Fixes#15450
Add paging function to usergroup list/search API
Fix some 500 error when adding LDAP user/group to project member
Signed-off-by: stonezdj <stonezdj@gmail.com>
The init design of this API is to avoid the quota error leads to system disaster.
As quota has been refineded and redis lock has been removed, the API can be deprecated safely.
And this API is only call the DB to refresh quota data, user can call the SyncQuota API to handle this.
Signed-off-by: Wang Yan <wangyan@vmware.com>
update the jwt model to github.com/golang-jwt/jwt
Starting from v3.2.1, the import path has changed from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt.
Signed-off-by: Wang Yan <wangyan@vmware.com>
This commit include 2 changes to mitigate and remediate the problem
described in #15241
1. When the token is to be updated in the "oidc_user" table, make sure
only the column "token" will be udpated.
2. Restore the subiss column for the record that has this column cleared
by mistake, by decoding the persisted token.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
There are code in the core component to conditionally execute code based
on the pattern of url path, and different ingress controller or reverse
proxy may handle the dup slashes in the url path differently.
This commit merge dup slashes in the url paths to make things more
consistent.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit moves more user related funcs, such as ChangePassword,
Login, ChangeUserProfile from common/dao to rely on /pkg/user and
pkg/oidc.
It also removes the code for resetting user's password as it's disabled.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Add env CONFIG_OVERWRITE_JSON for declarative config
Init config with the json in CONFIG_OVERWRITE_JSON in main.go
Signed-off-by: stonezdj <stonezdj@gmail.com>
When ldap_group_search_filter is set, check other required fields
When ldap_group_search_filter is empty, skip to attach group
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit remove some funcs from package `common/dao/user` that can be
covered by the manager in `pkg/user`.
Ideally all funcs should be replaced but the dependency relationships
are tricky for some of them I'll push other commit to clean them up.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
If authenticator does not support searching user/group, wraps it as a
not found error, such that the API will return 404 rather than confusing
500.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* Refactor labl api
move to the new program model
Signed-off-by: wang yan <wangyan@vmware.com>
* continue resolve review comments
Signed-off-by: Wang Yan <wangyan@vmware.com>
Add pkg/member/dao
Add pkg/member/models
Add pkg/member/manager
Add controller/member
Remove the old project member API
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit moves the legacy apis related to users to new model.
Some funcs under common/dao are left b/c they are used by other module,
which should also be shifted to leverage managers.
We'll handle them separately.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Changes include:
1. Move core/config to controller/config
2. Change the job_service and gcreadonly to depends on lib/config instead of core/config
3. Move the config related dao, manager and driver to pkg/config
4. Adjust the invocation of the config API, most of then should provide a context parameter, when accessing system config, you can call it with background context, when accessing user config, the context should provide orm.Context
Signed-off-by: stonezdj <stonezdj@gmail.com>
This commit adds the attribute "http_authproxy_admin_usernames", which
is string that contains usernames separated by comma, when a user logs
in and the username in the tokenreview status matches the setting of
this attribute, the user will have administrator permission.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* Refactor registry API
Refactor registry API
Signed-off-by: Wenkai Yin <yinw@vmware.com>
* Fix bugs of replications
1. Fix the scheduled replication doesn't work issue
2. Fix the destination name lost issue when updating replication policy
Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit updates the API POST /api/v2.0/system/oidc/ping to new
programming model, in which the code will be generated by go-swagger.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
The "*" is used by notary server for permission checking:
84287fd8df/server/server.go (L200)
Hence, we need to add this into the JWT token such that actions like key
rotation can be executed.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit updates the controller for sending reset pwd Email,
to make it use the Email from DB query result.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1, introduce & define the system resources.
2, replace the IsSysAdmin judge method.
3, give the robot the system access capability.
Signed-off-by: Wang Yan <wangyan@vmware.com>
This commit directly maps the actoin permission in security context to
the scope generated by the token service in harbor-core.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit add a handler to handle the request to
"/c/authproxy/redirect". Harbor is configured to authenticate against
an authproxy, if a request with query string `?token=xxxx`
is sent to this URI, the handler will do tokenreview according to the
setting of authproxy and simulate a `login` workflow based on the result
of token review.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
* fix robot account update issue
enable the update method to support both v1 & v2 robot update
Signed-off-by: Wang Yan <wangyan@vmware.com>
* resolve review comments
Signed-off-by: Wang Yan <wangyan@vmware.com>
This commit adds admin_groups into the configuration of http_auth
settings, it's a string in the form of "group1, group2". If the token
review result shows the user is in one of the groups in the setting he
will have the administrator role in Harbor.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
1, remove the gc to new programming model
2, move api define to harbor v2 swagger
3, leverage task & execution manager to manage gc job schedule, trigger and log.
Signed-off-by: wang yan <wangyan@vmware.com>
author Wang Yan <wangyan@vmware.com> 1605849192 +0800
committer Wang Yan <wangyan@vmware.com> 1606361046 +0800
update code per review comments
Signed-off-by: wang yan <wangyan@vmware.com>
1. Use the task manager to manage the underlying execution/task
2. Use the pkg/scheduler to schedule the periodical job
3. Apply the new program model
4. Migration the old data into the new data model
Signed-off-by: Wenkai Yin <yinw@vmware.com>
* refactor: remove core/promgr pkg
Remove `core/promgr` package and use `controller/project` instead of it.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
1. Add configs in prepare
2. Add models and config items in Core
3. Encapdulate getting metric in commom package
4. Add a middleware for global request to collect 3 metrics
Signed-off-by: DQ <dengq@vmware.com>
The ping endpoint will be blocked when DB conns reach the max open conns
of the sql.DB which will make ping request timeout,
so skip the middlewares which will require DB conn.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
Add oidc_admin_group to configuration, and make sure a token with the
group name in group claim has the admin authority.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Use `project.Controller` instead of `promgr.ProjectManager` in security
implementations because we will remove `promgr` package later.
Signed-off-by: He Weiwei <hweiwei@vmware.com>
This commit refactors the approach to encode a token in handler of /service/token,
by reusing pkg/token to avoid inconsistency.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This reverts commit 6fc0c9d75a.
Because this erases the AdminRoleInAuth attribute in user model as it is
not stored in DB and it will break the admin group of LDAP.
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit makes a change so that the user id will be stored in sessoin
after user login instead of user model to avoid data inconsistency when
user model changes.
Fixes#12934
Signed-off-by: Daniel Jiang <jiangd@vmware.com>