0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

1191 commits

Author SHA1 Message Date
Ramkumar Chinchani
75b94a3c8b
chore: fix dependabot alerts (#1649) 2023-07-25 08:14:37 +03:00
Ramkumar Chinchani
de24bd937f
fix(conformance): OCI-Filters-Applied should return a literal (#1640)
* fix(conformance): OCI-Filters-Applied should return a literal

https://github.com/opencontainers/distribution-spec/issues/448

Should only indicate what filter-type was applied and not what exact
values it was filtered on.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci(conformance): point to temporary repo

Revert this commit once upstream changes have been merged

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-22 16:25:02 -07:00
Andrei Aaron
46ee330b2a
feat(zui): update to zui supporting social login (#1639)
Also ignore issues related to https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
It is not clear what the zap tool expectations are from the zot server, as these headers are supposed to be set by the zot client.

As a separate not ZUI sets these headers, but for some reason the scan expects them when scanning zot minimal without the UI

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-21 12:50:41 -07:00
peusebiu
86a83ca6e3
fix(authn): fix several issues with authn, closes #1632 (#1633)
- apply Access-Control-Allow-Credentials only if authn is enabled
- enable Logout route for basic auth
- fixed Logout godoc
- fix Access-Control-Allow-Methods on Logout route
- added allowOrigin option in config example

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 09:27:04 -07:00
Andrei Aaron
04fccd11fd
chore(go.mod): upgrade trivy, cosign and remove replace directive (#1635)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-18 14:18:31 -07:00
LaurentiuNiculae
28de980319
feat(refator): refactoring repodb into meta (#1626)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-18 10:27:26 -07:00
Ramkumar Chinchani
fe9c9750b5
chore: fix dependabot alerts (#1631)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-17 23:37:54 +03:00
Andrei Aaron
0a5241b025
fix(ci): trivy test to expect 3 CVEs instead of 2 in the vulnerable test layer (#1623)
Trivy started detecting CVE-2023-2975, so one of the checks expecting only 2 CVEs was failing

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-16 08:27:59 -07:00
Ramkumar Chinchani
6cd4455da1
chore: fix dependabot alerts (#1621)
* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: fix the validation for digests

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-15 12:56:09 +03:00
Andrei Aaron
74f769d2c1
fix(cli): make sure all needed ImageSummary properties are requested from the server (#1618)
Resolves #1597

Fix missing properties in some calls OS/Arch/IsSigned/LastUpdated.
Since the properties were missing from the graphql requests, zli was showing default values.

Update the tests to generate a tets image with the created date different from
the go detault value for time.Time{}. The tests are now checking a non-default
value in the responses client side, in order to avoid missing issues like this in the future.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-14 09:22:14 +03:00
Andrei Aaron
e3ac50b2a2
feat(zli): add new subcommand to remove a zli config (#1619)
https://github.com/project-zot/zot/issues/1594
- use indent '  ' in the config json

https://github.com/project-zot/zot/issues/1593
- add subcommand `zli config remove`

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-13 09:34:01 -07:00
peusebiu
d3f27b4ba6
feat: add additional manifest validations (#1609)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-13 09:31:39 -07:00
Ramkumar Chinchani
730ef4aada
chore: fix dependabot alerts (#1613)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-13 10:14:03 +03:00
peusebiu
e682457401
fix(test): sync inconsistent test (#1611)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-12 10:21:28 -07:00
Andrei Aaron
faa410a0c3
feat(cli): Fix multiple issues with zli output (#1612)
https://github.com/project-zot/zot/issues/1591
    - I will rename "IMAGE NAME" to "REPOSITORY" in order to make the header easier to parse
    - The order of the images cannot be predicted if zot is getting them 1 by 1 using the REST API for manifests, so they cannot be sorted when printed. We could wait on all calls to return but that may take minutes, and printing partial results as they become available is better.
    - The order of the images can be predicted when relying on the zot specific search API, but that is not available in all zot servers depending on build options. I added sorting ascending by default. We are planning to implement configurable sorting in a separate PR - see the work under https://github.com/project-zot/zot/pull/1577
    - With regards to the column widths/alignments that was discussed before, and the issue is we don't know the values beforehand for the REST API based responses. As mentioned above printing partial results as they become available is better.
    - The column widths/alignments are partially fixed in this PR for the search API, but we should properly fix this in - see https://github.com/project-zot/zot/pull/851

https://github.com/project-zot/zot/issues/1592
    - Fix missing space after help message

https://github.com/project-zot/zot/issues/1598
    - Fix table headers showing for json/yaml format
    - Fix spacing shown with json format, use 1 row per shown entry in order to be compatible with json lines format: https://jsonlines.org/
    - Add document header `---` to every image shown in yaml format to separate the entries

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-12 10:21:12 -07:00
Andrei Aaron
418a1a006c
feat(cve): ability to return CVEs per image os and architecture (#1607)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-11 09:29:04 -07:00
peusebiu
aaf03c75fc
build: fix mgmt and userprefs when building them separately (#1601)
move queryHasParams in common package
fixes building mgmt and userprefs separately

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 19:40:14 +03:00
peusebiu
94ba538e69
fix(test): consolidate api tests build tags (#1602)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 16:11:23 +03:00
peusebiu
8877083daa
fix: remove config (#1600)
remove a config added by mistake

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 14:03:59 +03:00
peusebiu
1d01b644ea
feat(sync): sync can include self url in registry.URLs (#1562)
sync now ignores self referencing urls, this will help
in clustering mode where we can have the same config
for multiple zots

closes #1335

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 12:27:21 +03:00
peusebiu
cda6916b45
fix: don't allow blobs to be deleted if in use (#1559)
dist-spec APIs independently allow deletion of blobs and manifests.
Doing the former when in use by an image manifest or index is simply
error-prone. So disallow it.

Fixes issue #1509

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-10 12:24:45 +03:00
Ramkumar Chinchani
b22989cfe0
fix: refactor monitoring code outside locks (#1596)
We use locks to protect OCI layouts. However, our critical sections have
too long and cover code instead of data.

Fixes issue #1595

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-07 13:51:00 -07:00
peusebiu
cd6f679359
fix(ci/cd): stop localstack after ci/cd pipeline (#1590)
this should clean localstack persisted data in tests

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-07 12:40:06 -07:00
peusebiu
17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback wont work!

for more info read documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00
peusebiu
5494a1b8d6
fix(storage): do not open/download blobs when validating manifests (#1566)
when pushing manifests, zot will validate blobs (layers + config blob) are
present in repo, currently it opens(in case of filesystem storage) or download(
in case of cloud storage) each blob.

fixed that by adding a new method ImageStore.CheckBlobPresence() on storage
to check blobs presence without checking the cache like ImageStore.CheckBlob() method does.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 10:33:36 -07:00
Josh Dolitsky
f3aa855405
fix: missing Oci-Subject header pushing index with subject (#1589)
* fix: missing Oci-Subject header pushing index with subject

Signed-off-by: Josh Dolitsky <josh@dolit.ski>

* fix(s3): Add a test to cover handling pushing indexes with a subject

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-06 10:31:40 -07:00
peusebiu
7d7e4416b5
fix(nightly): fix nightly builds (#1584)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 16:50:12 +03:00
Andreea Lupu
41b05c60dd
feat: upload certificates and public keys for verifying signatures (#1485)
In order to verify signatures, users could upload their certificates and public keys using these routes:
	-> for public keys:
		/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
	-> for certificates:
		/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-07-06 14:57:59 +03:00
peusebiu
49e4d93f42
fix(test): TestConfigReloader, wait for trivy db download (#1543)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 14:17:49 +03:00
LaurentiuNiculae
0a04b2a4ed
feat(cve): implemented trivy image scan for multiarch images (#1510)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-06 11:36:26 +03:00
LaurentiuNiculae
96d9d318df
feat(referrers): added index support for referrers queries (#1560)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-05 09:42:16 -07:00
alexstan12
62889c3cb1
refactor: split AuthZ mdw in 2 different parts, each for a specific purpose (#1542)
- AuthzHandler has now been split in BaseAuthzHandler and DistSpecAuthzHandler
The former populates context with user specific data needed in most handlers, while
the latter executes access logic specific to distribution-spec handlers.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-05 09:37:52 -07:00
Andrei Aaron
7fee57e7cc
fix(CVE): attempt to scan now returns early with an error if trivyDB metadata json is missing (#1548)
Also modify zli to retry in case of such errors,
assuming the trivyDB will eventually be downloaded by the scheduled task.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-05 09:08:16 -07:00
Ramkumar Chinchani
137e5bd793
chore: fix dependabot alerts (#1581)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-05 11:42:24 +03:00
Ramkumar Chinchani
aad6db279b
chore: fix dependabot alerts (#1576)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-04 09:19:26 -07:00
Lisca Ana-Roberta
d4f200c2e1
fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563)
Signed-off-by: Lisca Ana-Roberta <ana.kagome@yahoo.com>
2023-07-04 11:03:29 +03:00
peusebiu
7881ce32b2
fix(extensions): setup UI extension as last one (#1572)
because UI routes will setup a http.FileServer on '/'
any router setup after UI will be ignored at runtime
becuase gorrilla will route it to http.Fileserver instead.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-03 17:13:15 +03:00
Poulpatine
bd7b21f3dc
docs: Add example for various popular public registries (#1550)
Signed-off-by: Poulpatine <poulpatine@gmail.com>
2023-06-30 21:53:10 +03:00
peusebiu
6932e3ffca
test: add more registries in sync blackbox tests (#1568)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-30 21:07:04 +03:00
Andreea Lupu
7ec748f58a
fix: change commit message for pushing changes to project-zot/helm-charts (#1564)
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-06-28 20:42:31 +03:00
Ramkumar Chinchani
d78ef0b1bd
ci: update oci dist-spec conformance test (#1552)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-06-24 18:51:47 -07:00
LaurentiuNiculae
809529be18
fix(cli): add help message for searching referrers under search command (#1551)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-06-23 17:44:30 +03:00
Ramkumar Chinchani
8cc5137b2d
build: ui extension needs mgmt (#1549) 2023-06-23 08:38:50 +03:00
Ramkumar Chinchani
1300fdfa88
refactor: filenames should use _ not - (#1547)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-06-22 11:54:41 -07:00
peusebiu
d881f4e916
fix(sync): flaky test on fetching tags (#1546)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-22 10:43:47 -07:00
LaurentiuNiculae
620287c7a4
feat(cli): add referrers and search commands to cli (#1497)
* feat(cli): add referrers command to cli

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(cli): add global search command

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

* feat(cli): fix comments

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>

---------

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-06-22 10:43:01 -07:00
alexstan12
ea7dbf9e5c
refactor: move helper functions under common, in usage specific named files (#1540)
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-06-22 14:29:45 +03:00
peusebiu
377aff1853
fix(sync): fixed skipping docker images when they already synced (#1521)
before syncing an image we first check if it's already present in our storage
to do that we get the manifest from remote and compare it with the local one
but in the case of syncing docker images, because the conversion to OCI format is done while
syncing, we get a docker manifest before conversion, so sync detects that local manifest and
remote one are different, so it starts syncing again.

to overcome this, convert remote docker manifests to OCI manifests and then compare.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 11:05:52 -07:00
peusebiu
ea84752214
fix(test): fix flaky test (#1544)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 19:53:14 +03:00
peusebiu
d5487d53e3
fix(authz): assign identity to authz context in tls mutual authentication (#1541)
this causes a bug in extensions by not having the identity for the
authenticated user and couldn't apply his permissions, just the default ones.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-06-21 16:06:53 +03:00