0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

471 commits

Author SHA1 Message Date
peusebiu
17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback wont work!

for more info read documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00
peusebiu
5494a1b8d6
fix(storage): do not open/download blobs when validating manifests (#1566)
when pushing manifests, zot will validate blobs (layers + config blob) are
present in repo, currently it opens(in case of filesystem storage) or download(
in case of cloud storage) each blob.

fixed that by adding a new method ImageStore.CheckBlobPresence() on storage
to check blobs presence without checking the cache like ImageStore.CheckBlob() method does.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 10:33:36 -07:00
Josh Dolitsky
f3aa855405
fix: missing Oci-Subject header pushing index with subject (#1589)
* fix: missing Oci-Subject header pushing index with subject

Signed-off-by: Josh Dolitsky <josh@dolit.ski>

* fix(s3): Add a test to cover handling pushing indexes with a subject

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-06 10:31:40 -07:00
Andreea Lupu
41b05c60dd
feat: upload certificates and public keys for verifying signatures (#1485)
In order to verify signatures, users could upload their certificates and public keys using these routes:
	-> for public keys:
		/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
	-> for certificates:
		/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-07-06 14:57:59 +03:00
peusebiu
49e4d93f42
fix(test): TestConfigReloader, wait for trivy db download (#1543)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 14:17:49 +03:00
LaurentiuNiculae
0a04b2a4ed
feat(cve): implemented trivy image scan for multiarch images (#1510)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-06 11:36:26 +03:00
LaurentiuNiculae
96d9d318df
feat(referrers): added index support for referrers queries (#1560)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-05 09:42:16 -07:00
alexstan12
62889c3cb1
refactor: split AuthZ mdw in 2 different parts, each for a specific purpose (#1542)
- AuthzHandler has now been split in BaseAuthzHandler and DistSpecAuthzHandler
The former populates context with user specific data needed in most handlers, while
the latter executes access logic specific to distribution-spec handlers.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-05 09:37:52 -07:00
Andrei Aaron
7fee57e7cc
fix(CVE): attempt to scan now returns early with an error if trivyDB metadata json is missing (#1548)
Also modify zli to retry in case of such errors,
assuming the trivyDB will eventually be downloaded by the scheduled task.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-05 09:08:16 -07:00
Lisca Ana-Roberta
d4f200c2e1
fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-07-04 11:03:29 +03:00
peusebiu
7881ce32b2
fix(extensions): setup UI extension as last one (#1572)
because UI routes will setup a http.FileServer on '/'
any router setup after UI will be ignored at runtime
becuase gorrilla will route it to http.Fileserver instead.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-03 17:13:15 +03:00
LaurentiuNiculae
809529be18
fix(cli): add help message for searching referrers under search command (#1551)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-06-23 17:44:30 +03:00
Ramkumar Chinchani
1300fdfa88
refactor: filenames should use _ not - (#1547)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-06-22 11:54:41 -07:00
peusebiu
d881f4e916
fix(sync): flaky test on fetching tags (#1546)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-22 10:43:47 -07:00
LaurentiuNiculae
620287c7a4
feat(cli): add referrers and search commands to cli (#1497)
* feat(cli): add referrers command to cli

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(cli): add global search command

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(cli): fix comments

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-06-22 10:43:01 -07:00
alexstan12
ea7dbf9e5c
refactor: move helper functions under common, in usage specific named files (#1540)
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-06-22 14:29:45 +03:00
peusebiu
377aff1853
fix(sync): fixed skipping docker images when they already synced (#1521)
before syncing an image we first check if it's already present in our storage
to do that we get the manifest from remote and compare it with the local one
but in the case of syncing docker images, because the conversion to OCI format is done while
syncing, we get a docker manifest before conversion, so sync detects that local manifest and
remote one are different, so it starts syncing again.

to overcome this, convert remote docker manifests to OCI manifests and then compare.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 11:05:52 -07:00
peusebiu
ea84752214
fix(test): fix flaky test (#1544)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 19:53:14 +03:00
peusebiu
d5487d53e3
fix(authz): assign identity to authz context in tls mutual authentication (#1541)
this causes a bug in extensions by not having the identity for the
authenticated user and couldn't apply his permissions, just the default ones.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 16:06:53 +03:00
Lisca Ana-Roberta
aab149610f
fix: removed quotation marks from enum in swagger docs (#1539)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-06-20 15:32:19 +03:00
Lisca Ana-Roberta
aa16c955b3
fix: added swagger doc generation for mgmt and userprefs (#1530)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-06-19 10:43:25 -07:00
peusebiu
fc6d6356fb
feat(sync): sync references(signatures/artifacts) recursively (#1500)
sync now also pulls chained artifacts recursively
eg:
 image->sbom->sbom signature
 image->artifact->artifact

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-16 10:27:33 -07:00
Andrei Aaron
f9f9422d13
ci(disk usage): disk related fixes and improvements (#1524)
ci(workflow): show disk usage and free up disk space used by unneeded tooling
ci(tests): routes tests: do not copy large images if they are not used later
ci(trivy): update a test: download trivy.db to a temporary folder

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-06-15 15:07:28 -07:00
Lisca Ana-Roberta
622dde9193
fix: referrers now appears in swagger generated docs (#1488)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-06-12 10:32:11 -07:00
Ramkumar Chinchani
4d6ca493f2
chore: fix dependabot alerts (#1501)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-06-09 10:27:42 -07:00
Andrei Aaron
96d00cd0ef
fix(cve): Fix CVE scanning in images containing Jar files (#1475) 2023-06-01 00:37:46 +03:00
peusebiu
612a12e5a8
refactor(sync): use task scheduler (#1301)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-31 10:26:23 -07:00
Ramkumar Chinchani
2202d6dfd4
fix: revert "org.opencontainers.referrers.filtersApplied" (#1478)
As per latest dist-spec, this is now removed.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-26 13:56:44 -07:00
LaurentiuNiculae
a3f355c278
refactor(storage): refactoring storage (#1459)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-26 11:08:19 -07:00
peusebiu
9acd19f7ea
fix(extensions): consolidate extensions headers returned to UI by extensions (#1473)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-25 11:44:54 -07:00
Lisca Ana-Roberta
6a7035c599
fix: removed duplicate structures from service.go and moved them to pkg/common (#1436)
Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-05-25 11:27:49 -07:00
peusebiu
4970f8814d
fix(test): fix storage flaky tests (#1474)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-25 11:24:56 -07:00
LaurentiuNiculae
2b8479f7f2
feat(userprefs): update documentation and list extensions endpoint (#1456)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-25 14:46:52 +03:00
Andreea Lupu
970997f3a8
feat(graphql & repodb): add info about signature validity (#1344)
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-05-24 09:46:16 -07:00
LaurentiuNiculae
6e6ffe800c
chore(go.mod): upgrade to notation-go v1.0.0-rc.5 and image-spec v1.1.0-rc3 (#1468)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-23 15:16:33 +00:00
Ramkumar Chinchani
83ae1aad70
chore(go.mod): fix dependabot alerts (#1466)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-23 10:14:43 +03:00
LaurentiuNiculae
c0170b0811
feat(routes): move the cors handler from /v2 to only where it's needed (#1457)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-19 21:22:51 -07:00
peusebiu
1b184ceef8
fix(zb): fixed remote repositories cleanup (#1461)
fix(storage/local): also put deduped blobs in cache, not just origin blobs

this caused an error when trying to delete deduped blobs
from multiple repositories

fix(storage/s3): check blob is present in cache before deleting

this is an edge case where dedupe is false but cacheDriver is not nil
(because in s3 we open the cache.db if storage find it in rootDir)
it caused an error when trying to delete blobs uploaded with dedupe false

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-19 09:51:15 -07:00
Ramkumar Chinchani
2be5459c8e
chore: fix dependabot alerts (#1458)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-17 00:37:34 -07:00
LaurentiuNiculae
f4501e6b6b
feat(search): add artifact type to manifest summary gql structure (#1448)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-15 10:44:49 -07:00
LaurentiuNiculae
912854f29b
fix(sync): fix digest set into repodb (#1446)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-15 10:43:41 -07:00
LaurentiuNiculae
7bf40e7308
fix(sync): fixed way of updating repodb when syncing a signature (#1439)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-15 12:02:23 +03:00
Lisca Ana-Roberta
e262fbea64
feat: verifying and enabling necessary extensions for ui (#1369)
Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-05-12 09:43:14 -07:00
LaurentiuNiculae
7d7bc9d5e4
feat(api): added oci-subject header when pushing an image with subject field (#1415)
- as requested by the latest version of the oci distribution spec

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-12 09:32:01 -07:00
Ramkumar Chinchani
9534e0b88b
chore: fix dependabot alerts (#1409)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-11 16:39:21 -07:00
LaurentiuNiculae
b7ef88c96d
fix(search): added the missing headers for search route (#1438)
- added allow methods and allowed headers

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-11 16:05:14 +03:00
LaurentiuNiculae
ea79be64da
refactor(artifact): remove oci artifact support (#1359)
* refactor(artifact): remove oci artifact support
- add header to referrers call to indicated applied artifact type filters

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(gc): simplify gc logic to increase coverage

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-10 10:15:33 -07:00
LaurentiuNiculae
3be690c2ac
feat(userpreferences): update allowed methods header for user preferences routes (#1430)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-10 10:09:53 -07:00
peusebiu
d62dbcdf63
fix(sync): fix syncing signatures when using destination in sync's config (#1429)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-08 10:16:20 -07:00
LaurentiuNiculae
449f0d0ac3
fix(repoinfo): fix userprefs values for repos returned by expanded repo info (#1413)
- now isBookmarked and isStarred are updated correctly

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-05-04 09:51:21 -07:00