signed-off-by: chlins <chenyuzh@vmware.com>
Signed-off-by: chlins <chenyuzh@vmware.com>
Filter out the OIDC group which doesn't match the regular expression
Fixes#17130
Signed-off-by: stonezdj <stonezdj@gmail.com>
Signed-off-by: stonezdj <stonezdj@gmail.com>
Add REST API to list job pool, worker, stop running task
Add jobservice handler to retrieve configuration
Add RBAC for jobservice monitoring dashboard
Add REST API to list pool, worker and stop running task
Signed-off-by: stonezdj <stonezdj@gmail.com>
Signed-off-by: stonezdj <stonezdj@gmail.com>
1. Add resource permission check for API handler
2. Validate export cve params project
3. Optimize friendly human message when execution status is error
Signed-off-by: chlins <chenyuzh@vmware.com>
