Merge pull request #8485 from wy65701436/internal-reg-quota

add internal reg request handler chain

make/photon/prepare/templates/core/env.jinja

@@ -31,6 +31,7 @@ CLAIR_DB_USERNAME={{clair_db_username}}
 CLAIR_DB={{clair_db_name}}
 CLAIR_DB_SSLMODE={{clair_db_sslmode}}
 CORE_URL={{core_url}}
+CORE_LOCAL_URL={{core_local_url}}
 JOBSERVICE_URL={{jobservice_url}}
 CLAIR_URL={{clair_url}}
 NOTARY_URL={{notary_url}}

make/photon/prepare/utils/configs.py

@@ -67,6 +67,7 @@ def parse_yaml_config(config_file_path):
         'registry_url': "http://registry:5000",
         'registry_controller_url': "http://registryctl:8080",
         'core_url': "http://core:8080",
+        'core_local_url': "http://127.0.0.1:8080",
         'token_service_url': "http://core:8080/service/token",
         'jobservice_url': 'http://jobservice:8080',
         'clair_url': 'http://clair:6060',

src/common/config/metadata/metadatalist.go

@@ -75,6 +75,7 @@ var (
 		{Name: common.ClairURL, Scope: SystemScope, Group: ClairGroup, EnvKey: "CLAIR_URL", DefaultValue: "http://clair:6060", ItemType: &StringType{}, Editable: false},
 
 		{Name: common.CoreURL, Scope: SystemScope, Group: BasicGroup, EnvKey: "CORE_URL", DefaultValue: "http://core:8080", ItemType: &StringType{}, Editable: false},
+		{Name: common.CoreLocalURL, Scope: SystemScope, Group: BasicGroup, EnvKey: "CORE_LOCAL_URL", DefaultValue: "http://127.0.0.1:8080", ItemType: &StringType{}, Editable: false},
 		{Name: common.DatabaseType, Scope: SystemScope, Group: BasicGroup, EnvKey: "DATABASE_TYPE", DefaultValue: "postgresql", ItemType: &StringType{}, Editable: false},
 
 		{Name: common.EmailFrom, Scope: UserScope, Group: EmailGroup, EnvKey: "EMAIL_FROM", DefaultValue: "admin <sample_admin@mydomain.com>", ItemType: &StringType{}, Editable: false},

src/common/const.go

@@ -55,6 +55,7 @@ const (
 	PostGreSQLSSLMode                = "postgresql_sslmode"
 	SelfRegistration                 = "self_registration"
 	CoreURL                          = "core_url"
+	CoreLocalURL                     = "core_local_url"
 	JobServiceURL                    = "jobservice_url"
 	LDAPURL                          = "ldap_url"
 	LDAPSearchDN                     = "ldap_search_dn"

src/core/api/repository.go

@@ -238,7 +238,7 @@ func (ra *RepositoryAPI) Delete() {
 		return
 	}
 
-	rc, err := coreutils.NewRepositoryClientForUI(ra.SecurityCtx.GetUsername(), repoName)
+	rc, err := coreutils.NewRepositoryClientForLocal(ra.SecurityCtx.GetUsername(), repoName)
 	if err != nil {
 		log.Errorf("error occurred while initializing repository client for %s: %v", repoName, err)
 		ra.SendInternalServerError(errors.New("internal error"))

src/core/config/config.go

@@ -280,7 +280,11 @@ func InternalJobServiceURL() string {
 // InternalCoreURL returns the local harbor core url
 func InternalCoreURL() string {
 	return strings.TrimSuffix(cfgMgr.Get(common.CoreURL).GetString(), "/")
+}
 
+// LocalCoreURL returns the local harbor core url
+func LocalCoreURL() string {
+	return cfgMgr.Get(common.CoreLocalURL).GetString()
 }
 
 // InternalTokenServiceEndpoint returns token service endpoint for internal communication between Harbor containers

src/core/config/config_test.go

@@ -208,6 +208,9 @@ func TestConfig(t *testing.T) {
 	assert.Equal("http://myjob:8888", InternalJobServiceURL())
 	assert.Equal("http://myui:8888/service/token", InternalTokenServiceEndpoint())
 
+	localCoreURL := LocalCoreURL()
+	assert.Equal("http://127.0.0.1:8080", localCoreURL)
+
 }
 
 func currPath() string {

src/core/middlewares/config.go

@@ -28,3 +28,6 @@ const (
 
 // Middlewares with sequential organization
 var Middlewares = []string{READONLY, URL, MUITIPLEMANIFEST, LISTREPO, CONTENTTRUST, VULNERABLE, SIZEQUOTA, COUNTQUOTA}
+
+// MiddlewaresLocal ...
+var MiddlewaresLocal = []string{SIZEQUOTA, COUNTQUOTA}

src/core/middlewares/inlet.go

@@ -16,26 +16,42 @@ package middlewares
 
 import (
 	"errors"
+	"github.com/goharbor/harbor/src/common/utils/log"
+	"github.com/goharbor/harbor/src/core/filter"
 	"github.com/goharbor/harbor/src/core/middlewares/registryproxy"
 	"github.com/goharbor/harbor/src/core/middlewares/util"
 	"net/http"
 )
 
 var head http.Handler
+var proxy http.Handler
 
 // Init initialize the Proxy instance and handler chain.
 func Init() error {
-	ph := registryproxy.New()
-	if ph == nil {
+	proxy = registryproxy.New()
+	if proxy == nil {
 		return errors.New("get nil when to create proxy")
 	}
-	handlerChain := New(Middlewares).Create()
-	head = handlerChain.Then(ph)
 	return nil
 }
 
 // Handle handles the request.
 func Handle(rw http.ResponseWriter, req *http.Request) {
+	securityCtx, err := filter.GetSecurityContext(req)
+	if err != nil {
+		log.Errorf("failed to get security context in middlerware: %v", err)
+		// error to get security context, use the default chain.
+		head = New(Middlewares).Create().Then(proxy)
+	} else {
+		// true: the request is from 127.0.0.1, only quota middlewares are applied to request
+		// false: the request is from outside, all of middlewares are applied to the request.
+		if securityCtx.IsSolutionUser() {
+			head = New(MiddlewaresLocal).Create().Then(proxy)
+		} else {
+			head = New(Middlewares).Create().Then(proxy)
+		}
+	}
+
 	customResW := util.NewCustomResponseWriter(rw)
 	head.ServeHTTP(customResW, req)
 }

src/core/middlewares/util/util.go

@@ -31,6 +31,7 @@ import (
 	"github.com/goharbor/harbor/src/pkg/scan/whitelist"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -368,6 +369,16 @@ func GetProjectID(name string) (int64, error) {
 
 // GetRegRedisCon ...
 func GetRegRedisCon() (redis.Conn, error) {
+	// FOR UT
+	if os.Getenv("UTTEST") == "true" {
+		return redis.Dial(
+			"tcp",
+			fmt.Sprintf("%s:%d", os.Getenv("REDIS_HOST"), 6379),
+			redis.DialConnectTimeout(DialConnectionTimeout),
+			redis.DialReadTimeout(DialReadTimeout),
+			redis.DialWriteTimeout(DialWriteTimeout),
+		)
+	}
 	return redis.DialURL(
 		config.GetRedisOfRegURL(),
 		redis.DialConnectTimeout(DialConnectionTimeout),

src/core/utils/retag.go

@@ -28,13 +28,13 @@ import (
 // Retag tags an image to another
 func Retag(srcImage, destImage *models.Image) error {
 	isSameRepo := getRepoName(srcImage) == getRepoName(destImage)
-	srcClient, err := NewRepositoryClientForUI("harbor-ui", getRepoName(srcImage))
+	srcClient, err := NewRepositoryClientForLocal("harbor-ui", getRepoName(srcImage))
 	if err != nil {
 		return err
 	}
 	destClient := srcClient
 	if !isSameRepo {
-		destClient, err = NewRepositoryClientForUI("harbor-ui", getRepoName(destImage))
+		destClient, err = NewRepositoryClientForLocal("harbor-ui", getRepoName(destImage))
 		if err != nil {
 			return err
 		}

src/core/utils/utils.go

@@ -17,6 +17,7 @@ package utils
 
 import (
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/goharbor/harbor/src/common/utils/log"
@@ -33,7 +34,20 @@ func NewRepositoryClientForUI(username, repository string) (*registry.Repository
 	if err != nil {
 		return nil, err
 	}
+	return newRepositoryClient(endpoint, username, repository)
+}
 
+// NewRepositoryClientForLocal creates a repository client that can only be used to
+// access the internal registry with 127.0.0.1
+func NewRepositoryClientForLocal(username, repository string) (*registry.Repository, error) {
+	// The 127.0.0.1:8080 is not reachable as we do not enable core in UT env.
+	if os.Getenv("UTTEST") == "true" {
+		return NewRepositoryClientForUI(username, repository)
+	}
+	return newRepositoryClient(config.LocalCoreURL(), username, repository)
+}
+
+func newRepositoryClient(endpoint, username, repository string) (*registry.Repository, error) {
 	uam := &auth.UserAgentModifier{
 		UserAgent: "harbor-registry-client",
 	}