Add settings to define admin with LDAP group DN

stonezdj 2018-07-01 09:22:25 +08:00
parent e1000d5984
commit 62acdb14f3
9 changed files with 59 additions and 2 deletions


@ -3494,6 +3494,9 @@ definitions:
ldap_group_search_scope:
type: integer
description: The scope to search ldap. '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE'
ldap_group_admin_dn:
type: string
description: Specify the ldap group which have the same privilege with Harbor admin.
project_creation_restriction:
type: string
description: >-


@ -61,3 +61,4 @@ REGISTRY_STORAGE_PROVIDER_NAME=$storage_provider_name
READ_ONLY=false
SKIP_RELOAD_ENV_PATTERN=$skip_reload_env_pattern
RELOAD_KEY=$reload_key
LDAP_GROUP_ADMIN_DN=$ldap_group_admin_dn


@ -344,6 +344,8 @@ else:
#Use reload_key to avoid reload config after restart harbor
reload_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6)) if reload_config == "true" else ""
ldap_group_admin_dn = rcp.get("configuration", "ldap_group_admin_dn") if rcp.has_option("configuration", "ldap_group_admin_dn") else ""
render(os.path.join(templates_dir, "adminserver", "env"),
adminserver_conf_env,
reload_config=reload_config,
@ -364,6 +366,7 @@ render(os.path.join(templates_dir, "adminserver", "env"),
ldap_group_filter=ldap_group_filter,
ldap_group_gid=ldap_group_gid,
ldap_group_scope=ldap_group_scope,
ldap_group_admin_dn=ldap_group_admin_dn,
db_password=db_password,
db_host=db_host,
db_user=db_user,


@ -163,7 +163,8 @@ var (
env: "READ_ONLY",
parse: parseStringToBool,
},
common.ReloadKey: "RELOAD_KEY",
common.ReloadKey: "RELOAD_KEY",
common.LdapGroupAdminDn: "LDAP_GROUP_ADMIN_DN",
}
// configurations need read from environment variables


@ -108,4 +108,5 @@ const (
DefaultNotaryEndpoint = "http://notary-server:4443"
LdapGroupType = 1
ReloadKey = "reload_key"
LdapGroupAdminDn = "ldap_group_admin_dn"
)
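Review bot: The new constant is named `LdapGroupAdminDn`, while the sibling LDAP group keys referenced in the test configuration use the uppercase-initialism form (`common.LDAPGroupBaseDN`, `common.LDAPGroupSearchScope`); the block already mixes both spellings (`LdapGroupType` above), but Go convention keeps initialisms uppercase. Since this identifier is now referenced from four files in this commit, it is cheapest to settle the name before merge, e.g. `LDAPGroupAdminDN = "ldap_group_admin_dn"`. The const block starts outside the hunk.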


@ -33,6 +33,7 @@ type LdapGroupConf struct {
LdapGroupFilter string `json:"ldap_group_filter,omitempty"`
LdapGroupNameAttribute string `json:"ldap_group_name_attribute,omitempty"`
LdapGroupSearchScope int `json:"ldap_group_search_scope"`
LdapGroupAdminDN string `json:"ldap_group_admin_dn,omitempty"`
}
// LdapUser ...


@ -27,6 +27,7 @@ import (
ldapUtils "github.com/vmware/harbor/src/common/utils/ldap"
"github.com/vmware/harbor/src/common/utils/log"
"github.com/vmware/harbor/src/ui/auth"
"github.com/vmware/harbor/src/ui/config"
)
// Auth implements AuthenticateHelper interface to authenticate against LDAP
@ -84,8 +85,17 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
return nil, auth.NewErrAuth(err.Error())
}
//Retrieve ldap related info in login to avoid too many traffic with LDAP server.
//Get group admin dn
groupCfg, err := config.LDAPGroupConf()
groupAdminDN := strings.TrimSpace(groupCfg.LdapGroupAdminDN)
//Attach user group
for _, groupDN := range ldapUsers[0].GroupDNList {
if len(groupAdminDN) > 0 && groupAdminDN == groupDN {
u.HasAdminRole = true
}
userGroupQuery := models.UserGroup{
GroupType: 1,
LdapGroupDN: groupDN,
@ -210,7 +220,8 @@ func (l *Auth) PostAuthenticate(u *models.User) error {
return nil
}
u.UserID = dbUser.UserID
u.HasAdminRole = dbUser.HasAdminRole
//If user has admin role already, do not overwrite by user info in DB.
u.HasAdminRole = u.HasAdminRole || dbUser.HasAdminRole
if dbUser.Email != u.Email {
Re := regexp.MustCompile(`^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,4}$`)
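Review bot: The error from `config.LDAPGroupConf()` on the `groupCfg, err :=` line is never checked before `groupCfg.LdapGroupAdminDN` is read on the next line, so a config-load failure either panics on a nil `groupCfg` or, depending on what the helper returns alongside the error, silently disables the admin mapping; a privilege decision should fail closed explicitly, and the change below leaves the login path intact but guarantees no admin grant when the config cannot be read. The comparison `groupAdminDN == groupDN` is also byte-exact, while DNs returned by the directory can differ from the configured string in case or in spacing around RDN separators; that only withholds admin rather than granting it, but it deserves a comment next to the setting and ideally a normalised comparison. Separately, `u.HasAdminRole || dbUser.HasAdminRole` in PostAuthenticate makes the flag sticky: a user removed from the admin group keeps admin as long as the DB row says so, and whether the LDAP-derived flag is ever persisted is not visible here. Both Authenticate and PostAuthenticate start and end outside the hunk.
```go
	//Get group admin dn; a failure to load the group config must never be able to grant admin,
	//so on error we log and proceed with no admin DN (fail closed for the privilege).
	groupAdminDN := ""
	if groupCfg, cfgErr := config.LDAPGroupConf(); cfgErr != nil {
		log.Errorf("failed to load LDAP group config, admin group mapping disabled: %v", cfgErr)
	} else if groupCfg != nil {
		// NOTE(review): exact string match; DNs from the server may differ in case/spacing — confirm
		groupAdminDN = strings.TrimSpace(groupCfg.LdapGroupAdminDN)
	}
	// … unchanged: group attach loop …
```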


@ -69,6 +69,7 @@ var adminServerLdapTestConfig = map[string]interface{}{
common.LDAPGroupBaseDN: "dc=example,dc=com",
common.LDAPGroupAttributeName: "cn",
common.LDAPGroupSearchScope: 2,
common.LdapGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com",
}
func TestMain(m *testing.M) {
@ -181,6 +182,38 @@ func TestSearchUser(t *testing.T) {
t.Errorf("Search user failed %v", user)
}
}
func TestAuthenticateWithAdmin(t *testing.T) {
var person models.AuthModel
var authHelper *Auth
person.Principal = "mike"
person.Password = "zhu88jie"
user, err := authHelper.Authenticate(person)
if err != nil {
t.Errorf("unexpected ldap authenticate fail: %v", err)
}
if user.Username != "mike" {
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
}
if !user.HasAdminRole {
t.Errorf("ldap user mike should have admin role!")
}
}
func TestAuthenticateWithoutAdmin(t *testing.T) {
var person models.AuthModel
var authHelper *Auth
person.Principal = "user001"
person.Password = "zhu88jie"
user, err := authHelper.Authenticate(person)
if err != nil {
t.Errorf("unexpected ldap authenticate fail: %v", err)
}
if user.Username != "user001" {
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
}
if user.HasAdminRole {
t.Errorf("ldap user user001 should not have admin role!")
}
}
func TestSearchUser_02(t *testing.T) {
var username = "nonexist"
var auth *Auth


@ -249,6 +249,9 @@ func LDAPGroupConf() (*models.LdapGroupConf, error) {
ldapGroupConf.LdapGroupSearchScope = int(scopeFloat)
}
}
if _, ok := cfg[common.LdapGroupAdminDn]; ok {
ldapGroupConf.LdapGroupAdminDN = cfg[common.LdapGroupAdminDn].(string)
}
return ldapGroupConf, nil
}
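Review bot: The type assertion `cfg[common.LdapGroupAdminDn].(string)` on the second added line is unchecked, so a non-string value under that key panics the caller instead of leaving the field empty; how `cfg` is populated is not visible here, but if it is decoded from JSON a null would arrive as a nil interface and trip exactly this path. Use the two-value form so a bad value degrades to "no admin group" rather than a crash: `if v, ok := cfg[common.LdapGroupAdminDn].(string); ok { ldapGroupConf.LdapGroupAdminDN = v }`. The hunk shows only the tail of LDAPGroupConf; the function starts outside it.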