0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot/pkg/extensions
Andreea Lupu 41b05c60dd
feat: upload certificates and public keys for verifying signatures (#1485)
In order to verify signatures, users could upload their certificates and public keys using these routes:
	-> for public keys:
		/v2/_zot/ext/mgmt?resource=signatures&tool=cosign
	-> for certificates:
		/v2/_zot/ext/mgmt?resource=signatures&tool=notation&truststoreType=ca&truststoreName=name
Then the public keys will be stored under $rootdir/_cosign and the certificates will be stored under
$rootdir/_notation/truststore/x509/$truststoreType/$truststoreName.
Also, for notation case, the "truststores" field of $rootir/_notation/trustpolicy.json file will be
updated with a new entry "$truststoreType:$truststoreName".
Also based on the uploaded files, the information about the signatures validity will be updated
periodically.

Signed-off-by: Andreea-Lupu <andreealupu1470@yahoo.com>
2023-07-06 14:57:59 +03:00
..
config fix(cve): Fix CVE scanning in images containing Jar files (#1475) 2023-06-01 00:37:46 +03:00
lint refactor: filenames should use _ not - (#1547) 2023-06-22 11:54:41 -07:00
monitoring feat: remove usage of zerolog.Logger.Msgf() from zot code (#1382) 2023-04-27 19:44:22 -07:00
scrub refactor(storage): refactoring storage (#1459) 2023-05-26 11:08:19 -07:00
search fix(test): TestConfigReloader, wait for trivy db download (#1543) 2023-07-06 14:17:49 +03:00
sync fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) 2023-07-04 11:03:29 +03:00
_zot.md feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00
extension_metrics.go feat(ui): package zui within zot binary (#1161) 2023-02-10 14:52:54 -08:00
extension_metrics_disabled.go feat(ui): package zui within zot binary (#1161) 2023-02-10 14:52:54 -08:00
extension_mgmt.go feat: upload certificates and public keys for verifying signatures (#1485) 2023-07-06 14:57:59 +03:00
extension_mgmt_disabled.go feat: upload certificates and public keys for verifying signatures (#1485) 2023-07-06 14:57:59 +03:00
extension_mgmt_disabled_test.go feat: upload certificates and public keys for verifying signatures (#1485) 2023-07-06 14:57:59 +03:00
extension_scrub.go fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) 2023-07-04 11:03:29 +03:00
extension_scrub_disabled.go initial design for task scheduler (#700) 2022-09-22 22:27:56 -07:00
extension_search.go fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) 2023-07-04 11:03:29 +03:00
extension_search_disabled.go feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00
extension_search_test.go fix: changing default numWorkers, making it customizable and refactoring scheduler (#1563) 2023-07-04 11:03:29 +03:00
extension_sync.go refactor(sync): use task scheduler (#1301) 2023-05-31 10:26:23 -07:00
extension_sync_disabled.go refactor(sync): use task scheduler (#1301) 2023-05-31 10:26:23 -07:00
extension_ui.go fix(csp): upgrade UI and fix zap failure (#1372) 2023-04-13 13:48:09 -07:00
extension_ui_disabled.go build(ui): the ui is now included in the zot binary by default (#1202) 2023-02-23 22:28:08 +02:00
extension_ui_test.go feat(repodb): Multiarch Image support (#1147) 2023-02-27 11:23:18 -08:00
extension_userprefs.go fix: removed quotation marks from enum in swagger docs (#1539) 2023-06-20 15:32:19 +03:00
extension_userprefs_disable.go feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00
extension_userprefs_test.go fix(extensions): consolidate extensions headers returned to UI by extensions (#1473) 2023-05-25 11:44:54 -07:00
extensions_lint.go image level lint: enforce manifest mandatory annotations 2022-07-27 11:48:04 +03:00
extensions_lint_disabled.go image level lint: enforce manifest mandatory annotations 2022-07-27 11:48:04 +03:00
extensions_test.go feat: upload certificates and public keys for verifying signatures (#1485) 2023-07-06 14:57:59 +03:00
get_extensions.go feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00
get_extensions_disabled_test.go feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00
mgmt.md feat: upload certificates and public keys for verifying signatures (#1485) 2023-07-06 14:57:59 +03:00
README.md refactor: split AuthZ mdw in 2 different parts, each for a specific purpose (#1542) 2023-07-05 09:37:52 -07:00
userprefs.md feat(userprefs): update documentation and list extensions endpoint (#1456) 2023-05-25 14:46:52 +03:00

Adding new extensions

As new requirements come and build time extensions need to be added, there are a few things that you have to make sure are present before commiting :

  • files that should be included in the binary only with a specific extension must contain the following syntax at the beginning of the file :

//go:build sync will be added automatically by the linter, so only the second line is mandatory .

NOTE: the third line in the example should be blank, otherwise the build tag would be just another comment.

//go:build sync
// +build sync

package extensions
...................
  • when adding a new tag, specify the new order in which multiple tags should be used (bottom of this page)

  • for each and every new file that contains functions (functionalities) specific to an extension, one should create a corresponding file that must contain the exact same functions, but no functionalities included. This file must begin with an "anti-tag" (e.g. // +build !sync) which will include this file in binaries that don't include this extension ( in this example, the file won't be used in binaries that include sync extension ). See extension-sync-disabled.go for an example.

  • each extension is responsible with implementing authorization for newly added HTTP endpoints. zot will provide the necessary data, including user permissions, to the extension, but actual enforcement of these permissions is the responsibility of each extension. Each extension http.Handler has access to a context previously populated by BaseAuthzHandler with relevant user info. That info has the following structure:

    type AccessControlContext struct {
      // read method action
      ReadGlobPatterns map[string]bool
      // detectManifestCollision behaviour action
      DmcGlobPatterns map[string]bool
      IsAdmin         bool
      Username        string
      Groups          []string
      } 
    

    This data can then be accessed from the request context so that every extension can apply its own authorization logic, if needed .

  • when a new extension comes out, the developer should also write some blackbox tests, where a binary that contains the new extension should be tested in a real usage scenario. See test/blackbox folder for multiple extensions examples.

  • newly added blackbox tests should have targets in Makefile. You should also add them as Github Workflows, in .github/workflows/ecosystem-tools.yaml

  • with every new extension, you should modify the EXTENSIONS variable in Makefile by adding the new extension. The EXTENSIONS variable represents all extensions and is used in Make targets that require them all (e.g make test).

  • the available extensions that can be used at the moment are: sync, scrub, metrics, search . NOTE: When multiple extensions are used, they should be listed in the above presented order.