* add periodic job UUID to upstream job id and use execution log as the periodic log
Signed-off-by: wang yan <wangyan@vmware.com>
* add comments to fix codacy
Signed-off-by: wang yan <wangyan@vmware.com>
* Update code per comments
Signed-off-by: wang yan <wangyan@vmware.com>
This commit update the response off OIDC callback when there's error in exchange token.
Additionally add comments to clarify that by default 500 error will not
contain any details.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* Return 404 when the log of task doesn't exist
Return 404 when the log of task doesn't exist
Signed-off-by: Wenkai Yin <yinw@vmware.com>
* Upgrade the distribution and notary library
Upgrade the distribution library to 2.7.1, the notary library to 0.6.1
Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit make sure the token is persist to DB after every time after
a user logs in via OIDC provider, to make sure the secret is usable for
the OIDC providers that don't provide refresh token.
It also updates the authorize URL for google to make sure the refresh
token will be returned.
Also some misc refinement included, including add comment to the
OIDC onboarded user, preset the username in onboard dialog.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit ensures that the TLS config of the HTTP client for auth
proxy is updated when the configuration is changed.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1. Only return the event based trigger for local Harbor
2. Valid the trigger pattern and cron string when creating/updating policies
3. Set the schema as "http" if it isn't specified when creating/updating registries
Signed-off-by: Wenkai Yin <yinw@vmware.com>
Chart client eats the http error if not status ok, after refactor, the
real http response will be catched in core api.
Signed-off-by: wang yan <wangyan@vmware.com>
1. Fix bug when creating the namespace
2. Keep the same logic for hiding access secret
3. Filter only push mode policies for event trigger
Signed-off-by: Wenkai Yin <yinw@vmware.com>
If a user does not have OIDC meta data in DB, it means he's not
onboarded via OIDC authn, hence, we should not check the token.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Ths commmit ensures that when user's token is invalidated OIDC provider, he
cannot access protected resource in Harbor with the user info in his session.
We share the code path with secret verification b/c the refresh token
can be used only once, so it has to be stored in one place.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit introduces a solution to workaround the restriction of project creation API: only normal users can create projects
Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit tweaks the attribute for auth proxy mode and OIDC auth mode.
To change it from "Skip verify cert" to "verify cert" so they are more
consistent with other modes.
Additionally it removes a workaround in `SearchUser` in auth proxy
authenticator.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1. check the disable/enable status before starting the replication
2. process the support_namespace property
Signed-off-by: Wenkai Yin <yinw@vmware.com>
As CLI does not support oauth flow, we'll use secret for help OIDC user
to authenticate via CLI.
Add column to store secret and token, and add code to support
verify/refresh token associates with secret. Such that when the user is
removed from OIDC provider the secret will no longer work.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit adjust the code and fix some bugs to make onboard process
work.
Only thing missed is that the UI will need to initiate the redirection,
because the request of onboarding a user was sent via ajax call and didn't
handle the 302.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Call Harbor API to delete the images in Harbor adapter to avoid the inconsistent between the different versions of Harbor
Signed-off-by: Wenkai Yin <yinw@vmware.com>
1. Add operation property for tasks
2. Add trigger property for executions
3. Update the getting registry info API to allow passing 0 as ID to get the info of local Harbor registry
Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit add callback controller to handle the redirection from
successful OIDC authentication.
For E2E case this requires callback controller to kick off onboard
process, which will be covered in subsequent commits.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
The controller will redirect user to the OIDC login page based on
configuration.
Additionally this commit add some basic code to wrap `oauth2` package
and `provider` in `go-oidc`, and fixed an issue in UT to make
InMemoryDriver for config management thread-safe.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* add authn proxy docker login support
User could use the web hook token issued by k8s api server to login to harbor.
The username should add a specific prefix.
Signed-off-by: wang yan <wangyan@vmware.com>
* update code per review comments
Signed-off-by: wang yan <wangyan@vmware.com>
* Add UT for auth proxy modifier
Signed-off-by: wang yan <wangyan@vmware.com>
