Move certificate verification to target level

The certificate verification is on system level before this commit. Moving it
to target level makes the configuration more flexible for different targets.

docs/swagger.yaml

@@ -2339,6 +2339,9 @@ definitions:
         type: integer
         format: int
         description: Reserved field.
+      insecure:
+        type: boolean
+        description: Whether or not the certificate will be verified when Harbor tries to access the server.
       creation_time:
         type: string
         description: The create time of the policy.
@@ -2360,6 +2363,9 @@ definitions:
       password:
         type: string
         description: The target server password.
+      insecure:
+        type: boolean
+        description: Whether or not the certificate will be verified when Harbor tries to access the server.
   PingTarget:
     type: object
     properties:
@@ -2372,6 +2378,9 @@ definitions:
       password:
         type: string
         description: The target server password.
+      insecure:
+        type: boolean
+        description: Whether or not the certificate will be verified when Harbor tries to access the server.
   PutTarget:
     type: object
     properties:
@@ -2387,6 +2396,9 @@ definitions:
       password:
         type: string
         description: The target server password.
+      insecure:
+        type: boolean
+        description: Whether or not the certificate will be verified when Harbor tries to access the server.
   HasAdminRole:
     type: object
     properties:

make/common/db/registry.sql

@@ -163,6 +163,7 @@ create table replication_target (
  1 means it's a regulart registry
  */
  target_type tinyint(1) NOT NULL DEFAULT 0,
+ insecure tinyint(1) NOT NULL DEFAULT 0,
  creation_time timestamp default CURRENT_TIMESTAMP,
  update_time timestamp default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY (id)

make/common/db/registry_sqlite.sql

@@ -158,6 +158,7 @@ create table replication_target (
  1 means it's a regulart registry
  */
  target_type tinyint(1) NOT NULL DEFAULT 0,
+ insecure tinyint(1) NOT NULL DEFAULT 0,
  creation_time timestamp default CURRENT_TIMESTAMP,
  update_time timestamp default CURRENT_TIMESTAMP
  );

make/common/templates/adminserver/env

@@ -27,7 +27,6 @@ EMAIL_FROM=$email_from
 EMAIL_IDENTITY=$email_identity
 HARBOR_ADMIN_PASSWORD=$harbor_admin_password
 PROJECT_CREATION_RESTRICTION=$project_creation_restriction
-VERIFY_REMOTE_CERT=$verify_remote_cert
 MAX_JOB_WORKERS=$max_job_workers
 UI_SECRET=$ui_secret
 JOBSERVICE_SECRET=$jobservice_secret

make/prepare

@@ -149,7 +149,6 @@ if protocol == "https":
 customize_crt = rcp.get("configuration", "customize_crt")
 max_job_workers = rcp.get("configuration", "max_job_workers")
 token_expiration = rcp.get("configuration", "token_expiration")
-verify_remote_cert = rcp.get("configuration", "verify_remote_cert")
 proj_cre_restriction = rcp.get("configuration", "project_creation_restriction")
 secretkey_path = rcp.get("configuration", "secretkey_path")
 if rcp.has_option("configuration", "admiral_url"):
@@ -239,7 +238,6 @@ render(os.path.join(templates_dir, "adminserver", "env"),
         email_identity=email_identity,
         harbor_admin_password=harbor_admin_password,
         project_creation_restriction=proj_cre_restriction,
-        verify_remote_cert=verify_remote_cert,
         max_job_workers=max_job_workers,
         ui_secret=ui_secret,
         jobservice_secret=jobservice_secret,

src/adminserver/systemcfg/systemcfg.go

@@ -111,10 +111,6 @@ var (
 			env:   "MAX_JOB_WORKERS",
 			parse: parseStringToInt,
 		},
-		common.VerifyRemoteCert: &parser{
-			env:   "VERIFY_REMOTE_CERT",
-			parse: parseStringToBool,
-		},
 		common.ProjectCreationRestriction: "PROJECT_CREATION_RESTRICTION",
 		common.AdminInitialPassword:       "HARBOR_ADMIN_PASSWORD",
 		common.AdmiralEndpoint:            "ADMIRAL_URL",

src/common/const.go

@@ -57,7 +57,6 @@ const (
 	EmailIdentity              = "email_identity"
 	EmailInsecure              = "email_insecure"
 	ProjectCreationRestriction = "project_creation_restriction"
-	VerifyRemoteCert           = "verify_remote_cert"
 	MaxJobWorkers              = "max_job_workers"
 	TokenExpiration            = "token_expiration"
 	CfgExpiration              = "cfg_expiration"

src/common/dao/replication_job.go

@@ -76,7 +76,7 @@ func DeleteRepTarget(id int64) error {
 func UpdateRepTarget(target models.RepTarget) error {
 	o := GetOrmer()
 	target.UpdateTime = time.Now()
-	_, err := o.Update(&target, "URL", "Name", "Username", "Password", "UpdateTime")
+	_, err := o.Update(&target, "URL", "Name", "Username", "Password", "Insecure", "UpdateTime")
 	return err
 }
 

src/common/models/replication_job.go

@@ -105,6 +105,7 @@ type RepTarget struct {
 	Username     string    `orm:"column(username)" json:"username"`
 	Password     string    `orm:"column(password)" json:"password"`
 	Type         int       `orm:"column(target_type)" json:"type"`
+	Insecure     bool      `orm:"column(insecure)" json:"insecure"`
 	CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
 	UpdateTime   time.Time `orm:"column(update_time);auto_now" json:"update_time"`
 }

src/common/utils/test/adminserver.go

@@ -53,7 +53,6 @@ var adminServerDefaultConfig = map[string]interface{}{
 	common.EmailInsecure:              false,
 	common.EmailIdentity:              "",
 	common.ProjectCreationRestriction: common.ProCrtRestrAdmOnly,
-	common.VerifyRemoteCert:           false,
 	common.MaxJobWorkers:              3,
 	common.TokenExpiration:            30,
 	common.CfgExpiration:              5,

src/jobservice/config/config.go

@@ -74,15 +74,6 @@ func initKeyProvider() {
 	keyProvider = comcfg.NewFileKeyProvider(path)
 }
 
-// VerifyRemoteCert returns bool value.
-func VerifyRemoteCert() (bool, error) {
-	cfg, err := mg.Get()
-	if err != nil {
-		return true, err
-	}
-	return cfg[common.VerifyRemoteCert].(bool), nil
-}
-
 // Database ...
 func Database() (*models.Database, error) {
 	cfg, err := mg.Get()

src/jobservice/config/config_test.go

@@ -49,10 +49,6 @@ func TestConfig(t *testing.T) {
 		t.Fatalf("failed to initialize configurations: %v", err)
 	}
 
-	if _, err := VerifyRemoteCert(); err != nil {
-		t.Fatalf("failed to get verify remote cert: %v", err)
-	}
-
 	if _, err := Database(); err != nil {
 		t.Fatalf("failed to get database settings: %v", err)
 	}

src/jobservice/job/job_test.go

@@ -106,7 +106,7 @@ func TestRepJob(t *testing.T) {
 	j, err := dao.GetRepJob(repJobID)
 	assert.Equal(models.JobRetrying, j.Status)
 	assert.Equal(1, rj.parm.Enabled)
-	assert.True(rj.parm.Insecure)
+	assert.False(rj.parm.Insecure)
 	rj2 := NewRepJob(99999)
 	err = rj2.Init()
 	assert.NotNil(err)

src/jobservice/job/jobs.go

@@ -120,17 +120,12 @@ func (rj *RepJob) Init() error {
 	if err != nil {
 		return err
 	}
-	verify, err := config.VerifyRemoteCert()
-	if err != nil {
-		return err
-	}
 	rj.parm = &RepJobParm{
 		LocalRegURL: regURL,
 		Repository:  job.Repository,
 		Tags:        job.TagList,
 		Enabled:     policy.Enabled,
 		Operation:   job.Operation,
-		Insecure:    !verify,
 	}
 	if policy.Enabled == 0 {
 		//worker will cancel this job
@@ -159,6 +154,7 @@ func (rj *RepJob) Init() error {
 	}
 
 	rj.parm.TargetPassword = pwd
+	rj.parm.Insecure = target.Insecure
 	return nil
 }
 

src/ui/api/config.go

@@ -49,7 +49,6 @@ var (
 		common.EmailIdentity,
 		common.EmailInsecure,
 		common.ProjectCreationRestriction,
-		common.VerifyRemoteCert,
 		common.TokenExpiration,
 		common.ScanAllPolicy,
 	}
@@ -81,7 +80,6 @@ var (
 		common.EmailSSL,
 		common.EmailInsecure,
 		common.SelfRegistration,
-		common.VerifyRemoteCert,
 	}
 
 	passwordKeys = []string{

src/ui/api/config_test.go

@@ -61,7 +61,7 @@ func TestPutConfig(t *testing.T) {
 	apiTest := newHarborAPI()
 
 	cfg := map[string]interface{}{
-		common.VerifyRemoteCert: false,
+		common.TokenExpiration: 60,
 	}
 
 	code, err := apiTest.PutConfig(*admin, cfg)
@@ -104,13 +104,13 @@ func TestResetConfig(t *testing.T) {
 		return
 	}
 
-	value, ok := cfgs[common.VerifyRemoteCert]
+	value, ok := cfgs[common.TokenExpiration]
 	if !ok {
-		t.Errorf("%s not found", common.VerifyRemoteCert)
+		t.Errorf("%s not found", common.TokenExpiration)
 		return
 	}
 
-	assert.Equal(value.Value.(bool), true, "unexpected value")
+	assert.Equal(int(value.Value.(float64)), 30, "unexpected 30")
 
 	ccc, err := config.GetSystemCfg()
 	if err != nil {

src/ui/api/target.go

@@ -58,13 +58,8 @@ func (t *TargetAPI) Prepare() {
 	}
 }
 
-func (t *TargetAPI) ping(endpoint, username, password string) {
-	verify, err := config.VerifyRemoteCert()
-	if err != nil {
-		log.Errorf("failed to check whether insecure or not: %v", err)
-		t.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
-	}
-	registry, err := newRegistryClient(endpoint, !verify, username, password)
+func (t *TargetAPI) ping(endpoint, username, password string, insecure bool) {
+	registry, err := newRegistryClient(endpoint, insecure, username, password)
 	if err != nil {
 		// timeout, dns resolve error, connection refused, etc.
 		if urlErr, ok := err.(*url.Error); ok {
@@ -105,14 +100,15 @@ func (t *TargetAPI) PingByID() {
 	endpoint := target.URL
 	username := target.Username
 	password := target.Password
+	insecure := target.Insecure
 	if len(password) != 0 {
 		password, err = utils.ReversibleDecrypt(password, t.secretKey)
 		if err != nil {
 			log.Errorf("failed to decrypt password: %v", err)
 			t.CustomAbort(http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
 		}
 	}
-	t.ping(endpoint, username, password)
+	t.ping(endpoint, username, password, insecure)
 }
 
 // Ping validates whether the target is reachable and whether the credential is valid
@@ -121,14 +117,15 @@ func (t *TargetAPI) Ping() {
 		Endpoint string `json:"endpoint"`
 		Username string `json:"username"`
 		Password string `json:"password"`
+		Insecure bool   `json:"insecure"`
 	}{}
 	t.DecodeJSONReq(&req)
 
 	if len(req.Endpoint) == 0 {
 		t.CustomAbort(http.StatusBadRequest, "endpoint is required")
 	}
 
-	t.ping(req.Endpoint, req.Username, req.Password)
+	t.ping(req.Endpoint, req.Username, req.Password, req.Insecure)
 }
 
 // Get ...
@@ -255,6 +252,7 @@ func (t *TargetAPI) Put() {
 		Endpoint *string `json:"endpoint"`
 		Username *string `json:"username"`
 		Password *string `json:"password"`
+		Insecure *bool   `json:"insecure"`
 	}{}
 	t.DecodeJSONReq(&req)
 
@@ -273,6 +271,9 @@ func (t *TargetAPI) Put() {
 	if req.Password != nil {
 		target.Password = *req.Password
 	}
+	if req.Insecure != nil {
+		target.Insecure = *req.Insecure
+	}
 
 	t.Validate(target)
 

src/ui/config/config.go

@@ -276,15 +276,6 @@ func OnlyAdminCreateProject() (bool, error) {
 	return cfg[common.ProjectCreationRestriction].(string) == common.ProCrtRestrAdmOnly, nil
 }
 
-// VerifyRemoteCert returns bool value.
-func VerifyRemoteCert() (bool, error) {
-	cfg, err := mg.Get()
-	if err != nil {
-		return true, err
-	}
-	return cfg[common.VerifyRemoteCert].(bool), nil
-}
-
 // Email returns email server settings
 func Email() (*models.Email, error) {
 	cfg, err := mg.Get()

src/ui/config/config_test.go

@@ -108,10 +108,6 @@ func TestConfig(t *testing.T) {
 		t.Fatalf("failed to get onldy admin create project: %v", err)
 	}
 
-	if _, err := VerifyRemoteCert(); err != nil {
-		t.Fatalf("failed to get verify remote cert: %v", err)
-	}
-
 	if _, err := Email(); err != nil {
 		t.Fatalf("failed to get email settings: %v", err)
 	}

src/ui_ng/lib/src/create-edit-endpoint/create-edit-endpoint.component.html.ts

@@ -38,6 +38,10 @@ export const CREATE_EDIT_ENDPOINT_TEMPLATE: string = `
           <label for="destination_password" class="col-md-4 form-group-label-override">{{ 'DESTINATION.PASSWORD' | translate }}</label>
           <input type="password" class="col-md-8" id="destination_password" [disabled]="testOngoing" [readonly]="!editable" [(ngModel)]="target.password" size="20" name="password" #password="ngModel" (focus)="clearPassword($event)">
         </div>
+        <div class="form-group">
+          <label for="destination_insecure" class="col-md-4 form-group-label-override">{{'CONFIG.VERIFY_REMOTE_CERT' | translate }}</label>
+          <clr-checkbox #insecure  class="col-md-8" name="insecure" id="destination_insecure" [(ngModel)]="target.insecure"></clr-checkbox>
+        </div>
         <div class="form-group">
           <label for="spin" class="col-md-4"></label>
           <span class="col-md-8 spinner spinner-inline" [hidden]="!inProgress"></span>

src/ui_ng/lib/src/create-edit-endpoint/create-edit-endpoint.component.spec.ts

@@ -21,6 +21,7 @@ describe('CreateEditEndpointComponent (inline template)', () => {
     "name": "target_01",
     "username": "admin",
     "password": "",
+    "insecure": false,
     "type": 0
   };