mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-20 15:48:26 +01:00
273 lines
6.7 KiB
Go
273 lines
6.7 KiB
Go
/*
|
|
Copyright (c) 2016 VMware, Inc. All Rights Reserved.
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package auth
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
token_util "github.com/vmware/harbor/service/token"
|
|
"github.com/vmware/harbor/utils/log"
|
|
registry_error "github.com/vmware/harbor/utils/registry/error"
|
|
)
|
|
|
|
type scope struct {
|
|
Type string
|
|
Name string
|
|
Actions []string
|
|
}
|
|
|
|
func (s *scope) string() string {
|
|
return fmt.Sprintf("%s:%s:%s", s.Type, s.Name, strings.Join(s.Actions, ","))
|
|
}
|
|
|
|
type tokenGenerator func(realm, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error)
|
|
|
|
// Implements interface Authorizer
|
|
type tokenAuthorizer struct {
|
|
scope *scope
|
|
tg tokenGenerator
|
|
cache string // cached token
|
|
expiresIn int // The duration in seconds since the token was issued that it will remain valid
|
|
issuedAt *time.Time // The RFC3339-serialized UTC standard time at which a given token was issued
|
|
sync.Mutex
|
|
}
|
|
|
|
// Scheme returns the scheme that the handler can handle
|
|
func (t *tokenAuthorizer) Scheme() string {
|
|
return "bearer"
|
|
}
|
|
|
|
// AuthorizeRequest will add authorization header which contains a token before the request is sent
|
|
func (t *tokenAuthorizer) Authorize(req *http.Request, params map[string]string) error {
|
|
var scopes []*scope
|
|
var token string
|
|
|
|
hasFrom := false
|
|
from := req.URL.Query().Get("from")
|
|
if len(from) != 0 {
|
|
s := &scope{
|
|
Type: "repository",
|
|
Name: from,
|
|
Actions: []string{"pull"},
|
|
}
|
|
scopes = append(scopes, s)
|
|
// do not cache the token if "from" appears
|
|
hasFrom = true
|
|
}
|
|
|
|
if t.scope != nil {
|
|
scopes = append(scopes, t.scope)
|
|
}
|
|
|
|
expired := true
|
|
|
|
cachedToken, cachedExpiredIn, cachedIssuedAt := t.getCachedToken()
|
|
|
|
if len(cachedToken) != 0 && cachedExpiredIn != 0 && cachedIssuedAt != nil {
|
|
expired = cachedIssuedAt.Add(time.Duration(cachedExpiredIn) * time.Second).Before(time.Now().UTC())
|
|
}
|
|
|
|
if expired || hasFrom {
|
|
scopeStrs := []string{}
|
|
for _, scope := range scopes {
|
|
scopeStrs = append(scopeStrs, scope.string())
|
|
}
|
|
to, expiresIn, issuedAt, err := t.tg(params["realm"], params["service"], scopeStrs)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
token = to
|
|
|
|
if !hasFrom {
|
|
t.updateCachedToken(to, expiresIn, issuedAt)
|
|
}
|
|
} else {
|
|
token = cachedToken
|
|
}
|
|
|
|
req.Header.Add(http.CanonicalHeaderKey("Authorization"), fmt.Sprintf("Bearer %s", token))
|
|
|
|
return nil
|
|
}
|
|
|
|
func (t *tokenAuthorizer) getCachedToken() (string, int, *time.Time) {
|
|
t.Lock()
|
|
defer t.Unlock()
|
|
return t.cache, t.expiresIn, t.issuedAt
|
|
}
|
|
|
|
func (t *tokenAuthorizer) updateCachedToken(token string, expiresIn int, issuedAt *time.Time) {
|
|
t.Lock()
|
|
defer t.Unlock()
|
|
t.cache = token
|
|
t.expiresIn = expiresIn
|
|
t.issuedAt = issuedAt
|
|
}
|
|
|
|
// Implements interface Authorizer
|
|
type standardTokenAuthorizer struct {
|
|
tokenAuthorizer
|
|
client *http.Client
|
|
credential Credential
|
|
}
|
|
|
|
// NewStandardTokenAuthorizer returns a standard token authorizer. The authorizer will request a token
|
|
// from token server and add it to the origin request
|
|
func NewStandardTokenAuthorizer(credential Credential, insecure bool, scopeType, scopeName string, scopeActions ...string) Authorizer {
|
|
t := &http.Transport{
|
|
TLSClientConfig: &tls.Config{
|
|
InsecureSkipVerify: insecure,
|
|
},
|
|
}
|
|
|
|
authorizer := &standardTokenAuthorizer{
|
|
client: &http.Client{
|
|
Transport: t,
|
|
},
|
|
credential: credential,
|
|
}
|
|
|
|
if len(scopeType) != 0 || len(scopeName) != 0 {
|
|
authorizer.scope = &scope{
|
|
Type: scopeType,
|
|
Name: scopeName,
|
|
Actions: scopeActions,
|
|
}
|
|
}
|
|
|
|
authorizer.tg = authorizer.generateToken
|
|
|
|
return authorizer
|
|
}
|
|
|
|
func (s *standardTokenAuthorizer) generateToken(realm, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
|
|
realm = tokenURL(realm)
|
|
|
|
u, err := url.Parse(realm)
|
|
if err != nil {
|
|
return
|
|
}
|
|
q := u.Query()
|
|
q.Add("service", service)
|
|
for _, scope := range scopes {
|
|
q.Add("scope", scope)
|
|
}
|
|
u.RawQuery = q.Encode()
|
|
r, err := http.NewRequest("GET", u.String(), nil)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
s.credential.AddAuthorization(r)
|
|
|
|
resp, err := s.client.Do(r)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
defer resp.Body.Close()
|
|
b, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
err = ®istry_error.Error{
|
|
StatusCode: resp.StatusCode,
|
|
Detail: string(b),
|
|
}
|
|
return
|
|
}
|
|
|
|
tk := struct {
|
|
Token string `json:"token"`
|
|
ExpiresIn int `json:"expires_in"`
|
|
IssuedAt string `json:"issued_at"`
|
|
}{}
|
|
if err = json.Unmarshal(b, &tk); err != nil {
|
|
return
|
|
}
|
|
|
|
token = tk.Token
|
|
|
|
expiresIn = tk.ExpiresIn
|
|
|
|
if len(tk.IssuedAt) != 0 {
|
|
t, err := time.Parse(time.RFC3339, tk.IssuedAt)
|
|
if err != nil {
|
|
log.Errorf("error occurred while parsing issued_at: %v", err)
|
|
err = nil
|
|
} else {
|
|
issuedAt = &t
|
|
}
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// when the registry client is used inside Harbor, the token request
|
|
// can be posted to token service directly rather than going through nginx.
|
|
// this solution can resolve two problems:
|
|
// 1. performance issue
|
|
// 2. the realm field returned by registry is an IP which can not reachable
|
|
// inside Harbor
|
|
func tokenURL(realm string) string {
|
|
extEndpoint := os.Getenv("EXT_ENDPOINT")
|
|
tokenURL := os.Getenv("TOKEN_URL")
|
|
if len(extEndpoint) != 0 && len(tokenURL) != 0 &&
|
|
strings.Contains(realm, extEndpoint) {
|
|
realm = strings.TrimRight(tokenURL, "/") + "/service/token"
|
|
}
|
|
return realm
|
|
}
|
|
|
|
// Implements interface Handler
|
|
type usernameTokenAuthorizer struct {
|
|
tokenAuthorizer
|
|
username string
|
|
}
|
|
|
|
// NewUsernameTokenAuthorizer returns a authorizer which will generate a token according to
|
|
// the user's privileges
|
|
func NewUsernameTokenAuthorizer(username string, scopeType, scopeName string, scopeActions ...string) Authorizer {
|
|
authorizer := &usernameTokenAuthorizer{
|
|
username: username,
|
|
}
|
|
|
|
authorizer.scope = &scope{
|
|
Type: scopeType,
|
|
Name: scopeName,
|
|
Actions: scopeActions,
|
|
}
|
|
|
|
authorizer.tg = authorizer.generateToken
|
|
|
|
return authorizer
|
|
}
|
|
|
|
func (u *usernameTokenAuthorizer) generateToken(realm, service string, scopes []string) (token string, expiresIn int, issuedAt *time.Time, err error) {
|
|
token, expiresIn, issuedAt, err = token_util.GenTokenForUI(u.username, service, scopes)
|
|
return
|
|
}
|