1. Use ctx from http request for the readonly middleware.
2. Refactor the AuthenticateHelper to let it get orm from ctx of the http request.
3. Change to use ctx from http request for oidc and authproxy http handlers.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
1, add permission check for API of List Projects
2, add permission check for API of List Repositories
3, use the self defined query to handle both names and public query
Signed-off-by: wang yan <wangyan@vmware.com>
1, deprecate support for version 1 robot support, the robotv1 cannot be used anymore.
2, reserve the /project/{id_or_name}/robots api.
After the PR, user cannot use the robotv1 to login, and do any interaction with Harbor,
but still can view & delete them with UI or API.
Signed-off-by: Wang Yan <wangyan@vmware.com>
The robotv1 context uses the robot$ as a hardcoded prefix to identify robot account, it will raise error
for a valid robotv2 account with this prefix.
Update the log level to avoid the redundant logs for the default installation.
Signed-off-by: Wang Yan <wangyan@vmware.com>
There are code in the core component to conditionally execute code based
on the pattern of url path, and different ingress controller or reverse
proxy may handle the dup slashes in the url path differently.
This commit merge dup slashes in the url paths to make things more
consistent.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit enhances the v2auth middleware, such that any un-recognized
request sent to /v2/ will be blocked.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Fixes#14822
When upstream registry not working, but status might stay healthy because the health check interval is 5 minutes, if a pull request comes before registry status turns to unhealthy, the proxy cache middleware might proxy the request to the upstream registry and get a 401 error and this 401 error might translate to a http 500 error to the client eventually.
To solve this issue, it fall back all error to local registry when proxying manifest except the NotFoundError from the local registry.
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit moves more user related funcs, such as ChangePassword,
Login, ChangeUserProfile from common/dao to rely on /pkg/user and
pkg/oidc.
It also removes the code for resetting user's password as it's disabled.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commits make sure when the request does not carry authorization
headers, the HEAD and GET will get the same response code. This change
should be made due to #14711
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Changes include:
1. Move core/config to controller/config
2. Change the job_service and gcreadonly to depends on lib/config instead of core/config
3. Move the config related dao, manager and driver to pkg/config
4. Adjust the invocation of the config API, most of then should provide a context parameter, when accessing system config, you can call it with background context, when accessing user config, the context should provide orm.Context
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit adds the attribute "http_authproxy_admin_usernames", which
is string that contains usernames separated by comma, when a user logs
in and the username in the tokenreview status matches the setting of
this attribute, the user will have administrator permission.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* Refactor registry API
Refactor registry API
Signed-off-by: Wenkai Yin <yinw@vmware.com>
* Fix bugs of replications
1. Fix the scheduled replication doesn't work issue
2. Fix the destination name lost issue when updating replication policy
Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit updates the API POST /api/v2.0/system/oidc/ping to new
programming model, in which the code will be generated by go-swagger.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* update blob list query
Deprecate blob list parameters, and use the query for instead.
Signed-off-by: wang yan <wangyan@vmware.com>
* update per review comments
Signed-off-by: Wang Yan <wangyan@vmware.com>
1. Add operation id in ctx in baseapi before prepare
2. add operation id for registry proxy request
3. use url for other request
Signed-off-by: DQ <dengq@vmware.com>
1, introduce & define the system resources.
2, replace the IsSysAdmin judge method.
3, give the robot the system access capability.
Signed-off-by: Wang Yan <wangyan@vmware.com>
feat: Store vulnerability report from scanner into a relational format
Convert vulnerability report JSON obtained from scanner into a relational format describe in:https://github.com/goharbor/community/pull/145
Signed-off-by: prahaladdarkin <prahaladd@vmware.com>
Fixes#13740
Update ManifestExist to return Descriptor instead of digest
For docker 20.10 or containerd, it HEAD the manifest before pull, then
it GET the manifest with digest, add logic to handle this scenario and
correlate the tag between the digest in proxy cache
Signed-off-by: stonezdj <stonezdj@gmail.com>
This reverts commit e6f80259
This reverts commit 918fe125
Signed-off-by: stonezdj <stonezdj@gmail.com>
Revert "Add content type and length in header"
This reverts commit ca379111
Signed-off-by: stonezdj <stonezdj@gmail.com>
Fixes#13566: Quota of dockerhub is still used in v2.1.1 after the image is cached
Cache manifest list in redis cache.
Trade off between efficiency and data integrity, it might cause the proxy cache return the full content of a manifest list instead of the actual manifest list saved in the Harbor storage, which is a part of the manifest list. but this change doesn't break any /v2/ API, just caches full manifest list.
Signed-off-by: stonezdj <stonezdj@gmail.com>
