def testAssignRoleToLdapGroup(self):
"""
Test case:
Assign Role To Ldap Group
Test step and expected result:
1. Set LDAP Auth configurations;
2. Create a new public project(PA) by Admin;
3. Add 3 member groups to project(PA);
4. Push image by each member role;
5. Verfify that admin_user can add project member, dev_user and guest_user can not add project member;
6. Verfify that admin_user and dev_user can push image, guest_user can not push image;
7. Verfify that admin_user, dev_user and guest_user can view logs, test user can not view logs.
8. Delete repository(RA) by user(UA);
9. Delete project(PA);
"""
url = ADMIN_CLIENT["endpoint"]
USER_ADMIN=dict(endpoint = url, username = "******", password = "******", repo = "haproxy")
USER_DEV=dict(endpoint = url, username = "******", password = "******", repo = "alpine")
USER_GUEST=dict(endpoint = url, username = "******", password = "******", repo = "busybox")
USER_TEST=dict(endpoint = url, username = "******", password = "******")
USER_MIKE=dict(endpoint = url, username = "******", password = "******")
#USER001 is in group harbor_group3
self.conf.set_configurations_of_ldap(ldap_filter="", ldap_group_attribute_name="cn", ldap_group_base_dn="ou=groups,dc=example,dc=com",
ldap_group_search_filter="objectclass=groupOfNames", ldap_group_search_scope=2, **ADMIN_CLIENT)
with created_project(metadata={"public": "false"}) as (project_id, project_name):
self.project.add_project_members(project_id, member_role_id = 1, _ldap_group_dn = "cn=harbor_admin,ou=groups,dc=example,dc=com", **ADMIN_CLIENT)
self.project.add_project_members(project_id, member_role_id = 2, _ldap_group_dn = "cn=harbor_dev,ou=groups,dc=example,dc=com", **ADMIN_CLIENT)
self.project.add_project_members(project_id, member_role_id = 3, _ldap_group_dn = "cn=harbor_guest,ou=groups,dc=example,dc=com", **ADMIN_CLIENT)
projects = self.project.get_projects(dict(name=project_name), **USER_ADMIN)
self.assertTrue(len(projects) == 1)
self.assertEqual(1, projects[0].current_user_role_id)
#Mike has logged in harbor in previous test.
mike = self.user.get_user_by_name(USER_MIKE["username"], **ADMIN_CLIENT)
#Verify role difference in add project member feature, to distinguish between admin and dev role
self.project.add_project_members(project_id, user_id=mike.user_id, member_role_id = 3, **USER_ADMIN)
self.project.add_project_members(project_id, user_id=mike.user_id, member_role_id = 3, expect_status_code=403, **USER_DEV)
self.project.add_project_members(project_id, user_id=mike.user_id, member_role_id = 3, expect_status_code=403, **USER_GUEST)
repo_name_admin, _ = push_image_to_project(project_name, harbor_server, USER_ADMIN["username"], USER_ADMIN["password"], USER_ADMIN["repo"], "latest")
artifacts = self.artifact.list_artifacts(project_name, USER_ADMIN["repo"], **USER_ADMIN)
self.assertTrue(len(artifacts) == 1)
repo_name_dev, _ = push_image_to_project(project_name, harbor_server, USER_DEV["username"], USER_DEV["password"], USER_DEV["repo"], "latest")
artifacts = self.artifact.list_artifacts(project_name, USER_DEV["repo"], **USER_DEV)
self.assertTrue(len(artifacts) == 1)
push_image_to_project(project_name, harbor_server, USER_GUEST["username"], USER_GUEST["password"], USER_GUEST["repo"], "latest", expected_error_message = "unauthorized to access repository")
artifacts = self.artifact.list_artifacts(project_name, USER_GUEST["repo"], **USER_GUEST)
self.assertTrue(len(artifacts) == 0)
self.assertTrue(self.project.query_user_logs(project_name, **USER_ADMIN)>0, "admin user can see logs")
self.assertTrue(self.project.query_user_logs(project_name, **USER_DEV)>0, "dev user can see logs")
self.assertTrue(self.project.query_user_logs(project_name, **USER_GUEST)>0, "guest user can see logs")
self.assertTrue(self.project.query_user_logs(project_name, status_code=403, **USER_TEST)==0, "test user can not see any logs")
self.repo.delete_repository(project_name, repo_name_admin.split('/')[1], **USER_ADMIN)
self.repo.delete_repository(project_name, repo_name_dev.split('/')[1], **USER_ADMIN)
def testScanImageInPublicProject(self):
"""
Test case:
Scan An Image Artifact In Public Project
Test step and expected result:
1. Create a new user(UA);
2. Create a new public project(PA) by user(UA);
3. Add user(UA) as a member of project(PA) with project-admin role;
4. Create a new repository(RA) and tag(TA) in project(PA) by user(UA);
5. Send scan image command without credential (anonymous), the API response should be 401;
6. Create a new user(UB) which is non member of the project(PA);
7. Send scan image command with credential of the new created user(UB), the API response should be 403;
8. Delete user(UB);
9. Send scan image command with credential of the user(UA) and get tag(TA) information to check scan result, it should be finished;
10. Delete repository(RA) by user(UA);
11. Delete project(PA);
12. Delete user(UA);
"""
password = '******' # nosec
with created_user(password) as (user_id, username):
with created_project(metadata={"public": "true"},
user_id=user_id) as (_, project_name):
image, src_tag = "docker", "1.13"
full_name, tag = push_self_build_image_to_project(
project_name, harbor_server, username, password, image,
src_tag)
repo_name = full_name.split('/')[1]
# scan image with anonymous user
self.scan.scan_artifact(project_name,
repo_name,
tag,
expect_status_code=401,
username=None,
password=None)
with created_user(password) as (_, username1):
# scan image with non project memeber
self.scan.scan_artifact(project_name,
repo_name,
tag,
expect_status_code=403,
username=username1,
password=password)
self.scan.scan_artifact(project_name,
repo_name,
tag,
username=username,
password=password)
self.artifact.check_image_scan_result(project_name,
image,
tag,
username=username,
password=password,
with_scan_overview=True)
self.repo.delete_repository(project_name, repo_name)
def testProjectQuota(self):
"""
Test case:
Project Quota
Test step and expected result:
1. Create a new user(UA);
2. Create a new private project(PA) by user(UA);
3. Add user(UA) as a member of project(PA) with project-admin role;
4. Push an image to project(PA) by user(UA), then check the project quota usage;
5. Check quota change
6. Push the image with another tag to project(PA) by user(UA)
7. Check quota not changed
8. Delete repository(RA) by user(UA);
9. Delete image, the quota should be changed to 0.
Tear down:
1. Delete repository(RA) by user(UA);
2. Delete project(PA);
3. Delete user(UA);
"""
user_001_password = "******"
#1. Create a new user(UA);
with created_user(user_001_password) as (user_id, user_name):
#2. Create a new private project(PA) by user(UA);
#3. Add user(UA) as a member of project(PA) with project-admin role;
with created_project(metadata={"public": "false"},
user_id=user_id) as (project_id,
project_name):
#4. Push an image to project(PA) by user(UA), then check the project quota usage; -- {"count": 1, "storage": 2791709}
image, tag = "goharbor/alpine", "3.10"
push_image_to_project(project_name, harbor_server, user_name,
user_001_password, image, tag)
#5. Get project quota
quota = self.system.get_project_quota("project", project_id,
**ADMIN_CLIENT)
self.assertEqual(quota[0].used["count"], 1)
self.assertEqual(quota[0].used["storage"], 2789002)
#6. Push the image with another tag to project(PA) by user(UA), the check the project quota usage; -- {"count": 1, "storage": 2791709}
push_image_to_project(project_name, harbor_server, user_name,
user_001_password, image, tag)
#7. Get project quota
quota = self.system.get_project_quota("project", project_id,
**ADMIN_CLIENT)
self.assertEqual(quota[0].used["count"], 1)
self.assertEqual(quota[0].used["storage"], 2789002)
#8. Delete repository(RA) by user(UA);
self.repo.delete_repoitory(project_name, image, **ADMIN_CLIENT)
#9. Quota should be 0
quota = self.system.get_project_quota("project", project_id,
**ADMIN_CLIENT)
self.assertEqual(quota[0].used["count"], 0)
self.assertEqual(quota[0].used["storage"], 0)
def test_02_SystemlevelRobotAccount(self):
"""
Test case:
Robot Account
Test step and expected result:
1. Define a number of access lists;
2. Create the same number of private projects;
3. Create a system robot account has permission for those projects;
4. Verify the system robot account has the corresponding rights;
5. Disable the system robot account;
6. Verify the system robot account has no the corresponding rights;
7. Enable the system robot account;
8. Verify the system robot account has the corresponding rights;
9. Refresh secret for the system robot account;
10. Verify the system robot account has no the corresponding right with the old secret already;
11. Verify the system robot account still has the corresponding right with the new secret;
12. List system robot account, then add a new project to the system robot account project permission list;
13. Delete this project;
14. List system robot account successfully;
15. Delete the system robot account;
16. Verify the system robot account has no the corresponding right;
17. Add a system robot account with all project coverd;
18. Verify the system robot account has no the corresponding right;
"""
#1. Define a number of access lists;
CHART_FILE_LIST = [
dict(name='prometheus', version='7.0.2'),
dict(name='harbor', version='0.2.0')
]
for i in range(2):
base.run_command([
"curl", r"-o", "./tests/apitests/python/{}-{}.tgz".format(
CHART_FILE_LIST[i]["name"], CHART_FILE_LIST[i]["version"]),
"https://storage.googleapis.com/harbor-builds/helm-chart-test-files/{}-{}.tgz"
.format(CHART_FILE_LIST[i]["name"],
CHART_FILE_LIST[i]["version"])
])
#Make sure that whether 'True' or 'False' must be included in each line or row.
check_list = [
[True, True, True, True, True, True, False, True, False, True],
[False, False, False, False, True, True, False, True, True, False],
[True, False, True, False, True, False, True, False, True, True],
[False, False, False, True, False, True, False, True, True, False]
]
access_list_list = []
for i in range(len(check_list)):
access_list_list.append(
self.robot.create_access_list(check_list[i]))
#2. Create the same number of private projects;
robot_account_Permissions_list = []
project_access_list = []
for i in range(len(check_list)):
with created_user(TestRobotAccount.user_ra_password,
_teardown=False) as (user_id, username):
with created_project(metadata={"public": "false"},
user_id=user_id,
_teardown=False) as (project_id,
project_name):
project_access_list.append(
dict(project_name=project_name,
project_id=project_id,
check_list=check_list[i]))
robot_account_Permissions = v2_swagger_client.Permission(
kind="project",
namespace=project_name,
access=access_list_list[i])
robot_account_Permissions_list.append(
robot_account_Permissions)
#3. Create a system robot account has permission for those projects;
system_robot_account_id, system_robot_account = self.robot.create_system_robot(
robot_account_Permissions_list, 300)
print("system_robot_account:", system_robot_account)
SYSTEM_RA_CLIENT = dict(endpoint=TestRobotAccount.url,
username=system_robot_account.name,
password=system_robot_account.secret)
SYSTEM_RA_CHART_CLIENT = dict(endpoint=CHART_API_CLIENT["endpoint"],
username=SYSTEM_RA_CLIENT["username"],
password=SYSTEM_RA_CLIENT["password"])
#4. Verify the system robot account has the corresponding rights;
for project_access in project_access_list:
print(r"project_access:", project_access)
if project_access["check_list"][1]: #---repository:push---
repo = push_self_build_image_to_project(
project_access["project_name"], harbor_server,
SYSTEM_RA_CLIENT["username"], SYSTEM_RA_CLIENT["password"],
"test_pushable", "v6.8.1")
else:
push_self_build_image_to_project(
project_access["project_name"],
harbor_server,
SYSTEM_RA_CLIENT["username"],
SYSTEM_RA_CLIENT["password"],
"test_unpushable",
"v6.8.1",
expected_error_message="unauthorized to access repository")
tag_for_del = "v1.0.0"
repo_name, tag = push_self_build_image_to_project(
project_access["project_name"], harbor_server,
ADMIN_CLIENT["username"], ADMIN_CLIENT["password"],
"test_del_artifact", tag_for_del)
if project_access["check_list"][0]: #---repository:pull---
pull_harbor_image(harbor_server, SYSTEM_RA_CLIENT["username"],
SYSTEM_RA_CLIENT["password"], repo_name,
tag_for_del)
else:
pull_harbor_image(
harbor_server,
SYSTEM_RA_CLIENT["username"],
SYSTEM_RA_CLIENT["password"],
repo_name,
tag_for_del,
expected_error_message=
"action: pull: unauthorized to access repository")
if project_access["check_list"][2]: #---artifact:delete---
self.artifact.delete_artifact(project_access["project_name"],
repo_name.split('/')[1],
tag_for_del, **SYSTEM_RA_CLIENT)
else:
self.artifact.delete_artifact(project_access["project_name"],
repo_name.split('/')[1],
tag_for_del,
expect_status_code=403,
**SYSTEM_RA_CLIENT)
#Prepare for chart read and delete
self.chart.upload_chart(
project_access["project_name"],
r'./tests/apitests/python/{}-{}.tgz'.format(
CHART_FILE_LIST[1]["name"],
CHART_FILE_LIST[1]["version"]), **CHART_API_CLIENT)
if project_access["check_list"][3]: #---helm-chart:read---
library.helm.helm2_fetch_chart_file(
"chart_repo_" + base._random_name("repo"), harbor_url,
project_access["project_name"],
SYSTEM_RA_CLIENT["username"], SYSTEM_RA_CLIENT["password"],
CHART_FILE_LIST[1]["name"])
else:
library.helm.helm2_fetch_chart_file(
"chart_repo_" + base._random_name("repo"),
harbor_url,
project_access["project_name"],
SYSTEM_RA_CLIENT["username"],
SYSTEM_RA_CLIENT["password"],
CHART_FILE_LIST[1]["name"],
expected_add_repo_error_message="403 Forbidden")
if project_access["check_list"][
4]: #---helm-chart-version:create---
self.chart.upload_chart(
project_access["project_name"],
r'./tests/apitests/python/{}-{}.tgz'.format(
CHART_FILE_LIST[0]["name"],
CHART_FILE_LIST[0]["version"]),
**SYSTEM_RA_CHART_CLIENT)
else:
self.chart.upload_chart(
project_access["project_name"],
r'./tests/apitests/python/{}-{}.tgz'.format(
CHART_FILE_LIST[0]["name"],
CHART_FILE_LIST[0]["version"]),
expect_status_code=403,
**SYSTEM_RA_CHART_CLIENT)
if project_access["check_list"][
5]: #---helm-chart-version:delete---
self.chart.delete_chart_with_version(
project_access["project_name"], CHART_FILE_LIST[1]["name"],
CHART_FILE_LIST[1]["version"], **SYSTEM_RA_CHART_CLIENT)
else:
self.chart.delete_chart_with_version(
project_access["project_name"],
CHART_FILE_LIST[1]["name"],
CHART_FILE_LIST[1]["version"],
expect_status_code=403,
**SYSTEM_RA_CHART_CLIENT)
repo_name, tag = push_self_build_image_to_project(
project_access["project_name"], harbor_server,
ADMIN_CLIENT["username"], ADMIN_CLIENT["password"],
"test_create_tag", "latest_1")
self.artifact.create_tag(project_access["project_name"],
repo_name.split('/')[1], tag,
"for_delete", **ADMIN_CLIENT)
if project_access["check_list"][6]: #---tag:create---
self.artifact.create_tag(project_access["project_name"],
repo_name.split('/')[1], tag, "1.0",
**SYSTEM_RA_CLIENT)
else:
self.artifact.create_tag(project_access["project_name"],
repo_name.split('/')[1],
tag,
"1.0",
expect_status_code=403,
**SYSTEM_RA_CLIENT)
if project_access["check_list"][7]: #---tag:delete---
self.artifact.delete_tag(project_access["project_name"],
repo_name.split('/')[1], tag,
"for_delete", **SYSTEM_RA_CLIENT)
else:
self.artifact.delete_tag(project_access["project_name"],
repo_name.split('/')[1],
tag,
"for_delete",
expect_status_code=403,
**SYSTEM_RA_CLIENT)
repo_name, tag = push_self_build_image_to_project(
project_access["project_name"], harbor_server,
ADMIN_CLIENT["username"], ADMIN_CLIENT["password"],
"test_create_artifact_label", "latest_1")
#Add project level label to artifact
label_id, _ = self.label.create_label(
project_id=project_access["project_id"],
scope="p",
**ADMIN_CLIENT)
if project_access["check_list"][8]: #---artifact-label:create---
self.artifact.add_label_to_reference(
project_access["project_name"],
repo_name.split('/')[1], tag, int(label_id),
**SYSTEM_RA_CLIENT)
else:
self.artifact.add_label_to_reference(
project_access["project_name"],
repo_name.split('/')[1],
tag,
int(label_id),
expect_status_code=403,
**SYSTEM_RA_CLIENT)
if project_access["check_list"][9]: #---scan:create---
self.scan.scan_artifact(project_access["project_name"],
repo_name.split('/')[1], tag,
**SYSTEM_RA_CLIENT)
else:
self.scan.scan_artifact(project_access["project_name"],
repo_name.split('/')[1],
tag,
expect_status_code=403,
**SYSTEM_RA_CLIENT)
#5. Disable the system robot account;
self.robot.update_system_robot_account(system_robot_account_id,
system_robot_account.name,
robot_account_Permissions_list,
disable=True,
**ADMIN_CLIENT)
#6. Verify the system robot account has no the corresponding rights;
self.verify_repository_unpushable(project_access_list,
SYSTEM_RA_CLIENT)
#7. Enable the system robot account;
self.robot.update_system_robot_account(system_robot_account_id,
system_robot_account.name,
robot_account_Permissions_list,
disable=False,
**ADMIN_CLIENT)
#8. Verify the system robot account has the corresponding rights;
self.verify_repository_pushable(project_access_list, SYSTEM_RA_CLIENT)
#9. Refresh secret for the system robot account;
new_secret = "new_secret_At_321"
self.robot.refresh_robot_account_secret(system_robot_account_id,
new_secret, **ADMIN_CLIENT)
#10. Verify the system robot account has no the corresponding right with the old secret already;
self.verify_repository_unpushable(project_access_list,
SYSTEM_RA_CLIENT)
#11. Verify the system robot account still has the corresponding right with the new secret;
SYSTEM_RA_CLIENT["password"] = new_secret
self.verify_repository_pushable(project_access_list, SYSTEM_RA_CLIENT)
#12. List system robot account, then add a new project to the system robot account project permission list;
self.robot.list_robot(**ADMIN_CLIENT)
project_for_del_id, project_for_del_name = self.project.create_project(
metadata={"public": "true"}, **ADMIN_CLIENT)
robot_account_Permissions = v2_swagger_client.Permission(
kind="project",
namespace=project_for_del_name,
access=access_list_list[0])
robot_account_Permissions_list.append(robot_account_Permissions)
self.robot.update_system_robot_account(system_robot_account_id,
system_robot_account.name,
robot_account_Permissions_list,
**ADMIN_CLIENT)
self.robot.list_robot(**ADMIN_CLIENT)
#13. Delete this project;
self.project.delete_project(project_for_del_id, **ADMIN_CLIENT)
#14. List system robot account successfully;
self.robot.list_robot(**ADMIN_CLIENT)
#15. Delete the system robot account;
self.robot.delete_robot_account(system_robot_account_id,
**ADMIN_CLIENT)
#16. Verify the system robot account has no the corresponding right;
self.verify_repository_unpushable(project_access_list,
SYSTEM_RA_CLIENT)
#17. Add a system robot account with all project coverd;
all_true_access_list = self.robot.create_access_list([True] * 10)
robot_account_Permissions_list = []
robot_account_Permissions = v2_swagger_client.Permission(
kind="project", namespace="*", access=all_true_access_list)
robot_account_Permissions_list.append(robot_account_Permissions)
_, system_robot_account_cover_all = self.robot.create_system_robot(
robot_account_Permissions_list, 300)
#18. Verify the system robot account has no the corresponding right;
print("system_robot_account_cover_all:",
system_robot_account_cover_all)
SYSTEM_RA_CLIENT_COVER_ALL = dict(
endpoint=TestRobotAccount.url,
username=system_robot_account_cover_all.name,
password=system_robot_account_cover_all.secret)
projects = self.project.get_projects(dict(), **ADMIN_CLIENT)
print("All projects:", projects)
project_access_list = []
for i in range(len(projects)):
project_access_list.append(
dict(project_name=projects[i].name,
project_id=projects[i].project_id,
check_list=all_true_access_list))
self.verify_repository_pushable(project_access_list,
SYSTEM_RA_CLIENT_COVER_ALL)
