Infrastructure/zot
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Code Issues Activity
zot/pkg/api/config/config.go

367 lines
8.2 KiB
Go
Raw Normal View History

Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
package config
zot: initial commit
2019-06-20 18:36:40 -05:00
import (
storage: different subpaths can point to same root directory currently different subpaths can only point to same root directory only when one or both of the storage config does not enable dedupe different subpath should be able to point to same root directory and in that case their storage config should be same i.e GC,Dedupe, GC delay and GC interval Signed-off-by: Shivam Mishra <shimish2@cisco.com>
2022-08-10 17:28:52 -05:00
"os"
gc: add a gcDelay param Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2022-02-09 19:51:35 -05:00
"time"
Add identity-based access control, closes #51 Add a cli subcommand to verify config files validity
2021-05-13 13:59:12 -05:00
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
"github.com/getlantern/deepcopy"
go.mod: update modules
2021-05-21 15:47:28 -05:00
distspec "github.com/opencontainers/distribution-spec/specs-go"
chore(lint): gci to separate zot from other imports (#870) Signed-off-by: Andrei Aaron <andaaron@cisco.com>
2022-10-20 11:39:20 -05:00
move references to zotregistry.io and project-zot Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-03 22:50:58 -05:00
extconf "zotregistry.io/zot/pkg/extensions/config"
refactor(storage): refactoring storage (#1459) Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-26 13:08:19 -05:00
storageConstants "zotregistry.io/zot/pkg/storage/constants"
zot: initial commit
2019-06-20 18:36:40 -05:00
)
ci/cd:inculde binary type in version information
2021-02-12 19:52:02 -05:00
var (
Update go version to 1.19 (#829) * ci: Update go version to 1.19 Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Fix lint issues Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Added needprivileges to lint, made needprivileges pass lint Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Co-authored-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-10-05 05:21:14 -05:00
Commit string //nolint: gochecknoglobals
build: add commit hash to Config at build for proper discovery readme (#854) * build: add commit hash to Config at build for proper discovery readme link * fix: use tag instead of commit hash, add to release build Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-10-11 11:01:59 -05:00
ReleaseTag string //nolint: gochecknoglobals
Update go version to 1.19 (#829) * ci: Update go version to 1.19 Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Fix lint issues Signed-off-by: Nicol Draghici <idraghic@cisco.com> * ci: Added needprivileges to lint, made needprivileges pass lint Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Nicol Draghici <idraghic@cisco.com> Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com> Co-authored-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-10-05 05:21:14 -05:00
BinaryType string //nolint: gochecknoglobals
GoVersion string //nolint: gochecknoglobals
fix(authn): fix several issues with authn, closes #1632 (#1633) - apply Access-Control-Allow-Credentials only if authn is enabled - enable Logout route for basic auth - fixed Logout godoc - fix Access-Control-Allow-Methods on Logout route - added allowOrigin option in config example Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 11:27:04 -05:00
feat(authn): add generic oidc and allow customizable name (#1691) Rebased and squashed Signed-off-by: Damien Degois <damien@degois.info>
2023-08-24 04:33:35 -05:00
openIDSupportedProviders = [...]string{"google", "gitlab", "oidc"} //nolint: gochecknoglobals
oauth2SupportedProviders = [...]string{"github"} //nolint: gochecknoglobals
fix(authn): fix several issues with authn, closes #1632 (#1633) - apply Access-Control-Allow-Credentials only if authn is enabled - enable Logout route for basic auth - fixed Logout godoc - fix Access-Control-Allow-Methods on Logout route - added allowOrigin option in config example Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 11:27:04 -05:00
ci/cd:inculde binary type in version information
2021-02-12 19:52:02 -05:00
)
version: add commit id to binary during build
2019-09-16 13:01:59 -05:00
zot: initial commit
2019-06-20 18:36:40 -05:00
type StorageConfig struct {
RootDirectory string
config: add gc and dedupe as configurable params (default to enabled) Since we want to conform to dist-spec, sometimes the gc and dedupe optimizations conflict with the conformance tests that are being run. So allow them to be turned off via configuration params.
2020-04-15 18:24:05 -05:00
Dedupe bool
refactor(cache): rewrote/refactored cachedb functionality to use interface (#667) Moved boltdb to a driver implementation for such interface Added CreateCacheDatabaseDriver in controller Fixed default directory creation (boltDB will only create the file, not the dir Added coverage tests Added example config for boltdb Re-added caching on subpaths, rewrote CreateCacheDatabaseDriver Fix tests Made cacheDriver argument mandatory for NewImageStore, added more validation, added defaults Moved cache interface to own file, removed useRelPaths from config Got rid of cache config, refactored Moved cache to own package and folder Renamed + removed cache factory to backend, replaced CloudCache to RemoteCache Moved storage constants back to storage package moved cache interface and factory to storage package, changed remoteCache defaulting Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-11-02 17:53:08 -05:00
RemoteCache bool
GC bool
storage: flush/sync contents to disk on file close Behavior controlled by configuration (default=off) It is a trade-off between performance and consistency. References: [1] https://github.com/golang/go/issues/20599 Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2022-01-20 23:11:44 -05:00
Commit bool
gc: add a gcDelay param Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2022-02-09 19:51:35 -05:00
GCDelay time.Duration
make gc periodic Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2022-03-21 13:40:37 -05:00
GCInterval time.Duration
storage: add s3 backend support (without GC and dedupe) Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-07-16 22:53:05 -05:00
StorageDriver map[string]interface{} `mapstructure:",omitempty"`
feat(cache): dynamodb implementation (#953) Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-11-22 13:29:57 -05:00
CacheDriver map[string]interface{} `mapstructure:",omitempty"`
zot: initial commit
2019-06-20 18:36:40 -05:00
}
type TLSConfig struct {
Cert string
Key string
CACert string
}
type AuthHTPasswd struct {
Path string
}
type AuthConfig struct {
FailDelay int
HTPasswd AuthHTPasswd
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
LDAP *LDAPConfig
Add support for bearer/token auth New options added to configuration file to reference a public key used to validate authorization tokens signed by an auth server with corresponding private key. Resolves #24 Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
2020-01-24 16:32:38 -05:00
Bearer *BearerConfig
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 11:27:10 -05:00
OpenID *OpenIDConfig
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 13:58:34 -05:00
APIKey bool
Add support for bearer/token auth New options added to configuration file to reference a public key used to validate authorization tokens signed by an auth server with corresponding private key. Resolves #24 Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
2020-01-24 16:32:38 -05:00
}
type BearerConfig struct {
Realm string
Service string
Cert string
zot: initial commit
2019-06-20 18:36:40 -05:00
}
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 11:27:10 -05:00
type OpenIDConfig struct {
Providers map[string]OpenIDProviderConfig
}
type OpenIDProviderConfig struct {
feat(authn): add generic oidc and allow customizable name (#1691) Rebased and squashed Signed-off-by: Damien Degois <damien@degois.info>
2023-08-24 04:33:35 -05:00
Name string
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 11:27:10 -05:00
ClientID string
ClientSecret string
KeyPath string
Issuer string
Scopes []string
}
controller: support rate-limiting incoming requests helps constraining resource usage and against flood attacks. Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2022-01-21 15:30:09 -05:00
type MethodRatelimitConfig struct {
Method string
Rate int
}
type RatelimitConfig struct {
Rate *int // requests per second
Methods []MethodRatelimitConfig `mapstructure:",omitempty"`
}
feat: integrate openID auth logic and user profile management (#1381) This change introduces OpenID authn by using providers such as Github, Gitlab, Google and Dex. User sessions are now used for web clients to identify and persist an authenticated users session, thus not requiring every request to use credentials. Another change is apikey feature, users can create/revoke their api keys and use them to authenticate when using cli clients such as skopeo. eg: login: /auth/login?provider=github /auth/login?provider=gitlab and so on logout: /auth/logout redirectURL: /auth/callback/github /auth/callback/gitlab and so on If network policy doesn't allow inbound connections, this callback wont work! for more info read documentation added in this commit. Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro> Signed-off-by: Petu Eusebiu <peusebiu@cisco.com> Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 11:27:10 -05:00
//nolint:maligned
zot: initial commit
2019-06-20 18:36:40 -05:00
type HTTPConfig struct {
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Address string
fix(authn): handle the case where zot with openid runs behind a proxy (#1675) added a new config option under 'http' called externalURL which is used by openid/oauth2 clients to redirect back to zot Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-08-09 11:11:21 -05:00
ExternalURL string `mapstructure:",omitempty"`
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Port string
AllowOrigin string // comma separated
TLS *TLSConfig
Auth *AuthConfig
feat(mgmt): added mgmt extension which returns current zot configuration (#1198) Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-03-09 13:43:26 -05:00
AccessControl *AccessControlConfig `mapstructure:"accessControl,omitempty"`
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Realm string
Ratelimit *RatelimitConfig `mapstructure:",omitempty"`
zot: initial commit
2019-06-20 18:36:40 -05:00
}
fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-07-04 03:03:29 -05:00
type SchedulerConfig struct {
NumWorkers int
}
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
type LDAPConfig struct {
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Port int
Insecure bool
StartTLS bool // if !Insecure, then StartTLS or LDAPs
SkipVerify bool
SubtreeSearch bool
Address string
BindDN string
UserGroupAttribute string
BindPassword string
BaseDN string
UserAttribute string
CACert string
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
}
zot: initial commit
2019-06-20 18:36:40 -05:00
type LogConfig struct {
Level string
Output string
logs: add an audit log for API calls with unit tests resolves #178
2021-05-25 03:38:21 -05:00
Audit string
zot: initial commit
2019-06-20 18:36:40 -05:00
}
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181
2021-04-05 19:40:33 -05:00
type GlobalStorageConfig struct {
refactor(cache): rewrote/refactored cachedb functionality to use interface (#667) Moved boltdb to a driver implementation for such interface Added CreateCacheDatabaseDriver in controller Fixed default directory creation (boltDB will only create the file, not the dir Added coverage tests Added example config for boltdb Re-added caching on subpaths, rewrote CreateCacheDatabaseDriver Fix tests Made cacheDriver argument mandatory for NewImageStore, added more validation, added defaults Moved cache interface to own file, removed useRelPaths from config Got rid of cache config, refactored Moved cache to own package and folder Renamed + removed cache factory to backend, replaced CloudCache to RemoteCache Moved storage constants back to storage package moved cache interface and factory to storage package, changed remoteCache defaulting Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-11-02 17:53:08 -05:00
StorageConfig `mapstructure:",squash"`
config: support multiple storage locations added support to point multiple storage locations in zot by running multiple instance of zot in background. see examples/config-multiple.json for more info about config. Closes #181
2021-04-05 19:40:33 -05:00
SubPaths map[string]StorageConfig
}
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
type AccessControlConfig struct {
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Repositories Repositories `json:"repositories" mapstructure:"repositories"`
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
AdminPolicy Policy
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Groups Groups
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
}
refactor: move helper functions under common, in usage specific named files (#1540) Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-06-22 06:29:45 -05:00
func (config *AccessControlConfig) AnonymousPolicyExists() bool {
if config == nil {
return false
}
for _, repository := range config.Repositories {
if len(repository.AnonymousPolicy) > 0 {
return true
}
}
return false
}
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
type (
Repositories map[string]PolicyGroup
Groups map[string]Group
)
type Group struct {
Users []string
}
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
type PolicyGroup struct {
Remove AllowReadOnly and ReadOnly Signed-off-by: Nicol Draghici <idraghic@cisco.com> Remove check and set header every time Signed-off-by: Nicol Draghici <idraghic@cisco.com>
2022-07-14 10:13:46 -05:00
Policies []Policy
DefaultPolicy []string
AnonymousPolicy []string
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
}
type Policy struct {
Users []string
Actions []string
feat(groups)!: added "groups" mechanism for authZ (#1123) BREAKING CHANGE: repository paths are now specified under a new config key called "repositories" under "accessControl" section in order to handle "groups" feature. Previously the repository paths were specified directly under "accessControl". This PR adds the ability to create groups of users which can be used for authZ policies, instead of just users. { "http": { "accessControl": { "groups": { Just like the users, groups can be part of repository policies/default policies/admin policies. The 'groups' field in accessControl can be missing if there are no groups. The permissions priority is user>group>default>admin policy, verified in this order (in authz.go), and permissions are cumulative. It works with LDAP too, and the group attribute name is configurable. The DN of the group is used as the group name and the functionality is the same. All groups for the given user are added to the context in authn.go. Repository paths are now specified under a new keyword called "repositories" under "accessControl" section in order to handle "groups" feature. Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-08 14:47:15 -05:00
Groups []string
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
}
zot: initial commit
2019-06-20 18:36:40 -05:00
type Config struct {
Update dist-spec version automatically Warning if config has wrong dist-spec version Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
2022-03-07 07:50:15 -05:00
DistSpecVersion string `json:"distSpecVersion" mapstructure:"distSpecVersion"`
GoVersion string
Commit string
build: add commit hash to Config at build for proper discovery readme (#854) * build: add commit hash to Config at build for proper discovery readme link * fix: use tag instead of commit hash, add to release build Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-10-11 11:01:59 -05:00
ReleaseTag string
Update dist-spec version automatically Warning if config has wrong dist-spec version Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
2022-03-07 07:50:15 -05:00
BinaryType string
Storage GlobalStorageConfig
HTTP HTTPConfig
Log *LogConfig
Extensions *extconf.ExtensionConfig
fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-07-04 03:03:29 -05:00
Scheduler *SchedulerConfig `json:"scheduler" mapstructure:",omitempty"`
zot: initial commit
2019-06-20 18:36:40 -05:00
}
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
func New() *Config {
zot: initial commit
2019-06-20 18:36:40 -05:00
return &Config{
Update dist-spec version automatically Warning if config has wrong dist-spec version Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
2022-03-07 07:50:15 -05:00
DistSpecVersion: distspec.Version,
GoVersion: GoVersion,
Commit: Commit,
build: add commit hash to Config at build for proper discovery readme (#854) * build: add commit hash to Config at build for proper discovery readme link * fix: use tag instead of commit hash, add to release build Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-10-11 11:01:59 -05:00
ReleaseTag: ReleaseTag,
Update dist-spec version automatically Warning if config has wrong dist-spec version Signed-off-by: laurentiuNiculae <themelopeus@gmail.com>
2022-03-07 07:50:15 -05:00
BinaryType: BinaryType,
refactor(cache): rewrote/refactored cachedb functionality to use interface (#667) Moved boltdb to a driver implementation for such interface Added CreateCacheDatabaseDriver in controller Fixed default directory creation (boltDB will only create the file, not the dir Added coverage tests Added example config for boltdb Re-added caching on subpaths, rewrote CreateCacheDatabaseDriver Fix tests Made cacheDriver argument mandatory for NewImageStore, added more validation, added defaults Moved cache interface to own file, removed useRelPaths from config Got rid of cache config, refactored Moved cache to own package and folder Renamed + removed cache factory to backend, replaced CloudCache to RemoteCache Moved storage constants back to storage package moved cache interface and factory to storage package, changed remoteCache defaulting Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-11-02 17:53:08 -05:00
Storage: GlobalStorageConfig{
fix: remove inline GC and schedule a background task instead (#1610) * fix: remove inline GC and set a default value of gc interval - remove inline GC - add a default value of GC interval - run the GC periodically by default with the default value if no interval provided - generate GC tasks with a random delay(0-30s) between - add IsReady() method to scheduler.TaskGenerator interface Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> * ci: add test for gc with short interval Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com> --------- Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-08-07 14:55:19 -05:00
StorageConfig: StorageConfig{
GC: true, GCDelay: storageConstants.DefaultGCDelay,
GCInterval: storageConstants.DefaultGCInterval, Dedupe: true,
},
refactor(cache): rewrote/refactored cachedb functionality to use interface (#667) Moved boltdb to a driver implementation for such interface Added CreateCacheDatabaseDriver in controller Fixed default directory creation (boltDB will only create the file, not the dir Added coverage tests Added example config for boltdb Re-added caching on subpaths, rewrote CreateCacheDatabaseDriver Fix tests Made cacheDriver argument mandatory for NewImageStore, added more validation, added defaults Moved cache interface to own file, removed useRelPaths from config Got rid of cache config, refactored Moved cache to own package and folder Renamed + removed cache factory to backend, replaced CloudCache to RemoteCache Moved storage constants back to storage package moved cache interface and factory to storage package, changed remoteCache defaulting Signed-off-by: Catalin Hofnar <catalin.hofnar@gmail.com>
2022-11-02 17:53:08 -05:00
},
HTTP: HTTPConfig{Address: "127.0.0.1", Port: "8080", Auth: &AuthConfig{FailDelay: 0}},
Log: &LogConfig{Level: "debug"},
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
}
}
storage: different subpaths can point to same root directory currently different subpaths can only point to same root directory only when one or both of the storage config does not enable dedupe different subpath should be able to point to same root directory and in that case their storage config should be same i.e GC,Dedupe, GC delay and GC interval Signed-off-by: Shivam Mishra <shimish2@cisco.com>
2022-08-10 17:28:52 -05:00
func (expConfig StorageConfig) ParamsEqual(actConfig StorageConfig) bool {
return expConfig.GC == actConfig.GC && expConfig.Dedupe == actConfig.Dedupe &&
expConfig.GCDelay == actConfig.GCDelay && expConfig.GCInterval == actConfig.GCInterval
}
// SameFile compare two files.
// This method will first do the stat of two file and compare using os.SameFile method.
func SameFile(str1, str2 string) (bool, error) {
sFile, err := os.Stat(str1)
if err != nil {
return false, err
}
tFile, err := os.Stat(str2)
if err != nil {
return false, err
}
return os.SameFile(sFile, tFile), nil
}
Upgraded build pipeline Go version changed to 1.14.4 Golangci-lint changed to 1.26.0 Bazel version changed to 3.0.0 Bazel rules_go version changed to 0.23.3 Bazel gazelle version changed to v0.21.0 Bazel build tools version changed to 0.25.1 Bazel skylib version changed to 1.0.2
2020-05-11 17:13:24 -05:00
// Sanitize makes a sanitized copy of the config removing any secrets.
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
func (c *Config) Sanitize() *Config {
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-13 14:23:31 -05:00
sanitizedConfig := &Config{}
if err := deepcopy.Copy(sanitizedConfig, c); err != nil {
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
panic(err)
}
Fixing all the issues with upgrading to golangci-lint 1.21.0
2019-12-13 00:53:18 -05:00
Added new extension "sync" Periodically poll registries and pull images according to sync's config Added sync on demand, syncing when clients asks for an image which zot doesn't have. Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2021-06-08 15:11:18 -05:00
if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil && c.HTTP.Auth.LDAP.BindPassword != "" {
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-13 14:23:31 -05:00
sanitizedConfig.HTTP.Auth.LDAP = &LDAPConfig{}
Fixing all the issues with upgrading to golangci-lint 1.21.0
2019-12-13 00:53:18 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-13 14:23:31 -05:00
if err := deepcopy.Copy(sanitizedConfig.HTTP.Auth.LDAP, c.HTTP.Auth.LDAP); err != nil {
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
panic(err)
}
Fixing all the issues with upgrading to golangci-lint 1.21.0
2019-12-13 00:53:18 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-13 14:23:31 -05:00
sanitizedConfig.HTTP.Auth.LDAP.BindPassword = "******"
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
}
Fixing all the issues with upgrading to golangci-lint 1.21.0
2019-12-13 00:53:18 -05:00
lint: upgrade golangci-lint Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2021-12-13 14:23:31 -05:00
return sanitizedConfig
auth: add LDAP support fixes #23
2019-08-15 11:34:54 -05:00
}
fix(authn): fix several issues with authn, closes #1632 (#1633) - apply Access-Control-Allow-Credentials only if authn is enabled - enable Logout route for basic auth - fixed Logout godoc - fix Access-Control-Allow-Methods on Logout route - added allowOrigin option in config example Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 11:27:04 -05:00
func (c *Config) IsLdapAuthEnabled() bool {
if c.HTTP.Auth != nil && c.HTTP.Auth.LDAP != nil {
return true
}
return false
}
func (c *Config) IsHtpasswdAuthEnabled() bool {
if c.HTTP.Auth != nil && c.HTTP.Auth.HTPasswd.Path != "" {
return true
}
return false
}
func (c *Config) IsBearerAuthEnabled() bool {
if c.HTTP.Auth != nil &&
c.HTTP.Auth.Bearer != nil &&
c.HTTP.Auth.Bearer.Cert != "" &&
c.HTTP.Auth.Bearer.Realm != "" &&
c.HTTP.Auth.Bearer.Service != "" {
return true
}
return false
}
func (c *Config) IsOpenIDAuthEnabled() bool {
if c.HTTP.Auth != nil &&
c.HTTP.Auth.OpenID != nil {
for provider := range c.HTTP.Auth.OpenID.Providers {
if isOpenIDAuthProviderEnabled(c, provider) {
return true
}
}
}
return false
}
func (c *Config) IsAPIKeyEnabled() bool {
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 13:58:34 -05:00
if c.HTTP.Auth != nil && c.HTTP.Auth.APIKey {
fix(authn): fix several issues with authn, closes #1632 (#1633) - apply Access-Control-Allow-Credentials only if authn is enabled - enable Logout route for basic auth - fixed Logout godoc - fix Access-Control-Allow-Methods on Logout route - added allowOrigin option in config example Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 11:27:04 -05:00
return true
}
return false
}
func (c *Config) IsBasicAuthnEnabled() bool {
if c.IsHtpasswdAuthEnabled() || c.IsLdapAuthEnabled() ||
c.IsOpenIDAuthEnabled() || c.IsAPIKeyEnabled() {
return true
}
return false
}
func isOpenIDAuthProviderEnabled(config *Config, provider string) bool {
if providerConfig, ok := config.HTTP.Auth.OpenID.Providers[provider]; ok {
if IsOpenIDSupported(provider) {
if providerConfig.ClientID != "" || providerConfig.Issuer != "" ||
len(providerConfig.Scopes) > 0 {
return true
}
} else if IsOauth2Supported(provider) {
if providerConfig.ClientID != "" || len(providerConfig.Scopes) > 0 {
return true
}
}
}
return false
}
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 13:58:34 -05:00
func (c *Config) IsSearchEnabled() bool {
return c.Extensions != nil && c.Extensions.Search != nil && *c.Extensions.Search.Enable
}
func (c *Config) IsUIEnabled() bool {
return c.Extensions != nil && c.Extensions.UI != nil && *c.Extensions.UI.Enable
}
func (c *Config) AreUserPrefsEnabled() bool {
return c.IsSearchEnabled() && c.IsUIEnabled()
}
func (c *Config) IsMgmtEnabled() bool {
feat(mgmt): mgmt extention no longer depends on UI being enabled (#1728) It is now enabled based only on search configuration Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-26 15:32:41 -05:00
return c.IsSearchEnabled()
refactor(extensions)!: refactor the extensions URLs and errors (#1636) BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below BREAKING CHANGE: The API keys endpoint has been moved - see details below BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey mgmt and imagetrust extensions: - separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign - signature verification logic is in a separate `imagetrust` extension - better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors) - add authz on signature uploads (and add a new middleware in common for this purpose) - remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled userprefs estension: - userprefs are enabled if both search and ui extensions are enabled (as opposed to just search) apikey extension is removed and logic moved into the api folder - Move apikeys code out of pkg/extensions and into pkg/api - Remove apikey configuration options from the extensions configuration and move it inside the http auth section - remove the build label apikeys other changes: - move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files. - add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys - add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions - more clear methods for verifying specific extensions are enabled - fix http methods paired with the UI handlers - rebuild swagger docs Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 13:58:34 -05:00
}
func (c *Config) IsImageTrustEnabled() bool {
return c.Extensions != nil && c.Extensions.Trust != nil && *c.Extensions.Trust.Enable
}
func (c *Config) IsCosignEnabled() bool {
return c.IsImageTrustEnabled() && c.Extensions.Trust.Cosign
}
func (c *Config) IsNotationEnabled() bool {
return c.IsImageTrustEnabled() && c.Extensions.Trust.Notation
}
func (c *Config) IsSyncEnabled() bool {
return c.Extensions != nil && c.Extensions.Sync != nil && *c.Extensions.Sync.Enable
}
fix(authn): fix several issues with authn, closes #1632 (#1633) - apply Access-Control-Allow-Credentials only if authn is enabled - enable Logout route for basic auth - fixed Logout godoc - fix Access-Control-Allow-Methods on Logout route - added allowOrigin option in config example Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 11:27:04 -05:00
func IsOpenIDSupported(provider string) bool {
for _, supportedProvider := range openIDSupportedProviders {
if supportedProvider == provider {
return true
}
}
return false
}
func IsOauth2Supported(provider string) bool {
for _, supportedProvider := range oauth2SupportedProviders {
if supportedProvider == provider {
return true
}
}
return false
}
Reference in a new issue Copy permalink