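def _check(self, filename: str) -> None:
    """Check that one internal-TLS cert or key file is usable.

    The file is looked up under ``internal_tls_dir``. ``harbor_internal_ca.crt``
    is special-cased twice: it may be absent, and it may lack a SAN; every
    other file must exist, be a regular file, and pass the checks below.

    Args:
        filename: file name inside ``internal_tls_dir`` (``*.key`` or ``*.crt``).

    Raises:
        Exception: file missing, not a regular file, key mode not 0600,
            cert not readable by its owner, or cert without a SAN.
    """
    path = Path(os.path.join(internal_tls_dir, filename))
    # Bug fix: ``path.exists`` / ``path.is_file`` are bound methods and are
    # always truthy, so the original never rejected a missing path or a
    # non-regular file. They must be called.
    if not path.exists():
        if filename == 'harbor_internal_ca.crt':
            return
        raise Exception('File {} not exist'.format(filename))
    # is_file() follows symlinks, so a link to a regular file is accepted.
    if not path.is_file():
        raise Exception('invalid {}'.format(filename))
    # Private keys must not be readable by group/others.
    if filename.endswith('.key') and not check_permission(path, mode=0o600):
        raise Exception(
            'key file {} permission is not 600'.format(filename))
    if filename.endswith('.crt'):
        # The owner read bit is the minimum for the service to load the cert.
        if not owner_can_read(path.stat().st_mode):
            raise Exception(
                'File {} should readable by owner'.format(filename))
        # Leaf certs need a SAN; the internal CA cert is exempt.
        if not san_existed(path):
            if filename == 'harbor_internal_ca.crt':
                return
            raise Exception(
                'cert file {} should include SAN'.format(filename))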
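def validate(conf: dict, **kwargs) -> None:
    """Validate the parsed Harbor configuration before it is rendered.

    Runs the hostname, protocol, log-endpoint, storage and CA-bundle checks in
    that order and stops at the first failure.

    Args:
        conf: parsed configuration mapping (hostname, protocol, cert paths,
            log endpoint settings, storage provider, CA bundle path, ...).
        **kwargs: deployment flags; only ``notary_mode`` is consulted.

    Raises:
        Exception: with a human-readable message describing the first failed
            check.
    """
    _validate_hostname(conf)
    _validate_protocol(conf, kwargs.get('notary_mode'))
    _validate_log_endpoint(conf)
    _validate_storage(conf)
    _validate_ca_bundle(conf)


def _validate_hostname(conf: dict) -> None:
    """Reject the loopback address and the template placeholder hostname."""
    hostname = conf.get('hostname')
    if hostname == '127.0.0.1':
        raise Exception("127.0.0.1 can not be the hostname")
    if hostname == 'reg.mydomain.com':
        raise Exception("Please specify hostname")


def _validate_protocol(conf: dict, notary_mode) -> None:
    """Require https with Notary, and non-default cert paths for https."""
    protocol = conf.get("protocol")
    if protocol != "https" and notary_mode:
        raise Exception(
            "Error: the protocol must be https when Harbor is deployed with Notary")
    if protocol == "https":
        # A missing path, or one still equal to the shipped default, counts as unset.
        if not conf.get("cert_path") or conf["cert_path"] == default_https_cert_path:
            raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
        if not conf.get("cert_key_path") or conf['cert_key_path'] == default_https_key_path:
            raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
    if protocol == "http":
        logging.warning("WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https")


def _validate_log_endpoint(conf: dict) -> None:
    """Check the external log endpoint keys, but only those that are present."""
    if 'log_ep_host' in conf and not conf['log_ep_host']:
        raise Exception('Error: must set log endpoint host to enable external host')
    if 'log_ep_port' in conf and not conf['log_ep_port']:
        raise Exception('Error: must set log endpoint port to enable external host')
    if 'log_ep_protocol' in conf and conf['log_ep_protocol'] not in ('udp', 'tcp'):
        raise Exception("Protocol in external log endpoint must be one of 'udp' or 'tcp' ")


def _validate_storage(conf: dict) -> None:
    """Check the registry storage driver name and, for remote drivers, its config.

    Unlike the original ``== ""`` test, a missing (``None``) provider config is
    also rejected for non-filesystem drivers: either way no configuration
    was supplied.
    """
    valid_storage_drivers = ("filesystem", "azure", "gcs", "s3", "swift", "oss")
    storage_provider_name = conf.get("storage_provider_name")
    if storage_provider_name not in valid_storage_drivers:
        raise Exception("Error: storage driver %s is not supported, only the following ones are supported: %s" % (
            storage_provider_name, ",".join(valid_storage_drivers)))
    # original key is registry_storage_provider_config
    storage_provider_config = conf.get("storage_provider_config")
    if storage_provider_name != "filesystem" and not storage_provider_config:
        raise Exception(
            "Error: no provider configurations are provided for provider %s" % storage_provider_name)


def _validate_ca_bundle(conf: dict) -> None:
    """Check that the custom registry CA bundle, if configured, is readable.

    The file is stat'ed on the host-mounted path. Files owned by
    ``DEFAULT_UID`` need the owner read bit; files owned by anyone else need
    the "other" read bit.
    """
    registry_custom_ca_bundle_path = conf.get('registry_custom_ca_bundle_path')
    if not registry_custom_ca_bundle_path:
        return
    # Paths under /data/ are used verbatim; anything else is resolved under host_root_dir.
    if registry_custom_ca_bundle_path.startswith('/data/'):
        ca_bundle_host_path = registry_custom_ca_bundle_path
    else:
        ca_bundle_host_path = os.path.join(host_root_dir, registry_custom_ca_bundle_path.lstrip('/'))
    try:
        # One stat() so uid and mode come from the same observation of the file.
        st = os.stat(ca_bundle_host_path)
    except Exception as e:
        logging.error(e)
        raise Exception('Can not get file info') from e
    err_msg = 'Cert File {} should be owned by user with uid 10000 or readable by others'.format(registry_custom_ca_bundle_path)
    if st.st_uid == DEFAULT_UID:
        readable = owner_can_read(st.st_mode)
    else:
        readable = other_can_read(st.st_mode)
    if not readable:
        raise Exception(err_msg)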