mirror of
https://github.com/harness/drone.git
synced 2025-05-06 20:00:34 +08:00
31ec4d1069
* [AH-231]: Updated PR comments and some artifact/image issues * [AH-231]: Cleanup extra table * [AH-231]: Updated versions * [AH-231]: Lint fixed * [AH-231]: Merge commit * [AH-231]: Updated logic to get child manifests * [AH-231]: Updated sleep time * [AH-231]: Completed implementation of manifest lists * [AH-231]: Updated manifest list flows * [AH-231]: Temp changes * [AH-231]: Wiring fixed * [AH-231]: Initial commit; minor fixes * [AH-307]: Updated lint * fix comment * add new method to spacestore * feat: [AH-307]: fix after rebase with main * [AH-307]: Removing comments * [AH-307]: linting fixes * feat: [AH-286]: define proto, interface and no-op reporter implementation to publish artifact events (#2657) * feat: [AH-286]: publish artifact event - no row found is not error * feat: [AH-286]: publish artifact event - no row found is not error * feat: [AH-286]: publish artifact event - lint errors, move publishing event outside DB transaction * feat: [AH-286]: publish artifact event - review comments * feat: [AH-286]: publish artifact event - address review comments * feat: [AH-286]: publish artifact event - keep payload generic * feat: [AH-286]: publish artifact event - as sqlite locks DB, perform db operation outside goroutine publishing of events * feat: [AH-286]: publish artifact event - make publishing event async * feat: [AH-286]: publish artifact event - use api types * feat: [AH-286]: Publish event for SSCA to trigger scans - no need to export spacePathStore * feat: [AH-286]: Publish event for SSCA to trigger scans - send spacePath instead of parentID * feat: [AH-286]: Publish event for SSCA to trigger scans - rename scanner as generic reporter * feat: [AH-286]: Publish event for SSCA to trigger scans - rename scanner as generic reporter * feat: [AH-286]: publish artifact event - reuse redis.Send() * feat: [AH-286]: Publish event for SSCA to trigger scans - review comments * feat: [AH-286]: Publish event for SSCA to trigger scans - remove unused interface * feat: [AH-286]: Publish event for SSCA to trigger scans - update msg format * feat: [AH-286]: define proto, interface and no-op reporter implementation to publish artifact events * feat: [AH-286]: Publish event for SSCA to trigger scans - extract acctID/orgID/projectID from spacepathStore * feat: [AH-286]: publish artifact event - remove protobuf reference, fix lint errors * feat: [AH-286]: publish artifact event - fix msg format * feat: [AH-286]: define proto, interface and no-op reporter implementation to publish artifact events * feat: [AH-286]: define proto, interface and no-op reporter implementation to publish artifact events * feat: [AH-321]: make repo form disabled for rbac (#2687) * feat: [AH-321]: make repo form disabled for rbac * fix wire-gen * GC refactoring * feat: [AH-340]: update UI as per the product feedbacks (#2685) * feat: [AH-340]: update UI as per the product feedbacks * feat: [AH-44]: add module data while redirecting to pipeline execution page * feat: [AH-44]: add build pipeline details in overview cards * feat: [AH-44]: update view for prod and non prod tag * feat: [AH-44]: rearrange filters on artifact list apge * feat: [AH-10]: add schema for overview cards, update artifact list, add ai search input, update api for registry artifact list and update mapping for deployments table * feat: [AH-307]: add secretSpacePath in upstream password field while sending to BE (#2631) * feat: [AH-307]: add secretSpacePath in upstream password field while sending to BE * feat: [AH-299]: support new changes for artifact list page (#2630) * feat: update har service api version * feat: [AH-30]: integrate API schema for deployments list content * feat: [AH-300]: update tag colors for prod and non prod tags * feat: [AH-300]: Add Deployments table in artiface version details page * feat: [AH-299]: support new changes for artifact list page * feat: [AH-299]: support new changes for artifact list page * feat: [AH-321]: support artifact registry rbac permission on UI (#2671) * feat: [AH-321]: support artifact registry rbac permission on UI * enable rbac (#2664) * fix scope * enable rbac * feat: [AH-307]: hide code tab from version details page for both docker and helm * feat: [AH-240]: add custom handling for enterprise auth type field * Merge branch 'AH-307-plus-url-support-2_no_rbac' of https://git0.harness.io/l7B_kbSEQD2wjrM7PShm5w/PROD/Harness_Commons/gitness into AH-307-plus-url-support-2_no_rbac * feat: [AH-307]: send space_ref in query param while creating registries * lowercase rootRef * [AH-307]: updated route * [AH-307]: Added logs * [AH-307]: Added logs * feat: [AH-317]: add space_ref query param * local * Merge commit * Merge commit * Merge commit * Added comments * Revert changes * Merge commit * Merge branch 'main' of https://git0.harness.io/l7B_kbSEQD2wjrM7PShm5w/PROD/Harness_Commons/gitness into AH-307-plus-url-support-2 * Merge branch 'AH-306d' of https://git0.harness.io/l7B_kbSEQD2wjrM7PShm5w/PROD/Harness_Commons/gitness into AH-307-plus-url-support-2 * fix space path handling * Merge branch 'main' of https://git0.harness.io/l7B_kbSEQD2wjrM7PShm5w/PROD/Harness_Commons/gitness into AH-307-plus-url-support-2 * Updated URLs to support slashes with + separator * fix: [AH-306c]: fix anonymous flow * fix: [AH-306c]: fix anonymous flow * feat: [AH-307]: plus url support on UI (cherry picked from commit 3fb6add3ce03498b6668b5f8f6d547e1acedaec4) * [AH-307]: Added examples (cherry picked from commit e83e41303da536f421be333be04aed09fbf75f5f) * [AH-307]: Added Regex request rewrite support (cherry picked from commit ed7b155256bdcd1134bc228b5705556a1233add6) * fix: [AH-306c]: fix anonymous flow
405 lines
13 KiB
Go
405 lines
13 KiB
Go
// Copyright 2023 Harness, Inc.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package metadata
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
apiauth "github.com/harness/gitness/app/api/auth"
|
|
"github.com/harness/gitness/app/api/request"
|
|
"github.com/harness/gitness/app/auth"
|
|
"github.com/harness/gitness/audit"
|
|
"github.com/harness/gitness/registry/app/api/openapi/contracts/artifact"
|
|
"github.com/harness/gitness/registry/types"
|
|
types2 "github.com/harness/gitness/types"
|
|
gitnessenum "github.com/harness/gitness/types/enum"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
func (c *APIController) ModifyRegistry(
|
|
ctx context.Context,
|
|
r artifact.ModifyRegistryRequestObject,
|
|
) (artifact.ModifyRegistryResponseObject, error) {
|
|
regInfo, err := c.GetRegistryRequestBaseInfo(ctx, "", string(r.RegistryRef))
|
|
if err != nil {
|
|
return artifact.ModifyRegistry400JSONResponse{
|
|
BadRequestJSONResponse: artifact.BadRequestJSONResponse(
|
|
*GetErrorResponse(http.StatusBadRequest, err.Error()),
|
|
),
|
|
}, err
|
|
}
|
|
space, err := c.SpaceStore.FindByRef(ctx, regInfo.ParentRef)
|
|
if err != nil {
|
|
return artifact.ModifyRegistry400JSONResponse{
|
|
BadRequestJSONResponse: artifact.BadRequestJSONResponse(
|
|
*GetErrorResponse(http.StatusBadRequest, err.Error()),
|
|
),
|
|
}, err
|
|
}
|
|
|
|
session, _ := request.AuthSessionFrom(ctx)
|
|
permissionChecks := GetPermissionChecks(space, regInfo.RegistryIdentifier, gitnessenum.PermissionRegistryEdit)
|
|
if err = apiauth.CheckRegistry(
|
|
ctx,
|
|
c.Authorizer,
|
|
session,
|
|
permissionChecks...,
|
|
); err != nil {
|
|
return artifact.ModifyRegistry403JSONResponse{
|
|
UnauthorizedJSONResponse: artifact.UnauthorizedJSONResponse(
|
|
*GetErrorResponse(http.StatusForbidden, err.Error()),
|
|
),
|
|
}, err
|
|
}
|
|
|
|
repoEntity, err := c.RegistryRepository.GetByParentIDAndName(ctx, regInfo.parentID, regInfo.RegistryIdentifier)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
|
|
if string(repoEntity.Type) == string(artifact.RegistryTypeVIRTUAL) {
|
|
return c.updateVirtualRegistry(ctx, r, repoEntity, err, regInfo, session)
|
|
}
|
|
upstreamproxyEntity, err := c.UpstreamProxyStore.GetByRegistryIdentifier(
|
|
ctx, regInfo.parentID,
|
|
regInfo.RegistryIdentifier,
|
|
)
|
|
if len(upstreamproxyEntity.RepoKey) == 0 {
|
|
return artifact.ModifyRegistry404JSONResponse{
|
|
NotFoundJSONResponse: artifact.NotFoundJSONResponse(
|
|
*GetErrorResponse(http.StatusNotFound, "registry doesn't exist with this key"),
|
|
),
|
|
}, nil
|
|
}
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
registry, upstreamproxy, err := c.UpdateUpstreamProxyEntity(
|
|
ctx,
|
|
artifact.RegistryRequest(*r.Body),
|
|
regInfo.parentID, regInfo.rootIdentifierID, upstreamproxyEntity,
|
|
)
|
|
registry.ID = repoEntity.ID
|
|
upstreamproxy.ID = upstreamproxyEntity.ID
|
|
upstreamproxy.RegistryID = repoEntity.ID
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
err = c.tx.WithTx(
|
|
ctx, func(ctx context.Context) error {
|
|
err = c.updateRegistryWithAudit(ctx, repoEntity, registry, session.Principal, regInfo.ParentRef)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to update registry: %w", err)
|
|
}
|
|
|
|
err = c.updateUpstreamProxyWithAudit(
|
|
ctx, upstreamproxy, session.Principal, regInfo.ParentRef, registry.Name,
|
|
)
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("failed to update upstream proxy: %w", err)
|
|
}
|
|
return nil
|
|
},
|
|
)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
modifiedRepoEntity, err := c.UpstreamProxyStore.Get(ctx, upstreamproxyEntity.RegistryID)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
return artifact.ModifyRegistry200JSONResponse{
|
|
RegistryResponseJSONResponse: *CreateUpstreamProxyResponseJSONResponse(modifiedRepoEntity),
|
|
}, nil
|
|
}
|
|
|
|
func (c *APIController) updateVirtualRegistry(
|
|
ctx context.Context, r artifact.ModifyRegistryRequestObject, repoEntity *types.Registry, err error,
|
|
regInfo *RegistryRequestBaseInfo, session *auth.Session,
|
|
) (artifact.ModifyRegistryResponseObject, error) {
|
|
if len(repoEntity.Name) == 0 {
|
|
return artifact.ModifyRegistry404JSONResponse{
|
|
NotFoundJSONResponse: artifact.NotFoundJSONResponse(
|
|
*GetErrorResponse(http.StatusNotFound, "registry doesn't exist with this key"),
|
|
),
|
|
}, nil
|
|
}
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), err
|
|
}
|
|
registry, err := UpdateRepoEntity(
|
|
artifact.RegistryRequest(*r.Body),
|
|
repoEntity.ParentID,
|
|
repoEntity.RootParentID,
|
|
repoEntity,
|
|
)
|
|
if err != nil {
|
|
return artifact.ModifyRegistry400JSONResponse{
|
|
BadRequestJSONResponse: artifact.BadRequestJSONResponse(
|
|
*GetErrorResponse(http.StatusInternalServerError, err.Error()),
|
|
),
|
|
}, nil
|
|
}
|
|
err = c.setUpstreamProxyIDs(ctx, registry, artifact.RegistryRequest(*r.Body), regInfo.parentID)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), nil
|
|
}
|
|
err = c.updateRegistryWithAudit(ctx, repoEntity, registry, session.Principal, regInfo.ParentRef)
|
|
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), nil
|
|
}
|
|
err = c.updateCleanupPolicy(ctx, r.Body, registry.ID)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), nil
|
|
}
|
|
modifiedRepoEntity, err := c.RegistryRepository.Get(ctx, registry.ID)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), nil
|
|
}
|
|
cleanupPolicies, err := c.CleanupPolicyStore.GetByRegistryID(ctx, repoEntity.ID)
|
|
if err != nil {
|
|
return throwModifyRegistry500Error(err), nil
|
|
}
|
|
return artifact.ModifyRegistry200JSONResponse{
|
|
RegistryResponseJSONResponse: *CreateVirtualRepositoryResponse(
|
|
modifiedRepoEntity,
|
|
c.getUpstreamProxyKeys(ctx, modifiedRepoEntity.UpstreamProxies), cleanupPolicies,
|
|
regInfo.RootIdentifier, c.URLProvider.RegistryURL(),
|
|
),
|
|
}, nil
|
|
}
|
|
|
|
func (c *APIController) updateUpstreamProxyWithAudit(
|
|
ctx context.Context, upstreamProxy *types.UpstreamProxyConfig,
|
|
principal types2.Principal, parentRef string, registryName string,
|
|
) error {
|
|
existingUpstreamProxy, err := c.UpstreamProxyStore.Get(ctx, upstreamProxy.RegistryID)
|
|
if err != nil {
|
|
log.Ctx(ctx).Warn().Msgf(
|
|
"failed to fig upstream proxy config for: %d",
|
|
upstreamProxy.RegistryID,
|
|
)
|
|
}
|
|
|
|
err = c.UpstreamProxyStore.Update(ctx, upstreamProxy)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if existingUpstreamProxy != nil {
|
|
auditErr := c.AuditService.Log(
|
|
ctx,
|
|
principal,
|
|
audit.NewResource(audit.ResourceTypeRegistryUpstreamProxy, registryName),
|
|
audit.ActionUpdated,
|
|
parentRef,
|
|
audit.WithOldObject(
|
|
audit.RegistryUpstreamProxyConfigObject{
|
|
ID: existingUpstreamProxy.ID,
|
|
RegistryID: existingUpstreamProxy.RegistryID,
|
|
Source: existingUpstreamProxy.Source,
|
|
URL: existingUpstreamProxy.RepoURL,
|
|
AuthType: existingUpstreamProxy.RepoAuthType,
|
|
CreatedAt: existingUpstreamProxy.CreatedAt,
|
|
UpdatedAt: existingUpstreamProxy.UpdatedAt,
|
|
CreatedBy: existingUpstreamProxy.CreatedBy,
|
|
UpdatedBy: existingUpstreamProxy.UpdatedBy,
|
|
},
|
|
),
|
|
audit.WithNewObject(
|
|
audit.RegistryUpstreamProxyConfigObject{
|
|
ID: upstreamProxy.ID,
|
|
RegistryID: upstreamProxy.RegistryID,
|
|
Source: upstreamProxy.Source,
|
|
URL: upstreamProxy.URL,
|
|
AuthType: upstreamProxy.AuthType,
|
|
CreatedAt: upstreamProxy.CreatedAt,
|
|
UpdatedAt: upstreamProxy.UpdatedAt,
|
|
CreatedBy: upstreamProxy.CreatedBy,
|
|
UpdatedBy: upstreamProxy.UpdatedBy,
|
|
},
|
|
),
|
|
)
|
|
if auditErr != nil {
|
|
log.Ctx(ctx).Warn().Msgf(
|
|
"failed to insert audit log for update upstream proxy "+
|
|
"config operation: %s", auditErr,
|
|
)
|
|
}
|
|
}
|
|
return err
|
|
}
|
|
|
|
func (c *APIController) updateRegistryWithAudit(
|
|
ctx context.Context, oldRegistry *types.Registry,
|
|
newRegistry *types.Registry, principal types2.Principal, parentRef string,
|
|
) error {
|
|
err := c.RegistryRepository.Update(ctx, newRegistry)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
auditErr := c.AuditService.Log(
|
|
ctx,
|
|
principal,
|
|
audit.NewResource(audit.ResourceTypeRegistry, newRegistry.Name),
|
|
audit.ActionUpdated,
|
|
parentRef,
|
|
audit.WithOldObject(newRegistry),
|
|
audit.WithNewObject(oldRegistry),
|
|
)
|
|
if auditErr != nil {
|
|
log.Ctx(ctx).Warn().Msgf("failed to insert audit log for update registry operation: %s", auditErr)
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
func throwModifyRegistry500Error(err error) artifact.ModifyRegistry500JSONResponse {
|
|
return artifact.ModifyRegistry500JSONResponse{
|
|
InternalServerErrorJSONResponse: artifact.InternalServerErrorJSONResponse(
|
|
*GetErrorResponse(http.StatusInternalServerError, err.Error()),
|
|
),
|
|
}
|
|
}
|
|
|
|
func (c *APIController) updateCleanupPolicy(
|
|
ctx context.Context, config *artifact.ModifyRegistryJSONRequestBody, registryID int64,
|
|
) error {
|
|
existingCleanupPolicies, err := c.CleanupPolicyStore.GetIDsByRegistryID(ctx, registryID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
currentCleanupPolicyEntities := CreateCleanupPolicyEntity(config, registryID)
|
|
|
|
err = c.CleanupPolicyStore.ModifyCleanupPolicies(ctx, currentCleanupPolicyEntities, existingCleanupPolicies)
|
|
|
|
return err
|
|
}
|
|
|
|
func UpdateRepoEntity(
|
|
dto artifact.RegistryRequest,
|
|
parentID int64,
|
|
rootParentID int64,
|
|
existingRepo *types.Registry,
|
|
) (*types.Registry, error) {
|
|
allowedPattern, blockedPattern, description, labels := getRepoEntityFields(dto)
|
|
e := ValidatePackageTypeChange(string(existingRepo.PackageType), string(dto.PackageType))
|
|
if e != nil {
|
|
return nil, e
|
|
}
|
|
e = ValidateRepoTypeChange(string(existingRepo.Type), string(dto.Config.Type))
|
|
if e != nil {
|
|
return nil, e
|
|
}
|
|
e = ValidateIdentifierChange(existingRepo.Name, dto.Identifier)
|
|
if e != nil {
|
|
return nil, e
|
|
}
|
|
entity := &types.Registry{
|
|
Name: dto.Identifier,
|
|
ID: existingRepo.ID,
|
|
ParentID: parentID,
|
|
RootParentID: rootParentID,
|
|
Description: description,
|
|
AllowedPattern: allowedPattern,
|
|
BlockedPattern: blockedPattern,
|
|
PackageType: existingRepo.PackageType,
|
|
Type: existingRepo.Type,
|
|
Labels: labels,
|
|
CreatedAt: existingRepo.CreatedAt,
|
|
}
|
|
return entity, nil
|
|
}
|
|
|
|
func (c *APIController) UpdateUpstreamProxyEntity(
|
|
ctx context.Context, dto artifact.RegistryRequest, parentID int64, rootParentID int64, u *types.UpstreamProxy,
|
|
) (*types.Registry, *types.UpstreamProxyConfig, error) {
|
|
allowedPattern := []string{}
|
|
if dto.AllowedPattern != nil {
|
|
allowedPattern = *dto.AllowedPattern
|
|
}
|
|
blockedPattern := []string{}
|
|
if dto.BlockedPattern != nil {
|
|
blockedPattern = *dto.BlockedPattern
|
|
}
|
|
e := ValidatePackageTypeChange(string(u.PackageType), string(dto.PackageType))
|
|
if e != nil {
|
|
return nil, nil, e
|
|
}
|
|
e = ValidateIdentifierChange(u.RepoKey, dto.Identifier)
|
|
if e != nil {
|
|
return nil, nil, e
|
|
}
|
|
repoEntity := &types.Registry{
|
|
ID: u.RegistryID,
|
|
Name: dto.Identifier,
|
|
ParentID: parentID,
|
|
RootParentID: rootParentID,
|
|
AllowedPattern: allowedPattern,
|
|
BlockedPattern: blockedPattern,
|
|
PackageType: dto.PackageType,
|
|
Type: artifact.RegistryTypeUPSTREAM,
|
|
CreatedAt: u.CreatedAt,
|
|
}
|
|
config, _ := dto.Config.AsUpstreamConfig()
|
|
CleanURLPath(config.Url)
|
|
upstreamProxyConfigEntity := &types.UpstreamProxyConfig{
|
|
URL: *config.Url,
|
|
AuthType: string(config.AuthType),
|
|
RegistryID: u.RegistryID,
|
|
CreatedAt: u.CreatedAt,
|
|
}
|
|
if config.Source != nil && len(string(*config.Source)) > 0 {
|
|
err := ValidateUpstreamSource(string(*config.Source))
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
upstreamProxyConfigEntity.Source = string(*config.Source)
|
|
}
|
|
if string(artifact.UpstreamConfigSourceDockerhub) == string(*config.Source) {
|
|
upstreamProxyConfigEntity.URL = ""
|
|
}
|
|
if u.ID != -1 {
|
|
upstreamProxyConfigEntity.ID = u.ID
|
|
}
|
|
if config.AuthType == artifact.AuthTypeUserPassword {
|
|
res, err := config.Auth.AsUserPassword()
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
upstreamProxyConfigEntity.UserName = res.UserName
|
|
if res.SecretIdentifier == nil {
|
|
return nil, nil, fmt.Errorf("failed to create upstream proxy: secret_identifier missing")
|
|
}
|
|
|
|
upstreamProxyConfigEntity.SecretSpaceID, err = c.getSecretID(ctx, res.SecretSpaceId, res.SecretSpacePath)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
upstreamProxyConfigEntity.SecretSpaceID = *res.SecretSpaceId
|
|
upstreamProxyConfigEntity.SecretIdentifier = *res.SecretIdentifier
|
|
} else {
|
|
upstreamProxyConfigEntity.UserName = ""
|
|
upstreamProxyConfigEntity.SecretIdentifier = ""
|
|
upstreamProxyConfigEntity.SecretSpaceID = 0
|
|
}
|
|
return repoEntity, upstreamProxyConfigEntity, nil
|
|
}
|