0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

1188 commits

Author SHA1 Message Date
Alexei Dodon
f5b63963be
refactor: Reduce binary size of zot-minimal; Added CI check for binary size (#1758)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-09-06 19:58:00 +03:00
Ramkumar Chinchani
75a76005b4
chore: fix dependabot alerts (#1763)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-09-05 22:30:49 +03:00
peusebiu
59dc4c3229
feat(scheduler): pass the shutdown/reload ctx to running tasks (#1671)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-05 09:48:56 -07:00
peusebiu
a0290b4b37
fix(gc): gc removes unknown manifests (#1762)
without removing its index.json reference

fix that by also reporting if manifests with unknown mediatypes
are referenced in index.json

this will make gc delete manifest blobs with deleteImageManifest() method
instead of deleteBlob(), which also removes index.json entries.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-05 09:42:12 -07:00
Ramkumar Chinchani
8e36bfd4d1
fix: add manifest validation checks (#1747)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-09-02 01:28:31 -07:00
peusebiu
c6b822f3dd
refactor(authz): use a struct for user access control info operations (#1682)
fix(authz): fix isAdmin not using groups to determine if a user is admin.
fix(authz): return 401 instead of 403

403 is correct as per HTTP spec
However authz is not part of dist-spec and clients know only about 401
So this is a compromise.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 11:13:53 -07:00
peusebiu
b80deb9927
refactor(storage): refactor storage into a single ImageStore (#1656)
unified both local and s3 ImageStore logic into a single ImageStore
added a new driver interface for common file/dirs manipulations
to be implemented by different storage types

refactor(gc): drop umoci dependency, implemented internal gc

added retentionDelay config option that specifies
the garbage collect delay for images without tags

this will also clean manifests which are part of an index image
(multiarch) that no longer exist.

fix(dedupe): skip blobs under .sync/ directory

if startup dedupe is running while also syncing is running
ignore blobs under sync's temporary storage

fix(storage): do not allow image indexes modifications

when deleting a manifest verify that it is not part of a multiarch image
and throw a MethodNotAllowed error to the client if it is.
we don't want to modify multiarch images

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 10:54:39 -07:00
LaurentiuNiculae
72a5968437
test(bats): added bats example for deleting an image (#1718)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-09-01 17:23:34 +03:00
Alexei Dodon
423302df5f
fix: nightly build (#1745)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-09-01 13:08:17 +03:00
Andrei Aaron
521b109c8c
chore(go.mod): upgrade 3rd party packages (#1742)
Special note for oras.land/oras-go:
- 1.2.4 is not released yet, but tip of their v1 branch is compatible with docker v24.0.2
- 1.2.3 is not compatible with docker v24.0.2
Other 3rd party software depend on both oras-go v1 and docker v24

See also https://github.com/oras-project/oras-go/pull/527

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-31 20:40:19 +03:00
Alexei Dodon
41bbb23e30
fix: bats test refactoring (#1731)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-30 12:24:28 -07:00
LaurentiuNiculae
112fbec5b6
refactor(cli): added equivalent subcommands for each flag combination under every command (#1674)
- image command is now deprecated in favor of 'images'
- cve command is now deprecated in favor of 'cves'

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-30 20:12:24 +03:00
peusebiu
2bd479edd7
fix(examples): revert examples/config-minimal.json (#1740)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-08-30 13:25:32 +03:00
Ramkumar Chinchani
9bccd784a9
chore: fix dependabot alerts (#1737) 2023-08-30 07:53:03 +03:00
Andrei Aaron
780bbe42d1
feat(ui): update to latest zui version (#1735)
1. Show more detailed signature information in zui (signing tool, trusted, author)
2. Rename dex to oidc - on zui side
3. New screen for zot without images loaded
4. Remove 'Vulnerability' string from the vulnerability chips

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-29 15:52:08 -07:00
LaurentiuNiculae
40b599cca8
refactor(log): replace default logger with config complient log in root.go (#1734)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-29 12:10:30 -07:00
peusebiu
6926bddd3a
feat(apikey): added route to list user api keys (#1708)
adding api key expiration date

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-08-29 09:38:38 -07:00
Andrei Aaron
28858f695f
feat(mgmt): mgmt extention no longer depends on UI being enabled (#1728)
It is now enabled based only on search configuration

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-26 13:32:41 -07:00
Damien Degois
289acfabbd
feat(authn): add generic oidc and allow customizable name (#1691)
Rebased and squashed

Signed-off-by: Damien Degois <damien@degois.info>
2023-08-24 12:33:35 +03:00
Alexei Dodon
247f6dcd3f
feat: propagate detailed error msgs to client (OCI dist-spec format) (#1681)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-23 20:59:52 +03:00
LaurentiuNiculae
94429a82df
fix(parse): lock storage while reading using image store (#1719)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-23 19:29:23 +03:00
Alexei Dodon
ca2904762a
fix(ci/cd): detect uncommited swagger docs (#1724)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-23 19:21:43 +03:00
Ramkumar Chinchani
6d65401499
chore: fix dependabot alerts (#1720)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-22 14:43:34 +03:00
Andreea Lupu
cacf54e8cb
refactor: move /pkg/meta/signatures under /pkg/extensions/imagetrust (#1712)
- the size of the binary-minimal becomes 32MB
- "signatures" package is renamed into "imagetrust" and moved under extensions
- if the binary is not built using "imagetrust" tag then the signatures verification will
not be performed

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-08-19 08:52:03 +03:00
Alexei Dodon
faf702f9c2
feat: automated detection of OS and ARCH if unset (#1711)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-18 14:18:10 -07:00
LaurentiuNiculae
0731fd3828
test(refactor): refactor tests that use zot-test to use smaller images (#1690)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-18 11:46:11 +03:00
Alexei Dodon
e510df7c22
fix: swagger Makefile target broken on darwin (#1701)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-15 13:07:56 -07:00
Ramkumar Chinchani
e129d4003b
chore: fix dependabot alerts (#1702)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-15 10:15:50 +03:00
Damien Degois
58870a2468
docs: fix apikey case (#1693)
Signed-off-by: Damien Degois <damien@degois.info>
2023-08-12 09:53:35 +03:00
Alexei Dodon
59922af528
fix: binary-stacker Makefile target is broken (#1689)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-10 12:39:56 -07:00
Ramkumar Chinchani
04627534a9
chore(go.mod): fix dependabot alerts (#1684)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-10 09:49:55 +03:00
peusebiu
4d125d55ed
fix(authn): handle the case where zot with openid runs behind a proxy (#1675)
added a new config option under 'http' called externalURL which is used
by openid/oauth2 clients to redirect back to zot

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-08-09 09:11:21 -07:00
LaurentiuNiculae
ed90e3bd24
test(annotations): print logs for annotations bats tests (#1680)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-07 13:51:57 -07:00
Andreea Lupu
76277f5ebd
fix: remove inline GC and schedule a background task instead (#1610)
* fix: remove inline GC and set a default value of gc interval

- remove inline GC
- add a default value of GC interval
- run the GC periodically by default with the default value if no interval provided
- generate GC tasks with a random delay(0-30s) between
- add IsReady() method to scheduler.TaskGenerator interface

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

* ci: add test for gc with short interval

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

---------

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-08-07 12:55:19 -07:00
LaurentiuNiculae
fce9a02ed5
fix(convert): now returned annotations for an index will fallback to annotations from a random manifest if the annotations field is not present on the index manifest (#1667)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-07 10:25:05 +03:00
Ramkumar Chinchani
cad564b9ee
ci(conformance): revert to upstream OCI checks (#1678)
Reverts part of de24bd937f

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-04 13:38:28 -07:00
Alexei Dodon
2142055dc6
fix: Build scripts broken on Mac (#1668)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-03 20:53:37 +03:00
Andrei Aaron
77149aa85c
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below
BREAKING CHANGE: The API keys endpoint has been moved -  see details below
BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled
BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey

mgmt and imagetrust extensions:
- separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign
- signature verification logic is in a separate `imagetrust` extension
- better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors)
- add authz on signature uploads (and add a new middleware in common for this purpose)
- remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled

userprefs estension:
- userprefs are enabled if both search and ui extensions are enabled (as opposed to just search)

apikey extension is removed and logic moved into the api folder
- Move apikeys code out of pkg/extensions and into pkg/api
- Remove apikey configuration options from the extensions configuration and move it inside the http auth section
- remove the build label apikeys

other changes:
- move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files.
- add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys
- add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions
- more clear methods for verifying specific extensions are enabled
- fix http methods paired with the UI handlers
- rebuild swagger docs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 21:58:34 +03:00
Ramkumar Chinchani
42f9f78125
ci: add freebsd target for releases (#1660)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-31 13:51:03 -07:00
LaurentiuNiculae
9e38ca51e3
feat(pagination): move pagination and sorting image summary results after conversion (#1637)
fix(config): check for config media type when pushing to repodb

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-31 22:16:09 +03:00
Doug Rabson
20391a21c0
fix: freebsd build support (#1659)
- Avoid hard-coding the path for bash - this typically is installed as
  /usr/local/bin/bash

- Allow for the fact that FreeBSD's rlimit uses signed integers

Almost all of the test suite passes with three test failures that I
haven't tried to debug yet.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-07-29 10:41:25 -07:00
Andrei Aaron
fc47fb91e1
feat(ui): update ui to support cve filtering by platform (#1661)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-29 09:19:01 -07:00
Andrei Aaron
cb1b7ae9b8
fix(auth): fix anonymous auth for ui (#1662)
The ui sends the header X-ZOT-API-CLIENT=zot-ui regardless of session authentication status.
In case of new sessions zot would reject the unauthenticated call on /v2 (which is used to determine
if anonymous access is allowed by the server when the header was set) expecting all users sending
this header to be already authenticated.

Since the ui received 401 from the server, it would not show the option for anonymous login.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-29 09:18:33 -07:00
LaurentiuNiculae
a5c92bcac3
test(refactor): change upload image function signature (#1655)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-28 17:53:46 +03:00
peusebiu
635d71853e
fix(authn): session authn is skipped when anonymous policy is configured (#1647)
closes: #1642

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-27 09:55:25 -07:00
LaurentiuNiculae
abba6aa3cf
feat(test): added image builder for use in tests (#1583)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-26 13:08:04 +03:00
peusebiu
4194489868
feat: signal handling (#1651)
gracefully shutdown app

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-25 10:39:13 -07:00
Ramkumar Chinchani
75b94a3c8b
chore: fix dependabot alerts (#1649) 2023-07-25 08:14:37 +03:00
Ramkumar Chinchani
de24bd937f
fix(conformance): OCI-Filters-Applied should return a literal (#1640)
* fix(conformance): OCI-Filters-Applied should return a literal

https://github.com/opencontainers/distribution-spec/issues/448

Should only indicate what filter-type was applied and not what exact
values it was filtered on.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci(conformance): point to temporary repo

Revert this commit once upstream changes have been merged

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-22 16:25:02 -07:00
Andrei Aaron
46ee330b2a
feat(zui): update to zui supporting social login (#1639)
Also ignore issues related to https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
It is not clear what the zap tool expectations are from the zot server, as these headers are supposed to be set by the zot client.

As a separate not ZUI sets these headers, but for some reason the scan expects them when scanning zot minimal without the UI

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-21 12:50:41 -07:00