- improve the status hook sending/resending approach
- improve the status compare and set approach
- simplify the relevant flow
- add reaper to fix the out of sync jobs
- fix#10244 , fix#9963
Signed-off-by: Steven Zou <szou@vmware.com>
Before submit scan job the authorization computed and send to the scan
job and then scan job may in pending state for a long time before it
begins to run.
When the pending more than 30 min which is the default bearer token
expiration time, the authorization had been expired when execute scan
job.
This PR changes the time of computing authorization from before
submitting the scan job to executing the job.
Closes#10325
Signed-off-by: He Weiwei <hweiwei@vmware.com>
This commit disables XSRF check for "service/token" so that when
containerd sends `POST` it will not return 403 and containerd can
fallback to `GET` to complete the workflow.
Fixes#10305
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit will make the "tokenreview" security filter onboard
user if the request carries a valid token. If the "skipsearch" flag in
http_auth setting is set to false the onboard will fail.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
statistic API use security Context to list project rather than calling
projectmanager directly, such that the group membership will be taken
into account.
fixes#10230
It should be cherry picked to 1.9.x and 1.10.x branches
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit removes the attribute to control case-sensitivity from
authproxy setting.
The result in token review status will be used as the single source of
truth, regardless the case of the letters in group names and user names.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit add an attribute to configurations, whose value is the
certificate of authproxy server. When this attribute is set Harbor will
pin to this cert when connecting authproxy.
This value will also be part of the response of systemInfo API.
This commit will be cherrypicked to 1.10 and 1.9 branch.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit fixes#9869
It has some refactor to make sure the group is populated when user is
authenticated via tokenreview workflow.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit fixes#9946, that when creating a project the minimum length
should be 1, not 2.
This commit should be cherry picked to 1.9.x and 1.10.x branch .
We need to double check if this change impacts the creation of replication
rule.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1. Introduce Evaluator interface which do the permission checking.
2. Do permission checking in security context by `Evaluator`.
3. Cache the regexp in keyMatch for casbin.
4. Cache rbac evaluator in namespace evaluator to improve performance.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
This commit refactors the flow to populate user info and verify CLI
secret in OIDC authentication.
It will call the `userinfo` backend of OIDC backend and fallback to
using the ID token if userinfo is not supported by the backend.
It also makes sure the token will be persisted if it's refreshed during
this procedure.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>