0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
Commit graph

911 commits

Author SHA1 Message Date
Ramkumar Chinchani
e129d4003b
chore: fix dependabot alerts (#1702)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-15 10:15:50 +03:00
Damien Degois
58870a2468
docs: fix apikey case (#1693)
Signed-off-by: Damien Degois <damien@degois.info>
2023-08-12 09:53:35 +03:00
Alexei Dodon
59922af528
fix: binary-stacker Makefile target is broken (#1689)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-10 12:39:56 -07:00
Ramkumar Chinchani
04627534a9
chore(go.mod): fix dependabot alerts (#1684)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-10 09:49:55 +03:00
peusebiu
4d125d55ed
fix(authn): handle the case where zot with openid runs behind a proxy (#1675)
added a new config option under 'http' called externalURL which is used
by openid/oauth2 clients to redirect back to zot

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-08-09 09:11:21 -07:00
LaurentiuNiculae
ed90e3bd24
test(annotations): print logs for annotations bats tests (#1680)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-07 13:51:57 -07:00
Andreea Lupu
76277f5ebd
fix: remove inline GC and schedule a background task instead (#1610)
* fix: remove inline GC and set a default value of gc interval

- remove inline GC
- add a default value of GC interval
- run the GC periodically by default with the default value if no interval provided
- generate GC tasks with a random delay(0-30s) between
- add IsReady() method to scheduler.TaskGenerator interface

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

* ci: add test for gc with short interval

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>

---------

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-08-07 12:55:19 -07:00
LaurentiuNiculae
fce9a02ed5
fix(convert): now returned annotations for an index will fallback to annotations from a random manifest if the annotations field is not present on the index manifest (#1667)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-08-07 10:25:05 +03:00
Ramkumar Chinchani
cad564b9ee
ci(conformance): revert to upstream OCI checks (#1678)
Reverts part of de24bd937f

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-08-04 13:38:28 -07:00
Alexei Dodon
2142055dc6
fix: Build scripts broken on Mac (#1668)
Signed-off-by: Alexei Dodon <adodon@cisco.com>
2023-08-03 20:53:37 +03:00
Andrei Aaron
77149aa85c
refactor(extensions)!: refactor the extensions URLs and errors (#1636)
BREAKING CHANGE: The functionality provided by the mgmt endpoint has beed redesigned - see details below
BREAKING CHANGE: The API keys endpoint has been moved -  see details below
BREAKING CHANGE: The mgmt extension config has been removed - endpoint is now enabled by having both the search and the ui extensions enabled
BREAKING CHANGE: The API keys configuration has been moved from extensions to http>auth>apikey

mgmt and imagetrust extensions:
- separate the _zot/ext/mgmt into 3 separate endpoints: _zot/ext/auth, _zot/ext/notation, _zot/ext/cosign
- signature verification logic is in a separate `imagetrust` extension
- better hanling or errors in case of signature uploads: logging and error codes (more 400 and less 500 errors)
- add authz on signature uploads (and add a new middleware in common for this purpose)
- remove the mgmt extension configuration - it is now enabled if the UI and the search extensions are enabled

userprefs estension:
- userprefs are enabled if both search and ui extensions are enabled (as opposed to just search)

apikey extension is removed and logic moved into the api folder
- Move apikeys code out of pkg/extensions and into pkg/api
- Remove apikey configuration options from the extensions configuration and move it inside the http auth section
- remove the build label apikeys

other changes:
- move most of the logic adding handlers to the extensions endpoints out of routes.go and into the extensions files.
- add warnings in case the users are still using configurations with the obsolete settings for mgmt and api keys
- add a new function in the extension package which could be a single point of starting backgroud tasks for all extensions
- more clear methods for verifying specific extensions are enabled
- fix http methods paired with the UI handlers
- rebuild swagger docs

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-08-02 21:58:34 +03:00
Ramkumar Chinchani
42f9f78125
ci: add freebsd target for releases (#1660)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-31 13:51:03 -07:00
LaurentiuNiculae
9e38ca51e3
feat(pagination): move pagination and sorting image summary results after conversion (#1637)
fix(config): check for config media type when pushing to repodb

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-31 22:16:09 +03:00
Doug Rabson
20391a21c0
fix: freebsd build support (#1659)
- Avoid hard-coding the path for bash - this typically is installed as
  /usr/local/bin/bash

- Allow for the fact that FreeBSD's rlimit uses signed integers

Almost all of the test suite passes with three test failures that I
haven't tried to debug yet.

Signed-off-by: Doug Rabson <dfr@rabson.org>
2023-07-29 10:41:25 -07:00
Andrei Aaron
fc47fb91e1
feat(ui): update ui to support cve filtering by platform (#1661)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-29 09:19:01 -07:00
Andrei Aaron
cb1b7ae9b8
fix(auth): fix anonymous auth for ui (#1662)
The ui sends the header X-ZOT-API-CLIENT=zot-ui regardless of session authentication status.
In case of new sessions zot would reject the unauthenticated call on /v2 (which is used to determine
if anonymous access is allowed by the server when the header was set) expecting all users sending
this header to be already authenticated.

Since the ui received 401 from the server, it would not show the option for anonymous login.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-29 09:18:33 -07:00
LaurentiuNiculae
a5c92bcac3
test(refactor): change upload image function signature (#1655)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-28 17:53:46 +03:00
peusebiu
635d71853e
fix(authn): session authn is skipped when anonymous policy is configured (#1647)
closes: #1642

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-27 09:55:25 -07:00
LaurentiuNiculae
abba6aa3cf
feat(test): added image builder for use in tests (#1583)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-26 13:08:04 +03:00
peusebiu
4194489868
feat: signal handling (#1651)
gracefully shutdown app

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-25 10:39:13 -07:00
Ramkumar Chinchani
75b94a3c8b
chore: fix dependabot alerts (#1649) 2023-07-25 08:14:37 +03:00
Ramkumar Chinchani
de24bd937f
fix(conformance): OCI-Filters-Applied should return a literal (#1640)
* fix(conformance): OCI-Filters-Applied should return a literal

https://github.com/opencontainers/distribution-spec/issues/448

Should only indicate what filter-type was applied and not what exact
values it was filtered on.

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci(conformance): point to temporary repo

Revert this commit once upstream changes have been merged

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-22 16:25:02 -07:00
Andrei Aaron
46ee330b2a
feat(zui): update to zui supporting social login (#1639)
Also ignore issues related to https://developer.mozilla.org/en-US/docs/Glossary/Fetch_metadata_request_header
It is not clear what the zap tool expectations are from the zot server, as these headers are supposed to be set by the zot client.

As a separate not ZUI sets these headers, but for some reason the scan expects them when scanning zot minimal without the UI

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-21 12:50:41 -07:00
peusebiu
86a83ca6e3
fix(authn): fix several issues with authn, closes #1632 (#1633)
- apply Access-Control-Allow-Credentials only if authn is enabled
- enable Logout route for basic auth
- fixed Logout godoc
- fix Access-Control-Allow-Methods on Logout route
- added allowOrigin option in config example

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-19 09:27:04 -07:00
Andrei Aaron
04fccd11fd
chore(go.mod): upgrade trivy, cosign and remove replace directive (#1635)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-18 14:18:31 -07:00
LaurentiuNiculae
28de980319
feat(refator): refactoring repodb into meta (#1626)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-18 10:27:26 -07:00
Ramkumar Chinchani
fe9c9750b5
chore: fix dependabot alerts (#1631)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-17 23:37:54 +03:00
Andrei Aaron
0a5241b025
fix(ci): trivy test to expect 3 CVEs instead of 2 in the vulnerable test layer (#1623)
Trivy started detecting CVE-2023-2975, so one of the checks expecting only 2 CVEs was failing

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-16 08:27:59 -07:00
Ramkumar Chinchani
6cd4455da1
chore: fix dependabot alerts (#1621)
* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* test: fix the validation for digests

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-15 12:56:09 +03:00
Andrei Aaron
74f769d2c1
fix(cli): make sure all needed ImageSummary properties are requested from the server (#1618)
Resolves #1597

Fix missing properties in some calls OS/Arch/IsSigned/LastUpdated.
Since the properties were missing from the graphql requests, zli was showing default values.

Update the tests to generate a tets image with the created date different from
the go detault value for time.Time{}. The tests are now checking a non-default
value in the responses client side, in order to avoid missing issues like this in the future.

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-14 09:22:14 +03:00
Andrei Aaron
e3ac50b2a2
feat(zli): add new subcommand to remove a zli config (#1619)
https://github.com/project-zot/zot/issues/1594
- use indent '  ' in the config json

https://github.com/project-zot/zot/issues/1593
- add subcommand `zli config remove`

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-13 09:34:01 -07:00
peusebiu
d3f27b4ba6
feat: add additional manifest validations (#1609)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-13 09:31:39 -07:00
Ramkumar Chinchani
730ef4aada
chore: fix dependabot alerts (#1613)
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-13 10:14:03 +03:00
peusebiu
e682457401
fix(test): sync inconsistent test (#1611)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-12 10:21:28 -07:00
Andrei Aaron
faa410a0c3
feat(cli): Fix multiple issues with zli output (#1612)
https://github.com/project-zot/zot/issues/1591
    - I will rename "IMAGE NAME" to "REPOSITORY" in order to make the header easier to parse
    - The order of the images cannot be predicted if zot is getting them 1 by 1 using the REST API for manifests, so they cannot be sorted when printed. We could wait on all calls to return but that may take minutes, and printing partial results as they become available is better.
    - The order of the images can be predicted when relying on the zot specific search API, but that is not available in all zot servers depending on build options. I added sorting ascending by default. We are planning to implement configurable sorting in a separate PR - see the work under https://github.com/project-zot/zot/pull/1577
    - With regards to the column widths/alignments that was discussed before, and the issue is we don't know the values beforehand for the REST API based responses. As mentioned above printing partial results as they become available is better.
    - The column widths/alignments are partially fixed in this PR for the search API, but we should properly fix this in - see https://github.com/project-zot/zot/pull/851

https://github.com/project-zot/zot/issues/1592
    - Fix missing space after help message

https://github.com/project-zot/zot/issues/1598
    - Fix table headers showing for json/yaml format
    - Fix spacing shown with json format, use 1 row per shown entry in order to be compatible with json lines format: https://jsonlines.org/
    - Add document header `---` to every image shown in yaml format to separate the entries

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-12 10:21:12 -07:00
Andrei Aaron
418a1a006c
feat(cve): ability to return CVEs per image os and architecture (#1607)
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-11 09:29:04 -07:00
peusebiu
aaf03c75fc
build: fix mgmt and userprefs when building them separately (#1601)
move queryHasParams in common package
fixes building mgmt and userprefs separately

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 19:40:14 +03:00
peusebiu
94ba538e69
fix(test): consolidate api tests build tags (#1602)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 16:11:23 +03:00
peusebiu
8877083daa
fix: remove config (#1600)
remove a config added by mistake

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 14:03:59 +03:00
peusebiu
1d01b644ea
feat(sync): sync can include self url in registry.URLs (#1562)
sync now ignores self referencing urls, this will help
in clustering mode where we can have the same config
for multiple zots

closes #1335

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-10 12:27:21 +03:00
peusebiu
cda6916b45
fix: don't allow blobs to be deleted if in use (#1559)
dist-spec APIs independently allow deletion of blobs and manifests.
Doing the former when in use by an image manifest or index is simply
error-prone. So disallow it.

Fixes issue #1509

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Co-authored-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-10 12:24:45 +03:00
Ramkumar Chinchani
b22989cfe0
fix: refactor monitoring code outside locks (#1596)
We use locks to protect OCI layouts. However, our critical sections have
too long and cover code instead of data.

Fixes issue #1595

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2023-07-07 13:51:00 -07:00
peusebiu
cd6f679359
fix(ci/cd): stop localstack after ci/cd pipeline (#1590)
this should clean localstack persisted data in tests

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-07 12:40:06 -07:00
peusebiu
17d1338af1
feat: integrate openID auth logic and user profile management (#1381)
This change introduces OpenID authn by using providers such as Github,
Gitlab, Google and Dex.
User sessions are now used for web clients to identify
and persist an authenticated users session, thus not requiring every request to
use credentials.
Another change is apikey feature, users can create/revoke their api keys and use them
to authenticate when using cli clients such as skopeo.

eg:
login:
/auth/login?provider=github
/auth/login?provider=gitlab
and so on

logout:
/auth/logout

redirectURL:
/auth/callback/github
/auth/callback/gitlab
and so on

If network policy doesn't allow inbound connections, this callback wont work!

for more info read documentation added in this commit.

Signed-off-by: Alex Stan <alexandrustan96@yahoo.ro>
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Alex Stan <alexandrustan96@yahoo.ro>
2023-07-07 09:27:10 -07:00
peusebiu
5494a1b8d6
fix(storage): do not open/download blobs when validating manifests (#1566)
when pushing manifests, zot will validate blobs (layers + config blob) are
present in repo, currently it opens(in case of filesystem storage) or download(
in case of cloud storage) each blob.

fixed that by adding a new method ImageStore.CheckBlobPresence() on storage
to check blobs presence without checking the cache like ImageStore.CheckBlob() method does.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 10:33:36 -07:00
Josh Dolitsky
f3aa855405
fix: missing Oci-Subject header pushing index with subject (#1589)
* fix: missing Oci-Subject header pushing index with subject

Signed-off-by: Josh Dolitsky <josh@dolit.ski>

* fix(s3): Add a test to cover handling pushing indexes with a subject

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2023-07-06 10:31:40 -07:00
peusebiu
7d7e4416b5
fix(nightly): fix nightly builds (#1584)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 16:50:12 +03:00
Andreea Lupu
41b05c60dd
feat: upload certificates and public keys for verifying signatures (#1485)
In order to verify signatures, users could upload their certificates and public keys using these routes:
	-> for public keys:
		/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
	-> for certificates:
		/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-07-06 14:57:59 +03:00
peusebiu
49e4d93f42
fix(test): TestConfigReloader, wait for trivy db download (#1543)
Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
2023-07-06 14:17:49 +03:00
LaurentiuNiculae
0a04b2a4ed
feat(cve): implemented trivy image scan for multiarch images (#1510)
Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2023-07-06 11:36:26 +03:00