diff --git a/node-packages/commons/src/api.ts b/node-packages/commons/src/api.ts index 05c1a20848..b7c4e24be5 100644 --- a/node-packages/commons/src/api.ts +++ b/node-packages/commons/src/api.ts @@ -1386,17 +1386,3 @@ export const getProblemsforProjectEnvironment = async ( }); return response.environmentByName.problems; }; - -export const getProblemHarborScanMatches = () => graphqlapi.query( - `query getProblemHarborScanMatches { - allProblemHarborScanMatchers { - id - name - description - defaultLagoonProject - defaultLagoonEnvironment - defaultLagoonService - regex - } - }` -); diff --git a/node-packages/commons/src/harborApi.ts b/node-packages/commons/src/harborApi.ts deleted file mode 100644 index 2b8a80c570..0000000000 --- a/node-packages/commons/src/harborApi.ts +++ /dev/null 
@@ -1,48 +0,0 @@ -// @flow - -import axios from 'axios'; - -const HARBOR_BASE_API_URL = - process.env.HARBOR_BASE_API_URL || - 'https://harbor-nginx-lagoon-master.ch.amazee.io'; -const HARBOR_BASE_URL_POSTFIX = '/tags/latest/scan'; -const HARBOR_ACCEPT_HEADER = - 'application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0'; -const HARBOR_USERNAME = process.env.HARBOR_USERNAME || 'admin'; -const HARBOR_PASSWORD = process.env.HARBOR_ADMIN_PASSWORD; -const HARBOR_API_VERSION = process.env.HARBOR_API_VERSION || 'v2.0'; - -export const getVulnerabilitiesPayloadFromHarbor = async (repository, configOverrides) => { - - let endpoint = `${HARBOR_BASE_API_URL}/api/repositories/${repository.repo_full_name}/tags/latest/scan`; //assume v1 by default - if(HARBOR_API_VERSION != 'v1.0') { - endpoint = `${HARBOR_BASE_API_URL}/api/v2.0/projects/${repository.namespace}/repositories/${encodeURIComponent(repository.name)}/artifacts/latest/additions/vulnerabilities` - } - - return await getVulnerabilitiesPayloadFromHarborDriver(endpoint, configOverrides) -} - -/** - * - * @param repoFullName - * @param configOverrides allows us to override call details {authUsername, authPassword, acceptHeader} - * @returns - */ -const getVulnerabilitiesPayloadFromHarborDriver = async (endpoint, configOverrides) => { - - const username = configOverrides.authUsername || HARBOR_USERNAME; - const password = configOverrides.authPassword || HARBOR_PASSWORD; - const acceptHeader = configOverrides.acceptHeader || HARBOR_ACCEPT_HEADER; - const options = { - timeout: 30000, - headers: { - Accept: acceptHeader, - Authorization: - 'Basic ' + - Buffer.from(username + ':' + (password)).toString('base64'), - }, - }; - - const response = await axios.get(endpoint, options); - return response.data; -}; diff --git a/services/api/Dockerfile b/services/api/Dockerfile index 559df98678..bf6a9a4ce3 100644 --- a/services/api/Dockerfile +++ b/services/api/Dockerfile 
@@ -33,9 +33,7 @@ ENV NODE_ENV=production \ KEYCLOAK_ADMIN_PASSWORD=admin \ ELASTICSEARCH_URL=http://logs-db-service:9200 \ KEYCLOAK_API_CLIENT_SECRET=39d5282d-3684-4026-b4ed-04bbc034b61a \ - HARBOR_ADMIN_PASSWORD=Harbor12345 \ - REDIS_PASSWORD=admin \ - HARBOR_API_VERSION=v2.0 + REDIS_PASSWORD=admin # The API is not very resilient to sudden mariadb restarts which can happen when the api and mariadb are starting # at the same time. So we have a small entrypoint which waits for mariadb to be fully ready. diff --git a/services/api/package.json b/services/api/package.json index d04391a03b..75b1cbfb36 100644 --- a/services/api/package.json +++ b/services/api/package.json @@ -15,7 +15,6 @@ "sync:gitlab:all": "yarn run sync:gitlab:users && yarn run sync:gitlab:groups && yarn run sync:gitlab:projects", "sync:opendistro-security": "node --max-http-header-size=80000 dist/helpers/sync-groups-opendistro-security", "sync:bitbucket:repo-permissions": "node dist/bitbucket-sync/repo-permissions", - "sync:harbor:projects": "node dist/migrations/2-harbor/harborSync.js", "migrations:lagoon": "node dist/migrations/lagoon/migrations.js" }, "keywords": [], diff --git a/services/api/src/clients/harborClient.ts b/services/api/src/clients/harborClient.ts deleted file mode 100644 index c9927da118..0000000000 --- a/services/api/src/clients/harborClient.ts +++ /dev/null 
@@ -1,24 +0,0 @@ -import got from 'got'; -import { getConfigFromEnv, getLagoonRouteFromEnv } from '../util/config'; - -export const config = { - origin: getConfigFromEnv( - 'HARBOR_URL', - 'http://harbor-harbor-core.harbor.svc.cluster.local:80' - ), - user: 'admin', - pass: getConfigFromEnv('HARBOR_ADMIN_PASSWORD', 'Harbor12345'), - // Use an empty string for backwards compatibility with Harbor version 1.x.x - apiVersion: getConfigFromEnv('HARBOR_API_VERSION', 'v2.0'), - get publicRoute() { - return getLagoonRouteFromEnv(/harbor-nginx/, this.origin); - } -}; - -export const harborClient = got.extend({ - baseUrl: `${config.publicRoute}/api/${ - config.apiVersion ? config.apiVersion.concat('/') : '' - }`, - json: true, - auth: `${config.user}:${config.pass}` -}); diff --git a/services/api/src/resolvers.js b/services/api/src/resolvers.js index dc0556b0d7..333bffe2fc 100644 --- a/services/api/src/resolvers.js +++ b/services/api/src/resolvers.js @@ -10,9 +10,6 @@ const { deleteProblemsFromSource, addProblemsFromSource, getProblemSources, - getProblemHarborScanMatches, - addProblemHarborScanMatch, - deleteProblemHarborScanMatch } = require('./resources/problem/resolvers'); const { @@ -581,7 +578,6 @@ const resolvers = { allProblems: getAllProblems, allGroups: getAllGroups, allProjectsInGroup: getAllProjectsInGroup, - allProblemHarborScanMatchers: getProblemHarborScanMatches, allUsers: getAllUsers, allNotifications: getAllNotifications, userByEmail: getUserByEmail, @@ -601,10 +597,8 @@ const resolvers = { }, Mutation: { addProblem, - addProblemHarborScanMatch, deleteProblem, deleteProblemsFromSource, - deleteProblemHarborScanMatch, addFact, addFacts, addFactsByName, diff --git a/services/api/src/resources/problem/resolvers.ts b/services/api/src/resources/problem/resolvers.ts index bfe3454a5b..3d41f7f07a 100644 --- a/services/api/src/resources/problem/resolvers.ts +++ b/services/api/src/resources/problem/resolvers.ts 
@@ -278,36 +278,3 @@ export const deleteProblemsFromSource: ResolverFn = async ( return 'success'; }; - -export const getProblemHarborScanMatches: ResolverFn = async ( - root, - args, - { sqlClientPool, hasPermission } -) => { - throw new Error('Harbor-Trivy integration with core removed in Lagoon 2') -}; - -export const addProblemHarborScanMatch: ResolverFn = async ( - root, - { - input: { - name, - description, - defaultLagoonProject, - defaultLagoonEnvironment, - defaultLagoonService, - regex - } - }, - { sqlClientPool, hasPermission, userActivityLogger } -) => { - throw new Error('Harbor-Trivy integration with core removed in Lagoon 2') -}; - -export const deleteProblemHarborScanMatch: ResolverFn = async ( - root, - { input: { id } }, - { sqlClientPool, hasPermission, userActivityLogger } -) => { - throw new Error('Harbor-Trivy integration with core removed in Lagoon 2') -}; diff --git a/services/api/src/resources/problem/sql.ts b/services/api/src/resources/problem/sql.ts index be641e9e30..93972dafe7 100644 --- a/services/api/src/resources/problem/sql.ts +++ b/services/api/src/resources/problem/sql.ts @@ -18,16 +18,6 @@ const standardEnvironmentReturn = { deleted: 'deleted' }; -const standardProblemHarborScanMatchReturn = { - id: 'id', - name: 'name', - description: 'description', - default_lagoon_project: 'defaultLagoonProject', - default_lagoon_environment: 'defaultLagoonEnvironment', - default_lagoon_service: 'defaultLagoonServiceName', - regex: 'regex' -}; - export const Sql = { selectAllProblems: ({ source = [], diff --git a/services/api/src/typeDefs.js b/services/api/src/typeDefs.js index c10f70919f..475a4f13ea 100644 --- a/services/api/src/typeDefs.js +++ b/services/api/src/typeDefs.js 
@@ -268,29 +268,6 @@ const typeDefs = gql` deleted: String } - type ProblemHarborScanMatch { - id: Int - name: String - description: String - defaultLagoonProject: String - defaultLagoonEnvironment: String - defaultLagoonService: String - regex: String - } - - input AddProblemHarborScanMatchInput { - name: String! - description: String! - defaultLagoonProject: String - defaultLagoonEnvironment: String - defaultLagoonService: String - regex: String! - } - - input DeleteProblemHarborScanMatchInput { - id: Int! - } - input AddProblemInput { id: Int environment: Int! @@ -1401,10 +1378,6 @@ const typeDefs = gql` """ lagoonVersion: JSON """ - Returns all ProblemHarborScanMatchers - """ - allProblemHarborScanMatchers: [ProblemHarborScanMatch] @deprecated(reason: "Harbor-Trivy integration with core removed in Lagoon 2") - """ Returns all AdvancedTaskDefinitions """ allAdvancedTaskDefinitions: [AdvancedTaskDefinition] @@ -2420,10 +2393,8 @@ const typeDefs = gql` cancelDeployment(input: CancelDeploymentInput!): String addBackup(input: AddBackupInput!): Backup addProblem(input: AddProblemInput!): Problem - addProblemHarborScanMatch(input: AddProblemHarborScanMatchInput!): ProblemHarborScanMatch @deprecated(reason: "Harbor-Trivy integration with core removed in Lagoon 2") deleteProblem(input: DeleteProblemInput!): String deleteProblemsFromSource(input: DeleteProblemsFromSourceInput!): String - deleteProblemHarborScanMatch(input: DeleteProblemHarborScanMatchInput!): String @deprecated(reason: "Harbor-Trivy integration with core removed in Lagoon 2") addFact(input: AddFactInput!): Fact addFacts(input: AddFactsInput!): [Fact] @deprecated(reason: "Use addFactsByName instead") addFactsByName(input: AddFactsByNameInput!): [Fact] diff --git a/services/keycloak/lagoon-realm-base-import.json b/services/keycloak/lagoon-realm-base-import.json index 239dc06677..3d1fbe9a56 100644 --- a/services/keycloak/lagoon-realm-base-import.json +++ b/services/keycloak/lagoon-realm-base-import.json 
@@ -891,24 +891,6 @@ } ] }, - { - "name": "harbor_scan_match", - "ownerManagedAccess": false, - "displayName": "Harbor scan match", - "attributes": {}, - "uris": [], - "scopes": [ - { - "name": "add" - }, - { - "name": "view" - }, - { - "name": "delete" - } - ] - }, { "name": "advanced_task", "ownerManagedAccess": false, @@ -2147,17 +2129,6 @@ "applyPolicies": "[\"[Lagoon] Users role for realm is Platform Owner\"]" } }, - { - "name": "Add Harbor Scan Match", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"harbor_scan_match\"]", - "scopes": "[\"add\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Delete Production Environment", "type": "scope", @@ -2466,17 +2437,6 @@ "applyPolicies": "[\"[Lagoon] User has access to own data\",\"[Lagoon] Users role for realm is Platform Owner\"]" } }, - { - "name": "Delete Harbor Scan Match", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"harbor_scan_match\"]", - "scopes": "[\"delete\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "View All Openshifts", "type": "scope", @@ -2741,17 +2701,6 @@ "applyPolicies": "[\"[Lagoon] User has access to project\",\"[Lagoon] Users role for project is Guest\"]" } }, - { - "name": "View Harbor Scan Match", - "type": "scope", - "logic": "POSITIVE", - "decisionStrategy": "UNANIMOUS", - "config": { - "resources": "[\"harbor_scan_match\"]", - "scopes": "[\"view\"]", - "applyPolicies": "[\"[Lagoon] Users role for realm is Admin\"]" - } - }, { "name": "Run Drush sql-sync to Production Environment", "type": "scope", diff --git a/services/keycloak/startup-scripts/00-configure-lagoon.sh b/services/keycloak/startup-scripts/00-configure-lagoon.sh index 93f61562df..34116c560e 100755 --- a/services/keycloak/startup-scripts/00-configure-lagoon.sh +++ b/services/keycloak/startup-scripts/00-configure-lagoon.sh 
@@ -332,6 +332,31 @@ EOF EOF } +function migrate_remove_harbor_scan_permissions { + # The changes here match the changes that are made in the realm import script + # fresh installs will not need to perform this migration as the changes will already be in the import + # this will only run on existing installations to get it into a state that matches the realm import + CLIENT_ID=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients?clientId=api --config $CONFIG_PATH | jq -r '.[0]["id"]') + view_harbor_scan_match=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=View+Harbor+Scan+Match --config $CONFIG_PATH) + + if [ "$view_harbor_scan_match" == "[ ]" ]; then + echo "view_harbor_scan_match already removed" + return 0 + fi + + echo Removing old harbor permissions + + echo Delete view_harbor_scan_match permission + view_harbor_scan_match_id=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=View+Harbor+Scan+Match --config $CONFIG_PATH | jq -r '.[0]["id"]') + /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$view_harbor_scan_match_id --config $CONFIG_PATH + echo Delete add_harbor_scan_match permission + add_harbor_scan_match_id=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Add+Harbor+Scan+Match --config $CONFIG_PATH | jq -r '.[0]["id"]') + /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$add_harbor_scan_match_id --config $CONFIG_PATH + echo Delete delete_harbor_scan_match permission + delete_harbor_scan_match_id=$(/opt/keycloak/bin/kcadm.sh get -r lagoon clients/$CLIENT_ID/authz/resource-server/permission?name=Delete+Harbor+Scan+Match --config $CONFIG_PATH | jq -r '.[0]["id"]') + /opt/keycloak/bin/kcadm.sh delete -r lagoon clients/$CLIENT_ID/authz/resource-server/permission/$delete_harbor_scan_match_id --config $CONFIG_PATH +} + 
################## # Initialization # ################## @@ -362,6 +387,7 @@ function configure_keycloak { service-api_add_query-groups_permission add_notification_view_all migrate_admin_organization_permissions + migrate_remove_harbor_scan_permissions # always run last sync_client_secrets diff --git a/services/webhooks2tasks/src/webhooks/problems.ts b/services/webhooks2tasks/src/webhooks/problems.ts index 14fc64cd26..e463bf2411 100644 --- a/services/webhooks2tasks/src/webhooks/problems.ts +++ b/services/webhooks2tasks/src/webhooks/problems.ts @@ -10,16 +10,6 @@ import { Project } from '../types'; -// NOTE: Here we are going through the process of deprecating the Trivy integration -const enableHarborIntegration = (() => { - if(process.env.ENABLE_DEPRECATED_TRIVY_INTEGRATION && process.env.ENABLE_DEPRECATED_TRIVY_INTEGRATION == "true") { - console.log("ENABLE_DEPRECATED_TRIVY_INTEGRATION is 'true' -- enabling Harbor/Trivy"); - return true; - } - console.log("ENABLE_DEPRECATED_TRIVY_INTEGRATION is not 'true' -- Harbor/Trivy integration is not enabled"); - return false; -})(); - export async function processProblems( rabbitMsg, channelWrapperWebhooks diff --git a/services/workflows/internal/lagoonclient/schema.graphql b/services/workflows/internal/lagoonclient/schema.graphql index c951d05ce9..0c41bb17a9 100644 --- a/services/workflows/internal/lagoonclient/schema.graphql +++ b/services/workflows/internal/lagoonclient/schema.graphql @@ -208,15 +208,6 @@ input AddOrUpdateEnvironmentStorageInput { updated: String } -input AddProblemHarborScanMatchInput { - name: String! - description: String! - defaultLagoonProject: String - defaultLagoonEnvironment: String - defaultLagoonService: String - regex: String! -} - input AddProblemInput { id: Int environment: Int! @@ -556,10 +547,6 @@ input DeleteOpenshiftInput { name: String! } -input DeleteProblemHarborScanMatchInput { - id: Int! -} - input DeleteProblemInput { environment: Int! identifier: String! 
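Review bot: The early-return guard in `migrate_remove_harbor_scan_permissions` only tests whether `View Harbor Scan Match` is already gone, so a run that removed the view permission and then failed before the add/delete deletes is never retried, and on the no-result path `jq -r '.[0]["id"]'` prints `null`, turning the later `kcadm.sh delete` into a request against `permission/null`. Looking up and deleting each of the three permissions individually, skipping any whose id comes back empty, keeps the migration idempotent per permission and also drops the duplicated `View+Harbor+Scan+Match` lookup. The header comment says this brings existing installs into a state matching the realm import, but the import change in this same commit also removes the `harbor_scan_match` resource, which this function leaves in place — either delete the resource here too or narrow the comment to the permissions. Quoting `$CONFIG_PATH` and the `clients/$CLIENT_ID/...` paths is worth doing while these lines are being written.
```shell
function migrate_remove_harbor_scan_permissions {
  # … unchanged: header comment and CLIENT_ID lookup …
  for permission_name in "View+Harbor+Scan+Match" "Add+Harbor+Scan+Match" "Delete+Harbor+Scan+Match"; do
    permission_id=$(/opt/keycloak/bin/kcadm.sh get -r lagoon "clients/$CLIENT_ID/authz/resource-server/permission?name=$permission_name" --config "$CONFIG_PATH" | jq -r '.[0]["id"] // empty')
    if [ -z "$permission_id" ]; then
      echo "$permission_name permission already removed"
      continue
    fi
    echo "Delete $permission_name permission"
    /opt/keycloak/bin/kcadm.sh delete -r lagoon "clients/$CLIENT_ID/authz/resource-server/permission/$permission_id" --config "$CONFIG_PATH"
  done
}
```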
@@ -1072,14 +1059,8 @@ type Mutation { cancelDeployment(input: CancelDeploymentInput!): String addBackup(input: AddBackupInput!): Backup addProblem(input: AddProblemInput!): Problem - addProblemHarborScanMatch( - input: AddProblemHarborScanMatchInput! - ): ProblemHarborScanMatch deleteProblem(input: DeleteProblemInput!): String deleteProblemsFromSource(input: DeleteProblemsFromSourceInput!): String - deleteProblemHarborScanMatch( - input: DeleteProblemHarborScanMatchInput! - ): String addFact(input: AddFactInput!): Fact addFacts(input: AddFactsInput!): [Fact] deleteFact(input: DeleteFactInput!): String @@ -1259,16 +1240,6 @@ type Problem { deleted: String } -type ProblemHarborScanMatch { - id: Int - name: String - description: String - defaultLagoonProject: String - defaultLagoonEnvironment: String - defaultLagoonService: String - regex: String -} - enum ProblemSeverityRating { NONE UNKNOWN @@ -1696,11 +1667,6 @@ type Query { """ lagoonVersion: JSON - """ - Returns all ProblemHarborScanMatchers - """ - allProblemHarborScanMatchers: [ProblemHarborScanMatch] - """ Returns all AdvancedTaskDefinitions """