mirror of https://github.com/goharbor/harbor.git
104 lines
5.2 KiB
Go
104 lines
5.2 KiB
Go
// Copyright Project Harbor Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package middlewares
|
|
|
|
import (
|
|
"net/http"
|
|
"regexp"
|
|
|
|
"github.com/beego/beego/v2/server/web"
|
|
|
|
"github.com/goharbor/harbor/src/pkg/distribution"
|
|
"github.com/goharbor/harbor/src/server/middleware"
|
|
"github.com/goharbor/harbor/src/server/middleware/artifactinfo"
|
|
"github.com/goharbor/harbor/src/server/middleware/csrf"
|
|
"github.com/goharbor/harbor/src/server/middleware/log"
|
|
"github.com/goharbor/harbor/src/server/middleware/mergeslash"
|
|
"github.com/goharbor/harbor/src/server/middleware/metric"
|
|
"github.com/goharbor/harbor/src/server/middleware/notification"
|
|
"github.com/goharbor/harbor/src/server/middleware/orm"
|
|
"github.com/goharbor/harbor/src/server/middleware/readonly"
|
|
"github.com/goharbor/harbor/src/server/middleware/requestid"
|
|
"github.com/goharbor/harbor/src/server/middleware/security"
|
|
"github.com/goharbor/harbor/src/server/middleware/session"
|
|
"github.com/goharbor/harbor/src/server/middleware/trace"
|
|
"github.com/goharbor/harbor/src/server/middleware/transaction"
|
|
"github.com/goharbor/harbor/src/server/middleware/url"
|
|
)
|
|
|
|
var (
|
|
match = regexp.MustCompile
|
|
numericRegexp = match(`[0-9]+`)
|
|
serviceTokenRegexp = match(`^/service/token`)
|
|
|
|
// The ping endpoint will be blocked when DB conns reach the max open conns of the sql.DB
|
|
// which will make ping request timeout, so skip the middlewares which will require DB conn.
|
|
pingSkipper = middleware.MethodAndPathSkipper(http.MethodGet, match("^/api/v2.0/ping"))
|
|
|
|
// dbTxSkippers skip the transaction middleware for PATCH Blob Upload, PUT Blob Upload and `Read` APIs
|
|
// because the APIs may take a long time to run, enable the transaction middleware in them will hold the database connections
|
|
// until the API finished, this behavior may eat all the database connections.
|
|
// There are no database writing operations in the PATCH Blob APIs, so skip the transaction middleware is all ok.
|
|
// For the PUT Blob Upload API, we will make a transaction manually to write blob info to the database when put blob upload successfully.
|
|
dbTxSkippers = []middleware.Skipper{
|
|
middleware.MethodAndPathSkipper(http.MethodPatch, distribution.BlobUploadURLRegexp),
|
|
middleware.MethodAndPathSkipper(http.MethodPut, distribution.BlobUploadURLRegexp),
|
|
func(r *http.Request) bool { // skip tx for GET, HEAD and Options requests
|
|
m := r.Method
|
|
return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
|
|
},
|
|
}
|
|
|
|
// readonlySkippers skip the post request when harbor sets to readonly.
|
|
readonlySkippers = []middleware.Skipper{
|
|
middleware.MethodAndPathSkipper(http.MethodPut, match("^/api/v2.0/configurations")),
|
|
middleware.MethodAndPathSkipper(http.MethodPut, match("^/api/internal/configurations")),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/c/login")),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/c/userExists")),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/c/oidc/onboard")),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/service/notifications/jobs/adminjob/"+numericRegexp.String())),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/service/notifications/jobs/replication/"+numericRegexp.String())),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/service/notifications/jobs/replication/task/"+numericRegexp.String())),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/service/notifications/jobs/retention/task/"+numericRegexp.String())),
|
|
middleware.MethodAndPathSkipper(http.MethodPost, match("^/service/notifications/jobs/schedules/"+numericRegexp.String())),
|
|
// Harbor doesn't handle the POST request to /service/token. beego framework return 405 for the POST request
|
|
// some client, such as containerd, may send the POST request to /service/token and depends on 405/404/401/400 return code to determine continue or not
|
|
// the read only middleware returns 403 before the beego framework, so skip this request to make the client continue
|
|
middleware.MethodAndPathSkipper(http.MethodPost, serviceTokenRegexp),
|
|
pingSkipper,
|
|
}
|
|
)
|
|
|
|
// MiddleWares returns global middlewares
|
|
func MiddleWares() []web.MiddleWare {
|
|
return []web.MiddleWare{
|
|
url.Middleware(),
|
|
mergeslash.Middleware(),
|
|
trace.Middleware(),
|
|
metric.Middleware(),
|
|
requestid.Middleware(),
|
|
log.Middleware(),
|
|
session.Middleware(),
|
|
csrf.Middleware(),
|
|
orm.Middleware(pingSkipper),
|
|
notification.Middleware(pingSkipper), // notification must ahead of transaction ensure the DB transaction execution complete
|
|
transaction.Middleware(dbTxSkippers...),
|
|
artifactinfo.Middleware(),
|
|
security.Middleware(pingSkipper),
|
|
security.UnauthorizedMiddleware(),
|
|
readonly.Middleware(readonlySkippers...),
|
|
}
|
|
}
|