This commit directly maps the actoin permission in security context to
the scope generated by the token service in harbor-core.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1. Clear cache for projects loader in quota driver of project which will
ensure that load project will raise error after project deleted.
2. Delete quota of the project before the deletion of the project.
Closes#12292
Signed-off-by: He Weiwei <hweiwei@vmware.com>
Update to repositories API so it will not differentiate if a project
does not exist or the user doesn't have permission to access it.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit disables XSRF check for "service/token" so that when
containerd sends `POST` it will not return 403 and containerd can
fallback to `GET` to complete the workflow.
Fixes#10305
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit will make the "tokenreview" security filter onboard
user if the request carries a valid token. If the "skipsearch" flag in
http_auth setting is set to false the onboard will fail.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
statistic API use security Context to list project rather than calling
projectmanager directly, such that the group membership will be taken
into account.
fixes#10230
It should be cherry picked to 1.9.x and 1.10.x branches
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit removes the attribute to control case-sensitivity from
authproxy setting.
The result in token review status will be used as the single source of
truth, regardless the case of the letters in group names and user names.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit add an attribute to configurations, whose value is the
certificate of authproxy server. When this attribute is set Harbor will
pin to this cert when connecting authproxy.
This value will also be part of the response of systemInfo API.
This commit will be cherrypicked to 1.10 and 1.9 branch.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit fixes#9869
It has some refactor to make sure the group is populated when user is
authenticated via tokenreview workflow.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit fixes#9946, that when creating a project the minimum length
should be 1, not 2.
This commit should be cherry picked to 1.9.x and 1.10.x branch .
We need to double check if this change impacts the creation of replication
rule.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit refactors the flow to populate user info and verify CLI
secret in OIDC authentication.
It will call the `userinfo` backend of OIDC backend and fallback to
using the ID token if userinfo is not supported by the backend.
It also makes sure the token will be persisted if it's refreshed during
this procedure.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
BREAKING CHANGE: the value negligible of severity in project metadata will change to none in the responses of project APIs
Signed-off-by: He Weiwei <hweiwei@vmware.com>
1. Fix name conflict when install internal clair adapter.
2. Remove all internal adapters when reinstall harbor without --with-clair flag
Signed-off-by: He Weiwei <hweiwei@vmware.com>
This commit make case sensitivity configurable when the authentication
backend is auth proxy.
When the "http_authproxy_case_sensitive" is set to false, the name of
user/group will be converted to lower-case when onboarded to Harbor, so
as long as the authentication is successful there's no difference regardless
upper or lower case is used. It will be mapped to one entry in Harbor's
User/Group table.
Similar to auth_mode, there is limitation that once there are users
onboarded to Harbor's DB this attribute is not configurable.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit fixes#9771
It compares the roles to return the one with highest permission in the
response of `GET /api/projects`.
In addition to that, it adds the role list to the response, because a
user can have multiple roles in a project.
It also removes the togglable attribute as it's not used anywhere.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is to fix https://github.com/goharbor/harbor/issues/9780.
To align with OCI spec, when a docker pull request without bearer token in header comes in, Harbor should not intecepte it(return a 412 if check fail)
when the policy check is enabled. As the 401 is expected by the docker/caller, and then to ask token service which url is in the 401 header.
Signed-off-by: wang yan <wangyan@vmware.com>
