Commit Graph

1086 Commits

Author SHA1 Message Date
DQ
c954969bcd Add mTLS configs
mTLS only enabled in jobservice and registryctl

Signed-off-by: DQ <dengq@vmware.com>
2020-03-18 19:22:10 +08:00
DQ
03e11c63c7 Fix docker file with secure tls change
Signed-off-by: DQ <dengq@vmware.com>
2020-03-18 19:22:10 +08:00
DQ
115185894f Merge internal Transport and Secure Transport
Signed-off-by: DQ <dengq@vmware.com>
2020-03-18 19:22:09 +08:00
DQ
da359f609f Feat: enable mtls in core
add mtls related code in core

Signed-off-by: DQ <dengq@vmware.com>
2020-03-18 19:22:09 +08:00
Wang Yan
b4e941e961
drop table access log in migration (#11118)
Use the audit log instead, the access log table should be dropped after migration

Signed-off-by: wang yan <wangyan@vmware.com>
2020-03-18 19:04:38 +08:00
He Weiwei
7d20154db5
fix: remove old artifact model (#11112)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-03-18 14:20:06 +08:00
He Weiwei
f8983fe198
feat(log): track request id in the log message (#11095)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-03-17 19:29:59 +08:00
He Weiwei
60f8595034
refactor(quota): implement internal quota APIs by quota controller (#11058)
1. Use quota controller to implement the internal quota APIs.
2. The internal quota APIs can exceed the quota limitations.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-03-16 10:20:17 +08:00
Wenkai Yin
c6940e8184 United error response format for management APIs (legacy and v2.0 APIs)
United error response format for management APIs (legacy and v2.0 APIs)

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-03-13 22:00:08 +08:00
He Weiwei
2a243ef7a2
refactor(rbac): refactor rbac impl to improve performance (#9988)
1. Introduce `Evaluator` interface which do the permission checking.
2. `admin`, `lazy`, `rbac`, `namespace` and `evaluartor` set are implemented the
`Evaluator` interface.
3. Move project rbac implemention from `project` to `rbac` pkg to reduce
the name  conflict with project instance of model.
4. Do permission checking in security context by `Evaluator`.
5. Cache the regexp in rbac evaluator for casbin.
6. Cache evaluator in namespace evaluator to improve performance.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-03-12 23:42:53 +08:00
Wenkai Yin
4ccc3da99b Remove the "x-go-type" for artifact definition in swagger
Using "x-go-type" may cause the inconsistence between the swagger definition and the real data model

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-03-12 10:06:22 +08:00
He Weiwei
89dfe24f19
feat(quota): add Request and Refresh middlewares for APIs (#10907)
1. Introduce ReqquestMiddleware and RefereshMiddleware.
2. Add request middlware to copy artifact, mount blob, put blob upload,
put manifest, upload chart verson APIs.
3. Add refresh project middleware to delete manifest, delete artifact,
delete chart version, delete repository APIs.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-03-11 22:25:40 +08:00
Daniel Jiang
0f0e27179b Remove dependency on travis-ci
Github actions work fine, we no longer needs travi-ci to trigger the
tests.
This commit removes it.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2020-03-09 01:30:38 +08:00
Wenkai Yin
4c9b59c904 Migrate artifact data in 2.0
Abstract extra attributes and annotations for artifacts stored in database

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-28 18:09:02 +08:00
DQ
ff0c8b382c Refactor the version to variable
Signed-off-by: DQ <dengq@vmware.com>
2020-02-26 16:24:49 +08:00
Wang Yan
948d45604c Revise the GC job flow,
1, set harbor to readonly
2, select the candidate artifacts from Harbor DB.
3, call registry API(--delete-untagged=false) to delete manifest bases on the results of #2
4, clean keys of redis DB of registry, clean artifact trash and untagged from DB.
5, roll back readonly.

Signed-off-by: wang yan <wangyan@vmware.com>
2020-02-24 18:29:55 +08:00
Wenkai Yin
528f598268 Reimplement the registry client
This commit reimplements the registry client under directory src/pkg/registry and removes the useless code

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-24 14:36:26 +08:00
Wenkai Yin
bd204464f3 Remove dead code
Remove dead code

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-23 17:11:46 +08:00
Wenkai Yin
9312b788dc Upgrade the artifact table
Split the table artifact into artifact and tags, and populate related data

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-21 20:37:31 +08:00
He Weiwei
88fcacd4b7
feat(middleware): add blob middlewares (#10710)
1. Add middleware to record the accepted blob size for stream blob
upload.
2. Add middleware to create blob and associate it with project after blob upload
complete.
3. Add middleware to sync blobs, create blob for manifest and associate blobs
with the manifest after put manifest.
4. Add middleware to associate blob with project after mount blob.
5. Cleanup associations for the project when artifact deleted.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-02-20 23:20:34 +08:00
Wenkai Yin
c4d4850845 Implement copy artifact API
Copy artifact into the repository from the specified artifact

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-20 16:59:35 +08:00
Wenkai Yin
1db0077096 Implement delete/update repository API
Implement delete/update repository API

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-20 08:39:26 +08:00
Steven Zou
f1374737f6
Merge pull request #10694 from danielpacak/feature/install_with_trivy
chore(install): Add --with-trivy arg to the installation script
2020-02-19 16:27:57 +08:00
Daniel Jiang
5a6e9331fd
Artifact signature populate (#7)
* Populate signature status in artifact API

This Commit add signature status into response of list artifact API.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2020-02-18 01:42:56 +08:00
Wenkai Yin
93731eeb2e Support add/remove label to/from artifact
This commit add supporting for adding/removing label to/from artifacts and populates labels when listing artifacts

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-13 10:46:23 +08:00
Daniel Pacak
a642667ffc chore(install): Add --with-trivy arg to the installation script
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
2020-02-12 23:47:56 +01:00
Wenkai Yin(尹文开)
d66c1a4a21
Merge pull request #10612 from ywk253100/200202_replication_basic_auth
Do enhancement for the registry authorizer
2020-02-11 22:09:40 +08:00
Wenkai Yin
a4ebbc6ecf Do enhancement for the registry authorizer
This commit introduces a new wrapper authorizer which can authorize the request according to the auth scheme automatically

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-11 21:21:49 +08:00
Wang Yan
65dc54b059 Merge pull request #10626 from ywk253100/200125_handle_error
Unify the method/style to handle error in handler/middleware
2020-02-10 17:47:12 +08:00
Wenkai Yin
af4dd142bc Unify the method/style to handle error in handler/middleware
This commit provides a "SendError" method to unify the way to handle error in handlers/middlewares

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-08 07:37:00 +08:00
Wenkai Yin
0f6057a22c Implement get addition API for image
This commit implements the API to get build history of image with manifest version 2 and populates the addition links when listing/getting the artifact

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-07 20:21:38 +08:00
Wenkai Yin
6087647895 Add permission check for artifact related APIs
Add permission check for artifact related APIs

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-02-05 15:58:39 +08:00
He Weiwei
b1437c1341
refactor(security): add NewContext and FromContext to security pkg (#10617)
1. Add `NewContext` and `FromContext` funcs in security pkg.
2. Add `Name` func in `security.Context` interface to make the checking
for the `/api/internal/configurations` API clear.
3. Get the security from the context to prepare change the security
filter to middleware.
4. Remove `GetSecurityContext` in filter pkg.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2020-02-03 17:43:36 +08:00
Daniel Jiang
2064a1cd6d Switch to basic authentication for registry
1. Add basic authorizer for registry which modify the request
to add basic authorization header to request based on configuration.
2. Set basic auth header for proxy when accessing registry
3. Switche the registry to use basic auth by default and use the basic
authorizer to access Harbor.
4. Make necessary change to test cases, particularly
"test_robot_account.py" and "docker_api.py", because the error is
changed after siwtched to basic auth from token auth.  #10604 is opened
to track the follow up work.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2020-01-31 21:46:47 +09:00
Wenkai Yin
400a47a5c5 Implement tag/artifact manager and artifact controller
1. Implement tag/artifact manager
2. Implement artifact controller
3. Onboard the artifact when pushing artifacts

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2020-01-08 20:19:48 +08:00
Wenkai Yin(尹文开)
56dc0bb71f
Merge pull request #10324 from wy65701436/common-error-13
add OCI error format support
2019-12-25 17:44:35 +08:00
wang yan
ebe5bb68b9 add OCI error format support
1, Leverage go v1.13 new error feature
2, Define genernal error OCI format, so that /v2 API could return a OCI compatible error

Signed-off-by: wang yan <wangyan@vmware.com>
2019-12-25 17:07:26 +08:00
stonezdj
6313a55219 Fix admin permission not revoked when removed from LDAP admin group
Seperate the HasAdminRole(In DB) with the privileges from external auth, and use user.HasAdminPrivilege to check

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-12-20 13:12:22 +08:00
Wang Yan
9405b11480
Merge pull request #10114 from julienvey/typo-registryctl
Fix typo in registryctl client log
2019-12-06 13:15:16 +08:00
Wang Yan
9016c427b9
Merge pull request #10136 from reasonerjt/rm-authproxy-case-sensitive
Get rid of case-sensitivity in authproxy setting
2019-12-05 14:26:18 +08:00
Daniel Jiang
d58f5e4bdc Get rid of case-sensitivity in authproxy setting
This commit removes the attribute to control case-sensitivity from
authproxy setting.
The result in token review status will be used as the single source of
truth, regardless the case of the letters in group names and user names.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-04 21:39:40 +08:00
Wenkai Yin(尹文开)
d145f4baf4
Merge pull request #10034 from ywk253100/191128_clean
Clean up admiral-related code
2019-12-04 17:33:31 +08:00
stonezdj(Daojun Zhang)
339c1d4cab
Merge pull request #10088 from reasonerjt/authproxy-cert-setting
Support pinning to authproxy server's cert
2019-12-04 14:03:27 +08:00
Wenkai Yin(尹文开)
a1712e5332
Merge pull request #10083 from MrMEEE/fix-listings-squashed
Squashed version of PR-9943
2019-12-04 09:35:20 +08:00
Julien Vey
a13f918fd0 Fix typo in registryctl client
Signed-off-by: Julien Vey <vey.julien@gmail.com>
2019-12-03 23:51:15 +01:00
Yogi_Wang
f022e89843 Modify the repository list sort and filter
Signed-off-by: Yogi_Wang <yawang@vmware.com>
2019-12-03 10:37:41 +08:00
Daniel Jiang
902598fabd Support pinning to authproxy server's cert
This commit add an attribute to configurations, whose value is the
certificate of authproxy server.  When this attribute is set Harbor will
pin to this cert when connecting authproxy.
This value will also be part of the response of systemInfo API.

This commit will be cherrypicked to 1.10 and 1.9 branch.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-03 07:31:26 +08:00
Martin Juhl
06594a1756 Squashed version of PR-9943
Signed-off-by: Martin Juhl <m@rtinjuhl.dk>
2019-12-02 11:59:33 +01:00
Wenkai Yin
dd2bc0ecef Clean up admiral-related code
Clean up admiral-related code as it's useless

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-11-28 17:28:54 +08:00
Daniel Jiang
4e1bac4b82
Merge pull request #9820 from reasonerjt/oidc-cli-secret-group
Populate user groups during OIDC CLI secret verification
2019-11-19 03:03:38 -08:00
Daniel Jiang
64af09d52b Populate user groups during OIDC CLI secret verification
This commit refactors the flow to populate user info and verify CLI
secret in OIDC authentication.

It will call the `userinfo` backend of OIDC backend and fallback to
using the ID token if userinfo is not supported by the backend.

It also makes sure the token will be persisted if it's refreshed during
this procedure.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-18 23:53:05 -08:00
He Weiwei
0c068d81f5
feat(vuln-severity): map negligible to none to match CVSS v3 ratings (#9885)
BREAKING CHANGE: the value negligible of severity in project metadata will change to none in the responses of project APIs

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-18 14:36:51 +08:00
Wang Yan
6e03c8a54e
Merge pull request #9896 from heww/owner-check-for-project-member-robot-account
fix(robot,project-member): check owner of member, robot when update, …
2019-11-15 16:53:22 +08:00
Wang Yan
7b12ed14a1
Merge pull request #9852 from stonezdj/remove_tedious_msg
Change log level to avoid tedious error in log
2019-11-15 10:42:28 +08:00
He Weiwei
5bd1cfdbf2 fix(robot,project-member): check owner of member, robot when update, delete
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-14 07:00:44 +00:00
Wang Yan
29be93725d
Merge pull request #9860 from reasonerjt/authproxy-case-sensitive-master
Authproxy case sensitive master
2019-11-14 14:03:53 +08:00
Daniel Jiang
8933ab8074 Add configuration "case sensitive" to HTTP auth proxy
This commit make case sensitivity configurable when the authentication
backend is auth proxy.
When the "http_authproxy_case_sensitive" is set to false, the name of
user/group will be converted to lower-case when onboarded to Harbor, so
as long as the authentication is successful there's no difference regardless
upper or lower case is used.  It will be mapped to one entry in Harbor's
User/Group table.
Similar to auth_mode, there is limitation that once there are users
onboarded to Harbor's DB this attribute is not configurable.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-13 15:00:05 +08:00
stonezdj
dc5cb3504c Change log level to avoid tedious error in log
change from error to debug

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-13 11:15:00 +08:00
stonezdj
4d822e0a19 Fix review comments on PR9749
Fix review comments on PR9749
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-12 13:05:11 +08:00
Wang Yan
407417ce7b
Merge pull request #9810 from stonezdj/bug9479
Populate group from auth provider to Harbor when user login
2019-11-11 19:52:31 +08:00
stonezdj
0c011ae717 Populate group from auth provider to Harbor DB when user login
Fix #9749, change include LDAP auth, OIDC auth, HTTP auth

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-11 14:41:35 +08:00
Daniel Jiang
64dc5122e6 Add role list in project response
This commit fixes #9771

It compares the roles to return the one with highest permission in the
response of `GET /api/projects`.
In addition to that, it adds the role list to the response, because a
user can have multiple roles in a project.
It also removes the togglable attribute as it's not used anywhere.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-11 14:03:50 +08:00
Daniel Jiang
7d04eab63c
Merge pull request #9593 from qyqcswill/code_improve
promote code quality
2019-11-08 18:28:46 +08:00
Steven Zou
ee31418e8e revoke scan permission from the developer role
Signed-off-by: Steven Zou <szou@vmware.com>
2019-11-06 17:57:48 +08:00
Steven Zou
ebc5d2482b do improvements to the scan all job
- update scan all job to avoid sending too many HTTP requets
- update scan controller to support scan options
- update the db schema of the scan report to introduce requester
- introduce scan all metrics to report the overall progress of scan all job
- fix the status updating bug in scan report
- enhance the admin job status updats
- add duplicate checking before triggering generic admin job
- update the db scheme of admin job

fix #9705
fix #9722
fix #9670

Signed-off-by: Steven Zou <szou@vmware.com>
2019-11-05 15:12:07 +08:00
He Weiwei
ae8931e816 fix(policy-checker): add func to transform project severity to vuln.Severity
The severity saved in db is lowercase but the severities in vuln pkg
begin with upper letter, this fix use func to transform project severity
value from db to vuln.Severity.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-31 14:11:44 +00:00
He Weiwei
3c80832341 fix(quota): order by quotas only on support resources
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-30 02:42:34 +00:00
Daniel Jiang
b17711abbf
Merge pull request #9592 from qyqcswill/code_clean
remove useless code
2019-10-29 15:08:59 +08:00
Steven Zou
5b2ab34e03 permission grant for scanner related actions are not correctly
- add new endpoint for getting scanner candidates of specified project
- adjust the permission granting functions
- fix #9608

Signed-off-by: Steven Zou <szou@vmware.com>
2019-10-28 18:20:47 +08:00
Wenkai Yin(尹文开)
f007a62b04
Merge pull request #9588 from stonezdj/fix_ldap_group_sql
Fix User Group Search SQL error
2019-10-28 11:22:14 +08:00
hao.cheng
29e905271d promote code quality
Signed-off-by: hao.cheng <hao.cheng@daocloud.io>
2019-10-25 15:37:35 +08:00
hao.cheng
94bc8c2f5c remove useless code
Signed-off-by: hao.cheng <hao.cheng@daocloud.io>
2019-10-25 15:20:25 +08:00
stonezdj
f402db380b Fix User Group Search SQL error
User Group Query SQL error in some cases

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-10-25 14:00:45 +08:00
Wang Yan
d18678a48d
Merge pull request #9506 from wy65701436/token-sevice
Enable robot account to support scan pull case
2019-10-24 19:52:33 +08:00
wang yan
71c769ec97 remvoe bypass to scanner pull
Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-24 17:49:20 +08:00
wang yan
a6ad1b2db8 update code per review comments
Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-23 20:05:51 +08:00
wang yan
2fa85aefca fix per comments
Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-23 18:45:30 +08:00
wang yan
5996189bb0 update per comments and fix govet error
Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-23 18:45:30 +08:00
wang yan
22b4ea0f89 Enable robot account bypass policy check
1, the commit is for internal robot to bypass policy check, like vul and signature checking.
2, add a bool attribute into registry token, decode it in the harbor core and add the status into request context.
3, add a bool attribut for robot API controller, but API will not use it.y

Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-23 18:45:30 +08:00
Wenkai Yin
9d896d4d72 Remove the health checker for Clair in health check API
As we introduce the pluggable scanner, users can add the external scanners, so we remove the Clair from the health check API

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-10-23 12:55:03 +08:00
stonezdj(Daojun Zhang)
4dcd323b4a
Merge pull request #9475 from wy65701436/immu-delete-repo
add immutable match in the repository/tag delete api
2019-10-22 17:28:15 +08:00
Wang Yan
fc106e218c
Merge pull request #9503 from heww/issue-9308
fix(configuration): E notation support for int64 and quota types
2019-10-22 11:50:06 +08:00
Wang Yan
3772ccc163
Merge pull request #9493 from stonezdj/remove_nested_group
Remove nested group search
2019-10-21 17:45:50 +08:00
He Weiwei
7c8f5426ed fix(configuration): E notation support for int64 and quota types
Closes #9308

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-21 08:15:27 +00:00
wang yan
424f11e697 add immutable match in the repository/tag delete api
Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-21 15:53:24 +08:00
stonezdj
b148ffe6a8 Remove the nested group search
Remove the code change in #8378, because the previous code change caused issues: #9092, #9110, #9326

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-10-21 14:34:53 +08:00
He Weiwei
e254fe3095
fix(permissions): permissions checking for member and quota info (#9490)
1. Only show project member info when has member list permission.
2. Only show quota info when has quota read permission.
3. Add quota read permission for all roles of project.
4. Refactor permission service in portoal.
5. Clear cache when clear session.

Closes #8697

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-21 14:03:52 +08:00
He Weiwei
bf6a14c9ad
feat(role): introduce a limited guest role (#9403)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-20 14:21:28 +08:00
Wenkai Yin(尹文开)
f98196e5ba
Merge pull request #9435 from reasonerjt/oidc-refresh-refine
Update OIDC token refresh process
2019-10-18 19:43:34 +08:00
Steven Zou
0f16913635 rebase: resolve the code confilcts with master
Signed-off-by: Steven Zou <szou@vmware.com>
2019-10-17 17:42:41 +08:00
Wenkai Yin(尹文开)
97ddff2ac8
Merge pull request #9434 from heww/clair-adapter
build(clair): internal clair adapter when install with clair
2019-10-17 16:06:10 +08:00
He Weiwei
8964a8697a build(clair): internal clair adapter when install with clair
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-17 12:00:51 +08:00
Daniel Jiang
f0cb16cb86 Update OIDC token refresh process
1) Disassociate id token from user session

2) Some OIDC providers do not return id_token in the response of refresh
request:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
When validating the CLI secret it will not validate the id token,
instead it will check the expiration of the access token, and try to
refresh it.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-10-17 11:26:18 +08:00
Steven Zou
f18afc0a3f do changes to let the vul policy check compatiable with new framework
- update the scan/scanner controller
- enhance the report summary generation
- do changes to the vulnerable handler
- remove the unused clair related code
- add more UT cases
- update the scan web hook event
- drop the unsed tables/index/triggers in sql schema

Signed-off-by: Steven Zou <szou@vmware.com>
2019-10-16 23:15:26 +08:00
stonezdj(Daojun Zhang)
2973ddcf6b
Merge pull request #9428 from stonezdj/disable_self_reg
Update default self_registration=false
2019-10-16 17:41:21 +08:00
stonezdj
3636a1afa5 Update default self_registration=false
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-10-16 01:33:48 -07:00
He Weiwei
d9a539807b perf(test): speed up TestAddBlobsToProject test in dao pkg
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-10-14 16:46:01 +00:00
Daniel Jiang
ee9e92b6dd
Merge pull request #9157 from phin1x/master
Escape user dn in ldap group search filter
2019-10-14 16:41:27 +08:00
Wenkai Yin(尹文开)
7d0505593f
Merge pull request #8556 from chlins/feat/image-replication-adapter-for-quay.io
Feat/image replication adapter for quay.io
2019-10-14 09:16:45 +08:00
Steven Zou
a86afd6ebc Merge branch 'master' into feature/pluggable_scanner_s3_merge 2019-10-12 15:18:06 +08:00
wang yan
6f6f113f0f refactor robot api
1, add API controller for robot account, make it callable internally
2, add Manager to handler dao releate operation

Signed-off-by: wang yan <wangyan@vmware.com>
2019-10-11 17:26:18 +08:00
Steven Zou
58afd8e14b [stage3] support pluggable scanner
- implement scan controller
- add scan resource and update role bindings
- update registration model and related interfaces

Signed-off-by: Steven Zou <szou@vmware.com>

- implement scan API to do scan/get report/get log
- update repository rest API to produce scan report summary
- update scan job hook handler
- update some UT cases

- update robot account making content
- hidden credential in the job log

Commnet scan related API test cases which will be re-activate later
fix #8985

fix the issues found by codacy

Signed-off-by: Steven Zou <szou@vmware.com>
2019-10-11 12:53:02 +08:00
chlins
4ab3b864ae feat: add image replication adapter for quay.io
Signed-off-by: chlins <chlins.zhang@gmail.com>
2019-10-11 10:00:07 +08:00
stonezdj(Daojun Zhang)
a2938c5d78
Merge pull request #9274 from wy65701436/immu-refatctor
refactor immutable dao code to align the new structure under pkg
2019-10-10 10:38:22 +08:00
He Weiwei
4ce72e37c4 fix(robot): robot account improvement for policies
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-09-27 03:07:58 +00:00
wang yan
7c4fd79b5c refactor immutable dao code to align the new structure under pkg
1, add manager
2, move model dao to /pkg/dao

Signed-off-by: wang yan <wangyan@vmware.com>
2019-09-26 20:35:58 +08:00
stonezdj
cc22a175b9 Add immutable tag API
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-09-25 15:53:56 +08:00
stonezdj(Daojun Zhang)
ec559b0585
Merge pull request #9123 from stonezdj/immutable_tags
Add DAO for immutable tags
2019-09-23 21:46:07 +08:00
stonezdj
29d2bcce99 Add DAO for immutable tags
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-09-23 16:45:07 +08:00
Fabian
1467f4bbb1 Escape User DN
Signed-off-by: Fabian Weber <fa.weber@enbw.com>
2019-09-19 14:29:09 +02:00
Daniel Jiang
b21f9dc6f1 Support OIDC groups
This commit enable project admin to add group as project member when
Harbor is configured against OIDC as AuthN backend.

It populates the information of groups from ID Token based on the claim
that is set in OIDC settings.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-09-19 17:49:31 +08:00
Daniel Jiang
f36efa4dcd Add groups claim to OIDC configuration
This commit add the new setting "oidc_groups_claim" to Harbor's
configurations.
And add "group_claim" to OIDCSetting struct.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-09-16 15:54:14 +08:00
Daniel Jiang
753219834e
Merge pull request #8960 from ninjadq/upgrade_hash_alg_for_pswd
Upgrade hash alg for pswd
2019-09-12 11:22:39 +08:00
Wenkai Yin
089eb4c449 Add the port 8080 to the default URL of portal to avoid the health check API failure
We changed the listenning port of portal from 80 to 8080 to run the process as non-root user, but the change didn't update the default URL of portal in source code, this causes the health check API fail.

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-09-11 10:45:55 +08:00
DQ
ea5c27fcd5 Enhance: Upgrade encrypt alg to sha256
previous sha1 will still used for old password

Signed-off-by: DQ <dengq@vmware.com>
2019-09-09 21:48:21 +08:00
Wenkai Yin
3b07be5a72 Check the status behind error when trying to update the scan schedule
Check the status behind error when trying to update the scan schedule

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-09-09 13:31:10 +08:00
Wang Yan
2194834b41
Merge pull request #8910 from heww/foreign-layers
fix(quota): correct size quota for image with foreign layers
2019-09-03 00:29:24 +08:00
He Weiwei
f44b75f398 fix(quota): correct size quota for image with foreign layers
1. Sync blobs from manifest for image with foreign layers.
2. Ignore size of foreign layers when compute size quota.
3. Fix repo info of artifact when upgrade from 1.8 version.

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-09-02 14:10:58 +00:00
wang yan
d3f7d01a69 fix int out of range when to set usage in GC job
Signed-off-by: wang yan <wangyan@vmware.com>
2019-09-02 18:48:10 +08:00
wang yan
c28920c84f fix #8807
Format the error of mount blob, return a http error so that the core can parse it.

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-30 16:29:47 +08:00
wang yan
16b910e1cf fix(quota/sync) #8886
The foreign layer won't be counted into project quota
NOTE: the foreign layer will be dumped from the registry in the migration

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-29 17:29:40 +08:00
Wang Yan
db5781bf78
Merge pull request #8860 from wy65701436/fix-quota-sync
fix quota sync issues
2019-08-29 13:45:38 +08:00
wang yan
5decb56369 update code per review comments
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-29 12:46:42 +08:00
Wenkai Yin(尹文开)
5da4286ef4 Hard delete project metadata (#8856)
Hard delete project metadata

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-08-29 12:14:39 +08:00
wang yan
942e793f20 fix quota sync issues
1, fix #8858, add retry to ping backend service
2, fix #8859, split the blobs data when larger then 65535

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-28 18:59:25 +08:00
He Weiwei
2c1c816941
fix(database): generate db url by url.URL for schema upgrade (#8852)
Closes #7948

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-28 16:59:22 +08:00
Ziming
94138137d5
add valid for rule (#8846)
Change-Id: I82215a0cf1ec32a253c8db9bfafe7e25b26c9ad9
Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-08-28 16:58:49 +08:00
wang yan
19f543a025 fix sql in remove blob from project
the project id is missing in the method, that makes GC to clean all of items,
and if quota will not compute twice for the existing manifest.

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-28 00:38:11 +08:00
Wenkai Yin(尹文开)
7262cc4c1a
Merge pull request #8836 from wy65701436/update-quota-error
Revise quota errors to make it more readable
2019-08-27 11:34:36 +08:00
wang yan
f343b2ec45 Revise quota errors to make it more readable
1, fix #8802, update the error formet
2, fix #8807, raise the real retag error to UI
3, fix #8832, raise the real chart error to chart client & ut

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-26 17:00:31 +08:00
wang yan
e3155e00d6 fix #8815 :add remove untagged blob record in table project_blob
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-26 15:57:19 +08:00
mmpei
d5f87063e4
Merge branch 'master' into official-wehook-events-20190811 2019-08-22 22:07:12 -05:00
wang yan
2d569192ab fix quota count size for same manifest in different repo
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-23 00:56:45 +08:00
Wenkai Yin(尹文开)
21f8290110
Merge pull request #8777 from heww/issue-8635
fix(rbac): NewProjectNamespace in rbac only accept projectID
2019-08-22 17:52:27 +08:00
Wenkai Yin(尹文开)
6198ed2634
Merge pull request #8758 from heww/issue-8681
refactor(quota,middleware): skip overflow error when subtract resources
2019-08-22 13:54:01 +08:00
He Weiwei
8effdc6f18 fix(rbac): NewProjectNamespace in rbac only accept projectID
Closes #8635

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-21 19:37:28 +00:00
wang yan
e91ded65cb fix quota size usage in gc job, issue #https://github.com/goharbor/harbor/issues/8699
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-21 16:51:31 +08:00
Wang Yan
4bccb17236
Merge pull request #8749 from heww/issue-8493
fix(quota-driver): owner name of project quota reference object
2019-08-21 13:47:17 +08:00
He Weiwei
c22bf2539e refactor(quota,middleware): skip overflow error when subtract resources
1. Skip overflow error when subtract resources
2. Take up resources before handle request and put it back when handle
failed for add action in quota interceptor
3. Free resources only after handle success for subtract action in quota
interceptor

Closes #8681

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-20 14:41:55 +00:00
He Weiwei
8eb17be13c fix(quota-driver): owner name of project quota reference object
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-20 07:03:11 +00:00
stonezdj
7c7b6d2710 Normalize LDAP filter for user filter and group filter
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-08-20 10:55:30 +08:00
Daniel Jiang
f10fb67d6d
Merge pull request #8662 from stonezdj/email_sec2
Set default email to null if not provided
2019-08-20 09:01:50 +08:00
He Weiwei
75772aae11
refactor(quota): new error types for quota checking (#8726)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-19 19:00:29 +08:00
stonezdj
5fa8eb7854 Set default email to null if not provided
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-08-19 15:20:44 +08:00
Daniel Jiang
b3abd0316b
Merge pull request #8713 from reasonerjt/fix-8702
Avoid overwriting system CVE whitelist by mistake
2019-08-19 01:42:58 +08:00
Daniel Jiang
504202ecfd
Merge pull request #8378 from Typositoire/ldap/nested-groups
Search for LDAP_MATCHING_RULE_IN_CHAIN groups
2019-08-18 16:07:16 +08:00
Wang Yan
7a41d89ac8 Add quota sync api toi to sync quota data with backend storage
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-16 14:55:46 +08:00
Daniel Jiang
30bb2ddcdf Avoid overwriting system CVE whitelist by mistake
Fixes #8702
Also enforce the code to mitigate the potential risk.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-08-16 13:28:16 +08:00
Qian Deng
89aed1a1ea
Merge pull request #8672 from ywk253100/190815_content_length
Set content length when pushing blobs
2019-08-15 12:45:35 +08:00
Wenkai Yin
b94a99dded Set content length when pushing blobs
Set content length when pushing blobs

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-08-15 10:52:08 +08:00
Wang Yan
bf0b5a3fd0
Merge pull request #8663 from wy65701436/fix-quota-api
Fix quota switch fail to get project size
2019-08-15 10:49:49 +08:00
wang yan
a947a4259d Fix quota switch fail to get project size
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-14 22:32:32 +08:00
He Weiwei
98e1f68468 feat(configuration,db): connection pool configs for db
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-14 14:30:34 +08:00
wang yan
9e0addee55 Enable usage sync when switch quota setting
Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-14 12:47:12 +08:00
wang yan
76c52c2332 append commit to fix core compile error introduced by pr #8606
Signed-off-by: wang yan <wangyan@vmware.com>

Signed-off-by: wang yan <wangyan@vmware.com>
2019-08-14 00:22:55 +08:00
Steven Zou
1adc3a9469
Merge pull request #8606 from ywk253100/190807_stuck
Fix replication tasks stuck in "InProgress" issue
2019-08-13 15:59:20 +08:00
stonezdj(Daojun Zhang)
3e0191be5a
Merge pull request #8621 from stonezdj/project_sort
Sort project by name
2019-08-13 14:13:29 +08:00
He Weiwei
c1cea42089 feat(quota,middleware): enable or disable quota per project by config
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-12 00:02:26 +00:00
peimingming
222c47142a Add chart and scanning event for webhook
Signed-off-by: peimingming <peimingming@corp.netease.com>
2019-08-11 18:01:07 +08:00
stonezdj
65dc665717 Sort project by name
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-08-09 16:22:55 +08:00
Wang Yan
54a39c7159
Merge pull request #8597 from heww/size-quota
refactor(quota,middleware): implement size quota by quota interceptor
2019-08-09 15:44:33 +08:00
He Weiwei
e62c29123d refactor(quota,middleware): implement size quota by quota interceptor
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-08 23:55:54 +00:00
Wang Yan
9cbcc93e8a
Merge pull request #8602 from goharbor/webhook-dev-20190807
Add feature webhook implementation
2019-08-08 16:01:39 +08:00
Wenkai Yin
8777c07d47 Fix replication tasks stuck in "InProgress" issue
Fix replication tasks stuck in "InProgress" issue

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-08-08 15:42:42 +08:00
Yann David
6435f32bc5
Prevent duplicated entries
Signed-off-by: Yann David <davidyann88@gmail.com>
2019-08-07 13:16:43 -04:00
guanxiatao
e7fafd1941 webhook policy, job, event support
Signed-off-by: guanxiatao <guanxiatao@corp.netease.com>
2019-08-07 20:30:26 +08:00
cd1989
870d7115c4 Refactor code to extract a common task runner
Signed-off-by: cd1989 <chende@caicloud.io>
2019-08-07 17:14:10 +08:00
cd1989
e2e540233b Use context for concurrency control
Signed-off-by: cd1989 <chende@caicloud.io>
2019-08-07 17:14:10 +08:00
cd1989
1f541c890c Improve performance for other registry adapters
Signed-off-by: cd1989 <chende@caicloud.io>
2019-08-07 17:14:10 +08:00
Wenkai Yin(尹文开)
6c0c75743e
Merge pull request #8571 from ywk253100/190806_retention_time
Populate pull/push time properties to the returning data when listing tags
2019-08-07 12:41:23 +08:00
Wang Yan
305242e993
Merge pull request #8573 from stonezdj/change_trace_level
Change trace level of missing configure metadata
2019-08-07 12:41:00 +08:00
Wenkai Yin
216ef269b3 Populate pull/push time properties to the returning data when listing tags
Populate pull/push time properties to the returning data when listing tags

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-08-07 11:47:05 +08:00
stonezdj
05f9920e62 Change trace level of missing metadata
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-08-06 14:09:54 +08:00
Daniel Jiang
eec4fc2798 Remove clair notifier
The way Harbor handles notification is problematic.
It currently triggers rescan, which will cause problem when there are
lot of images in the registry.
Such as #7316
This commit removes the notifier and we need to revisit the notification
to figure out how to map the notification to a particular image if need
the notification mechanism in future.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-08-06 01:58:15 +08:00
stonezdj(Daojun Zhang)
12fb643f0a
Merge pull request #8557 from stonezdj/merge_user_group_roles
Merge user roles and group roles
2019-08-05 17:07:35 +08:00
stonezdj
35a49568ce Merge user roles and group roles
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-08-05 15:10:06 +08:00
Steven Zou
97c812a1e8
Merge pull request #8359 from nlowe/bugfix/logging-line-call-outside-repo-root
Fix logger line() call if built outside of the repo root
2019-08-05 14:49:06 +08:00
He Weiwei
9778954852 feat(quota,middleware): image count quota support
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-08-01 14:48:59 +08:00
He Weiwei
8cc9314984
feat(helm-chart,quota): count quota support for helm chart (#8439)
* feat(helm-chart,quota): count quota support for helm chart

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-31 16:48:40 +08:00
Wang Yan
0a92e61d97
Merge pull request #8485 from wy65701436/internal-reg-quota
add internal reg request handler chain
2019-07-30 20:47:21 +08:00
wang yan
4410cc93f9 add internal reg request handler chain
this is for internal registry api call, the request should be intercpeted by quota middlerwares, like retag and delete.
Note: The api developer has to know that if the internal registry call in your api, please consider to use
NewRepositoryClientForLocal() to init the repository client, which can handle quota change.

Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-30 19:39:56 +08:00
Wenkai Yin(尹文开)
9e6b022ce1
Merge pull request #8425 from ywk253100/190726_acr
Fix #8319, got error when replicating image with Azure container registry
2019-07-30 15:19:12 +08:00
Wenkai Yin
4dac036013 Fix #8319, got error when replicating image with Azure container registry
Fix #8319, got error when replicating image with Azure container registry

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-07-30 12:58:22 +08:00
Daniel Jiang
2211be7a80
Merge pull request #8446 from reasonerjt/group-perm-merge
Update GetRolesByGroupID
2019-07-29 19:11:51 +08:00
Daniel Jiang
37b7ab6174 Update GetRolesByGroupID
This commit fixes #8432
When querying the role of group ID, all matched roles should be returned
instead of the minimal role ID.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-07-29 11:24:35 +08:00
wang yan
a23ff4e448 Update pull time in artifact table for docker image pull
Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-28 12:30:20 +08:00
Wang Yan
b9ea3731f7
Merge pull request #8350 from wy65701436/blob-flow-dev
Add size middleware to support quota
2019-07-26 01:25:40 +08:00
Wang Yan
1dfc47d24e Add size middleware to support quota
[Add]:
1, size middleware for quota size
2, count middleware for quota artifact count

[Support]:
1, put, patch, mount blob
2, put manifest

[Refactor]:
1, Add handle response for middlerware
2, Remove the modifyResponse for registry proxy
3, Use the custom response writer to recored status

Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-26 00:28:36 +08:00
He Weiwei
f3a2280033
Merge pull request #8384 from heww/quota-apis
feat(quota,api): APIs for quotas
2019-07-25 15:19:46 +08:00
He Weiwei
e625f2aa11 feat(quota,api): APIs for quotas
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-25 13:40:26 +08:00
wang yan
4763864dae merge with latest master code with quota feature branch
Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-24 08:47:05 -07:00
Steven Zou
c44747fd3c merge code from master and fix conflicts
Signed-off-by: Steven Zou <szou@vmware.com>
2019-07-24 17:27:37 +08:00
Ziming
43c2af9857 map retention with policy (#8313)
Signed-off-by: Ziming Zhang <zziming@vmware.com>

Implement the API and controller of tag retention
 - API handler
 - retention controller
 - dao
2019-07-24 17:22:26 +08:00
He Weiwei
ce58c58c01 feat(quota,api): quota support for create project API
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-24 01:02:51 +08:00
Yann David
51eb8bc60f
Search for LDAP_MATCHING_RULE_IN_CHAIN groups
Signed-off-by: Yann David <davidyann88@gmail.com>
2019-07-23 12:19:56 -04:00
Wenkai Yin
7362fae7cc Implement a common scheduler
Implement a common scheduler that can be used globally

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-07-23 17:20:31 +08:00
wang yan
2292954a31 Merge branch 'master' of https://github.com/goharbor/harbor into project-quota-dev 2019-07-22 15:46:09 +08:00
Wang Yan
e8565a4539
Merge pull request #8335 from reasonerjt/add-oidc-ping-api
Add API to ping OIDC endpoint
2019-07-22 14:30:24 +08:00
Wang Yan
834e604ec0
Merge pull request #8246 from ninjadq/fix_chart_museum_500_error
Fix: Internal server error with messy code when chartmuseum not work
2019-07-22 11:07:55 +08:00
Nathan Lowe
b4e169db26
Fix logger line() call if built outside of the repo root
If harbor is built (or `go test`'d) in a different folder than the repo
root, the call to common/utils/log/line(...) will panic with an index
out of range runtime error because the separator can't find `harbor/src`
in the path.

Signed-off-by: Nathan Lowe <public@nlowe.me>
2019-07-21 22:30:17 -04:00
Wenkai Yin
5f1d2bd644 Fix package import cycle issue
Fix package import cycle issue

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-07-19 13:50:55 +08:00
He Weiwei
9c9b8d3a6d Merge branch 'master' into project-quota-dev 2019-07-19 10:02:51 +08:00
Daniel Jiang
96e2e0b145 Add API to ping OIDC endpoint
This commit adds an API to help admin verify the OIDC endpoint is a
valid one.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-07-18 19:32:12 +08:00
stonezdj
13772b859e Fix OnBoardGroup issue
Signed-off-by: stonezdj <stonezdj@gmail.com>

Fix issue when adding a HTTP user group to a project member, returns HTTP 500 error.
2019-07-18 19:19:09 +08:00
Steven Zou
746d082e2e Merge branch 'master' into feature/tag_retention 2019-07-18 10:40:49 +08:00
Wenkai Yin(尹文开)
a64e089773
Merge pull request #8210 from stonezdj/http_group_dao2
Add HTTP group support
2019-07-17 15:22:36 +08:00
DQ
af58195a29 Fix: Internal server error with messy code when chartmuseum not work
log err when doesn't get data from chart museum

Signed-off-by: DQ <dengq@vmware.com>
2019-07-17 15:14:50 +08:00
Ziming Zhang
815901ea33 fix
Signed-off-by: Ziming Zhang <zziming@vmware.com>
Change-Id: I3f2d3c7f1e32b4983c31c23d9753f04239e3c82f
Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-07-16 19:24:40 +08:00
stonezdj
bb2ae7c093 Add HTTP group feature
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-07-16 15:38:46 +08:00
Ziming Zhang
c22c38994a retention api
Change-Id: I70f2c34d6bb96ecf4cb5359e2b1ab2dbb99fdbf9
Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-07-16 15:06:37 +08:00
Wang Yan
8ac6bdbbb0 Add quota workflow for quota
1, apply count for manifest if it's a new image
2, insert data for artifact and artifact_blob

Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-16 14:48:05 +08:00
wang yan
f066d986b9 merge with latest master code 2019-07-11 20:21:15 +08:00
Wang Yan
b98ca7bf0b
Merge pull request #8237 from wy65701436/redis-locker
add redis lock
2019-07-11 20:10:16 +08:00
wang yan
ef14f0cf35 add redis lock, it will be used to lock digest in the quota scenario
Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-11 19:24:24 +08:00
Wenkai Yin(尹文开)
3bebf7bc64
Merge pull request #8238 from reasonerjt/project-cve-whitelist
Enable project level CVE whitelist
2019-07-10 14:41:01 +08:00
Wang Yan
155b0b0acd
Merge pull request #8175 from heww/quota-manager
Add manager for quota
2019-07-10 11:03:57 +08:00
wang yan
6d0271ee5c Merge branch 'master' of https://github.com/goharbor/harbor into project-quota-dev 2019-07-10 10:57:10 +08:00
He Weiwei
41ba410bb2 Manager for quota
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-09 13:59:48 +08:00
wang yan
24c3753581 add dao of artifact
Signed-off-by: wang yan <wangyan@vmware.com>

Add dao for quota

Signed-off-by: He Weiwei <hweiwei@vmware.com>

fix govet

Signed-off-by: wang yan <wangyan@vmware.com>
2019-07-08 23:42:50 +08:00
Daniel Jiang
8f5f0031c7 Enable project level CVE whitelist
This commit update the project API to support "reuse_sys_cve_whitelist"
setting in project metadata and "cve_whitelist" in project request.
Also modify the interceptor to support project level CVE whitelist if
the reuse flag is false.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-07-08 18:55:54 +08:00
Daniel Jiang
c296f0ddfb
Merge pull request #8176 from stonezdj/http_group
Refactor LDAP usergroup
2019-07-08 09:54:31 +08:00
stonezdj
c0ed55445d Refactor LDAP group
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-07-05 14:44:18 +08:00
Daniel Jiang
88a5572f8e Reload OIDC provider older than 3 seconds
This commit make sure the OIDC is more actively recreated, to mitigate
the problem in #8177

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-07-04 14:55:34 +08:00
He Weiwei
4fedfa6580 Add dao for quota
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-04 11:53:26 +08:00
Daniel Jiang
5d887ad0d8
Merge pull request #8179 from reasonerjt/interceptor-use-whitelist
Apply CVE white list in interceptor
2019-07-03 15:12:33 +08:00
Daniel Jiang
bba4b2a6a4 Apply CVE white list in interceptor
Interceptor will filter the vulnerability in whitelist while calculating
the serverity of an image and determine whether or not to block client
form pulling it.

It will use the system level whitelist in this commit, another commit
will switch to project level whitelist based on setting in a project.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-07-03 14:13:00 +08:00
He Weiwei
720dcc72bd Fix read permission of project member read api
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-07-02 14:40:46 +08:00
Ziming
af548e915e
Merge branch 'master' into replication_gcr_1.9 2019-06-27 11:27:33 +08:00
Steven Zou
5521b7b7ad
Merge pull request #7915 from bitsf/replication_ecr_1.9
aws driver for replication
2019-06-27 11:24:54 +08:00
Daniel Jiang
4aca812ff2 API for system level vulnerability whitelist
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-06-26 23:35:40 +08:00
Ziming Zhang
072bdd101b aws driver for replication
Change-Id: I8792ffce2eaa5975359bb6159a1ba7b85926a925
Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-06-25 19:11:27 +08:00
Ziming Zhang
e387c63242 gcr driver for replication
Change-Id: I5a6626950d3878bfa9726b332e68bee59159269f
Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-06-25 18:08:10 +08:00
wang yan
a4b202d656 remove the id in the post body when to create a robot account
Signed-off-by: wang yan <wangyan@vmware.com>
2019-06-11 10:47:56 +08:00
wang yan
056cfc7e31 Return account id when to issue a robot
Signed-off-by: wang yan <wangyan@vmware.com>
2019-05-22 10:39:26 +08:00
wang yan
2068732eef add validation for robot account registration
Signed-off-by: wang yan <wangyan@vmware.com>
2019-05-15 15:03:35 +08:00
Wang Yan
774a9f8d75
Remove unused configure item cfg_expiration (#7744)
Signed-off-by: wang yan <wangyan@vmware.com>
2019-05-09 22:07:18 +08:00
Daniel Jiang
cbbf2ea973 Redirect regular user to OIDC login page (#7717)
When the auth mode is OIDC, when a user login via Harbor's login form.
If the user does not exist or the user is onboarded via OIDC, he will be
redirected to the OIDC login page.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-05-09 10:53:40 +08:00
Wang Yan
095f7b2ff7
add scan all and gc schedule migration (#7628)
* add scan all and gc schedule migration

Signed-off-by: wang yan <wangyan@vmware.com>

* Fix gofmt errors

Signed-off-by: wang yan <wangyan@vmware.com>

* Update code according to review comments

Signed-off-by: wang yan <wangyan@vmware.com>

* remove convertschedule return name just return value

Signed-off-by: wang yan <wangyan@vmware.com>
2019-05-08 19:11:33 +08:00
Daniel Jiang
4118769088 print more sectors of file path in logger
This would help as we have more and more source files having duplicated
names.
Fixes #7202

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-05-08 15:49:19 +08:00
Daniel Jiang
c16b44d30b Make sure panic is not thrown when refresh token
Fixes #7695

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-05-07 20:30:07 +08:00
Wenkai Yin
d74624d306 Iterate all paginations when listing projects and repositories (#7660)
Iterate all paginations when listing projects and repositories

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-05-07 13:34:48 +08:00
Wenkai Yin
e64a71d809
Merge pull request #7594 from wy65701436/fix-gc-log
Fix get log issue of Periodic job
2019-04-30 10:19:17 +08:00
He Weiwei
37a4f1c982 Remove push+pull action (#7571)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-04-29 15:37:10 +08:00
wang yan
02c7cbeec2 Fix get log issue of Periodic job
Use the latest error or success execution as the periodic job log

Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-29 15:30:05 +08:00
Wenkai Yin
c53d73775a
Merge pull request #7590 from reasonerjt/oidc-wrong-secret-err
Return more details for error in exchange token
2019-04-29 14:22:37 +08:00
Wang Yan
c26f655bce
add periodic job UUID to upstream job id and use execution log as the… (#7530)
* add periodic job UUID to upstream job id and use execution log as the periodic log

Signed-off-by: wang yan <wangyan@vmware.com>

* add comments to fix codacy

Signed-off-by: wang yan <wangyan@vmware.com>

* Update code per comments

Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-28 15:09:56 +08:00
Wenkai Yin
7af679af7e
Merge pull request #7567 from reasonerjt/oidc-google-refresh-token
Persist the new token in DB after login
2019-04-28 14:12:25 +08:00
Daniel Jiang
15626fcae0 Return more details for error in exchange token
This commit update the response off OIDC callback when there's error in exchange token.
Additionally add comments to clarify that by default 500 error will not
contain any details.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-28 13:41:53 +08:00
Wenkai Yin
2a463016a9 Upgrade the distribution and notary library (#7516)
* Return 404 when the log of task doesn't exist

Return 404 when the log of task doesn't exist

Signed-off-by: Wenkai Yin <yinw@vmware.com>

* Upgrade the distribution and notary library

Upgrade the distribution library to 2.7.1, the notary library to 0.6.1

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-28 12:00:26 +08:00
Daniel Jiang
473fed5689 Persist the new token in DB after login
This commit make sure the token is persist to DB after every time after
a user logs in via OIDC provider, to make sure the secret is usable for
the OIDC providers that don't provide refresh token.

It also updates the authorize URL for google to make sure the refresh
token will be returned.

Also some misc refinement included, including add comment to the
OIDC onboarded user, preset the username in onboard dialog.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-27 23:03:59 +08:00
Wenkai Yin
6511417ba6
Merge pull request #7495 from stonezdj/const_debts
Replace string with const in metadatalist.go
2019-04-25 17:41:04 +08:00
stonezdj
504eab56c3 Replace string with const in metadatalist.go
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-04-25 17:01:43 +08:00
Wenkai Yin
7160e411cc
Merge pull request #7498 from ywk253100/190423_docker_hub
Support replicate public repositories from Docker Hub
2019-04-24 17:17:23 +08:00
Wenkai Yin
66087aac82
Merge pull request #7493 from stonezdj/tech_debts
Remove adminserver in sourcecode
2019-04-24 16:24:59 +08:00
Steven Zou
9bd2de3e35
Merge pull request #7452 from steven-zou/fix_issues_for_jobservice
Fix issues for jobservice
2019-04-24 16:15:43 +08:00
Wenkai Yin
5629bf8546 Support replicate public repositories from Docker Hub
Support replicate the public repositories from Docker Hub without providing the credential

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-24 16:15:31 +08:00
Steven Zou
9bcbe2907b fix go vet issues in the code
Signed-off-by: Steven Zou <szou@vmware.com>
2019-04-24 07:31:37 +08:00
stonezdj
d7798a12d2 Remove adminserver in sourcecode
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-04-23 15:05:29 +08:00
wang yan
1b4c75af25 Add event into upload ctx
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-23 10:57:31 +08:00
wang yan
df6e0600c9 Fix chart upload issue on event based
Use chart API to load the uploaded chart file to get the name and version

Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-23 10:57:31 +08:00
Steven Zou
3937c8b0dc Merge branch 'master' into fix_issues_for_jobservice 2019-04-22 19:26:51 +08:00
Daniel Jiang
1fdc2e6ba9 Provide API to generate CLI secret
This commit provide an API to allow a user that is onboarded via OIDC
authn update his CLI secret.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-22 13:34:12 +08:00
Steven Zou
8e734407c0 Merge branch 'master' into fix_issues_for_jobservice 2019-04-19 21:15:21 +08:00
stonezdj(Daojun Zhang)
36d13e8243
Merge pull request #7328 from stonezdj/debts
Fix issue 6450 Test LDAP server error without save configuration
2019-04-19 16:51:57 +08:00
Steven Zou
f8feaa192e add get scheduled and periodic executions APIs
Signed-off-by: Steven Zou <szou@vmware.com>
2019-04-19 13:54:23 +08:00
Wenkai Yin
059b75e97c
Merge pull request #7392 from reasonerjt/oidc-logout
Handle OIDC user invalidation from OIDC provider.
2019-04-19 12:46:36 +08:00
Daniel Jiang
239b33c5fb Handle OIDC user invalidation from OIDC provider.
Ths commmit ensures that when user's token is invalidated OIDC provider, he
cannot access protected resource in Harbor with the user info in his session.
We share the code path with secret verification b/c the refresh token
can be used only once, so it has to be stored in one place.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-19 01:27:31 +08:00
Steven Zou
16f97326ad
Merge pull request #7433 from goharbor/replication_ng
Merge the replication ng branch to master
2019-04-18 16:35:45 +08:00
Steven Zou
1f481e492c Refactor job servcie primary logic to fix related bugs
Signed-off-by: Steven Zou <szou@vmware.com>
2019-04-18 16:02:49 +08:00
stonezdj
41a574e55c Fix issue 6450 Test LDAP server error without save configuration
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-04-18 14:24:21 +08:00
wang yan
ba76550d14 Disable throw internal error to UI
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-18 00:04:19 +08:00
wang yan
e017294f71 merge with master latest
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-17 17:52:39 +08:00
Wang Yan
a6af9e9972
Support well-formatted error returned from the REST APIs. (#6957)
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-17 16:43:06 +08:00
wang yan
7a373c2eed Add event trigger to helm upload/deletion replication
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-15 19:02:33 +08:00
Wenkai Yin
c222f18fa7 Update replication
1. Refine the health check of docker hub
2. Remove the GetNamespace method from adapter interface

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-13 15:20:06 +08:00
Daniel Jiang
f92bc8076d "Skip verify cert" to "verify cert"
This commit tweaks the attribute for auth proxy mode and OIDC auth mode.
To change it from "Skip verify cert" to "verify cert" so they are more
consistent with other modes.
Additionally it removes a workaround in `SearchUser` in auth proxy
authenticator.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-12 23:25:54 +08:00
Daniel Jiang
763c5df010 Add UT
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-11 15:30:19 +08:00
Wenkai Yin
b73acde051 Support the migration for scheduled replication rule from previous version of Harbor
Support the migration for scheduled replication rule from previous version of Harbor

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-11 13:14:32 +08:00
Daniel Jiang
0d18e6c82f Update according to comments
For more context see PR #7335

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-10 19:38:12 +08:00
Daniel Jiang
0a2343f542 Support secret for docker CLI
As CLI does not support oauth flow, we'll use secret for help OIDC user
to authenticate via CLI.
Add column to store secret and token, and add code to support
verify/refresh token associates with secret.  Such that when the user is
removed from OIDC provider the secret will no longer work.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-10 19:38:11 +08:00
Daniel Jiang
08e00744be Fix misc bugs for e2e OIDC user onboard process
This commit adjust the code and fix some bugs to make onboard process
work.
Only thing missed is that the UI will need to initiate the redirection,
because the request of onboarding a user was sent via ajax call and didn't
handle the 302.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-10 19:38:11 +08:00
Wenkai Yin
580674f3da Merge remote-tracking branch 'upstream/master' into 190409_sync 2019-04-09 17:01:09 +08:00
Wenkai Yin
855c0a2a6e
Merge pull request #7194 from stonezdj/remove_error_msg
Remove error message of saving system setting to db
2019-04-09 12:02:17 +08:00
Wenkai Yin
d72a53aa0c
Merge pull request #7318 from ywk253100/190408_upgrade
Upgrade the replication_job table
2019-04-08 22:43:40 +08:00
Wenkai Yin
4ffa0c3da0 Upgrade the replication_job table
This commit migrates the replication_job table, add one execution record and one task record for each job

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-08 22:23:53 +08:00
stonezdj
e8ab7156bc Remove error message of saving system setting to db
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-04-08 18:16:18 +08:00
cd1989
5a2d03593f Add helth check method to registry adapter
Signed-off-by: cd1989 <chende@caicloud.io>
2019-04-08 10:03:28 +08:00
Wenkai Yin
e8fe2aa60c Upgrade the registry and replication policy tables
Upgrade the registry and replication tables in database

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-05 13:25:00 +08:00
Wenkai Yin
4116433de8
Merge pull request #7306 from ywk253100/190404_cleanup
Remove the useless replication code
2019-04-04 21:18:04 +08:00
Wenkai Yin
c2f702be2a Remove the useless replication code
This commit removes the useless replication code

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-04 20:56:25 +08:00
Wenkai Yin
b66b1f341e Merge remote-tracking branch 'upstream/master' into 190404_sync 2019-04-04 14:55:09 +08:00
Yan
da0e20ec60
Add controller to onboard oidc user (#7286)
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-03 20:47:22 +08:00
wang yan
dcf1d704e6 fix dao UT issue and refine the error of onboard OIDC user
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-03 14:05:18 +08:00
wang yan
41018041f7 remove oidc controller and add more UTs
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-03 09:54:21 +08:00
Yan
0de5999f52 add the controller for ocdi onboard user
Signed-off-by: wang yan <wangyan@vmware.com>
2019-04-03 09:52:22 +08:00
Wenkai Yin
74efee569e Update the registry client to support pulling public images from docker hub without login
Only add the authentication info when the username is provided to support pulling public images from docker hub without login

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-04-01 19:15:07 +08:00
Daniel Jiang
587acd33ad Add callback controller for OIDC
This commit add callback controller to handle the redirection from
successful OIDC authentication.
For E2E case this requires callback controller to kick off onboard
process, which will be covered in subsequent commits.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-04-01 12:35:31 +08:00
Wenkai Yin
8c7b63bac2
Merge pull request #7248 from ywk253100/190326_event
Add event based trigger and scheduled trigger
2019-03-29 14:58:09 +08:00
Wenkai Yin
4f8e283e8e Add event based trigger and scheduled trigger
This commit implements the event based trigger and scheduled trigger in replilcation

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-03-29 13:48:34 +08:00
Daniel Jiang
9ce98f4acd Add controller to handle oidc login
The controller will redirect user to the OIDC login page based on
configuration.
Additionally this commit add some basic code to wrap `oauth2` package
and `provider` in `go-oidc`, and fixed an issue in UT to make
InMemoryDriver for config management thread-safe.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-03-28 11:29:05 +08:00