

Allow the Identity Provider to be the primary auth method in Harbor. (#…
…17627)

Allow the Identity Provider to be the primary auth method in Harbor

Signed-off-by: Maksym Trofimenko <[email protected]>
tpoxa authored Feb 8, 2023
1 parent ff9dcd5 commit 68fb018
Showing 20 changed files with 101 additions and 14 deletions.
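--- a/api/v2.0/swagger.yaml
+++ b/api/v2.0/swagger.yaml
@@ -4269,7 +4269,7 @@ paths:
 '404':
 $ref: '#/responses/404'
 '500':
-$ref: '#/responses/500'
+$ref: '#/responses/500'
 /system/purgeaudit/{purge_id}/log:
 get:
 summary: Get purge job log.
@@ -7666,6 +7666,11 @@ definitions:
 x-nullable: true
 x-omitempty: true
 description: The auth mode of current Harbor instance.
+primary_auth_mode:
+type: boolean
+x-nullable: true
+x-omitempty: true
+description: The flag to indicate whether the current auth mode should consider as a primary one.
 project_creation_restriction:
 type: string
 x-nullable: true
@@ -7793,7 +7798,7 @@ definitions:
 update_time:
 type: string
 format: date-time
-description: the update time of purge job.
+description: the update time of purge job.
 Schedule:
 type: object
 properties:
@@ -8593,6 +8598,9 @@ definitions:
 auth_mode:
 $ref: '#/definitions/StringConfigItem'
 description: The auth mode of current system, such as "db_auth", "ldap_auth", "oidc_auth"
+primary_auth_mode:
+$ref: '#/definitions/BoolConfigItem'
+description: The flag to indicate whether the current auth mode should consider as a primary one.
 ldap_base_dn:
 $ref: '#/definitions/StringConfigItem'
 description: The Base DN for LDAP binding.
@@ -8697,7 +8705,7 @@ definitions:
 description: The OIDC group which has the harbor admin privileges
 oidc_group_filter:
 $ref: '#/definitions/StringConfigItem'
-description: The OIDC group filter which filters out the group doesn't match the regular expression
+description: The OIDC group filter which filters out the group doesn't match the regular expression
 oidc_scope:
 $ref: '#/definitions/StringConfigItem'
 description: The scope of the OIDC provider
@@ -8758,6 +8766,11 @@ definitions:
 description: The auth mode of current system, such as "db_auth", "ldap_auth", "oidc_auth"
 x-omitempty: true
 x-isnullable: true
+primary_auth_mode:
+type: boolean
+x-nullable: true
+x-omitempty: true
+description: The flag to indicate whether the current auth mode should consider as a primary one.
 ldap_base_dn:
 type: string
 description: The Base DN for LDAP binding.
@@ -8942,7 +8955,7 @@ definitions:
 type: string
 description: The OIDC group filter which filters out the group name doesn't match the regular expression
 x-omitempty: true
-x-isnullable: true
+x-isnullable: true
 oidc_scope:
 type: string
 description: The scope of the OIDC provider
@@ -8997,7 +9010,7 @@ definitions:
 type: string
 description: The audit log forward endpoint
 x-omitempty: true
-x-isnullable: true
+x-isnullable: true
 skip_audit_log_database:
 type: boolean
 description: Skip audit log database
@@ -9401,10 +9414,11 @@ definitions:
 items:
 $ref: '#/definitions/ScanDataExportExecution'
 description: The list of scan data export executions
+
 WorkerPool:
 type: object
 description: the worker pool of job service
-properties:
+properties:
 pid:
 type: integer
 description: the process id of jobservice
@@ -9422,13 +9436,13 @@ definitions:
 concurrency:
 type: integer
 description: The concurrency of the work pool
-host:
+host:
 type: string
-description: The host of the work pool
+description: The host of the work pool
 Worker:
 type: object
 description: worker in the pool
-properties:
+properties:
 id:
 type: string
 description: the id of the worker
@@ -9463,7 +9477,7 @@ definitions:
 action:
 type: string
 description: The action of the request, should be stop, pause or resume
-enum:
+enum:
 - stop
 - pause
 - resume
@@ -9511,4 +9525,4 @@ definitions:
 paused:
 type: boolean
 description: if the scheduler is paused
-x-omitempty: false
+x-omitempty: false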
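Review bot: The three new `primary_auth_mode` descriptions read "should consider as a primary one", which is ungrammatical and tells an API consumer neither what the flag changes nor that, in this commit, only `oidc_auth` acts on it (the portal guard redirects solely in that mode). Suggested wording for all three: `description: Whether the current auth mode is treated as the primary one. When true (currently honoured only for "oidc_auth"), unauthenticated UI users are sent straight to the identity provider instead of the Harbor login page.` Each hunk's enclosing definition continues outside the hunk.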
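--- a/src/common/const.go
+++ b/src/common/const.go
@@ -50,6 +50,7 @@ const (
 
 ExtEndpoint = "ext_endpoint"
 AUTHMode = "auth_mode"
+PrimaryAuthMode = "primary_auth_mode"
 DatabaseType = "database_type"
 PostGreSQLHOST = "postgresql_host"
 PostGreSQLPort = "postgresql_port"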
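--- a/src/controller/systeminfo/controller.go
+++ b/src/controller/systeminfo/controller.go
@@ -44,6 +44,7 @@ var Ctl = NewController()
 // Data wraps common systeminfo data
 type Data struct {
 AuthMode string
+PrimaryAuthMode bool
 SelfRegistration bool
 HarborVersion string
 AuthProxySettings *models.HTTPAuthProxy
@@ -93,6 +94,7 @@ func (c *controller) GetInfo(ctx context.Context, opt Options) (*Data, error) {
 }
 res := &Data{
 AuthMode: utils.SafeCastString(cfg[common.AUTHMode]),
+PrimaryAuthMode: utils.SafeCastBool(cfg[common.PrimaryAuthMode]),
 SelfRegistration: utils.SafeCastBool(cfg[common.SelfRegistration]),
 HarborVersion: fmt.Sprintf("%s-%s", version.ReleaseVersion, version.GitCommit),
 }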
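Review bot: `PrimaryAuthMode` is copied out of config and reported regardless of `AuthMode`, while the portal template in this commit hides the checkbox whenever the mode is `db_auth`, so a `true` left behind from an earlier OIDC setup would presumably still be emitted after switching modes. That is harmless for the guard added in this commit, which also checks `AuthMode`, but nothing on the struct tells other consumers of `Data` that they must do the same. A field comment would close that gap: `// PrimaryAuthMode is only meaningful when AuthMode is "oidc_auth"; the stored flag is returned as-is for other modes.` Both `Data` and `GetInfo` extend beyond their hunks.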
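--- a/src/lib/config/metadata/metadatalist.go
+++ b/src/lib/config/metadata/metadatalist.go
@@ -65,6 +65,7 @@ var (
 
 {Name: common.AdminInitialPassword, Scope: SystemScope, Group: BasicGroup, EnvKey: "HARBOR_ADMIN_PASSWORD", DefaultValue: "", ItemType: &PasswordType{}, Editable: true},
 {Name: common.AUTHMode, Scope: UserScope, Group: BasicGroup, EnvKey: "AUTH_MODE", DefaultValue: "db_auth", ItemType: &AuthModeType{}, Editable: false, Description: `The auth mode of current system, such as "db_auth", "ldap_auth", "oidc_auth"`},
+{Name: common.PrimaryAuthMode, Scope: UserScope, Group: BasicGroup, EnvKey: "PRIMARY_AUTH_MODE", DefaultValue: "false", ItemType: &BoolType{}, Description: `Use current auth mode as a primary one`},
 {Name: common.ChartRepoURL, Scope: SystemScope, Group: BasicGroup, EnvKey: "CHART_REPOSITORY_URL", DefaultValue: "http://chartmuseum:9999", ItemType: &StringType{}, Editable: false},
 
 {Name: common.TrivyAdapterURL, Scope: SystemScope, Group: TrivyGroup, EnvKey: "TRIVY_ADAPTER_URL", DefaultValue: "http://trivy-adapter:8080", ItemType: &StringType{}, Editable: false},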
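Review bot: The new `PrimaryAuthMode` item omits `Editable` where every neighbouring entry states it explicitly, so it silently takes the zero value `false`; whether that field feeds the `editable` flag the portal checks (`[disabled]="!currentConfig.primary_auth_mode.editable"` in this commit) is decided in code outside this hunk, so the value should be chosen deliberately rather than by default — `Editable: true,` if admins are meant to toggle it from the UI. The `Description` would also help operators more if it said what the flag does and that, in this commit, only `oidc_auth` honours it: `Description: "Treat the current auth mode as the primary one: unauthenticated UI users are sent straight to the identity provider (currently only for oidc_auth)"`. The `var (` block starts before and ends after the hunk.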
Expand Up @@ -51,6 +51,36 @@
>
</div>
</div>
<section *ngIf="currentConfig?.auth_mode?.value !== 'db_auth'">
<clr-checkbox-container>
<label for="primaryAuthMode"
>{{ 'CONFIG.PRIMARY_AUTH_MODE' | translate }}
<clr-tooltip>
<clr-icon
clrTooltipTrigger
shape="info-circle"
size="24"></clr-icon>
<clr-tooltip-content
clrPosition="top-right"
clrSize="lg"
*clrIfOpen>
<span>{{
'CONFIG.TOOLTIP.PRIMARY_AUTH_MODE' | translate
}}</span>
</clr-tooltip-content>
</clr-tooltip>
</label>
<clr-checkbox-wrapper>
<input
type="checkbox"
clrCheckbox
name="primaryAuthMode"
id="primaryAuthMode"
[(ngModel)]="currentConfig.primary_auth_mode.value"
[disabled]="!currentConfig.primary_auth_mode.editable" />
</clr-checkbox-wrapper>
</clr-checkbox-container>
</section>

<section *ngIf="showUAA">
<clr-input-container>
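Review bot: The checkbox is rendered for every non-database mode (`<section *ngIf="currentConfig?.auth_mode?.value !== 'db_auth'">`), but the only consumer added in this commit — the auth-check guard — acts on the flag solely when `auth_mode` is `oidc_auth`, so an admin running LDAP, UAA or HTTP auth can tick "Primary Auth Mode" and nothing changes, while the tooltip promises an automatic redirect to the identity provider. Unless other modes are meant to honour it later, gate the section on the mode that actually implements it: `<section *ngIf="currentConfig?.auth_mode?.value === 'oidc_auth'">`. The enclosing form starts before and ends after the hunk, and the file path is not shown on this page.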
Expand Up @@ -236,6 +236,7 @@ export class ConfigurationAuthComponent implements OnInit {
prop.startsWith('oidc_') ||
prop === 'auth_mode' ||
prop === 'project_creattion_restriction' ||
prop === 'primary_auth_mode' ||
prop === 'self_registration' ||
prop.startsWith('http_')
) {
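--- a/src/portal/src/app/base/left-side-nav/config/config.ts
+++ b/src/portal/src/app/base/left-side-nav/config/config.ts
@@ -54,6 +54,7 @@ export class ComplexValueItem {
 export class Configuration {
 [key: string]: any | any[];
 auth_mode: StringValueItem;
+primary_auth_mode: BoolValueItem;
 project_creation_restriction: StringValueItem;
 self_registration: BoolValueItem;
 ldap_base_dn: StringValueItem;
@@ -114,6 +115,7 @@ export class Configuration {
 session_timeout: NumberValueItem;
 public constructor() {
 this.auth_mode = new StringValueItem('db_auth', true);
+this.primary_auth_mode = new BoolValueItem(false, true);
 this.project_creation_restriction = new StringValueItem(
 'everyone',
 true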
Expand Up @@ -26,6 +26,10 @@ describe('ProjectComponent', () => {
value: 'oidc_auth',
editable: false,
},
primary_auth_mode: {
value: false,
editable: true,
},
count_per_project: {
value: -1,
editable: true,
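--- a/src/portal/src/app/services/app-config.ts
+++ b/src/portal/src/app/services/app-config.ts
@@ -19,6 +19,7 @@ export class AppConfig {
 with_trivy: boolean;
 admiral_endpoint: string;
 auth_mode: string;
+primary_auth_mode: boolean;
 registry_url: string;
 project_creation_restriction: string;
 self_registration: boolean;
@@ -36,6 +37,7 @@ export class AppConfig {
 this.with_trivy = false;
 this.admiral_endpoint = '';
 this.auth_mode = 'db_auth';
+this.primary_auth_mode = false;
 this.registry_url = '';
 this.project_creation_restriction = 'everyone';
 this.self_registration = true;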
Expand Up @@ -25,8 +25,8 @@ import { AppConfigService } from '../../services/app-config.service';
import { MessageHandlerService } from '../services/message-handler.service';
import { SearchTriggerService } from '../components/global-search/search-trigger.service';
import { Observable } from 'rxjs';
import { CommonRoutes } from '../entities/shared.const';
import { UN_LOGGED_PARAM, YES } from '../../account/sign-in/sign-in.service';
import { CommonRoutes, CONFIG_AUTH_MODE } from '../entities/shared.const';

@Injectable({
providedIn: 'root',
Expand Down Expand Up @@ -76,6 +76,18 @@ export class AuthCheckGuard implements CanActivate, CanActivateChild {
let navigatorExtra: NavigationExtras = {
queryParams: { redirect_url: state.url },
};
// if primary auth mode enabled, skip the first step
if (
this.appConfigService.getConfig().auth_mode ==
CONFIG_AUTH_MODE.OIDC_AUTH &&
this.appConfigService.getConfig()
.primary_auth_mode
) {
window.location.href =
'/c/oidc/login?redirect_url=' +
encodeURI(state.url);
return observer.next(false);
}
this.router.navigate(
[CommonRoutes.EMBEDDED_SIGN_IN],
navigatorExtra
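Review bot: `encodeURI(state.url)` in the new redirect leaves `?`, `&`, `=` and `#` unencoded, so a guarded URL that carries a query string or fragment is split by the server into several parameters and the post-login return lands on a truncated path; the value is a single query component and should be built as `'/c/oidc/login?redirect_url=' + encodeURIComponent(state.url)`. Two smaller points: the file compares with `===` elsewhere (see the component hunk in this commit), so `this.appConfigService.getConfig().auth_mode === CONFIG_AUTH_MODE.OIDC_AUTH` keeps it consistent; and because the browser now jumps straight to `/c/oidc/login?redirect_url=…` whenever the flag is set, whatever validation that server handler applies to `redirect_url` becomes the only check on the value — it is outside this diff, so worth confirming it rejects absolute and protocol-relative targets. The enclosing `canActivate` body starts before and ends after the hunk, and the file path is not shown on this page.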
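--- a/src/portal/src/app/shared/services/interface.ts
+++ b/src/portal/src/app/shared/services/interface.ts
@@ -176,6 +176,7 @@ export interface SystemInfo {
 with_chartmuseum?: boolean;
 admiral_endpoint?: string;
 auth_mode?: string;
+primary_auth_mode?: boolean;
 registry_url?: string;
 project_creation_restriction?: string;
 self_registration?: boolean;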
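--- a/src/portal/src/i18n/lang/de-de-lang.json
+++ b/src/portal/src/i18n/lang/de-de-lang.json
@@ -813,6 +813,7 @@
 "SESSION_TIMEOUT": "Session Timeout (Minutes)",
 "SESSION_TIMEOUT_INFO": "Set the session timeout for Harbor UI. The default is 60 minutes.",
 "AUTH_MODE": "Auth Mode",
+"PRIMARY_AUTH_MODE": "Primärer Anmeldemodus",
 "PRO_CREATION_RESTRICTION": "Projekt Erzeugung",
 "SELF_REGISTRATION": "Selbst-Registrierung",
 "AUTH_MODE_DB": "Datenbank",
@@ -834,6 +835,7 @@
 "SELF_REGISTRATION_DISABLE": "Registrierung verboten. Haken setzen um Selbst-Registrierung zu erlauben.",
 "VERIFY_REMOTE_CERT": "Festlegen, ob die Image-Replikation das Zertifikat der Gegenstelle überprüfen soll. Deaktiviere die Box, wenn der E-Mail-Server ein selbstsigniertes oder nicht-vertrauenswürdiges Zertifikat verwendet.",
 "AUTH_MODE": "Der Standard Authentifizierungsmodus ist Datenbank, die Zugriffsdaten werden hierbei in einer lokalen Datenbank gespeichert. Wähle einen alternativen Authentifizierungsmodus, um die Nutzer gegen den konfigurierten Dienst zu verifizieren.",
+"PRIMARY_AUTH_MODE": "Dieser Anmeldemodus wird zur Standardmethode für die Benutzeranmeldung. Der Anmeldebildschirm, in dem der Benutzer auswählt, ob er sich über den Identitätsanbieter oder über die lokale DB anmelden möchte, leitet den Benutzer automatisch an diesen Identitätsanbieter weiter. Die Anmeldung über die DB ist möglich, wenn die URL '/account/sign-in' explizit aufgerufen wird.",
 "LDAP_SEARCH_DN": "DN eines Nutzers, der die Berechtigungen auf dem LDAP/AD Server hat. Falls der LDAP/AD server anonyme Suche nicht unterstützt, muss der DN und das ldap_search_pwd konfiguriert werden.",
 "LDAP_BASE_DN": "Der Base DN unterhalb dem nach Nutzern im LDAP/AD gesucht wird.",
 "LDAP_UID": "Das Attribut, dass in der Suche für die Zuordnung eines Nutzers verwendet wird. Kann uid, cn, email, sAMAccountName oder ein anderes Attribut abhängig vom LDAP/AD sein.",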
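--- a/src/portal/src/i18n/lang/en-us-lang.json
+++ b/src/portal/src/i18n/lang/en-us-lang.json
@@ -813,6 +813,7 @@
 "SESSION_TIMEOUT": "Session Timeout (Minutes)",
 "SESSION_TIMEOUT_INFO": "Set the session timeout for Harbor UI. The default is 60 minutes.",
 "AUTH_MODE": "Auth Mode",
+"PRIMARY_AUTH_MODE": "Primary Auth Mode",
 "PRO_CREATION_RESTRICTION": "Project Creation",
 "SELF_REGISTRATION": "Allow Self-Registration",
 "AUTH_MODE_DB": "Database",
@@ -834,6 +835,7 @@
 "SELF_REGISTRATION_DISABLE": "Deactivate sign up.",
 "VERIFY_REMOTE_CERT": "Determine whether the image replication should verify the certificate of a remote Harbor registry. Uncheck this box when the remote registry uses a self-signed or untrusted certificate.",
 "AUTH_MODE": "By default the authentication mode is database, i.e. the credentials are stored in a local database. Set it to LDAP if you want to verify a user's credential against an LDAP server.",
+"PRIMARY_AUTH_MODE": "This auth mode becomes the default way for users to login. The login screen where the user selects to login via the identity provider or via local DB will automatically redirect the user to this identity provider. Login via DB is possible when visiting the url '/account/sign-in' explicitly.",
 "LDAP_SEARCH_DN": "A user's DN who has the permission to search the LDAP/AD server. If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.",
 "LDAP_BASE_DN": "The base DN from which to look up a user in LDAP/AD.",
 "LDAP_UID": "The attribute used in a search to match a user. It could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD.",
@@ -896,7 +898,7 @@
 "SCOPE": "OIDC Scope",
 "OIDC_VERIFYCERT": "Verify Certificate",
 "OIDC_AUTOONBOARD": "Automatic onboarding",
-"USER_CLAIM": "Username Claim",
+"USER_CLAIM": "Username Claim",
 "OIDC_SETNAME": "Set OIDC Username",
 "OIDC_SETNAMECONTENT": "You must create a Harbor username the first time when authenticating via a third party(OIDC).This will be used within Harbor to be associated with projects, roles, etc.",
 "OIDC_USERNAME": "Username",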
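--- a/src/portal/src/i18n/lang/es-es-lang.json
+++ b/src/portal/src/i18n/lang/es-es-lang.json
@@ -814,6 +814,7 @@
 "SESSION_TIMEOUT": "Session Timeout (Minutes)",
 "SESSION_TIMEOUT_INFO": "Set the session timeout for Harbor UI. The default is 60 minutes.",
 "AUTH_MODE": "Modo de autentificación",
+"PRIMARY_AUTH_MODE": "Primary Auth Mode",
 "PRO_CREATION_RESTRICTION": "Creación de Proyecto",
 "SELF_REGISTRATION": "Permitir auto-registro",
 "AUTH_MODE_DB": "Base de datos",
@@ -835,6 +836,7 @@
 "SELF_REGISTRATION_DISABLE": "Disable sign up.",
 "VERIFY_REMOTE_CERT": "Determina si la replicación de la imagen debería verificar el certificado de un registro Harbor remoto. Desmarque esta opción cuando el registro remoto use un certificado de confianza o autofirmado.",
 "AUTH_MODE": "Por defecto el modo de autentificación es base de datos, es decir, las credenciales se almacenan en una base de datos local. Seleccione LDAP si quiere verificar las credenciales de usuarios a través del servidor LDAP.",
+"PRIMARY_AUTH_MODE": "This auth mode becomes the default way for users to login. The login screen where the user selects to login via the identity provider or via local DB will automatically redirect the user to this identity provider. Login via DB is possible when visiting the url '/account/sign-in' explicitly.",
 "LDAP_SEARCH_DN": "Un DN de usuario que tenga permisos para buscar el servidor LDAP/AD. Si el servidor LDAP/AD no soporta búsquedas anónimas, debería configurar este DN y ldap_search_pwd.",
 "LDAP_BASE_DN": "La base DN para buscar un usuario en el LDAP/AD.",
 "LDAP_UID": "El atributo usado en una búsqueda para encontrar un usuario. Debe ser el uid, cn, email, sAMAccountName u otro atributo dependiendo del LDAP/AD.",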
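--- a/src/portal/src/i18n/lang/fr-fr-lang.json
+++ b/src/portal/src/i18n/lang/fr-fr-lang.json
@@ -795,6 +795,7 @@
 "SESSION_TIMEOUT": "Session Timeout (Minutes)",
 "SESSION_TIMEOUT_INFO": "Set the session timeout for Harbor UI. The default is 60 minutes.",
 "AUTH_MODE": "Mode d'Identification",
+"PRIMARY_AUTH_MODE": "Primary Auth Mode",
 "PRO_CREATION_RESTRICTION": "Création du Projet",
 "SELF_REGISTRATION": "Autoriser l'Auto-Inscription",
 "AUTH_MODE_DB": "Base de données",
@@ -816,6 +817,7 @@
 "SELF_REGISTRATION_DISABLE": "Désactiver l'inscription.",
 "VERIFY_REMOTE_CERT": "Déterminez si la réplication de l'image doit vérifier le certificat d'un dépôt Harbor distant. Décochez cette case lorsque le registre distant utilise un certificat auto-signé ou non approuvé.",
 "AUTH_MODE": "Par défaut, le mode d'authentification est la base de données, c-a-d que les informations d'identification sont stockées dans une base de données locale. Définissez-le sur LDAP si vous voulez vérifier l'identité d'un utilisateur par rapport à un serveur LDAP.",
+"PRIMARY_AUTH_MODE": "This auth mode becomes the default way for users to login. The login screen where the user selects to login via the identity provider or via local DB will automatically redirect the user to this identity provider. Login via DB is possible when visiting the url '/account/sign-in' explicitly.",
 "LDAP_SEARCH_DN": "Le DN d'un utilisateur qui a la permission de rechercher sur le serveur LDAP/AD. Si votre serveur LDAP/AD ne prend pas en charge la recherche anonyme, vous devez configurer ce DN et ldap_search_pwd.",
 "LDAP_BASE_DN": "La base DN à partir de laquelle rechercher un utilisateur dans LDAP/AD.",
 "LDAP_UID": "Attribut utilisé dans une recherche pour trouver un utilisateur. Cela peut être uid, cn, email, sAMAccountName ou d'autres attributs selon votre LDAP/AD.",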

