Add cve whitelist to harbor_project resource (#71)

Co-authored-by: nolte <[email protected]>
nolte · Sep 27, 2020 · 37a331d · 37a331d
1 parent ced1fd6
commit 37a331d
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 7 deletions.
diff --git a/documentation/provider_doc/resources/harbor_project.mdpp b/documentation/provider_doc/resources/harbor_project.mdpp
@@ -31,6 +31,13 @@ The following arguments are optional:
 
 * `vulnerability_scanning` - (Optional) Activate [Vulnerability Scanning](https://goharbor.io/docs/1.10/administration/vulnerability-scanning/). Default: `true`
 
+* `reuse_sys_cve_whitelist` - (Optional) Whether this project should reuse the system level CVE whitelist as the whitelist of its own. Default: `true`
+
+    If `true`  The whitelist associated with this project will be ignored.
+
+    If `false` The project will use the whitelist defined by `cve_whitelist`.
+
+* `cve_whitelist` - (Optional) List of whitelisted CVE ids for the project.
 
 ## Attributes Reference
 

diff --git a/examples/tf-acception-test/project.tf b/examples/tf-acception-test/project.tf
@@ -1,5 +1,7 @@
 resource "harbor_project" "main" {
-  name                   = "main"
-  public                 = false # (Optional) Default value is false
-  vulnerability_scanning = true  # (Optional) Default vale is true. Automatically scan images on push
+  name                    = "main"
+  public                  = false # (Optional) Default value is false
+  vulnerability_scanning  = true  # (Optional) Default value is true. Automatically scan images on push
+  reuse_sys_cve_whitelist = false # (Optional) Default value is true.
+  cve_whitelist           = ["CVE-2020-12345", "CVE-2020-54321"]
 }
diff --git a/harbor/data_source_project.go b/harbor/data_source_project.go
@@ -32,6 +32,16 @@ func dataSourceProject() *schema.Resource {
 				Optional: true,
 				Computed: true,
 			},
+			"reuse_sys_cve_whitelist": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
+			"cve_whitelist": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 
 		Read: dataSourceProjectRead,

diff --git a/harbor/resource_project.go b/harbor/resource_project.go
@@ -28,6 +28,16 @@ func resourceProject() *schema.Resource {
 				Optional: true,
 				Default:  true,
 			},
+			"reuse_sys_cve_whitelist": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  true,
+			},
+			"cve_whitelist": {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 		Create: resourceProjectCreate,
 		Read:   resourceProjectRead,
@@ -46,8 +56,12 @@ func resourceProjectCreate(d *schema.ResourceData, m interface{}) error {
 	body := products.NewPostProjectsParams().WithProject(&models.ProjectReq{
 		ProjectName: projectName,
 		Metadata: &models.ProjectMetadata{
-			AutoScan: strconv.FormatBool(d.Get("vulnerability_scanning").(bool)),
-			Public:   strconv.FormatBool(d.Get("public").(bool)),
+			AutoScan:             strconv.FormatBool(d.Get("vulnerability_scanning").(bool)),
+			Public:               strconv.FormatBool(d.Get("public").(bool)),
+			ReuseSysCveWhitelist: strconv.FormatBool(d.Get("reuse_sys_cve_whitelist").(bool)),
+		},
+		CveWhitelist: &models.CVEWhitelist{
+			Items: expandCveWhitelist(d.Get("cve_whitelist").([]interface{})),
 		},
 	})
 
@@ -62,6 +76,14 @@ func resourceProjectCreate(d *schema.ResourceData, m interface{}) error {
 
 	d.SetId(strconv.Itoa(int(project.ProjectID)))
 
+	if len(d.Get("cve_whitelist").([]interface{})) > 0 {
+		// There is a bug in the Harbor API where the CVE Whitelist does not persist during Project creation
+		err = resourceProjectUpdate(d, m)
+		if err != nil {
+			return err
+		}
+	}
+
 	return resourceProjectRead(d, m)
 }
 
@@ -119,8 +141,12 @@ func resourceProjectUpdate(d *schema.ResourceData, m interface{}) error {
 		body := products.NewPutProjectsProjectIDParams().WithProject(&models.ProjectReq{
 			ProjectName: d.Get("name").(string),
 			Metadata: &models.ProjectMetadata{
-				AutoScan: d.Get("vulnerability_scanning").(string),
-				Public:   d.Get("public").(string),
+				AutoScan:             strconv.FormatBool(d.Get("vulnerability_scanning").(bool)),
+				Public:               strconv.FormatBool(d.Get("public").(bool)),
+				ReuseSysCveWhitelist: strconv.FormatBool(d.Get("reuse_sys_cve_whitelist").(bool)),
+			},
+			CveWhitelist: &models.CVEWhitelist{
+				Items: expandCveWhitelist(d.Get("cve_whitelist").([]interface{})),
 			},
 		}).WithProjectID(projectID)
 
@@ -177,5 +203,45 @@ func setProjectSchema(data *schema.ResourceData, project *models.Project) error
 		return err
 	}
 
+	if project.Metadata.ReuseSysCveWhitelist != "" {
+		reuseSysCveWhitelist, err := strconv.ParseBool(project.Metadata.ReuseSysCveWhitelist)
+		if err != nil {
+			return err
+		}
+
+		if err := data.Set("reuse_sys_cve_whitelist", reuseSysCveWhitelist); err != nil {
+			return err
+		}
+	}
+
+	if err := data.Set("cve_whitelist", flattenCveWhitelist(data, project.CveWhitelist)); err != nil {
+		return err
+	}
+
 	return nil
 }
+
+func expandCveWhitelist(cveWhitelist []interface{}) []*models.CVEWhitelistItem {
+	var cveWhitelistItems []*models.CVEWhitelistItem
+
+	for _, cve := range cveWhitelist {
+		cveWhitelistItem := &models.CVEWhitelistItem{
+			CveID: cve.(string),
+		}
+		cveWhitelistItems = append(cveWhitelistItems, cveWhitelistItem)
+	}
+
+	return cveWhitelistItems
+}
+
+func flattenCveWhitelist(data *schema.ResourceData, CveWhitelist *models.CVEWhitelist) []interface{} {
+	var cveWhitelist []interface{}
+
+	for _, cve := range CveWhitelist.Items {
+		if cve.CveID != "" {
+			cveWhitelist = append(cveWhitelist, cve.CveID)
+		}
+	}
+
+	return cveWhitelist
+}