Merge branch 'main' into dependabot/go_modules/src/github.com/vmihail…

…enco/msgpack/v5-5.4.1

Makefile

@@ -452,16 +452,6 @@ package_offline: update_prepare_version compile build
 	@rm -rf $(HARBORPKG)
 	@echo "Done."
 
-gosec:
-	#go get github.com/securego/gosec/cmd/gosec
-	#go get github.com/dghubble/sling
-	@echo "run secure go scan ..."
-	@if [ "$(GOSECRESULTS)" != "" ] ; then \
-		$(GOPATH)/bin/gosec -fmt=json -out=$(GOSECRESULTS) -quiet ./... | true ; \
-	else \
-		$(GOPATH)/bin/gosec -fmt=json -out=harbor_gas_output.json -quiet ./... | true ; \
-	fi
-
 go_check: gen_apis mocks_check misspell commentfmt lint
 
 commentfmt:

api/v2.0/swagger.yaml

@@ -4719,7 +4719,7 @@ paths:
       summary: Get job log by job id
       description: Get job log by job id, it is only used by administrator
       produces:
-        - text/plain  
+        - text/plain
       tags:
         - jobservice
       parameters:
@@ -6071,7 +6071,7 @@ paths:
           description: Specify whether the dangerous Artifact are included inside summary information
           type: boolean
           required: false
-          default: false                  
+          default: false
       responses:
         '200':
           description: Success
@@ -6090,15 +6090,15 @@ paths:
     get:
       summary: Get the vulnerability list.
       description: |
-        Get the vulnerability list. use q to pass the query condition, 
+        Get the vulnerability list. use q to pass the query condition,
         supported conditions:
         cve_id(exact match)
         cvss_score_v3(range condition)
         severity(exact match)
-        repository_name(exact match) 
-        project_id(exact match) 
+        repository_name(exact match)
+        project_id(exact match)
         package(exact match)
-        tag(exact match) 
+        tag(exact match)
         digest(exact match)
       tags:
         - securityhub
@@ -7656,8 +7656,9 @@ definitions:
         description: The level of the robot, project or system
       duration:
         type: integer
+        x-nullable: true
         format: int64
-        description: The duration of the robot in days
+        description: The duration of the robot in days, duration must be either -1(Never) or a positive integer
       editable:
         type: boolean
         x-omitempty: false
@@ -7704,7 +7705,7 @@ definitions:
       duration:
         type: integer
         format: int64
-        description: The duration of the robot in days
+        description: The duration of the robot in days, duration must be either -1(Never) or a positive integer
       permissions:
         type: array
         items:
@@ -7994,7 +7995,7 @@ definitions:
         type: string
         description: |
           The schedule type. The valid values are 'Hourly', 'Daily', 'Weekly', 'Custom', 'Manual', 'None' and 'Schedule'.
-          'Manual' means to trigger it right away, 'Schedule' means to trigger it by a specified cron schedule and 
+          'Manual' means to trigger it right away, 'Schedule' means to trigger it by a specified cron schedule and
           'None' means to cancel the schedule.
         enum:
           - Hourly
@@ -9813,12 +9814,12 @@ definitions:
     type: object
     description: the dangerous CVE information
     properties:
-      cve_id: 
+      cve_id:
         type: string
         description: the cve id
       severity:
         type: string
-        description: the severity of the CVE        
+        description: the severity of the CVE
       cvss_score_v3:
         type: number
         format: float64
@@ -9828,22 +9829,22 @@ definitions:
         description: the description of the CVE
       package:
         type: string
-        description: the package of the CVE      
+        description: the package of the CVE
       version:
         type: string
         description: the version of the package
   DangerousArtifact:
     type: object
     description: the dangerous artifact information
     properties:
-      project_id: 
+      project_id:
         type: integer
         format: int64
         description: the project id of the artifact
       repository_name:
         type: string
         description: the repository name of the artifact
-      digest: 
+      digest:
         type: string
         description: the digest of the artifact
       critical_cnt:
@@ -9903,6 +9904,6 @@ definitions:
         description: The description of the vulnerability
       links:
         type: array
-        items: 
+        items:
           type: string
         description: Links of the vulnerability

src/common/rbac/const.go

@@ -152,7 +152,6 @@ var (
 
 			{Resource: ResourceQuota, Action: ActionRead},
 			{Resource: ResourceQuota, Action: ActionList},
-			{Resource: ResourceQuota, Action: ActionUpdate},
 		},
 		"Project": {
 			{Resource: ResourceLog, Action: ActionList},

src/common/rbac/project/rbac_role.go

@@ -284,6 +284,7 @@ var (
 			{Resource: rbac.ResourceQuota, Action: rbac.ActionRead},
 
 			{Resource: rbac.ResourceRepository, Action: rbac.ActionList},
+			{Resource: rbac.ResourceRepository, Action: rbac.ActionRead},
 			{Resource: rbac.ResourceRepository, Action: rbac.ActionPull},
 
 			{Resource: rbac.ResourceConfiguration, Action: rbac.ActionRead},

src/controller/artifact/controller.go

@@ -227,6 +227,7 @@ func (c *controller) ensureArtifact(ctx context.Context, repository, digest stri
 		if !errors.IsConflictErr(err) {
 			return false, nil, err
 		}
+		log.Debugf("failed to create artifact %s@%s: %v", repository, digest, err)
 		// if got conflict error, try to get the artifact again
 		artifact, err = c.artMgr.GetByDigest(ctx, repository, digest)
 		if err != nil {

src/controller/artifact/controller_test.go

@@ -237,6 +237,21 @@ func (c *controllerTestSuite) TestEnsureArtifact() {
 	c.Require().Nil(err)
 	c.True(created)
 	c.Equal(int64(1), art.ID)
+
+	// reset the mock
+	c.SetupTest()
+
+	// the artifact doesn't exist and get a conflict error on creating the artifact and fail to get again
+	c.repoMgr.On("GetByName", mock.Anything, mock.Anything).Return(&repomodel.RepoRecord{
+		ProjectID: 1,
+	}, nil)
+	c.artMgr.On("GetByDigest", mock.Anything, mock.Anything, mock.Anything).Return(nil, errors.NotFoundError(nil))
+	c.artMgr.On("Create", mock.Anything, mock.Anything).Return(int64(1), errors.ConflictError(nil))
+	c.abstractor.On("AbstractMetadata").Return(nil)
+	created, art, err = c.ctl.ensureArtifact(orm.NewContext(nil, &ormtesting.FakeOrmer{}), "library/hello-world", digest)
+	c.Require().Error(err, errors.NotFoundError(nil))
+	c.False(created)
+	c.Require().Nil(art)
 }
 
 func (c *controllerTestSuite) TestEnsure() {

src/controller/proxy/controller.go

@@ -183,7 +183,10 @@ func (c *controller) UseLocalManifest(ctx context.Context, art lib.ArtifactInfo,
 	if c.cache == nil {
 		return a != nil && string(desc.Digest) == a.Digest, nil, nil // digest matches
 	}
-
+	// Pass digest to the cache key, digest is more stable than tag, because tag could be updated
+	if len(art.Digest) == 0 {
+		art.Digest = string(desc.Digest)
+	}
 	err = c.cache.Fetch(ctx, manifestListKey(art.Repository, art), &content)
 	if err != nil {
 		if errors.Is(err, cache.ErrNotFound) {
@@ -318,8 +321,8 @@ func getRemoteRepo(art lib.ArtifactInfo) string {
 }
 
 func getReference(art lib.ArtifactInfo) string {
-	if len(art.Tag) > 0 {
-		return art.Tag
+	if len(art.Digest) > 0 {
+		return art.Digest
 	}
-	return art.Digest
+	return art.Tag
 }

src/controller/proxy/controller_test.go

@@ -209,7 +209,7 @@ func TestGetRef(t *testing.T) {
 		{
 			name: `normal`,
 			in:   lib.ArtifactInfo{Repository: "hello-world", Tag: "latest", Digest: "sha256:aabbcc"},
-			want: "latest",
+			want: "sha256:aabbcc",
 		},
 		{
 			name: `digest_only`,

src/controller/proxy/manifestcache.go

@@ -73,7 +73,10 @@ func (m *ManifestListCache) CacheContent(ctx context.Context, _ string, man dist
 		log.Errorf("failed to get reference, reference is empty, skip to cache manifest list")
 		return
 	}
-	// some registry will not return the digest in the HEAD request, if no digest returned, cache manifest list content with tag
+	// cache key should contain digest if digest exist
+	if len(art.Digest) == 0 {
+		art.Digest = string(digest.FromBytes(payload))
+	}
 	key := manifestListKey(art.Repository, art)
 	log.Debugf("cache manifest list with key=cache:%v", key)
 	if err := m.cache.Save(ctx, manifestListContentTypeKey(art.Repository, art), contentType, manifestListCacheInterval); err != nil {

src/controller/robot/controller.go

@@ -102,10 +102,6 @@ func (d *controller) Create(ctx context.Context, r *Robot) (int64, string, error
 	var expiresAt int64
 	if r.Duration == -1 {
 		expiresAt = -1
-	} else if r.Duration == 0 {
-		// system default robot duration
-		r.Duration = int64(config.RobotTokenDuration(ctx))
-		expiresAt = time.Now().AddDate(0, 0, config.RobotTokenDuration(ctx)).Unix()
 	} else {
 		durationStr := strconv.FormatInt(r.Duration, 10)
 		duration, err := strconv.Atoi(durationStr)

src/controller/scan/base_controller.go

@@ -925,6 +925,7 @@ func (bc *basicController) makeRobotAccount(ctx context.Context, projectID int64
 			Name:        fmt.Sprintf("%s-%s-%s", scannerPrefix, registration.Name, UUID),
 			Description: "for scan",
 			ProjectID:   projectID,
+			Duration:    -1,
 		},
 		Level: robot.LEVELPROJECT,
 		Permissions: []*robot.Permission{

src/controller/scan/base_controller_test.go

@@ -199,6 +199,7 @@ func (suite *ControllerTestSuite) SetupSuite() {
 			Name:        rname,
 			Description: "for scan",
 			ProjectID:   suite.artifact.ProjectID,
+			Duration:    -1,
 		},
 		Level: robot.LEVELPROJECT,
 		Permissions: []*robot.Permission{
@@ -229,6 +230,7 @@ func (suite *ControllerTestSuite) SetupSuite() {
 			Secret:      "robot-account",
 			Description: "for scan",
 			ProjectID:   suite.artifact.ProjectID,
+			Duration:    -1,
 		},
 		Level: "project",
 	}, nil)
@@ -336,7 +338,7 @@ func (suite *ControllerTestSuite) TestScanControllerScan() {
 		mock.OnAnything(suite.execMgr, "Create").Return(int64(1), nil).Once()
 		mock.OnAnything(suite.taskMgr, "Create").Return(int64(1), nil).Once()
 
-		ctx := orm.NewContext(nil, &ormtesting.FakeOrmer{})
+		ctx := orm.NewContext(context.TODO(), &ormtesting.FakeOrmer{})
 
 		suite.Require().NoError(suite.c.Scan(ctx, suite.artifact))
 	}

src/lib/config/userconfig.go

@@ -253,7 +253,6 @@ func SkipAuditLogDatabase(ctx context.Context) bool {
 
 // ScannerSkipUpdatePullTime returns the scanner skip update pull time setting
 func ScannerSkipUpdatePullTime(ctx context.Context) bool {
-	log.Infof("skip_update_pull_time:%v", DefaultMgr().Get(ctx, common.ScannerSkipUpdatePullTime).GetBool())
 	return DefaultMgr().Get(ctx, common.ScannerSkipUpdatePullTime).GetBool()
 }
 

src/portal/src/app/base/project/repository/artifact/artifact-list-page/artifact-list/artifact-list-tab/artifact-filter/artifact-filter.component.html

@@ -83,6 +83,7 @@
                         (clickLabel)="selectValue($event)"
                         [scope]="'p'"
                         [projectId]="projectId"
+                        [dropdownOpened]="dropdownOpened"
                         [width]="200"
                         [ownedLabels]="getSelectLabel()">
                     </app-label-selector>

src/portal/src/app/shared/components/label-selector/label-selector.component.spec.ts

@@ -59,6 +59,6 @@ describe('LabelSelectorComponent', () => {
         fixture.detectChanges();
         await fixture.whenStable();
         const checkIcon = fixture.nativeElement.querySelector('.check-icon');
-        expect(checkIcon.style.visibility).toEqual('visible');
+        expect(checkIcon.style.visibility).toEqual('hidden');
     });
 });

src/portal/src/app/shared/components/label-selector/label-selector.component.ts

@@ -41,6 +41,8 @@ export class LabelSelectorComponent implements OnInit, OnChanges, OnDestroy {
     scope: string = GLOBAL; // 'g' for global and 'p' for project, default 'g'
     @Input()
     projectId: number; // if scope = 'p', projectId is required
+    @Input()
+    dropdownOpened: boolean; // parent component opened status
     candidateLabels: Label[] = [];
     searchValue: string;
     loading: boolean = false;
@@ -159,7 +161,7 @@ export class LabelSelectorComponent implements OnInit, OnChanges, OnDestroy {
     isSelect(label: Label): boolean {
         if (this.ownedLabels?.length) {
             return this.ownedLabels.some(item => {
-                return item.id === label.id;
+                return item.id === label.id && this.dropdownOpened;
             });
         }
         return false;

src/portal/src/i18n/lang/de-de-lang.json

@@ -999,7 +999,7 @@
     "ABOUT": {
         "VERSION": "Version",
         "BUILD": "Build",
-        "COPYRIGHT": "Project Harbor is an an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
+        "COPYRIGHT": "Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
         "COPYRIGHT_SUFIX": ".",
         "TRADEMARK": "VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademark of their respective companies.",
         "END_USER_LICENSE": "End User License Agreement",

src/portal/src/i18n/lang/en-us-lang.json

@@ -1000,7 +1000,7 @@
     "ABOUT": {
         "VERSION": "Version",
         "BUILD": "Build",
-        "COPYRIGHT": "Project Harbor is an an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
+        "COPYRIGHT": "Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
         "COPYRIGHT_SUFIX": ".",
         "TRADEMARK": "VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademark of their respective companies.",
         "END_USER_LICENSE": "End User License Agreement",

src/portal/src/i18n/lang/es-es-lang.json

@@ -998,7 +998,7 @@
     "ABOUT": {
         "VERSION": "Versión",
         "BUILD": "Construir",
-        "COPYRIGHT": "Project Harbor is an an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
+        "COPYRIGHT": "Project Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Harbor supports advanced features such as user management, access control, activity monitoring, and replication between instances. Having a registry closer to the build and run environment can also improve image transfer efficiency.",
         "COPYRIGHT_SUFIX": ".",
         "TRADEMARK": "VMware es una marca registrada o marca de VMware, Inc. en los Estados Unidos y otras jurisdicciones. Todas las demás marcas y nombres mencionados son marcas de sus respectivas compañías.",
         "END_USER_LICENSE": "Contrato de Usuario Final (EULA)",

src/registryctl/api/registry/blob/blob_test.go

@@ -42,6 +42,9 @@ func TestDeletionBlob(t *testing.T) {
 	}
 
 	req, err := http.NewRequest(http.MethodDelete, "", nil)
+	if err != nil {
+		t.Fatalf("failed to create new http request: %v", err)
+	}
 	varMap := make(map[string]string, 1)
 	varMap["reference"] = test.GetKeys(randomLayers1)[0].String()
 	req = mux.SetURLVars(req, varMap)

src/server/v2.0/handler/model/robot.go

@@ -44,7 +44,7 @@ func (r *Robot) ToSwagger() *models.Robot {
 		Name:         r.Name,
 		Description:  r.Description,
 		ExpiresAt:    r.ExpiresAt,
-		Duration:     r.Duration,
+		Duration:     &r.Duration,
 		Level:        r.Level,
 		Disable:      r.Disabled,
 		Editable:     r.Editable,