
Using robot account allowing cookies makes subsequent calls unauthorized

Open middagj opened this issue 4 years ago • 12 comments

Expected behavior and actual behavior: I am trying to automate some tasks using the new Robot accounts. Using a session object with the Python requests library automatically adds cookies set by the server to the jar, which is then used by subsequent requests.

Expected behavior is that using cookies set by Harbor does not make subsequent requests fail if still using the same authentication.

Steps to reproduce the problem: Send two requests that need authentication and store the cookies set by the server in between. Using HTTPie:

$> http --session ./sess --auth "robot+$HARBOR_PROJECT+$HARBOR_ROBOT_NAME:$HARBOR_ROBOT_SECRET" DELETE "$HARBOR_URL/api/v2.0/projects/$HARBOR_PROJECT/repositories/$HARBOR_REPO/artifacts/$HARBOR_ARTIFACT"
HTTP/1.1 404 Not Found
Connection: keep-alive
Content-Length: 143
Content-Type: application/json; charset=utf-8
Date: Tue, 09 Mar 2021 21:48:30 GMT
Set-Cookie: sid=MASKED; Path=/; HttpOnly
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Request-Id: MASKED

{
    "errors": [
        {
            "code": "NOT_FOUND",
            "message": "artifact MASKED not found"
        }
    ]
}

$> http --session ./sess --auth "robot+$HARBOR_PROJECT+$HARBOR_ROBOT_NAME:$HARBOR_ROBOT_SECRET" DELETE "$HARBOR_URL/api/v2.0/projects/$HARBOR_PROJECT/repositories/$HARBOR_REPO/artifacts/$HARBOR_ARTIFACT"
HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 65
Content-Type: application/json; charset=utf-8
Date: Tue, 09 Mar 2021 21:48:31 GMT
Set-Cookie: _gorilla_csrf=MASKED; Path=/; Expires=Wed, 10 Mar 2021 09:48:31 GMT; Max-Age=43200; HttpOnly; Secure; SameSite=Strict
Strict-Transport-Security: max-age=15724800; includeSubDomains
X-Harbor-Csrf-Token: MASKED
X-Request-Id: MASKED

{
    "errors": [
        {
            "code": "FORBIDDEN",
            "message": "CSRF token invalid"
        }
    ]
}

Workaround

from http import cookiejar
import requests

class BlockAll(cookiejar.DefaultCookiePolicy):
    # Refuse every cookie the server sets, so sid/_gorilla_csrf are never
    # replayed and each request is authenticated by Basic auth alone.
    def set_ok(self, cookie, request):
        return False

def make_session(username, password):
    session = requests.Session()
    session.auth = (username, password)  # Basic auth sent on every request
    session.cookies.set_policy(BlockAll())
    return session

Versions: Please specify the versions of the following systems.

  • harbor version: 2.2.0
  • docker engine version: n/a
  • docker-compose version: n/a

Additional context:

  • Harbor config files: You can get them by packaging harbor.yml and the files in the same directory, including subdirectories. No access
  • Log files: You can get them by packaging the /var/log/harbor/ directory. No access

middagj avatar Mar 09 '21 22:03 middagj
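To show concretely what the BlockAll workaround above does to the two cookies Harbor set in the captured responses, here is a stand-alone example (added for this write-up; not code from the report or from Harbor) that uses only the standard library: it feeds the report's two Set-Cookie headers to a cookie jar under the default policy and under BlockAll, and reports which cookies each jar would replay on the follow-up request. The Harbor URL is a placeholder, and the cookie values are the masked ones from the report.

```python
from http import cookiejar
from email.message import Message
from urllib.request import Request


class BlockAll(cookiejar.DefaultCookiePolicy):
    """Reject every cookie a server tries to set (the report's workaround)."""
    def set_ok(self, cookie, request):
        return False


class _FakeResponse:
    """Stand-in for an HTTP response: CookieJar.extract_cookies only needs .info()."""
    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


# Constructed from the two Set-Cookie headers shown in the report (values masked).
HARBOR_SET_COOKIES = [
    "sid=MASKED; Path=/; HttpOnly",
    "_gorilla_csrf=MASKED; Path=/; Expires=Wed, 10 Mar 2021 09:48:31 GMT; "
    "Max-Age=43200; HttpOnly; Secure; SameSite=Strict",
]

# Placeholder Harbor URL; only the scheme and host matter for cookie acceptance.
HARBOR_URL = "https://harbor.example.test/api/v2.0/projects/demo/repositories/app/artifacts/x"


def _jar_after_first_response(policy):
    """Build a jar (policy=None means the default policy) and store Harbor's cookies in it."""
    jar = cookiejar.CookieJar(policy=policy)
    jar.extract_cookies(_FakeResponse(HARBOR_SET_COOKIES), Request(HARBOR_URL))
    return jar


def cookies_kept(policy=None):
    """Names of the cookies the jar stored from the first response."""
    return sorted(c.name for c in _jar_after_first_response(policy))


def cookie_header_for_next_request(policy=None):
    """Cookie header the jar would attach to the second request, or None if nothing is sent."""
    follow_up = Request(HARBOR_URL)
    _jar_after_first_response(policy).add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")
```

With the default policy the second request carries both `sid` and `_gorilla_csrf`, which is the state that produced the 403 "CSRF token invalid" above; with BlockAll it carries no Cookie header at all and relies on the Basic auth credentials alone.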

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 18 '21 23:06 stale[bot]

Still waiting for a fix.

middagj avatar Jun 19 '21 18:06 middagj

Why not use the workaround as a solution? This is what the OCI conformance is using, see https://github.com/opencontainers/distribution-spec/blob/main/conformance/setup.go#L171

It seems that it's not a robot account call.

wy65701436 avatar Aug 10 '21 10:08 wy65701436

How do you mean it isn't a robot account call? I thought the new Robot accounts were also meant to do these kinds of calls.

We use the workaround, but I don't think it is a proper solution as HTTP specification says you should send the received cookies in subsequent calls in the same session. If this is just the way Harbor works, this deviation should at least be properly documented.

middagj avatar Aug 10 '21 10:08 middagj

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 22:04 stale[bot]

Still not fixed

middagj avatar Apr 17 '22 17:04 middagj

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 05 '22 11:07 github-actions[bot]

Still not fixed

middagj avatar Jul 05 '22 16:07 middagj

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Sep 05 '22 09:09 github-actions[bot]

Still not fixed to my knowledge

middagj avatar Sep 05 '22 13:09 middagj

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Nov 06 '22 09:11 github-actions[bot]

Really every 60 days?

middagj avatar Nov 06 '22 12:11 middagj

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jan 07 '23 09:01 github-actions[bot]

I am closing this issue because apparently being HTTP compliant is not a feature for harbor. This policy of asking bug reporters to bump issues every 60 days or they will be closed is very effective on lowering the open issues. Not only will bugs be closed because people give up on bumping, but also they will not report new ones. Job well done.

middagj avatar Jan 07 '23 10:01 middagj