Merge branch 'main' into selinux_comp_bind_to_vol

.gitignore

@@ -33,7 +33,7 @@ src/portal/typings/
 .vscode/
 **/node_modules
 **/ssl/
-**/proxy.config.json
+**/proxy.config.mjs
 
 src/portal/src/**/*.js
 src/portal/src/**/*.js.map

Makefile

@@ -325,7 +325,7 @@ gen_apis: lint_apis
 
 
 MOCKERY_IMAGENAME=$(IMAGENAMESPACE)/mockery
-MOCKERY_VERSION=v2.14.0
+MOCKERY_VERSION=v2.22.1
 MOCKERY=$(RUNCONTAINER) ${MOCKERY_IMAGENAME}:${MOCKERY_VERSION}
 MOCKERY_IMAGE_BUILD_CMD=${DOCKERBUILD} -f ${TOOLSPATH}/mockery/Dockerfile --build-arg GOLANG=${GOBUILDIMAGE} --build-arg MOCKERY_VERSION=${MOCKERY_VERSION} -t ${MOCKERY_IMAGENAME}:$(MOCKERY_VERSION) .
 

api/v2.0/swagger.yaml

@@ -2665,8 +2665,128 @@ paths:
           $ref: '#/responses/404'
         '500':
           $ref: '#/responses/500'
+  '/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions':
+    get:
+      summary: List executions for a specific webhook policy
+      description: |
+        This endpoint returns the executions of a specific webhook policy.
+      tags:
+        - webhook
+      operationId: ListExecutionsOfWebhookPolicy
+      parameters:
+        - $ref: '#/parameters/requestId'
+        - $ref: '#/parameters/isResourceName'
+        - $ref: '#/parameters/projectNameOrId'
+        - $ref: '#/parameters/webhookPolicyId'
+        - $ref: '#/parameters/page'
+        - $ref: '#/parameters/pageSize'
+        - $ref: '#/parameters/query'
+        - $ref: '#/parameters/sort'
+      responses:
+        '200':
+          description: List webhook executions success
+          headers:
+            X-Total-Count:
+              description: The total count of executions
+              type: integer
+            Link:
+              description: Link refers to the previous page and next page
+              type: string
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/Execution'
+        '400':
+          $ref: '#/responses/400'
+        '401':
+          $ref: '#/responses/401'
+        '404':
+          $ref: '#/responses/404'
+        '403':
+          $ref: '#/responses/403'
+        '500':
+          $ref: '#/responses/500'
+  '/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks':
+    get:
+      summary: List tasks for a specific webhook execution
+      description: |
+        This endpoint returns the tasks of a specific webhook execution.
+      tags:
+        - webhook
+      operationId: ListTasksOfWebhookExecution
+      parameters:
+        - $ref: '#/parameters/requestId'
+        - $ref: '#/parameters/isResourceName'
+        - $ref: '#/parameters/projectNameOrId'
+        - $ref: '#/parameters/webhookPolicyId'
+        - $ref: '#/parameters/executionId'
+        - $ref: '#/parameters/page'
+        - $ref: '#/parameters/pageSize'
+        - $ref: '#/parameters/query'
+        - $ref: '#/parameters/sort'
+      responses:
+        '200':
+          description: List tasks of webhook executions success
+          headers:
+            X-Total-Count:
+              description: The total count of tasks
+              type: integer
+            Link:
+              description: Link refers to the previous page and next page
+              type: string
+          schema:
+            type: array
+            items:
+              $ref: '#/definitions/Task'
+        '400':
+          $ref: '#/responses/400'
+        '401':
+          $ref: '#/responses/401'
+        '404':
+          $ref: '#/responses/404'
+        '403':
+          $ref: '#/responses/403'
+        '500':
+          $ref: '#/responses/500'
+  '/projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks/{task_id}/log':
+    get:
+      summary: Get logs for a specific webhook task
+      description: |
+        This endpoint returns the logs of a specific webhook task.
+      tags:
+        - webhook
+      operationId: GetLogsOfWebhookTask
+      produces:
+        - text/plain
+      parameters:
+        - $ref: '#/parameters/requestId'
+        - $ref: '#/parameters/isResourceName'
+        - $ref: '#/parameters/projectNameOrId'
+        - $ref: '#/parameters/webhookPolicyId'
+        - $ref: '#/parameters/executionId'
+        - $ref: '#/parameters/taskId'
+      responses:
+        '200':
+          description: Get log success
+          headers:
+            Content-Type:
+              description: Content type of response
+              type: string
+          schema:
+            type: string
+        '400':
+          $ref: '#/responses/400'
+        '401':
+          $ref: '#/responses/401'
+        '404':
+          $ref: '#/responses/404'
+        '403':
+          $ref: '#/responses/403'
+        '500':
+          $ref: '#/responses/500'
   '/projects/{project_name_or_id}/webhook/lasttrigger':
     get:
+      deprecated: true
       summary: Get project webhook policy last trigger info
       description: |
         This endpoint returns last trigger information of project webhook policy.
@@ -2694,6 +2814,7 @@ paths:
           $ref: '#/responses/500'
   '/projects/{project_name_or_id}/webhook/jobs':
     get:
+      deprecated: true
       summary: List project webhook jobs
       description: |
         This endpoint returns webhook jobs of a project.
@@ -2746,7 +2867,7 @@ paths:
   '/projects/{project_name_or_id}/webhook/events':
     get:
       summary: Get supported event types and notify types.
-      description: Get supportted event types and notify types.
+      description: Get supported event types and notify types.
       tags:
         - webhook
       operationId: GetSupportedEventTypes
@@ -4593,6 +4714,39 @@ paths:
           $ref: '#/responses/404'
         '500':
           $ref: '#/responses/500'
+  /jobservice/jobs/{job_id}/log:
+    get:
+      operationId: actionGetJobLog
+      summary: Get job log by job id
+      description: Get job log by job id, it is only used by administrator
+      produces:
+        - text/plain  
+      tags:
+        - jobservice
+      parameters:
+        - $ref: '#/parameters/requestId'
+        - name: job_id
+          in: path
+          required: true
+          type: string
+          description: The id of the job.
+      responses:
+        '200':
+          description: Get job log successfully.
+          headers:
+            Content-Type:
+              description: The content type of response body
+              type: string
+          schema:
+            type: string
+        '401':
+          $ref: '#/responses/401'
+        '403':
+          $ref: '#/responses/403'
+        '404':
+          $ref: '#/responses/404'
+        '500':
+          $ref: '#/responses/500'
   /jobservice/queues:
     get:
       operationId: listJobQueues
@@ -8343,7 +8497,7 @@ definitions:
         description: 'The group type, 1 for LDAP group, 2 for HTTP group, 3 for OIDC group.'
   SupportedWebhookEventTypes:
     type: object
-    description: Supportted webhook event types and notify types.
+    description: Supported webhook event types and notify types.
     properties:
       event_type:
         type: array
@@ -8353,14 +8507,33 @@ definitions:
         type: array
         items:
           $ref: '#/definitions/NotifyType'
+      payload_formats:
+        type: array
+        items:
+          $ref: '#/definitions/PayloadFormat'
   EventType:
     type: string
-    description: Webhook supportted event type.
-    example: 'pullImage'
+    description: Webhook supported event type.
+    example: 'PULL_ARTIFACT'
   NotifyType:
     type: string
-    description: Webhook supportted notify type.
+    description: Webhook supported notify type.
     example: 'http'
+  PayloadFormatType:
+    type: string
+    description: The type of webhook paylod format.
+    example: 'cloudevent'
+  PayloadFormat:
+    type: object
+    description: Webhook supported payload format type collections.
+    properties:
+      notify_type:
+        $ref: '#/definitions/NotifyType'
+      formats:
+        type: array
+        description: The supported payload formats for this notify type.
+        items:
+          $ref: '#/definitions/PayloadFormatType'
 
   WebhookTargetObject:
     type: object
@@ -8378,6 +8551,8 @@ definitions:
       skip_cert_verify:
         type: boolean
         description: Whether or not to skip cert verify.
+      payload_format:
+        $ref: '#/definitions/PayloadFormatType'
   WebhookPolicy:
     type: object
     description: The webhook policy object
@@ -9207,10 +9382,9 @@ definitions:
         format: int64
         description: The artifact id of the accessory
         x-omitempty: false
-      subject_artifact_id:
-        type: integer
-        format: int64
-        description: The subject artifact id of the accessory
+      subject_artifact_digest:
+        type: string
+        description: The subject artifact digest of the accessory
         x-omitempty: false
       size:
         type: integer

make/migrations/postgresql/0110_2.8.0_schema.up.sql

@@ -1,2 +1,82 @@
 /* remove the redundant data from table artifact_blob */
-delete from artifact_blob afb where not exists (select digest from blob b where b.digest = afb.digest_af);
+delete from artifact_blob afb where not exists (select digest from blob b where b.digest = afb.digest_af);
+
+/* replace subject_artifact_id with subject_artifact_digest*/
+alter table artifact_accessory add column subject_artifact_digest varchar(1024);
+
+DO $$
+DECLARE
+    acc RECORD;
+    art RECORD;
+BEGIN
+    FOR acc IN SELECT * FROM artifact_accessory
+    LOOP
+        SELECT * INTO art from artifact where id = acc.subject_artifact_id;
+        UPDATE artifact_accessory SET subject_artifact_digest=art.digest WHERE subject_artifact_id = art.id;
+    END LOOP;
+END $$;
+
+alter table artifact_accessory drop CONSTRAINT artifact_accessory_subject_artifact_id_fkey;
+alter table artifact_accessory drop CONSTRAINT unique_artifact_accessory;
+alter table artifact_accessory add CONSTRAINT unique_artifact_accessory UNIQUE (artifact_id, subject_artifact_digest);
+alter table artifact_accessory drop column subject_artifact_id;
+
+/* Update the registry and replication policy associated with the chartmuseum */
+UPDATE registry
+SET description = 'Chartmuseum has been deprecated in Harbor v2.8.0, please delete this registry.'
+WHERE type in ('artifact-hub', 'helm-hub');
+WITH filter_objects AS (
+    SELECT id, jsonb_array_elements(filters::jsonb) AS filter
+    FROM replication_policy
+    WHERE filters IS NOT NULL AND filters != ''
+    AND jsonb_typeof(CAST(filters AS jsonb)) = 'array'
+),
+replication_policy_ids AS (
+    SELECT rp.id
+    FROM registry r
+    INNER JOIN replication_policy rp ON (rp.dest_registry_id = r.id OR rp.src_registry_id = r.id)
+    WHERE r.type IN ('artifact-hub', 'helm-hub')
+)
+UPDATE replication_policy AS rp
+SET enabled = false,
+    filters = (
+        SELECT COALESCE(jsonb_agg(fo.filter)::text, '')
+        FROM filter_objects AS fo
+        WHERE fo.id = rp.id AND NOT(filter ->> 'type' = 'resource' AND filter ->> 'value' = 'chart')
+    ),
+    description = 'Chartmuseum is deprecated in Harbor v2.8.0, because the Source resource filter of this rule is chart(chartmuseum), so please update this rule.'
+WHERE id IN (
+    SELECT id FROM filter_objects WHERE (filter ->> 'type' = 'resource' AND filter ->> 'value' = 'chart')
+    UNION
+    SELECT id FROM replication_policy_ids
+);
+/* Update the role permission and permission policy associated with the chartmuseum */
+DELETE FROM role_permission
+WHERE permission_policy_id IN (
+    SELECT id FROM permission_policy WHERE resource IN ('helm-chart', 'helm-chart-version' ,'helm-chart-version-label')
+);
+
+DELETE FROM permission_policy
+WHERE resource IN ('helm-chart', 'helm-chart-version' ,'helm-chart-version-label');
+/* Update the notification policy associated with the chartmuseum */
+WITH event_type_objects AS (
+    SELECT id, jsonb_array_elements(event_types::jsonb) as event_type
+    FROM notification_policy
+    WHERE event_types IS NOT NULL AND event_types != ''
+    AND jsonb_typeof(CAST(event_types AS jsonb)) = 'array'
+)
+UPDATE notification_policy AS np
+SET event_types = (
+    SELECT COALESCE(jsonb_agg(eto.event_type), '[]')
+    FROM event_type_objects AS eto
+    WHERE eto.id = np.id
+    AND NOT(event_type @> '"UPLOAD_CHART"'::jsonb OR event_type @> '"DOWNLOAD_CHART"'::jsonb OR event_type @> '"DELETE_CHART"'::jsonb)
+)
+WHERE id IN (
+    SELECT id FROM event_type_objects WHERE (event_type @> '"UPLOAD_CHART"'::jsonb OR event_type @> '"DOWNLOAD_CHART"'::jsonb OR event_type @> '"DELETE_CHART"'::jsonb)
+);
+
+UPDATE notification_policy
+SET enabled = false,
+    description = 'Chartmuseum is deprecated in Harbor v2.8.0, because this notification policy only has event type about Chartmuseum, so please update or delete this notification policy.'
+WHERE event_types = '[]';

make/photon/prepare/templates/jobservice/config.yml.jinja

@@ -51,3 +51,6 @@ metric:
   path: {{ metric.path }}
   port: {{ metric.port }}
 {% endif %}
+
+# the max size of job log returned by API, default is 10M
+max_retrieve_size_mb: 10

src/common/security/robot/context.go

@@ -93,7 +93,7 @@ func (s *SecurityContext) Can(ctx context.Context, action types.Action, resource
 				accesses = append(accesses, &types.Policy{
 					Action:   a.Action,
 					Effect:   a.Effect,
-					Resource: types.Resource(fmt.Sprintf("%s/%s", p.Scope, a.Resource)),
+					Resource: types.Resource(getPolicyResource(p, a)),
 				})
 			}
 		}
@@ -138,3 +138,11 @@ func filterRobotPolicies(p *models.Project, policies []*types.Policy) []*types.P
 	}
 	return results
 }
+
+// getPolicyResource to determine permissions for the project resource, the path should be /project instead of /project/project.
+func getPolicyResource(perm *robot.Permission, pol *types.Policy) string {
+	if strings.HasPrefix(perm.Scope, robot.SCOPEPROJECT) && pol.Resource == rbac.ResourceProject {
+		return perm.Scope
+	}
+	return fmt.Sprintf("%s/%s", perm.Scope, pol.Resource)
+}