0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

151 commits

Author SHA1 Message Date
Ramkumar Chinchani
8c559441e6
test(cosign): add a oci dist-spec 1.1.0 conformant test case (#1835)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-09-20 12:01:36 -07:00
Andrei Aaron
a11fe2d195
feat(pprof): add profiling route handler to debug runtime (#1818)
(cherry picked from commit 56ddb70f624e7070ad0d3531d498675f9f82c664)

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-09-18 14:05:41 -07:00
Alexei Dodon
f58597ade9
refactor: Reduce zli binary size (#1805)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-09-15 15:17:01 -07:00
Alexei Dodon
98ab43f6ef
fix: can't build zot with empty EXTENSIONS (#1803)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-09-12 11:31:10 -07:00
Andrei Aaron
6115eed4ec
refactor(makefile): consolidate the make targets used for bats tests (#1746)
New examples of running tests:

1. To run a specific bats file (with and without verbose output):
make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats
make run-blackbox-tests BATS_TEST_FILE_PATH=test/blackbox/delete_images.bats BATS_VERBOSITY=2

2. To run the CI tests (with and without verbose output)
make run-blackbox-ci
make run-blackbox-ci BATS_VERBOSITY=2

BATS_TEST_FILE_PATH is used to pass on the test file to run using `run-blackbox-tests`
BATS_VERBOSITY controls the verbosity of the bats framework output, if unspecified the output only
contains test results and failure message in case of failures.
If BATS_VERBOSITY is 1, then also show commands as they are executed.
If BATS_VERBOSITY is 2, on top of the above it also shows output of passed tests.

Other changes in this PR:
- Update some of the tests to show logs after the run ends.
- Run the linters before the tests, as it saves time on failures when running in GH

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-09-07 21:06:21 +03:00
peusebiu
c6b822f3dd
refactor(authz): use a struct for user access control info operations (#1682)
fix(authz): fix isAdmin not using groups to determine if a user is admin.
fix(authz): return 401 instead of 403

403 is correct as per HTTP spec
However authz is not part of dist-spec and clients know only about 401
So this is a compromise.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 11:13:53 -07:00
peusebiu
b80deb9927
refactor(storage): refactor storage into a single ImageStore (#1656)
unified both local and s3 ImageStore logic into a single ImageStore
added a new driver interface for common file/dirs manipulations
to be implemented by different storage types

refactor(gc): drop umoci dependency, implemented internal gc

added retentionDelay config option that specifies
the garbage collect delay for images without tags

this will also clean manifests which are part of an index image
(multiarch) that no longer exist.

fix(dedupe): skip blobs under .sync/ directory

if startup dedupe is running while also syncing is running
ignore blobs under sync's temporary storage

fix(storage): do not allow image indexes modifications

when deleting a manifest verify that it is not part of a multiarch image
and throw a MethodNotAllowed error to the client if it is.
we don't want to modify multiarch images

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-09-01 10:54:39 -07:00
LaurentiuNiculae
72a5968437
test(bats): added bats example for deleting an image (#1718)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-09-01 17:23:34 +03:00
Alexei Dodon
41bbb23e30
fix: bats test refactoring (#1731)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-30 12:24:28 -07:00
Andrei Aaron
780bbe42d1
feat(ui): update to latest zui version (#1735)
1. Show more detailed signature information in zui (signing tool, trusted, author)
2. Rename dex to oidc - on zui side
3. New screen for zot without images loaded
4. Remove 'Vulnerability' string from the vulnerability chips

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-29 15:52:08 -07:00
Alexei Dodon
ca2904762a
fix(ci/cd): detect uncommited swagger docs (#1724)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-23 19:21:43 +03:00
Alexei Dodon
faf702f9c2
feat: automated detection of OS and ARCH if unset (#1711)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-18 14:18:10 -07:00
LaurentiuNiculae
0731fd3828
test(refactor): refactor tests that use zot-test to use smaller images (#1690)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-18 11:46:11 +03:00
Alexei Dodon
e510df7c22
fix: swagger Makefile target broken on darwin (#1701)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-15 13:07:56 -07:00
Alexei Dodon
59922af528
fix: binary-stacker Makefile target is broken (#1689)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-10 12:39:56 -07:00
Alexei Dodon
2142055dc6
fix: Build scripts broken on Mac (#1668)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-03 20:53:37 +03:00
Andrei Aaron
77149aa85c
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below
BREAKING CHANGE: The API keys endpoint has been moved -  see details below
BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled
BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey

mgmt and imagetrust extensions:
- separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign
- signature verification logic is in a separate `imagetrust` extension
- better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors)
- add authz on signature uploads (and add a new middleware in common for this purpose)
- remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled

userprefs estension:
- userprefs are enabled if both search and ui extensions are enabled (as opposed to just search)

apikey extension is removed and logic moved into the api folder
- Move apikeys code out of pkg/extensions and into pkg/api
- Remove apikey configuration options from the extensions configuration and move it inside the http auth section
- remove the build label apikeys

other changes:
- move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files.
- add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys
- add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions
- more clear methods for verifying specific extensions are enabled
- fix http methods paired with the UI handlers
- rebuild swagger docs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 21:58:34 +03:00
Ramkumar Chinchani
42f9f78125
ci: add freebsd target for releases (#1660)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-31 13:51:03 -07:00
Andrei Aaron
fc47fb91e1
feat(ui): update ui to support cve filtering by platform (#1661)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-29 09:19:01 -07:00
Andrei Aaron
46ee330b2a
feat(zui): update to zui supporting social login (#1639)
Also ignore issues related to https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
It is not clear what the zap tool expectations are from the zot server, as these headers are supposed to be set by the zot client.

As a separate not ZUI sets these headers, but for some reason the scan expects them when scanning zot minimal without the UI

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-21 12:50:41 -07:00
peusebiu
1d01b644ea
feat(sync): sync can include self url in registry.URLs (#1562)
sync now ignores self referencing urls, this will help
in clustering mode where we can have the same config
for multiple zots

closes #1335

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 12:27:21 +03:00
peusebiu
17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback wont work!

for more info read documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00
LaurentiuNiculae
0a04b2a4ed
feat(cve): implemented trivy image scan for multiarch images (#1510)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-06 11:36:26 +03:00
Andrei Aaron
c41bf02240
fix(ui): fix login screen when anonymous and auth are both enabled (#1528)
Update to the latest zui version

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-06-16 10:26:03 -07:00
Andrei Aaron
f9f9422d13
ci(disk usage): disk related fixes and improvements (#1524)
ci(workflow): show disk usage and free up disk space used by unneeded tooling
ci(tests): routes tests: do not copy large images if they are not used later
ci(trivy): update a test: download trivy.db to a temporary folder

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-06-15 15:07:28 -07:00
Lisca Ana-Roberta
622dde9193
fix: referrers now appears in swagger generated docs (#1488)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-06-12 10:32:11 -07:00
Ramkumar Chinchani
d9e5f33e7e
chore: fix security alerts (#1493)
https://github.com/project-zot/zot/security/code-scanning/4293

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-06-01 16:53:50 -07:00
Andrei Aaron
96d00cd0ef
fix(cve): Fix CVE scanning in images containing Jar files (#1475) 2023-06-01 00:37:46 +03:00
peusebiu
612a12e5a8
refactor(sync): use task scheduler (#1301)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-05-31 10:26:23 -07:00
Andrei Aaron
9ca85e0937
feat(UI): upgrade to a UI which supports user preferences (#1460)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-05-18 09:44:28 -07:00
Andrei Aaron
bf4b2b9b45
fix(makefile): the EXTENSIONS variable was not replaces by BUILD_LABELS in 2 places (#1444)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-05-12 20:59:08 +03:00
Lisca Ana-Roberta
e262fbea64
feat: verifying and enabling necessary extensions for ui (#1369)
Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-05-12 09:43:14 -07:00
Ramkumar Chinchani
9534e0b88b
chore: fix dependabot alerts (#1409)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-05-11 16:39:21 -07:00
Andrei Aaron
0f8fb2b5af
fix(ui): update to latest available zui (#1433)
Includes:
- fix: change login page logic
- fix: fixed layer history not updating for multiarch images

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-05-09 08:30:55 -07:00
Andreea Lupu
40bf76add5
chore(go.mod): upgrade trivy and cosign (#1387)
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-04-27 09:35:10 -07:00
Andrei Aaron
1a092bd019
feat(ui): UX update for UI (#1391)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-04-27 08:12:15 -07:00
Ramkumar Chinchani
635d07ae04
chore: update golang (to 1.20.x) and golangci-linter (#1388)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-04-27 00:09:46 -07:00
LaurentiuNiculae
9cc990d7ca
feat(repodb): add user related information to repodb (#1317)
Initial code was contributed by Bogdan BIVOLARU <104334+bogdanbiv@users.noreply.github.com>
Moved implementation from a separate db to repodb by Andrei Aaron <aaaron@luxoft.com>

Not done yet:
- run/test dynamodb implementation, only boltdb was tested
- add additional coverage for existing functionality
- add web-based APIs to toggle the stars/bookmarks on/off

Initially graphql mutation was discussed for the missing API but
we decided REST endpoints would be better suited for configuration



feat(userdb): complete functionality for userdb integration

- dynamodb rollback changes to user starred repos in case increasing the total star count fails
- dynamodb increment/decrement repostars in repometa when user stars/unstars a repo
- dynamodb check anonymous user permissions are working as intendend
- common test handle anonymous users
- RepoMeta2RepoSummary set IsStarred and IsBookmarked



feat(userdb): rest api calls for toggling stars/bookmarks on/off



test(userdb): blackbox tests



test(userdb): move preferences tests in a different file with specific build tags



feat(repodb): add is-starred and is-bookmarked fields to repo-meta

- removed duplicated logic for determining if a repo is starred/bookmarked

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2023-04-24 11:13:15 -07:00
Andrei Aaron
e63faa8898
fix(csp): upgrade UI and fix zap failure (#1372)
The zap scanner started to check the csp header, which is causing a warning.

We also need to ignore the rule, as both settings are read by the scanner.

Per https://w3c.github.io/webappsec-csp/#example-7bb4ce67 we can have multiple
Content-Security-Policy headers, and the most restrictive policies apply.
This rule doesn't seem to be applied by zap.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-04-13 13:48:09 -07:00
Ramkumar Chinchani
9638899e6e
test: additional blackbox tests for client push/pull (#1371)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-04-13 13:47:38 -07:00
peusebiu
f35ff53146
feat(storage): rebuild storage(s3/local) dedupe index when switching dedupe status (#1062)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-04-07 09:49:24 -07:00
Lisca Ana-Roberta
b679cd2e98
feat(ui): if zui tag is not found for download, it now builds locally from the commit (#1318)
Signed-off-by: Ana-Roberta Lisca <ana.kagome@yahoo.com>
2023-03-30 13:15:48 +03:00
Andrei Aaron
fb85c8678c
feat(ui): update zui to a version which leverages the referrers on ImageSummary (#1293)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-03-22 10:16:35 -07:00
Andrei Aaron
c91d4a0308
feat(ui): upgrade to zui supporting cve search for a specific image (#1290)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-03-21 10:25:59 -07:00
Andrei Aaron
4939ca3300
ci(go.mod): verify go.mod and go.sum don't have uncommitted changes after go mod tidy (#1287)
This is to avoid situations such as https://github.com/project-zot/zot/pull/1150
where an indirect dependency became direct without a corresponding go.mod change

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-03-21 10:25:13 -07:00
LaurentiuNiculae
5d1f91a79f
feat(repodb): update referrers api to use repodb (#1230)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-03-10 10:37:29 -08:00
peusebiu
f04e66a5e2
feat(mgmt): added mgmt extension which returns current zot configuration (#1198)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-03-09 10:43:26 -08:00
Andrei Aaron
fd5a2af10b
feat(ui): zui can now show multiple manifests per image (#1254)
Update to a zui version with multiarch image support
Also fix some issues with the filtering on the global search page

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-03-09 09:00:01 -08:00
Andrei Aaron
c9b594d03d
feat(ui): update to the latest zui version which supports new multiarch image APIs (#1246)
Note patch does not mean full support for showing multiarch images in ZUI,
a single architecture is shown, but it fixes the ZUI views which were broken
since #1147

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-03-06 09:42:05 -08:00
Ramkumar Chinchani
5a2fb4108d
chore(go.mod): fix dependabot alerts (#1228)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-02-28 17:38:49 +02:00