Commit Graph

585 Commits

Author SHA1 Message Date
Daniel Jiang
a087ba02e3 Populate basic auth information for registry
This commit updates `prepare` and templates to populate the credential
for registry for basic authentication.

A temporary flag `registry_use_basic_auth` was added to avoid breakage.
It MUST be removed before the release.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-31 14:50:46 +08:00
stonezdj(Daojun Zhang)
8ceb0e5eff
Merge pull request #10350 from reasonerjt/tokenreview-onboard
Onboard user when doing token review
2019-12-27 17:18:47 +08:00
Daniel Jiang
cc63fa7b7a Disable XSRF check for /service/token
This commit disables XSRF check for "service/token" so that when
containerd sends `POST` it will not return 403 and containerd can
fallback to `GET` to complete the workflow.

Fixes #10305

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-27 14:01:40 +08:00
Daniel Jiang
f3fcc37244 Onboard user when doing token review
This commit will make the "tokenreview" security filter onboard
user if the request carries a valid token.  If the "skipsearch" flag in
http_auth setting is set to false the onboard will fail.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-25 19:32:41 +08:00
Wenkai Yin(尹文开)
56dc0bb71f
Merge pull request #10324 from wy65701436/common-error-13
add OCI error format support
2019-12-25 17:44:35 +08:00
wang yan
ebe5bb68b9 add OCI error format support
1, Leverage go v1.13 new error feature
2, Define genernal error OCI format, so that /v2 API could return a OCI compatible error

Signed-off-by: wang yan <wangyan@vmware.com>
2019-12-25 17:07:26 +08:00
Wenkai Yin(尹文开)
c1522d3c36
Merge pull request #10261 from stonezdj/20191211_ldap_group_admin_dn
Fix admin permission not revoked when removed from LDAP admin group(Do Not Merge)
2019-12-24 14:37:28 +08:00
stonezdj
6313a55219 Fix admin permission not revoked when removed from LDAP admin group
Seperate the HasAdminRole(In DB) with the privileges from external auth, and use user.HasAdminPrivilege to check

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-12-20 13:12:22 +08:00
Ziming
e32649adb4 enhance[cicd] introduce github action for CICD
In order to replace travis.
Implement 5 CI jobs
- UTTEST
- APITEST_DB
- APITEST_LDAP
- OFFLINE
- UI_UT

Signed-off-by: Ziming Zhang <zziming@vmware.com>
2019-12-17 18:36:33 +08:00
Daniel Jiang
7bd19f497c Stastics API should handle group members
statistic API use security Context to list project rather than calling
projectmanager directly, such that the group membership will be taken
into account.
fixes #10230

It should be cherry picked to 1.9.x and 1.10.x branches

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-11 18:52:43 +08:00
Wenkai Yin(尹文开)
dda6f638a9
Merge pull request #10154 from wy65701436/fix-10092-cp
[cherry-pick] improve pulling vulnerable images warning message
2019-12-06 13:56:13 +08:00
Wenkai Yin
4043ef8aa9 Sort the tag before returning the list when calling API
Sort the tag before returning the list when calling API list tag API

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-12-05 19:50:45 +08:00
wang yan
317149160d improve pulling vulnerable images warning message
To make the message more friendly and readable for the end-user

Signed-off-by: wang yan <wangyan@vmware.com>
2019-12-05 14:32:34 +08:00
Wang Yan
2fb1cc89d9
Merge pull request #10031 from ywk253100/191128_config
Fix bug when trying to get the external URL
2019-12-05 14:26:54 +08:00
Wang Yan
9016c427b9
Merge pull request #10136 from reasonerjt/rm-authproxy-case-sensitive
Get rid of case-sensitivity in authproxy setting
2019-12-05 14:26:18 +08:00
Daniel Jiang
d58f5e4bdc Get rid of case-sensitivity in authproxy setting
This commit removes the attribute to control case-sensitivity from
authproxy setting.
The result in token review status will be used as the single source of
truth, regardless the case of the letters in group names and user names.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-04 21:39:40 +08:00
Wenkai Yin(尹文开)
d145f4baf4
Merge pull request #10034 from ywk253100/191128_clean
Clean up admiral-related code
2019-12-04 17:33:31 +08:00
Daniel Jiang
902598fabd Support pinning to authproxy server's cert
This commit add an attribute to configurations, whose value is the
certificate of authproxy server.  When this attribute is set Harbor will
pin to this cert when connecting authproxy.
This value will also be part of the response of systemInfo API.

This commit will be cherrypicked to 1.10 and 1.9 branch.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-12-03 07:31:26 +08:00
Wenkai Yin
dd2bc0ecef Clean up admiral-related code
Clean up admiral-related code as it's useless

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-11-28 17:28:54 +08:00
Wenkai Yin
2498d597b4 Fix bug when trying to get the external URL
Fix bug when trying to get the external URL

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-11-28 10:51:42 +08:00
Daniel Jiang
030637efbf
Merge pull request #10002 from reasonerjt/groups-review-token-filter
populate group list when doing token review
2019-11-27 15:18:03 +08:00
Daniel Jiang
3664bf36d2 populate group list when doing token review
This commit fixes #9869
It has some refactor to make sure the group is populated when user is
authenticated via tokenreview workflow.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-26 13:31:42 +08:00
Daniel Jiang
b2b531d3af Update minimum length of project name
This commit fixes #9946, that when creating a project the minimum length
should be 1, not 2.

This commit should be cherry picked to 1.9.x and 1.10.x branch .

We need to double check if this change impacts the creation of replication
rule.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-26 12:41:51 +08:00
He Weiwei
fec76c3d57
fix(limited-guest): fix limited guest info missing in summary page (#9957)
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-22 10:03:02 +08:00
Daniel Jiang
4e1bac4b82
Merge pull request #9820 from reasonerjt/oidc-cli-secret-group
Populate user groups during OIDC CLI secret verification
2019-11-19 03:03:38 -08:00
Daniel Jiang
64af09d52b Populate user groups during OIDC CLI secret verification
This commit refactors the flow to populate user info and verify CLI
secret in OIDC authentication.

It will call the `userinfo` backend of OIDC backend and fallback to
using the ID token if userinfo is not supported by the backend.

It also makes sure the token will be persisted if it's refreshed during
this procedure.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-18 23:53:05 -08:00
Wang Yan
bc0ff095c3
Merge pull request #9899 from heww/fix-9767
fix(scanner): process scenario reinstall without clair flag
2019-11-19 13:17:28 +08:00
Wang Yan
eab974419c
Merge pull request #9825 from stonezdj/bug_9681
Avoid to create duplicated immutable tag rules in the same project
2019-11-18 17:26:22 +08:00
He Weiwei
0c068d81f5
feat(vuln-severity): map negligible to none to match CVSS v3 ratings (#9885)
BREAKING CHANGE: the value negligible of severity in project metadata will change to none in the responses of project APIs

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-18 14:36:51 +08:00
He Weiwei
0246ca7aa4 fix(scanner): process scenario reinstall without clair flag
1. Fix name conflict when install internal clair adapter.
2. Remove all internal adapters when reinstall harbor without --with-clair flag

Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-15 09:47:30 +00:00
Wang Yan
6e03c8a54e
Merge pull request #9896 from heww/owner-check-for-project-member-robot-account
fix(robot,project-member): check owner of member, robot when update, …
2019-11-15 16:53:22 +08:00
stonezdj
15898f2069 Avoid to create duplicated immutable tag rules in the same project
Fix #9681, add constraint on immutable_tag_rule and catch the error

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-15 14:46:23 +08:00
Wang Yan
88773436c9
Merge pull request #9865 from wy65701436/quota-event
add quota exceed event imple
2019-11-15 11:37:19 +08:00
Wang Yan
4bec9bbfc6
Merge pull request #9875 from wy65701436/middleware-policy-checker
enable policy checker in response handler
2019-11-14 18:31:50 +08:00
wang yan
a39e1a2a34 enable policy checker in response handler
Signed-off-by: wang yan <wangyan@vmware.com>
2019-11-14 15:39:29 +08:00
He Weiwei
5bd1cfdbf2 fix(robot,project-member): check owner of member, robot when update, delete
Signed-off-by: He Weiwei <hweiwei@vmware.com>
2019-11-14 07:00:44 +00:00
Wang Yan
29be93725d
Merge pull request #9860 from reasonerjt/authproxy-case-sensitive-master
Authproxy case sensitive master
2019-11-14 14:03:53 +08:00
Daniel Jiang
6f0b4a139a
Merge pull request #9838 from stonezdj/fix_review
Fix review comments on PR9749
2019-11-14 13:12:56 +08:00
Wang Yan
10850a06d8
Merge pull request #9859 from ywk253100/191113_subresource_1.10
Refine the implementation of replication execution API
2019-11-14 11:30:10 +08:00
wang yan
f8390c5ec1 add quota exceed event imple
Signed-off-by: wang yan <wangyan@vmware.com>
2019-11-14 10:27:18 +08:00
stonezdj
a3c298e9fd Refactor immutable tag rule
Change implementation
Fix some nil pointer issue

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-13 19:09:31 +08:00
Daniel Jiang
8933ab8074 Add configuration "case sensitive" to HTTP auth proxy
This commit make case sensitivity configurable when the authentication
backend is auth proxy.
When the "http_authproxy_case_sensitive" is set to false, the name of
user/group will be converted to lower-case when onboarded to Harbor, so
as long as the authentication is successful there's no difference regardless
upper or lower case is used.  It will be mapped to one entry in Harbor's
User/Group table.
Similar to auth_mode, there is limitation that once there are users
onboarded to Harbor's DB this attribute is not configurable.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-13 15:00:05 +08:00
Wenkai Yin
54c5811974 Update the test cases of user API
Update the test cases of user API

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-11-13 14:51:29 +08:00
Wenkai Yin
05ffb7a3c5 Refine the implementation of replication execution API
Remove the duplicated code in replication execution API

Signed-off-by: Wenkai Yin <yinw@vmware.com>
2019-11-13 14:26:57 +08:00
stonezdj
4d822e0a19 Fix review comments on PR9749
Fix review comments on PR9749
Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-12 13:05:11 +08:00
wang yan
c6fecf75d8 update immutable tag error message format
Signed-off-by: wang yan <wangyan@vmware.com>
2019-11-12 12:51:17 +08:00
Wang Yan
407417ce7b
Merge pull request #9810 from stonezdj/bug9479
Populate group from auth provider to Harbor when user login
2019-11-11 19:52:31 +08:00
stonezdj
0c011ae717 Populate group from auth provider to Harbor DB when user login
Fix #9749, change include LDAP auth, OIDC auth, HTTP auth

Signed-off-by: stonezdj <stonezdj@gmail.com>
2019-11-11 14:41:35 +08:00
Daniel Jiang
64dc5122e6 Add role list in project response
This commit fixes #9771

It compares the roles to return the one with highest permission in the
response of `GET /api/projects`.
In addition to that, it adds the role list to the response, because a
user can have multiple roles in a project.
It also removes the togglable attribute as it's not used anywhere.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2019-11-11 14:03:50 +08:00
wang yan
415bdfa61f Disable policy check when pull without bearer token
This commit is to fix https://github.com/goharbor/harbor/issues/9780.
To align with OCI spec, when a docker pull request without bearer token in header comes in, Harbor should not intecepte it(return a 412 if check fail)
when the policy check is enabled. As the 401 is expected by the docker/caller, and then to ask token service which url is in the 401 header.

Signed-off-by: wang yan <wangyan@vmware.com>
2019-11-08 13:59:30 +08:00