* fix(conformance): OCI-Filters-Applied should return a literal
https://github.com/opencontainers/distribution-spec/issues/448
Should only indicate what filter-type was applied and not what exact
values it was filtered on.
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
* ci(conformance): point to temporary repo
Revert this commit once upstream changes have been merged
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
---------
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Also ignore issues related to https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
It is not clear what the zap tool expectations are from the zot server, as these headers are supposed to be set by the zot client.
As a separate not ZUI sets these headers, but for some reason the scan expects them when scanning zot minimal without the UI
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Resolves#1597
Fix missing properties in some calls OS/Arch/IsSigned/LastUpdated.
Since the properties were missing from the graphql requests, zli was showing default values.
Update the tests to generate a tets image with the created date different from
the go detault value for time.Time{}. The tests are now checking a non-default
value in the responses client side, in order to avoid missing issues like this in the future.
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
https://github.com/project-zot/zot/issues/1591
- I will rename "IMAGE NAME" to "REPOSITORY" in order to make the header easier to parse
- The order of the images cannot be predicted if zot is getting them 1 by 1 using the REST API for manifests, so they cannot be sorted when printed. We could wait on all calls to return but that may take minutes, and printing partial results as they become available is better.
- The order of the images can be predicted when relying on the zot specific search API, but that is not available in all zot servers depending on build options. I added sorting ascending by default. We are planning to implement configurable sorting in a separate PR - see the work under https://github.com/project-zot/zot/pull/1577
- With regards to the column widths/alignments that was discussed before, and the issue is we don't know the values beforehand for the REST API based responses. As mentioned above printing partial results as they become available is better.
- The column widths/alignments are partially fixed in this PR for the search API, but we should properly fix this in - see https://github.com/project-zot/zot/pull/851https://github.com/project-zot/zot/issues/1592
- Fix missing space after help message
https://github.com/project-zot/zot/issues/1598
- Fix table headers showing for json/yaml format
- Fix spacing shown with json format, use 1 row per shown entry in order to be compatible with json lines format: https://jsonlines.org/
- Add document header `---` to every image shown in yaml format to separate the entries
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
sync now ignores self referencing urls, this will help
in clustering mode where we can have the same config
for multiple zots
closes#1335
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
dist-spec APIs independently allow deletion of blobs and manifests.
Doing the former when in use by an image manifest or index is simply
error-prone. So disallow it.
Fixes issue #1509
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
We use locks to protect OCI layouts. However, our critical sections have
too long and cover code instead of data.
Fixes issue #1595
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.
eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on
logout:
/auth/logout
redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on
If network policy doesn't allow inbound connections, this callback wont work!
for more info read documentation added in this commit.
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
when pushing manifests, zot will validate blobs (layers + config blob) are
present in repo, currently it opens(in case of filesystem storage) or download(
in case of cloud storage) each blob.
fixed that by adding a new method ImageStore.CheckBlobPresence() on storage
to check blobs presence without checking the cache like ImageStore.CheckBlob() method does.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
* fix: missing Oci-Subject header pushing index with subject
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
* fix(s3): Add a test to cover handling pushing indexes with a subject
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
---------
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
In order to verify signatures, users could upload their certificates and public keys using these routes:
-> for public keys:
/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
-> for certificates:
/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.
Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
- AuthzHandler has now been split in BaseAuthzHandler and DistSpecAuthzHandler
The former populates context with user specific data needed in most handlers, while
the latter executes access logic specific to distribution-spec handlers.
Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Also modify zli to retry in case of such errors,
assuming the trivyDB will eventually be downloaded by the scheduled task.
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
because UI routes will setup a http.FileServer on '/'
any router setup after UI will be ignored at runtime
becuase gorrilla will route it to http.Fileserver instead.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
before syncing an image we first check if it's already present in our storage
to do that we get the manifest from remote and compare it with the local one
but in the case of syncing docker images, because the conversion to OCI format is done while
syncing, we get a docker manifest before conversion, so sync detects that local manifest and
remote one are different, so it starts syncing again.
to overcome this, convert remote docker manifests to OCI manifests and then compare.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
this causes a bug in extensions by not having the identity for the
authenticated user and couldn't apply his permissions, just the default ones.
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>