From 48cf33a8c1a7377a4cdee5dce1be627cd2fc2edd Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 4 Sep 2015 16:48:32 -0400
Subject: [PATCH 01/34] Add missing superuser aggregate logs endpoint

Reference: https://d33v4339jhl8k0.cloudfront.net/inline/18403/7664a00bc6391e80409134f7d579928954749304/d47d28ea4e2d66cd110c53622ee2b5ced21e7724/Screen-Shot-2015-09-04-at-11-04-41.png
---
 endpoints/api/superuser.py | 30 +++++++++++++++++++++++++-----
 test/test_api_security.py  | 21 ++++++++++++++++++++-
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/endpoints/api/superuser.py b/endpoints/api/superuser.py
index e2bbee4c5..8d66a2fce 100644
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@@ -13,7 +13,7 @@ from app import app, avatar, superusers, authentication
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request,
                            internal_only, require_scope, show_if, parse_args,
                            query_param, abort, require_fresh_login, path_param, verify_not_prod)
-from endpoints.api.logs import get_logs
+from endpoints.api.logs import get_logs, get_aggregate_logs
 from data import model
 from auth.permissions import SuperUserPermission
 from auth import scopes
@@ -83,6 +83,26 @@ class SuperUserSystemLogServices(ApiResource):
     abort(403)
 
 
+@resource('/v1/superuser/aggregatelogs')
+@internal_only
+class SuperUserAggregateLogs(ApiResource):
+  """ Resource for fetching aggregated logs for the current user. """
+  @require_fresh_login
+  @verify_not_prod
+  @nickname('listAllAggregateLogs')
+  @parse_args
+  @query_param('starttime', 'Earliest time from which to get logs. (%m/%d/%Y %Z)', type=str)
+  @query_param('endtime', 'Latest time to which to get logs. (%m/%d/%Y %Z)', type=str)
+  def get(self, args):
+    """ Returns the aggregated logs for the current system. """
+    if SuperUserPermission().can():
+      start_time = args['starttime']
+      end_time = args['endtime']
+
+      return get_aggregate_logs(start_time, end_time)
+
+    abort(403)
+
 
 @resource('/v1/superuser/logs')
 @internal_only
@@ -93,9 +113,9 @@ class SuperUserLogs(ApiResource):
   @verify_not_prod
   @nickname('listAllLogs')
   @parse_args
-  @query_param('starttime', 'Earliest time from which to get logs. (%m/%d/%Y %Z)', type=str)
-  @query_param('endtime', 'Latest time to which to get logs. (%m/%d/%Y %Z)', type=str)
-  @query_param('performer', 'Username for which to filter logs.', type=str)
+  @query_param('starttime', 'Earliest time from which to get logs (%m/%d/%Y %Z)', type=str)
+  @query_param('endtime', 'Latest time to which to get logs (%m/%d/%Y %Z)', type=str)
+  @query_param('page', 'The page number for the logs', type=int, default=1)
   @require_scope(scopes.SUPERUSER)
   def get(self, args):
     """ List the usage logs for the current system. """
@@ -103,7 +123,7 @@ class SuperUserLogs(ApiResource):
       start_time = args['starttime']
       end_time = args['endtime']
 
-      return get_logs(start_time, end_time)
+      return get_logs(start_time, end_time, page=args['page'])
 
     abort(403)
 
diff --git a/test/test_api_security.py b/test/test_api_security.py
index 8b2acdf6f..3b0f3cad1 100644
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@@ -47,7 +47,8 @@ from endpoints.api.permission import (RepositoryUserPermission, RepositoryTeamPe
                                       RepositoryUserTransitivePermission)
 from endpoints.api.superuser import (SuperUserLogs, SuperUserList, SuperUserManagement,
                                      SuperUserSendRecoveryEmail, ChangeLog,
-                                     SuperUserOrganizationManagement, SuperUserOrganizationList)
+                                     SuperUserOrganizationManagement, SuperUserOrganizationList,
+                                     SuperUserAggregateLogs)
 
 
 try:
@@ -3928,6 +3929,24 @@ class TestUserAuthorization(ApiTestCase):
     self._run_test('DELETE', 404, 'devtable', None)
 
 
+class TestSuperAggregateUserLogs(ApiTestCase):
+  def setUp(self):
+    ApiTestCase.setUp(self)
+    self._set_url(SuperUserAggregateLogs)
+
+  def test_get_anonymous(self):
+    self._run_test('GET', 401, None, None)
+
+  def test_get_freshuser(self):
+    self._run_test('GET', 403, 'freshuser', None)
+
+  def test_get_reader(self):
+    self._run_test('GET', 403, 'reader', None)
+
+  def test_get_devtable(self):
+    self._run_test('GET', 200, 'devtable', None)
+
+
 class TestSuperUserLogs(ApiTestCase):
   def setUp(self):
     ApiTestCase.setUp(self)

From c0286d1ac3ba8320b26f2a0fef6945f2f3f9d512 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 4 Sep 2015 16:14:46 -0400
Subject: [PATCH 02/34] Add support for Dex to Quay

Fixes #306

- Adds support for Dex as an OAuth external login provider
- Adds support for OIDC in general
- Extract out external logins on the JS side into a service
- Add a feature flag for disabling direct login
- Add support for directing to the single external login service
- Does *not* yet support the config in the superuser tool
---
 app.py                                        |   8 +-
 config.py                                     |   6 +
 .../3a3bb77e17d5_add_support_for_dex_login.py |  26 ++++
 endpoints/api/user.py                         |   3 +
 endpoints/oauthlogin.py                       |  91 ++++++++++-
 initdb.py                                     |   1 +
 .../directives/ui/external-login-button.css   |   7 +-
 .../directives/ui/external-logins-manager.css |   5 +-
 static/css/directives/ui/signup-form.css      |  10 ++
 static/directives/external-login-button.html  |  34 ++---
 .../directives/external-logins-manager.html   |  55 +++----
 static/directives/header-bar.html             |   6 +-
 static/directives/signin-form.html            |  19 ++-
 static/directives/signup-form.html            |  65 ++++----
 static/directives/user-setup.html             |   4 +-
 .../js/directives/ui/external-login-button.js |  10 +-
 .../directives/ui/external-logins-manager.js  |  24 ++-
 static/js/directives/ui/header-bar.js         |   5 +-
 static/js/directives/ui/signin-form.js        |   6 +-
 static/js/directives/ui/signup-form.js        |   4 +-
 static/js/pages/signin.js                     |   7 +-
 static/js/pages/user-view.js                  |   3 +-
 static/js/services/external-login-service.js  | 141 ++++++++++++++++++
 static/js/services/key-service.js             |  40 +----
 static/partials/user-view.html                |   5 +-
 templates/ologinerror.html                    |   2 +-
 util/config/oauth.py                          | 122 ++++++++++++++-
 27 files changed, 533 insertions(+), 176 deletions(-)
 create mode 100644 data/migrations/versions/3a3bb77e17d5_add_support_for_dex_login.py
 create mode 100644 static/js/services/external-login-service.js

diff --git a/app.py b/app.py
index ebb5a3391..68e527ee2 100644
--- a/app.py
+++ b/app.py
@@ -26,7 +26,9 @@ from util import get_app_url
 from util.saas.analytics import Analytics
 from util.saas.exceptionlog import Sentry
 from util.names import urn_generator
-from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
+from util.config.oauth import (GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig,
+                               DexOAuthConfig)
+
 from util.security.signing import Signer
 from util.saas.cloudwatch import start_cloudwatch_sender
 from util.saas.metricqueue import MetricQueue
@@ -135,7 +137,9 @@ github_login = GithubOAuthConfig(app.config, 'GITHUB_LOGIN_CONFIG')
 github_trigger = GithubOAuthConfig(app.config, 'GITHUB_TRIGGER_CONFIG')
 gitlab_trigger = GitLabOAuthConfig(app.config, 'GITLAB_TRIGGER_CONFIG')
 google_login = GoogleOAuthConfig(app.config, 'GOOGLE_LOGIN_CONFIG')
-oauth_apps = [github_login, github_trigger, gitlab_trigger, google_login]
+dex_login = DexOAuthConfig(app.config, 'DEX_LOGIN_CONFIG')
+
+oauth_apps = [github_login, github_trigger, gitlab_trigger, google_login, dex_login]
 
 image_diff_queue = WorkQueue(app.config['DIFFS_QUEUE_NAME'], tf)
 image_replication_queue = WorkQueue(app.config['REPLICATION_QUEUE_NAME'], tf)
diff --git a/config.py b/config.py
index ea65ad54e..f97447f45 100644
--- a/config.py
+++ b/config.py
@@ -153,6 +153,9 @@ class DefaultConfig(object):
   # Feature Flag: Whether Google login is supported.
   FEATURE_GOOGLE_LOGIN = False
 
+  # Feature Flag: Whther Dex login is supported.
+  FEATURE_DEX_LOGIN = False
+
   # Feature flag, whether to enable olark chat
   FEATURE_OLARK_CHAT = False
 
@@ -184,6 +187,9 @@ class DefaultConfig(object):
   # Feature Flag: Whether to automatically replicate between storage engines.
   FEATURE_STORAGE_REPLICATION = False
 
+  # Feature Flag: Whether users can directly login to the UI.
+  FEATURE_DIRECT_LOGIN = True
+
   BUILD_MANAGER = ('enterprise', {})
 
   DISTRIBUTED_STORAGE_CONFIG = {
diff --git a/data/migrations/versions/3a3bb77e17d5_add_support_for_dex_login.py b/data/migrations/versions/3a3bb77e17d5_add_support_for_dex_login.py
new file mode 100644
index 000000000..5e883237e
--- /dev/null
+++ b/data/migrations/versions/3a3bb77e17d5_add_support_for_dex_login.py
@@ -0,0 +1,26 @@
+"""Add support for Dex login
+
+Revision ID: 3a3bb77e17d5
+Revises: 9512773a4a2
+Create Date: 2015-09-04 15:57:38.007822
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '3a3bb77e17d5'
+down_revision = '9512773a4a2'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade(tables):
+  op.bulk_insert(tables.loginservice, [{'id': 7, 'name': 'dex'}])
+
+
+def downgrade(tables):
+  op.execute(
+    tables.loginservice.delete()
+    .where(tables.loginservice.c.name == op.inline_literal('dex'))
+  )
+
diff --git a/endpoints/api/user.py b/endpoints/api/user.py
index de928597f..7c3094cc7 100644
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@@ -306,6 +306,7 @@ class User(ApiResource):
     return user_view(user)
 
   @show_if(features.USER_CREATION)
+  @show_if(features.DIRECT_LOGIN)
   @nickname('createNewUser')
   @internal_only
   @validate_json_request('NewUser')
@@ -496,6 +497,7 @@ class ConvertToOrganization(ApiResource):
 
 
 @resource('/v1/signin')
+@show_if(features.DIRECT_LOGIN)
 @internal_only
 class Signin(ApiResource):
   """ Operations for signing in the user. """
@@ -595,6 +597,7 @@ class Signout(ApiResource):
 
 
 @resource('/v1/detachexternal/<servicename>')
+@show_if(features.DIRECT_LOGIN)
 @internal_only
 class DetachExternal(ApiResource):
   """ Resource for detaching an external login. """
diff --git a/endpoints/oauthlogin.py b/endpoints/oauthlogin.py
index ae41af0ef..665801a6d 100644
--- a/endpoints/oauthlogin.py
+++ b/endpoints/oauthlogin.py
@@ -5,7 +5,7 @@ from flask import request, redirect, url_for, Blueprint
 from flask.ext.login import current_user
 
 from endpoints.common import render_page_template, common_login, route_show_if
-from app import app, analytics, get_app_url, github_login, google_login
+from app import app, analytics, get_app_url, github_login, google_login, dex_login
 from data import model
 from util.names import parse_repository_name
 from util.validation import generate_valid_usernames
@@ -14,6 +14,7 @@ from auth.auth import require_session_login
 from peewee import IntegrityError
 
 import features
+from util.security.strictjwt import decode, InvalidTokenError
 
 logger = logging.getLogger(__name__)
 client = app.config['HTTPCLIENT']
@@ -24,7 +25,7 @@ def render_ologin_error(service_name,
   return render_page_template('ologinerror.html', service_name=service_name,
                               error_message=error_message,
                               service_url=get_app_url(),
-                              user_creation=features.USER_CREATION)
+                              user_creation=features.USER_CREATION and features.DIRECT_LOGIN)
 
 
 def get_user(service, token):
@@ -86,7 +87,7 @@ def conduct_oauth_login(service, user_id, username, email, metadata={}):
 
   return render_ologin_error(service_name)
 
-def get_google_username(user_data):
+def get_email_username(user_data):
   username = user_data['email']
   at = username.find('@')
   if at > 0:
@@ -108,7 +109,7 @@ def google_oauth_callback():
   if not user_data or not user_data.get('id', None) or not user_data.get('email', None):
     return render_ologin_error('Google')
 
-  username = get_google_username(user_data)
+  username = get_email_username(user_data)
   metadata = {
     'service_username': user_data['email']
   }
@@ -194,7 +195,7 @@ def google_oauth_attach():
   google_id = user_data['id']
   user_obj = current_user.db_user()
 
-  username = get_google_username(user_data)
+  username = get_email_username(user_data)
   metadata = {
     'service_username': user_data['email']
   }
@@ -236,3 +237,83 @@ def github_oauth_attach():
     return render_ologin_error('GitHub', err)
 
   return redirect(url_for('web.user'))
+
+
+def decode_user_jwt(token, oidc_provider):
+  try:
+    return decode(token, oidc_provider.get_public_key(), algorithms=['RS256'],
+                  audience=oidc_provider.client_id(),
+                  issuer=oidc_provider.issuer)
+  except InvalidTokenError:
+    # Public key may have expired. Try to retrieve an updated public key and use it to decode.
+    return decode(token, oidc_provider.get_public_key(force_refresh=True), algorithms=['RS256'],
+                  audience=oidc_provider.client_id(),
+                  issuer=oidc_provider.issuer)
+
+
+@oauthlogin.route('/dex/callback', methods=['GET', 'POST'])
+@route_show_if(features.DEX_LOGIN)
+def dex_oauth_callback():
+  error = request.values.get('error', None)
+  if error:
+    return render_ologin_error(dex_login.public_title, error)
+
+  code = request.values.get('code')
+  if not code:
+    return render_ologin_error(dex_login.public_title, 'Missing OAuth code')
+
+  token = dex_login.exchange_code_for_token(app.config, client, code, client_auth=True,
+                                            form_encode=True)
+
+  try:
+    payload = decode_user_jwt(token, dex_login)
+  except InvalidTokenError:
+    logger.exception('Exception when decoding returned JWT')
+    return render_ologin_error(dex_login.public_title,
+      'Could not decode response. Please contact your system administrator about this error.')
+
+  username = get_email_username(payload)
+  metadata = {}
+
+  dex_id = payload['sub']
+  email_address = payload['email']
+
+  if not payload.get('email_verified', False):
+    return render_ologin_error(dex_login.public_title,
+      'A verified e-mail address is required for login. Please verify your ' +
+      'e-mail address in %s and try again.' % dex_login.public_title)
+
+
+  return conduct_oauth_login(dex_login, dex_id, username, email_address,
+                             metadata=metadata)
+
+
+@oauthlogin.route('/dex/callback/attach', methods=['GET', 'POST'])
+@route_show_if(features.DEX_LOGIN)
+@require_session_login
+def dex_oauth_attach():
+  code = request.args.get('code')
+  token = dex_login.exchange_code_for_token(app.config, client, code, redirect_suffix='/attach',
+                                            client_auth=True, form_encode=True)
+  if not token:
+    return render_ologin_error(dex_login.public_title)
+
+  try:
+    payload = decode_user_jwt(token, dex_login)
+  except jwt.InvalidTokenError:
+    logger.exception('Exception when decoding returned JWT')
+    return render_ologin_error(dex_login.public_title,
+      'Could not decode response. Please contact your system administrator about this error.')
+
+  user_obj = current_user.db_user()
+  dex_id = payload['sub']
+  metadata = {}
+
+  try:
+    model.user.attach_federated_login(user_obj, 'dex', dex_id, metadata=metadata)
+  except IntegrityError:
+    err = '%s account is already attached to a %s account' % (dex_login.public_title,
+      app.config['REGISTRY_TITLE_SHORT'])
+    return render_ologin_error(dex_login.public_title, err)
+
+  return redirect(url_for('web.user'))
diff --git a/initdb.py b/initdb.py
index be50d12c4..57024f00d 100644
--- a/initdb.py
+++ b/initdb.py
@@ -218,6 +218,7 @@ def initialize_database():
   LoginService.create(name='ldap')
   LoginService.create(name='jwtauthn')
   LoginService.create(name='keystone')
+  LoginService.create(name='dex')
 
   BuildTriggerService.create(name='github')
   BuildTriggerService.create(name='custom-git')
diff --git a/static/css/directives/ui/external-login-button.css b/static/css/directives/ui/external-login-button.css
index 390eda57d..8cf5ff69e 100644
--- a/static/css/directives/ui/external-login-button.css
+++ b/static/css/directives/ui/external-login-button.css
@@ -1,3 +1,8 @@
-.external-login-button i.fa {
+.external-login-button i.fa,
+.external-login-button img {
   margin-right: 4px;
+  width: 24px;
+  font-size: 18px;
+  text-align: center;
+  vertical-align: middle;
 }
\ No newline at end of file
diff --git a/static/css/directives/ui/external-logins-manager.css b/static/css/directives/ui/external-logins-manager.css
index 2c5ca7302..947870dbd 100644
--- a/static/css/directives/ui/external-logins-manager.css
+++ b/static/css/directives/ui/external-logins-manager.css
@@ -6,6 +6,9 @@
   font-size: 18px;
 }
 
-.external-logins-manager .external-auth-provider td:first-child i.fa {
+.external-logins-manager .external-auth-provider-title i.fa,
+.external-logins-manager .external-auth-provider-title img {
   margin-right: 6px;
+  width: 24px;
+  text-align: center;
 }
\ No newline at end of file
diff --git a/static/css/directives/ui/signup-form.css b/static/css/directives/ui/signup-form.css
index 5a3dede2f..1d71692ee 100644
--- a/static/css/directives/ui/signup-form.css
+++ b/static/css/directives/ui/signup-form.css
@@ -4,4 +4,14 @@
 
 .signup-form-element .co-alert {
   color: black;
+}
+
+.signup-form-element .single-sign-on a {
+    font-size: 24px;
+}
+
+.signup-form-element .single-sign-on .external-login-button i.fa,
+.signup-form-element .single-sign-on .external-login-button img {
+    width: 30px;
+    font-size: 24px;
 }
\ No newline at end of file
diff --git a/static/directives/external-login-button.html b/static/directives/external-login-button.html
index edf81a36a..65aaee41d 100644
--- a/static/directives/external-login-button.html
+++ b/static/directives/external-login-button.html
@@ -1,24 +1,14 @@
 <span class="external-login-button-element">
-  <span ng-if="provider == 'github'">
-    <a href="javascript:void(0)" ng-class="isLink ? '' : 'btn btn-primary btn-block'" quay-require="['GITHUB_LOGIN']" ng-click="startSignin('github')" style="margin-bottom: 10px" ng-disabled="signingIn">
-      <i class="fa fa-github fa-lg"></i>
-      <span ng-if="action != 'attach'">
-          Sign In with GitHub
-          <span ng-if="isEnterprise('github')">Enterprise</span>
-      </span>
-      <span ng-if="action == 'attach'">
-        Attach to GitHub
-        <span ng-if="isEnterprise('github')">Enterprise</span>
-        Account
-      </span>
-    </a>
-  </span>
-
-  <span ng-if="provider == 'google'">
-    <a href="javascript:void(0)" ng-class="isLink ? '' : 'btn btn-primary btn-block'" quay-require="['GOOGLE_LOGIN']"  ng-click="startSignin('google')" ng-disabled="signingIn">
-      <i class="fa fa-google fa-lg"></i>
-      <span ng-if="action != 'attach'">Sign In with Google</span>
-      <span ng-if="action == 'attach'">Attach to Google Account</span>
-    </a>
-  </span>
+  <a href="javascript:void(0)" ng-class="isLink ? '' : 'btn btn-primary btn-block'"
+     ng-if="providerInfo.enabled" ng-click="startSignin()" style="margin-bottom: 10px"
+     ng-disabled="signingIn">
+    <img ng-src="{{ providerInfo.icon().url }}" ng-if="providerInfo.icon().url">
+    <i class="fa" ng-class="providerInfo.icon().icon" ng-if="providerInfo.icon().icon"></i>
+    <span ng-if="action != 'attach'">
+        Sign In with {{ providerInfo.title() }}
+    </span>
+    <span ng-if="action == 'attach'">
+      Attach to {{ providerInfo.title() }}
+    </span>
+  </a>
 </span>
diff --git a/static/directives/external-logins-manager.html b/static/directives/external-logins-manager.html
index 2c07c2a3a..ed7198a75 100644
--- a/static/directives/external-logins-manager.html
+++ b/static/directives/external-logins-manager.html
@@ -9,52 +9,35 @@
     <thead>
       <td>Provider</td>
       <td>Account Status</td>
-      <td>Attach/Detach</td>
+      <td quay-show="Features.DIRECT_LOGIN">Attach/Detach</td>
     </thead>
 
-    <!-- GitHub Login -->
-    <tr class="external-auth-provider" ng-show="Features.GITHUB_LOGIN">
-      <td>
-        <i class="fa fa-github"></i> GitHub <span ng-if="KeyService.isEnterprise('github')">Enterprise</span>
+    <tr class="external-auth-provider" ng-repeat="provider in EXTERNAL_LOGINS">
+      <td class="external-auth-provider-title">
+        <img ng-src="{{ provider.icon().url }}" ng-if="provider.icon().url">
+        <i class="fa" ng-class="provider.icon().icon" ng-if="provider.icon().icon"></i>
+        {{ provider.title() }}
       </td>
       <td>
-        <span ng-if="hasGithubLogin">
-          Attached to GitHub <span ng-if="KeyService.isEnterprise('github')">Enterprise</span> account <b><a href="{{githubEndpoint}}{{githubLogin}}" target="_blank">{{githubLogin}}</a></b>
+        <span ng-if="externalLoginInfo[provider.id]">
+          Attached to {{ provider.title() }} account
+          <b ng-if="provider.hasUserInfo">
+            <a ng-href="{{ provider.getUserInfo(externalLoginInfo[provider.id]).endpoint }}" target="_blank">
+              {{ provider.getUserInfo(externalLoginInfo[provider.id]).username }}
+            </a>
+          </b>
         </span>
 
-        <span class="empty" ng-if="!hasGithubLogin">
-          (Not attached to GitHub<span ng-if="KeyService.isEnterprise('github')"> Enterprise</span>)
+        <span class="empty" ng-if="!externalLoginInfo[provider.id]">
+          Not attached to {{ provider.title() }}
         </span>
       </td>
 
       <td>
-        <span class="external-login-button" provider="github" action="attach" is-link="true"
-              ng-if="!hasGithubLogin"></span>
-        <a href="javascript:void(0)" ng-if="hasGithubLogin"
-           ng-click="detachExternalLogin('github')">Detach Account</a>
-      </td>
-    </tr>
-
-    <!-- Google Login -->
-    <tr class="external-auth-provider" ng-show="Features.GOOGLE_LOGIN">
-      <td>
-        <i class="fa fa-google"></i> Google Account
-      </td>
-      <td>
-        <span ng-if="hasGoogleLogin">
-          Attached to Google account <b>{{ googleLogin }}</b>
-        </span>
-
-        <span class="empty" ng-if="!hasGoogleLogin">
-          (Not attached to a Google account)
-        </span>
-      </td>
-
-      <td>
-        <span class="external-login-button" provider="google" action="attach" is-link="true"
-              ng-if="!hasGoogleLogin"></span>
-        <a href="javascript:void(0)" ng-if="hasGoogleLogin"
-           ng-click="detachExternalLogin('google')">Detach Account</a>
+        <span class="external-login-button" provider="{{ provider.id }}" action="attach" is-link="true"
+              ng-if="!externalLoginInfo[provider.id]"></span>
+        <a href="javascript:void(0)" ng-if="externalLoginInfo[provider.id] && Features.DIRECT_LOGIN"
+           ng-click="detachExternalLogin(provider.id)">Detach Account</a>
       </td>
     </tr>
   </table>
diff --git a/static/directives/header-bar.html b/static/directives/header-bar.html
index 27d3ff4cd..b3b2111ea 100644
--- a/static/directives/header-bar.html
+++ b/static/directives/header-bar.html
@@ -42,7 +42,8 @@
             </a>
           </li>
           <li ng-switch-default>
-            <a class="user-view" href="/signin/" target="{{ appLinkTarget() }}">Sign in</a>
+            <a class="user-view" href="/signin/" target="{{ appLinkTarget() }}" ng-if="!externalSigninUrl">Sign in</a>
+            <a class="user-view" ng-href="{{ externalSigninUrl }}" ng-if="externalSigninUrl">Sign in</a>
           </li>
         </ul>
 
@@ -133,7 +134,8 @@
             </ul>
           </li>
           <li ng-switch-default>
-            <a class="user-view" href="/signin/" target="{{ appLinkTarget() }}">Sign in</a>
+            <a class="user-view" href="/signin/" target="{{ appLinkTarget() }}" ng-if="!externalSigninUrl">Sign in</a>
+            <a class="user-view" ng-href="{{ externalSigninUrl }}" ng-if="externalSigninUrl">Sign in</a>
           </li>
         </ul>
       </div><!-- /.navbar-collapse -->
diff --git a/static/directives/signin-form.html b/static/directives/signin-form.html
index fc5727828..ccaedc9a9 100644
--- a/static/directives/signin-form.html
+++ b/static/directives/signin-form.html
@@ -1,25 +1,28 @@
 <div class="signin-form-element" style="position: relative">
   <span class="cor-loader" ng-show="signingIn"></span>
+
   <form class="form-signin" ng-submit="signin();" ng-show="!signingIn">
-    <input type="text" class="form-control input-lg" name="username"
-           placeholder="Username or E-mail Address" ng-model="user.username" autofocus>
-    <input type="password" class="form-control input-lg" name="password"
-           placeholder="Password" ng-model="user.password">
+    <div quay-show="Features.DIRECT_LOGIN">
+      <input type="text" class="form-control input-lg" name="username"
+             placeholder="Username or E-mail Address" ng-model="user.username" autofocus>
+      <input type="password" class="form-control input-lg" name="password"
+             placeholder="Password" ng-model="user.password">
+    </div>
 
     <div class="co-alert co-alert-warning" ng-show="tryAgainSoon > 0">
       Too many attempts have been made to login. Please try again in {{ tryAgainSoon }} second<span ng-if="tryAgainSoon != 1">s</span>.
     </div>
 
     <span ng-show="tryAgainSoon == 0">
-      <button class="btn btn-lg btn-primary btn-block" type="submit">Sign In</button>
+      <button class="btn btn-lg btn-primary btn-block" type="submit" quay-show="Features.DIRECT_LOGIN">Sign In</button>
 
-      <span class="social-alternate" quay-show="Features.GITHUB_LOGIN || Features.GOOGLE_LOGIN">
+      <span class="social-alternate" quay-show="EXTERNAL_LOGINS.length && Features.DIRECT_LOGIN">
         <i class="fa fa-circle"></i>
         <span class="inner-text">OR</span>
       </span>
 
-      <div class="external-login-button" provider="github" redirect-url="redirectUrl" sign-in-started="markStarted()"></div>
-      <div class="external-login-button" provider="google" redirect-url="redirectUrl" sign-in-started="markStarted()"></div>
+      <div class="external-login-button" provider="{{ provider.id }}" redirect-url="redirectUrl"
+           sign-in-started="markStarted()" ng-repeat="provider in EXTERNAL_LOGINS"></div>
     </span>
   </form>
 
diff --git a/static/directives/signup-form.html b/static/directives/signup-form.html
index 27561f327..627fbb684 100644
--- a/static/directives/signup-form.html
+++ b/static/directives/signup-form.html
@@ -1,32 +1,39 @@
-<div class="signup-form-element"
-     quay-show="Features.USER_CREATION && Config.AUTHENTICATION_TYPE == 'Database'">
-  <form class="form-signup" name="signupForm" ng-submit="register()" ng-show="!awaitingConfirmation && !registering">
-    <input type="text" class="form-control" placeholder="Create a username" name="username" ng-model="newUser.username" autofocus required ng-pattern="/^[a-z0-9_]{4,30}$/">
-    <input type="email" class="form-control" placeholder="Email address" ng-model="newUser.email" required>
-    <input type="password" class="form-control" placeholder="Create a password" ng-model="newUser.password" required
-           ng-pattern="/^.{8,}$/">
-    <input type="password" class="form-control" placeholder="Verify your password" ng-model="newUser.repeatPassword"
-           match="newUser.password" required
-           ng-pattern="/^.{8,}$/">
-    <div class="form-group signin-buttons">
-      <button id="signupButton"
-              class="btn btn-primary btn-block landing-signup-button" ng-disabled="signupForm.$invalid" type="submit"
-              analytics-on analytics-event="register">
-        <span quay-show="Features.BILLING">Sign Up for Free!</span>
-        <span quay-show="!Features.BILLING">Sign Up</span>
-      </button>
-      <span class="social-alternate" quay-require="['GITHUB_LOGIN']">
-        <i class="fa fa-circle"></i>
-        <span class="inner-text">OR</span>
-      </span>
-      <div class="external-login-button" provider="github"></div>
-      <div class="external-login-button" provider="google"></div>
+<div class="signup-form-element">
+  <div quay-show="singleSigninUrl" class="single-sign-on">
+    <div class="external-login-button" provider="{{ EXTERNAL_LOGINS[0].id }}"></div>
+  </div>
+
+  <div quay-show="Features.USER_CREATION && Config.AUTHENTICATION_TYPE == 'Database' && !singleSigninUrl">
+    <form class="form-signup" name="signupForm" ng-submit="register()" ng-show="!awaitingConfirmation && !registering">
+      <div quay-show="Features.DIRECT_LOGIN">
+        <input type="text" class="form-control" placeholder="Create a username" name="username" ng-model="newUser.username" autofocus required ng-pattern="/^[a-z0-9_]{4,30}$/">
+        <input type="email" class="form-control" placeholder="Email address" ng-model="newUser.email" required>
+        <input type="password" class="form-control" placeholder="Create a password" ng-model="newUser.password" required
+               ng-pattern="/^.{8,}$/">
+        <input type="password" class="form-control" placeholder="Verify your password" ng-model="newUser.repeatPassword"
+               match="newUser.password" required
+               ng-pattern="/^.{8,}$/">
+      </div>
+      <div class="form-group signin-buttons">
+        <button id="signupButton"
+                class="btn btn-primary btn-block landing-signup-button" ng-disabled="signupForm.$invalid" type="submit"
+                analytics-on analytics-event="register"
+                quay-show="Features.DIRECT_LOGIN">
+          <span quay-show="Features.BILLING">Sign Up for Free!</span>
+          <span quay-show="!Features.BILLING">Sign Up</span>
+        </button>
+        <span class="social-alternate" quay-show="Features.DIRECT_LOGIN && EXTERNAL_LOGINS.length">
+          <i class="fa fa-circle"></i>
+          <span class="inner-text">OR</span>
+        </span>
+        <div class="external-login-button" provider="{{ provider.id }}" ng-repeat="provider in EXTERNAL_LOGINS"></div>
+      </div>
+    </form>
+    <div class="cor-loader" ng-show="registering"></div>
+    <div class="co-alert co-alert-info"
+         ng-show="awaitingConfirmation && hideRegisteredMessage != 'true'">
+      Thank you for registering! We have sent you an activation email.
+      You must <b>verify your email address</b> before you can continue.
     </div>
-  </form>
-  <div class="cor-loader" ng-show="registering"></div>
-  <div class="co-alert co-alert-info"
-       ng-show="awaitingConfirmation && hideRegisteredMessage != 'true'">
-    Thank you for registering! We have sent you an activation email.
-    You must <b>verify your email address</b> before you can continue.
   </div>
 </div>
diff --git a/static/directives/user-setup.html b/static/directives/user-setup.html
index 679f35da3..291614fa9 100644
--- a/static/directives/user-setup.html
+++ b/static/directives/user-setup.html
@@ -15,7 +15,7 @@
       </div>
     </div>
     <div class="panel panel-default"
-         quay-show="Features.USER_CREATION && Config.AUTHENTICATION_TYPE == 'Database'">
+         quay-show="Features.USER_CREATION && Config.AUTHENTICATION_TYPE == 'Database' && Features.DIRECT_LOGIN">
       <div class="panel-heading">
         <h6 class="panel-title accordion-title">
           <a class="accordion-toggle" data-toggle="collapse" data-parent="#accordion" data-target="#collapseRegister">
@@ -30,7 +30,7 @@
       </div>
     </div>
     <div class="panel panel-default"
-         quay-show="Features.MAILING && Config.AUTHENTICATION_TYPE == 'Database'">
+         quay-show="Features.MAILING && Config.AUTHENTICATION_TYPE == 'Database' && Features.DIRECT_LOGIN">
       <div class="panel-heading">
         <h6 class="panel-title accordion-title">
           <a class="accordion-toggle" data-toggle="collapse" data-parent="#accordion" data-target="#collapseForgot">
diff --git a/static/js/directives/ui/external-login-button.js b/static/js/directives/ui/external-login-button.js
index 7d7602f85..509b2b489 100644
--- a/static/js/directives/ui/external-login-button.js
+++ b/static/js/directives/ui/external-login-button.js
@@ -15,14 +15,14 @@ angular.module('quay').directive('externalLoginButton', function () {
       'provider': '@provider',
       'action': '@action'
     },
-    controller: function($scope, $timeout, $interval, ApiService, KeyService, CookieService, Features, Config) {
+    controller: function($scope, $timeout, $interval, ApiService, KeyService, CookieService, ExternalLoginService) {
       $scope.signingIn = false;
-      $scope.isEnterprise = KeyService.isEnterprise;
+      $scope.providerInfo = ExternalLoginService.getProvider($scope.provider);
 
-      $scope.startSignin = function(service) {
-        $scope.signInStarted({'service': service});
+      $scope.startSignin = function() {
+        $scope.signInStarted({'service': $scope.provider});
 
-        var url = KeyService.getExternalLoginUrl(service, $scope.action || 'login');
+        var url = ExternalLoginService.getLoginUrl($scope.provider, $scope.action || 'login');
 
         // Save the redirect URL in a cookie so that we can redirect back after the service returns to us.
         var redirectURL = $scope.redirectUrl || window.location.toString();
diff --git a/static/js/directives/ui/external-logins-manager.js b/static/js/directives/ui/external-logins-manager.js
index 4dba38482..4706b4e88 100644
--- a/static/js/directives/ui/external-logins-manager.js
+++ b/static/js/directives/ui/external-logins-manager.js
@@ -11,41 +11,37 @@ angular.module('quay').directive('externalLoginsManager', function () {
     scope: {
       'user': '=user',
     },
-    controller: function($scope, $element, ApiService, UserService, Features, Config, KeyService) {
+    controller: function($scope, $element, ApiService, UserService, Features, Config, KeyService,
+                         ExternalLoginService) {
       $scope.Features = Features;
       $scope.Config = Config;
       $scope.KeyService = KeyService;
 
+      $scope.EXTERNAL_LOGINS = ExternalLoginService.EXTERNAL_LOGINS;
+      $scope.externalLoginInfo = {};
+      $scope.hasSingleSignin = ExternalLoginService.hasSingleSignin();
+
       UserService.updateUserIn($scope, function(user) {
         $scope.cuser = jQuery.extend({}, user);
+        $scope.externalLoginInfo = {};
 
         if ($scope.cuser.logins) {
           for (var i = 0; i < $scope.cuser.logins.length; i++) {
             var login = $scope.cuser.logins[i];
             login.metadata = login.metadata || {};
-
-            if (login.service == 'github') {
-              $scope.hasGithubLogin = true;
-              $scope.githubLogin = login.metadata['service_username'];
-              $scope.githubEndpoint = KeyService['githubEndpoint'];
-            }
-
-            if (login.service == 'google') {
-              $scope.hasGoogleLogin = true;
-              $scope.googleLogin = login.metadata['service_username'];
-            }
+            $scope.externalLoginInfo[login.service] = login;
           }
         }
       });
 
       $scope.detachExternalLogin = function(kind) {
+        if (!Features.DIRECT_LOGIN) { return; }
+
         var params = {
           'servicename': kind
         };
 
         ApiService.detachExternalLogin(null, params).then(function() {
-          $scope.hasGithubLogin = false;
-          $scope.hasGoogleLogin = false;
           UserService.load();
         }, ApiService.errorDisplay('Count not detach service'));
       };
diff --git a/static/js/directives/ui/header-bar.js b/static/js/directives/ui/header-bar.js
index 0d96aa2a6..243055df9 100644
--- a/static/js/directives/ui/header-bar.js
+++ b/static/js/directives/ui/header-bar.js
@@ -14,7 +14,10 @@ angular.module('quay').directive('headerBar', function () {
     },
     controller: function($rootScope, $scope, $element, $location, $timeout, hotkeys, UserService,
           PlanService, ApiService, NotificationService, Config, CreateService, Features,
-          DocumentationService) {
+          DocumentationService, ExternalLoginService) {
+
+      $scope.externalSigninUrl = ExternalLoginService.getSingleSigninUrl();
+
       var hotkeysAdded = false;
       var userUpdated = function(cUser) {
         $scope.searchingAllowed = Features.ANONYMOUS_ACCESS || !cUser.anonymous;
diff --git a/static/js/directives/ui/signin-form.js b/static/js/directives/ui/signin-form.js
index 3921d01ed..1d0bc4d4e 100644
--- a/static/js/directives/ui/signin-form.js
+++ b/static/js/directives/ui/signin-form.js
@@ -14,10 +14,12 @@ angular.module('quay').directive('signinForm', function () {
       'signInStarted': '&signInStarted',
       'signedIn': '&signedIn'
     },
-    controller: function($scope, $location, $timeout, $interval, ApiService, KeyService, UserService, CookieService, Features, Config) {
+    controller: function($scope, $location, $timeout, $interval, ApiService, KeyService, UserService, CookieService, Features, Config, ExternalLoginService) {
       $scope.tryAgainSoon = 0;
       $scope.tryAgainInterval = null;
       $scope.signingIn = false;
+      $scope.EXTERNAL_LOGINS = ExternalLoginService.EXTERNAL_LOGINS;
+      $scope.Features = Features;
 
       $scope.markStarted = function() {
        $scope.signingIn = true;
@@ -45,7 +47,7 @@ angular.module('quay').directive('signinForm', function () {
       });
 
       $scope.signin = function() {
-        if ($scope.tryAgainSoon > 0) { return; }
+        if ($scope.tryAgainSoon > 0 || !Features.DIRECT_LOGIN) { return; }
 
         $scope.markStarted();
         $scope.cancelInterval();
diff --git a/static/js/directives/ui/signup-form.js b/static/js/directives/ui/signup-form.js
index e22a5e3ee..50e23a474 100644
--- a/static/js/directives/ui/signup-form.js
+++ b/static/js/directives/ui/signup-form.js
@@ -13,11 +13,13 @@ angular.module('quay').directive('signupForm', function () {
       'hideRegisteredMessage': '@hideRegisteredMessage',
       'userRegistered': '&userRegistered'
     },
-    controller: function($scope, $location, $timeout, ApiService, KeyService, UserService, Config, UIService) {
+    controller: function($scope, $location, $timeout, ApiService, KeyService, UserService, Config, UIService, ExternalLoginService) {
       $('.form-signup').popover();
 
       $scope.awaitingConfirmation = false;
       $scope.registering = false;
+      $scope.EXTERNAL_LOGINS = ExternalLoginService.EXTERNAL_LOGINS;
+      $scope.singleSigninUrl = ExternalLoginService.getSingleSigninUrl();
 
       $scope.register = function() {
         UIService.hidePopover('#signupButton');
diff --git a/static/js/pages/signin.js b/static/js/pages/signin.js
index 12b89e116..d1d49f010 100644
--- a/static/js/pages/signin.js
+++ b/static/js/pages/signin.js
@@ -8,7 +8,12 @@
     });
   }]);
 
-  function SignInCtrl($scope, $location) {
+  function SignInCtrl($scope, $location, ExternalLoginService, Features) {
     $scope.redirectUrl = '/';
+
+    var singleUrl = ExternalLoginService.getSingleSigninUrl();
+    if (singleUrl) {
+      document.location = singleUrl;
+    }
   }
 })();
diff --git a/static/js/pages/user-view.js b/static/js/pages/user-view.js
index 4f41b4e85..d6d55fa7c 100644
--- a/static/js/pages/user-view.js
+++ b/static/js/pages/user-view.js
@@ -10,7 +10,7 @@
     })
   }]);
 
-  function UserViewCtrl($scope, $routeParams, $timeout, ApiService, UserService, UIService, AvatarService, Config) {
+  function UserViewCtrl($scope, $routeParams, $timeout, ApiService, UserService, UIService, AvatarService, Config, ExternalLoginService) {
     var username = $routeParams.username;
 
     $scope.showInvoicesCounter = 0;
@@ -18,6 +18,7 @@
     $scope.showRobotsCounter = 0;
     $scope.changeEmailInfo = {};
     $scope.changePasswordInfo = {};
+    $scope.hasSingleSignin = ExternalLoginService.hasSingleSignin();
 
     UserService.updateUserIn($scope);
 
diff --git a/static/js/services/external-login-service.js b/static/js/services/external-login-service.js
new file mode 100644
index 000000000..91197e7b4
--- /dev/null
+++ b/static/js/services/external-login-service.js
@@ -0,0 +1,141 @@
+/**
+ * Service which exposes the supported external logins.
+ */
+angular.module('quay').factory('ExternalLoginService', ['KeyService', 'Features', 'Config',
+  function(KeyService, Features, Config) {
+  var externalLoginService = {};
+
+  externalLoginService.getLoginUrl = function(service, action) {
+    var serviceInfo = externalLoginService.getProvider(service);
+    if (!serviceInfo) { return ''; }
+
+    var stateClause = '';
+
+    if (Config.MIXPANEL_KEY && window.mixpanel) {
+      if (mixpanel.get_distinct_id !== undefined) {
+        stateClause = "&state=" + encodeURIComponent(mixpanel.get_distinct_id());
+      }
+    }
+
+    var loginUrl = KeyService.getConfiguration(serviceInfo.key, 'AUTHORIZE_ENDPOINT');
+    var clientId = KeyService.getConfiguration(serviceInfo.key, 'CLIENT_ID');
+
+    var scope = serviceInfo.scopes();
+    var redirectUri = Config.getUrl('/oauth2/' + service + '/callback');
+
+    if (action == 'attach') {
+      redirectUri += '/attach';
+    }
+
+    var url = loginUrl + 'client_id=' + clientId + '&scope=' + scope + '&redirect_uri=' +
+              redirectUri + stateClause;
+
+    return url;
+  };
+
+  var DEX = {
+    id: 'dex',
+    key: 'DEX_LOGIN_CONFIG',
+
+    title: function() {
+      return KeyService.getConfiguration('DEX_LOGIN_CONFIG', 'OIDC_TITLE');
+    },
+
+    icon: function() {
+      return {'url': KeyService.getConfiguration('DEX_LOGIN_CONFIG', 'OIDC_LOGO') };
+    },
+
+    scopes: function() {
+      return 'openid email profile'
+    },
+
+    enabled: Features.DEX_LOGIN
+  };
+
+  var GITHUB = {
+    id: 'github',
+    key: 'GITHUB_LOGIN_CONFIG',
+
+    title: function() {
+      return KeyService.isEnterprise('github') ? 'GitHub Enterprise' : 'GitHub';
+    },
+
+    icon: function() {
+      return {'icon': 'fa-github'};
+    },
+
+    hasUserInfo: true,
+    getUserInfo: function(service_info) {
+      username = service_info['metadata']['service_username'];
+      return {
+        'username': username,
+        'endpoint': KeyService['githubEndpoint'] + username
+      }
+    },
+
+    scopes: function() {
+      var scopes = 'user:email';
+      if (KeyService.getConfiguration('GITHUB_LOGIN_CONFIG', 'ORG_RESTRICT')) {
+        scopes += ' read:org';
+      }
+
+      return scopes;
+    },
+
+    enabled: Features.GITHUB_LOGIN
+  };
+
+  var GOOGLE = {
+    id: 'google',
+    key: 'GOOGLE_LOGIN_CONFIG',
+
+    title: function() {
+      return 'Google';
+    },
+
+    icon: function() {
+      return {'icon': 'fa-google'};
+    },
+
+    scopes: function() {
+      return 'openid email';
+    },
+
+    enabled: Features.GOOGLE_LOGIN
+  };
+
+  externalLoginService.ALL_EXTERNAL_LOGINS = [
+    DEX, GITHUB, GOOGLE
+  ];
+
+  externalLoginService.EXTERNAL_LOGINS = externalLoginService.ALL_EXTERNAL_LOGINS.filter(function(el) {
+    return el.enabled;
+  });
+
+  externalLoginService.getProvider = function(providerId) {
+    for (var i = 0; i < externalLoginService.EXTERNAL_LOGINS.length; ++i) {
+      var current = externalLoginService.EXTERNAL_LOGINS[i];
+      if (current.id == providerId) {
+        return current;
+      }
+    }
+
+    return null;
+  };
+
+  externalLoginService.hasSingleSignin = function() {
+    return externalLoginService.EXTERNAL_LOGINS.length == 1 && !Features.DIRECT_LOGIN;
+  };
+
+  externalLoginService.getSingleSigninUrl = function() {
+    // If there is a single external login service and direct login is disabled,
+    // then redirect to the external login directly.
+    if (externalLoginService.hasSingleSignin()) {
+      return externalLoginService.getLoginUrl(externalLoginService.EXTERNAL_LOGINS[0].id);
+    }
+
+    return null;
+  };
+
+  return externalLoginService;
+}]);
\ No newline at end of file
diff --git a/static/js/services/key-service.js b/static/js/services/key-service.js
index 12b02b41d..62a89ac34 100644
--- a/static/js/services/key-service.js
+++ b/static/js/services/key-service.js
@@ -10,35 +10,26 @@ angular.module('quay').factory('KeyService', ['$location', 'Config', function($l
 
   keyService['gitlabTriggerClientId'] = oauth['GITLAB_TRIGGER_CONFIG']['CLIENT_ID'];
   keyService['githubTriggerClientId'] = oauth['GITHUB_TRIGGER_CONFIG']['CLIENT_ID'];
-  keyService['githubLoginClientId'] = oauth['GITHUB_LOGIN_CONFIG']['CLIENT_ID'];
-  keyService['googleLoginClientId'] = oauth['GOOGLE_LOGIN_CONFIG']['CLIENT_ID'];
 
   keyService['gitlabRedirectUri'] = Config.getUrl('/oauth2/gitlab/callback');
   keyService['githubRedirectUri'] = Config.getUrl('/oauth2/github/callback');
   keyService['googleRedirectUri'] = Config.getUrl('/oauth2/google/callback');
 
-  keyService['githubLoginUrl'] = oauth['GITHUB_LOGIN_CONFIG']['AUTHORIZE_ENDPOINT'];
-  keyService['googleLoginUrl'] = oauth['GOOGLE_LOGIN_CONFIG']['AUTHORIZE_ENDPOINT'];
-
-  keyService['githubEndpoint'] = oauth['GITHUB_LOGIN_CONFIG']['GITHUB_ENDPOINT'];
-
   keyService['githubTriggerEndpoint'] = oauth['GITHUB_TRIGGER_CONFIG']['GITHUB_ENDPOINT'];
   keyService['githubTriggerAuthorizeUrl'] = oauth['GITHUB_TRIGGER_CONFIG']['AUTHORIZE_ENDPOINT'];
 
   keyService['gitlabTriggerEndpoint'] = oauth['GITLAB_TRIGGER_CONFIG']['GITLAB_ENDPOINT'];
   keyService['gitlabTriggerAuthorizeUrl'] = oauth['GITLAB_TRIGGER_CONFIG']['AUTHORIZE_ENDPOINT'];
 
-  keyService['githubLoginScope'] = 'user:email';
-  if (oauth['GITHUB_LOGIN_CONFIG']['ORG_RESTRICT']) {
-    keyService['githubLoginScope'] += ',read:org';
-  }
-
-  keyService['googleLoginScope'] = 'openid email';
+  keyService.getConfiguration = function(parent, key) {
+    return oauth[parent][key];
+  };
 
   keyService.isEnterprise = function(service) {
     switch (service) {
       case 'github':
-        return keyService['githubLoginUrl'].indexOf('https://github.com/') < 0;
+        var loginUrl = oauth['GITHUB_LOGIN_CONFIG']['AUTHORIZE_ENDPOINT'];
+        return loginUrl.indexOf('https://github.com/') < 0;
 
       case 'github-trigger':
         return keyService['githubTriggerAuthorizeUrl'].indexOf('https://github.com/') < 0;
@@ -47,26 +38,5 @@ angular.module('quay').factory('KeyService', ['$location', 'Config', function($l
     return false;
   };
 
-  keyService.getExternalLoginUrl = function(service, action) {
-    var state_clause = '';
-    if (Config.MIXPANEL_KEY && window.mixpanel) {
-      if (mixpanel.get_distinct_id !== undefined) {
-        state_clause = "&state=" + encodeURIComponent(mixpanel.get_distinct_id());
-      }
-    }
-
-    var client_id = keyService[service + 'LoginClientId'];
-    var scope = keyService[service + 'LoginScope'];
-    var redirect_uri = keyService[service + 'RedirectUri'];
-    if (action == 'attach') {
-      redirect_uri += '/attach';
-    }
-
-    var url = keyService[service + 'LoginUrl'] + 'client_id=' + client_id + '&scope=' + scope +
-      '&redirect_uri=' + redirect_uri + state_clause;
-
-    return url;
-  };
-
   return keyService;
 }]);
diff --git a/static/partials/user-view.html b/static/partials/user-view.html
index d58896a74..d274cd8c5 100644
--- a/static/partials/user-view.html
+++ b/static/partials/user-view.html
@@ -43,7 +43,8 @@
               tab-init="showInvoices()" quay-show="Features.BILLING">
           <i class="fa ci-invoice"></i>
         </span>
-        <span class="cor-tab" tab-title="External Logins" tab-target="#external">
+        <span class="cor-tab" tab-title="External Logins" tab-target="#external"
+              quay-show="!hasSingleSignin">
           <i class="fa fa-external-link-square"></i>
         </span>
         <span class="cor-tab" tab-title="Authorized Applications" tab-target="#applications"
@@ -70,7 +71,7 @@
         </div>
 
         <!-- External Logins -->
-        <div id="external" class="tab-pane">
+        <div id="external" class="tab-pane" quay-show="!hasSingleSignin">
           <div class="external-logins-manager" user="viewuser"></div>
         </div>
 
diff --git a/templates/ologinerror.html b/templates/ologinerror.html
index 74f51987e..f32f2b60d 100644
--- a/templates/ologinerror.html
+++ b/templates/ologinerror.html
@@ -11,7 +11,7 @@
         <h2 style="margin-bottom: 20px;">There was an error logging in with {{ service_name }}.</h2>
 
         {% if error_message %}
-          <div class="alert alert-danger">{{ error_message }}</div>
+          <div class="co-alert co-alert-danger">{{ error_message }}</div>
         {% endif %}
 
         {% if user_creation %}
diff --git a/util/config/oauth.py b/util/config/oauth.py
index 33c9330d1..0bd4473b8 100644
--- a/util/config/oauth.py
+++ b/util/config/oauth.py
@@ -1,5 +1,13 @@
 import urlparse
 import github
+import json
+import logging
+import time
+
+from cachetools.func import TTLCache
+from jwkest.jwk import KEYS, keyrep
+
+logger = logging.getLogger(__name__)
 
 class OAuthConfig(object):
   def __init__(self, config, key_name):
@@ -38,10 +46,8 @@ class OAuthConfig(object):
 
 
   def exchange_code_for_token(self, app_config, http_client, code, form_encode=False,
-                              redirect_suffix=''):
+                              redirect_suffix='', client_auth=False):
     payload = {
-      'client_id': self.client_id(),
-      'client_secret': self.client_secret(),
       'code': code,
       'grant_type': 'authorization_code',
       'redirect_uri': self.get_redirect_uri(app_config, redirect_suffix)
@@ -51,11 +57,18 @@ class OAuthConfig(object):
       'Accept': 'application/json'
     }
 
+    auth = None
+    if client_auth:
+      auth = (self.client_id(), self.client_secret())
+    else:
+      payload['client_id'] = self.client_id()
+      payload['client_secret'] = self.client_secret()
+
     token_url = self.token_endpoint()
     if form_encode:
-      get_access_token = http_client.post(token_url, data=payload, headers=headers)
+      get_access_token = http_client.post(token_url, data=payload, headers=headers, auth=auth)
     else:
-      get_access_token = http_client.post(token_url, params=payload, headers=headers)
+      get_access_token = http_client.post(token_url, params=payload, headers=headers, auth=auth)
 
     json_data = get_access_token.json()
     if not json_data:
@@ -248,3 +261,102 @@ class GitLabOAuthConfig(OAuthConfig):
       'AUTHORIZE_ENDPOINT': self.authorize_endpoint(),
       'GITLAB_ENDPOINT': self._endpoint(),
     }
+
+
+OIDC_WELLKNOWN = ".well-known/openid-configuration"
+PUBLIC_KEY_CACHE_TTL = 3600 # 1 hour
+
+class OIDCConfig(OAuthConfig):
+  def __init__(self, config, key_name):
+    super(OIDCConfig, self).__init__(config, key_name)
+
+    self._public_key_cache = TTLCache(1, PUBLIC_KEY_CACHE_TTL, missing=self._get_public_key)
+    self._oidc_config = {}
+    self._http_client = config['HTTPCLIENT']
+
+    if self.config.get('OIDC_SERVER'):
+      self._load_via_discovery(config['DEBUGGING'])
+
+  def _load_via_discovery(self, is_debugging):
+    oidc_server = self.config['OIDC_SERVER']
+    if not oidc_server.startswith('https://') and not is_debugging:
+      raise Exception('OIDC server must be accessed over SSL')
+
+    discovery_url = urlparse.urljoin(oidc_server, OIDC_WELLKNOWN)
+    discovery = self._http_client.get(discovery_url, timeout=5)
+
+    if discovery.status_code / 100 != 2:
+      raise Exception("Could not load OIDC discovery information")
+
+    try:
+      self._oidc_config = json.loads(discovery.text)
+    except ValueError:
+      logger.exception('Could not parse OIDC discovery for url: %s', discovery_url)
+      raise Exception("Could not parse OIDC discovery information")
+
+  def authorize_endpoint(self):
+    return self._oidc_config['authorization_endpoint'] + '?'
+
+  def token_endpoint(self):
+    return self._oidc_config['token_endpoint']
+
+  def user_endpoint(self):
+    return None
+
+  def validate_client_id_and_secret(self, http_client, app_config):
+    pass
+
+  def get_public_config(self):
+    return {
+      'CLIENT_ID': self.client_id(),
+      'AUTHORIZE_ENDPOINT': self.authorize_endpoint()
+    }
+
+  @property
+  def issuer(self):
+    return self.config.get('OIDC_ISSUER', self.config['OIDC_SERVER'])
+
+  def get_public_key(self, force_refresh=False):
+    """ Retrieves the public key for this handler. """
+    # If force_refresh is true, we expire all the items in the cache by setting the time to
+    # the current time + the expiration TTL.
+    if force_refresh:
+      self._public_key_cache.expire(time=time.time() + PUBLIC_KEY_CACHE_TTL)
+
+    # Retrieve the public key from the cache. If the cache does not contain the public key,
+    # it will internally call _get_public_key to retrieve it and then save it. The None is
+    # a random key chose to be stored in the cache, and could be anything.
+    return self._public_key_cache[None]
+
+  def _get_public_key(self):
+    """ Retrieves the public key for this handler. """
+    keys_url = self._oidc_config['jwks_uri']
+
+    keys = KEYS()
+    keys.load_from_url(keys_url)
+
+    if not list(keys):
+      raise Exception('No keys provided by OIDC provider')
+
+    rsa_key = list(keys)[0]
+    rsa_key.deserialize()
+    return rsa_key.key.exportKey('PEM')
+
+
+class DexOAuthConfig(OIDCConfig):
+  def service_name(self):
+    return 'Dex'
+
+  @property
+  def public_title(self):
+    return self.get_public_config()['OIDC_TITLE']
+
+  def get_public_config(self):
+    return {
+      'CLIENT_ID': self.client_id(),
+      'AUTHORIZE_ENDPOINT': self.authorize_endpoint(),
+
+      # TODO(jschorr): This should ideally come from the Dex side.
+      'OIDC_TITLE': 'Dex',
+      'OIDC_LOGO': 'https://tectonic.com/assets/ico/favicon-96x96.png'
+    }

From 386fcfd50ed783df41326f4e8b04568409b4714c Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 10:10:00 -0400
Subject: [PATCH 03/34] Robot accounts allow underscores

Fixes #451
---
 static/js/app.js       |  2 +-
 test/test_api_usage.py | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/static/js/app.js b/static/js/app.js
index a0c4fb3fd..17894fcd3 100644
--- a/static/js/app.js
+++ b/static/js/app.js
@@ -1,5 +1,5 @@
 var TEAM_PATTERN = '^[a-zA-Z][a-zA-Z0-9]+$';
-var ROBOT_PATTERN = '^[a-zA-Z][a-zA-Z0-9]{3,29}$';
+var ROBOT_PATTERN = '^[a-zA-Z][a-zA-Z0-9_]{3,29}$';
 var USER_PATTERN = '^[a-z0-9_]{4,30}$';
 
 // Define the pages module.
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 7d6d07046..c39ac4fec 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -2512,6 +2512,26 @@ class TestOrgRobots(ApiTestCase):
     return [r['name'] for r in self.getJsonResponse(OrgRobotList,
                                                     params=dict(orgname=ORGANIZATION))['robots']]
 
+  def test_create_robot_with_underscores(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Create the robot.
+    self.putJsonResponse(OrgRobot,
+                         params=dict(orgname=ORGANIZATION, robot_shortname='mr_bender'),
+                         expected_code=201)
+
+    # Add the robot to a team.
+    membername = ORGANIZATION + '+mr_bender'
+    self.putJsonResponse(TeamMember,
+                         params=dict(orgname=ORGANIZATION, teamname='readers',
+                                     membername=membername))
+
+    # Retrieve the robot's details.
+    self.getJsonResponse(OrgRobot,
+                         params=dict(orgname=ORGANIZATION, robot_shortname='mr_bender'),
+                         expected_code=200)
+
+
   def test_delete_robot_after_use(self):
     self.login(ADMIN_ACCESS_USER)
 

From f0c85526681e913e5130366f43110879a3d23f61 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 10:29:28 -0400
Subject: [PATCH 04/34] Remove uses of _external for url_for

Fixes #439
---
 data/userfiles.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/data/userfiles.py b/data/userfiles.py
index f4b786df5..6ad461df6 100644
--- a/data/userfiles.py
+++ b/data/userfiles.py
@@ -1,11 +1,13 @@
 import os
 import logging
 import magic
+import urlparse
 
 from uuid import uuid4
 from flask import url_for, request, send_file, make_response, abort
 from flask.views import View
 from _pyio import BufferedReader
+from util import get_app_url
 
 
 logger = logging.getLogger(__name__)
@@ -77,7 +79,9 @@ class DelegateUserfiles(object):
     if url is None:
       with self._app.app_context() as ctx:
         ctx.url_adapter = self._build_url_adapter()
-        return (url_for(self._handler_name, file_id=file_id, _external=True), file_id)
+        file_relative_url = url_for(self._handler_name, file_id=file_id)
+        file_url = urlparse.urljoin(get_app_url(self._app.config), file_relative_url)
+        return (file_url, file_id)
 
     return (url, file_id)
 
@@ -97,7 +101,8 @@ class DelegateUserfiles(object):
     if url is None:
       with self._app.app_context() as ctx:
         ctx.url_adapter = self._build_url_adapter()
-        return url_for(self._handler_name, file_id=file_id, _external=True)
+        file_relative_url = url_for(self._handler_name, file_id=file_id)
+        return urlparse.urljoin(get_app_url(self._app.config), file_relative_url)
 
     return url
 

From d0e22e5afb5df9c3c49d3602d182f5be95e3028f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 10:40:10 -0400
Subject: [PATCH 05/34] Use a different port number for each live server test
 case in the registry tests

---
 test/registry_tests.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/test/registry_tests.py b/test/registry_tests.py
index cba8fa87d..4300f2df9 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -68,11 +68,16 @@ class TestFeature(object):
                            data=json.dumps(dict(value=self.old_value)),
                            headers={'Content-Type': 'application/json'})
 
+_PORT_NUMBER = 5001
+
 class RegistryTestCase(LiveServerTestCase):
   maxDiff = None
 
   def create_app(self):
+    global _PORT_NUMBER
+    _PORT_NUMBER = _PORT_NUMBER + 1
     app.config['TESTING'] = True
+    app.config['LIVESERVER_PORT'] = _PORT_NUMBER
     return app
 
   def setUp(self):

From 8b4d99adcfbbb7a8889bf23915bb88a83e5e5f88 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 12:35:03 -0400
Subject: [PATCH 06/34] Have registry tests use a copy of the database

This makes the test suite much faster
---
 test/registry_tests.py | 53 +++++++++++++++++++++++++++++++++++-------
 test/testconfig.py     |  1 +
 2 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/test/registry_tests.py b/test/registry_tests.py
index 4300f2df9..f30bb7527 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -6,16 +6,19 @@ from flask.blueprints import Blueprint
 from flask.ext.testing import LiveServerTestCase
 
 from app import app
+from data.database import close_db_filter, configure
 from endpoints.v1 import v1_bp
 from endpoints.api import api_bp
 from initdb import wipe_database, initialize_database, populate_database
 from endpoints.csrf import generate_csrf_token
+from tempfile import NamedTemporaryFile
 
 import endpoints.decorated
 import json
 import features
 
 import tarfile
+import shutil
 
 from cStringIO import StringIO
 from digest.checksums import compute_simple
@@ -28,7 +31,9 @@ except ValueError:
   pass
 
 
-# Add a test blueprint for generating CSRF tokens and setting feature flags.
+# Add a test blueprint for generating CSRF tokens, setting feature flags and reloading the
+# DB connection.
+
 testbp = Blueprint('testbp', __name__)
 
 @testbp.route('/csrf', methods=['GET'])
@@ -42,6 +47,15 @@ def set_feature(feature_name):
   features._FEATURES[feature_name].value = request.get_json()['value']
   return jsonify({'old_value': old_value})
 
+@testbp.route('/reloaddb', methods=['POST'])
+def reload_db():
+  # Close any existing connection.
+  close_db_filter(None)
+
+  # Reload the database config.
+  configure(app.config)
+  return 'OK'
+
 app.register_blueprint(testbp, url_prefix='/__test')
 
 
@@ -69,6 +83,28 @@ class TestFeature(object):
                            headers={'Content-Type': 'application/json'})
 
 _PORT_NUMBER = 5001
+_CLEAN_DATABASE_PATH = None
+
+def get_new_database_uri():
+  # If a clean copy of the database has not yet been created, create one now.
+  global _CLEAN_DATABASE_PATH
+  if not _CLEAN_DATABASE_PATH:
+    wipe_database()
+    initialize_database()
+    populate_database()
+    close_db_filter(None)
+
+    # Save the path of the clean database.
+    _CLEAN_DATABASE_PATH = app.config['TEST_DB_FILE'].name
+
+  # Create a new temp file to be used as the actual backing database for the test.
+  # Note that we have the close() the file to ensure we can copy to it via shutil.
+  local_db_file = NamedTemporaryFile(delete=True)
+  local_db_file.close()
+
+  # Copy the clean database to the path.
+  shutil.copy2(_CLEAN_DATABASE_PATH, local_db_file.name)
+  return 'sqlite:///{0}'.format(local_db_file.name)
 
 class RegistryTestCase(LiveServerTestCase):
   maxDiff = None
@@ -76,20 +112,21 @@ class RegistryTestCase(LiveServerTestCase):
   def create_app(self):
     global _PORT_NUMBER
     _PORT_NUMBER = _PORT_NUMBER + 1
+    app.config['DEBUG'] = True
     app.config['TESTING'] = True
     app.config['LIVESERVER_PORT'] = _PORT_NUMBER
+    app.config['DB_URI'] = get_new_database_uri()
     return app
 
   def setUp(self):
-    # Note: We cannot use the normal savepoint-based DB setup here because we are accessing
-    # different app instances remotely via a live webserver, which is multiprocess. Therefore, we
-    # completely clear the database between tests.
-    wipe_database()
-    initialize_database()
-    populate_database()
-
     self.clearSession()
 
+    # Tell the remote running app to reload the database. By default, the app forks from the
+    # current context and has already loaded the DB config with the *original* DB URL. We call
+    # the remote reload method to force it to pick up the changes to DB_URI set in the create_app
+    # method.
+    self.conduct('POST', '/__test/reloaddb')
+
   def clearSession(self):
     self.session = requests.Session()
     self.signature = None
diff --git a/test/testconfig.py b/test/testconfig.py
index 75c1c3f9c..2ee3e89bb 100644
--- a/test/testconfig.py
+++ b/test/testconfig.py
@@ -21,6 +21,7 @@ class TestConfig(DefaultConfig):
   TESTING = True
   SECRET_KEY = 'a36c9d7d-25a9-4d3f-a586-3d2f8dc40a83'
 
+  TEST_DB_FILE = TEST_DB_FILE
   DB_URI = os.environ.get('TEST_DATABASE_URI', 'sqlite:///{0}'.format(TEST_DB_FILE.name))
   DB_CONNECTION_ARGS = {
     'threadlocals': True,

From 104bdef339a8dd2098fccb4f248aee0ffab490b3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 12:51:23 -0400
Subject: [PATCH 07/34] DEBUG flag is still broken on older version of
 Flask-Testing

---
 test/registry_tests.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/registry_tests.py b/test/registry_tests.py
index f30bb7527..e85ca309f 100644
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@@ -112,7 +112,6 @@ class RegistryTestCase(LiveServerTestCase):
   def create_app(self):
     global _PORT_NUMBER
     _PORT_NUMBER = _PORT_NUMBER + 1
-    app.config['DEBUG'] = True
     app.config['TESTING'] = True
     app.config['LIVESERVER_PORT'] = _PORT_NUMBER
     app.config['DB_URI'] = get_new_database_uri()

From 9a952436769330eb11ead67cdf925ab0dd0a9d53 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 14:31:28 -0400
Subject: [PATCH 08/34] LDN directory needs to be absolute to the domain, not
 relative.

---
 external_libraries.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/external_libraries.py b/external_libraries.py
index 74f398a02..b5055abeb 100644
--- a/external_libraries.py
+++ b/external_libraries.py
@@ -2,7 +2,7 @@ import urllib2
 import re
 import os
 
-LOCAL_DIRECTORY = 'static/ldn/'
+LOCAL_DIRECTORY = '/static/ldn/'
 
 EXTERNAL_JS = [
   'code.jquery.com/jquery.js',

From cccb1651f5bfec957e1f055661309080e7f9c2f3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 8 Sep 2015 16:55:47 -0400
Subject: [PATCH 09/34] Fixes for direct cloud storage copying

---
 storage/cloud.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/storage/cloud.py b/storage/cloud.py
index d333d0358..cc2750dae 100644
--- a/storage/cloud.py
+++ b/storage/cloud.py
@@ -224,6 +224,8 @@ class _CloudStorage(BaseStorage):
     return k.etag[1:-1][:7]
 
   def copy_to(self, destination, path):
+    self._initialize_cloud_conn()
+
     # First try to copy directly via boto, but only if the storages are the
     # same type, with the same access information.
     if (self.__class__ == destination.__class__ and
@@ -235,6 +237,7 @@ class _CloudStorage(BaseStorage):
       source_path = self._init_path(path)
       source_key = self._key_class(self._cloud_bucket, source_path)
 
+      destination._initialize_cloud_conn()
       dest_path = destination._init_path(path)
       source_key.copy(destination._cloud_bucket, dest_path)
       return

From 3ee41471173686d4398b607f9f81cf8b1845dc55 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 9 Sep 2015 13:59:45 -0400
Subject: [PATCH 10/34] Switch the build logs archiver to a more performant
 query

Fixes #459
---
 data/model/build.py          | 22 +++++++++++----
 test/test_queries.py         | 40 ++++++++++++++++++++++++++
 workers/buildlogsarchiver.py | 54 ++++++++++++++++++------------------
 3 files changed, 84 insertions(+), 32 deletions(-)
 create mode 100644 test/test_queries.py

diff --git a/data/model/build.py b/data/model/build.py
index 70501c5dc..7f2479772 100644
--- a/data/model/build.py
+++ b/data/model/build.py
@@ -4,7 +4,7 @@ from peewee import JOIN_LEFT_OUTER
 from datetime import timedelta, datetime
 
 from data.database import (BuildTriggerService, RepositoryBuildTrigger, Repository, Namespace, User,
-                           RepositoryBuild, BUILD_PHASE, db_for_update)
+                           RepositoryBuild, BUILD_PHASE, db_for_update, db_random_func)
 from data.model import (InvalidBuildTriggerException, InvalidRepositoryBuildException,
                         db_transaction, user as user_model)
 
@@ -163,11 +163,23 @@ def cancel_repository_build(build, work_queue):
     return True
 
 
-def archivable_buildlogs_query():
+def get_archivable_build():
   presumed_dead_date = datetime.utcnow() - PRESUMED_DEAD_BUILD_AGE
-  return (RepositoryBuild
-          .select()
+  candidates = (RepositoryBuild
+          .select(RepositoryBuild.id)
           .where((RepositoryBuild.phase == BUILD_PHASE.COMPLETE) |
                  (RepositoryBuild.phase == BUILD_PHASE.ERROR) |
                  (RepositoryBuild.started < presumed_dead_date),
-                 RepositoryBuild.logs_archived == False))
+                 RepositoryBuild.logs_archived == False)
+          .limit(50)
+          .alias('candidates'))
+
+  try:
+    return (RepositoryBuild
+             .select(candidates.c.id)
+             .from_(candidates)
+             .order_by(db_random_func())
+             .get())
+  except RepositoryBuild.DoesNotExist:
+    return None
+
diff --git a/test/test_queries.py b/test/test_queries.py
new file mode 100644
index 000000000..6ef9b24d9
--- /dev/null
+++ b/test/test_queries.py
@@ -0,0 +1,40 @@
+import unittest
+
+from app import app
+from initdb import setup_database_for_testing, finished_database_for_testing
+from data import model
+from data.database import RepositoryBuild
+
+ADMIN_ACCESS_USER = 'devtable'
+SIMPLE_REPO = 'simple'
+
+class TestSpecificQueries(unittest.TestCase):
+  def setUp(self):
+    setup_database_for_testing(self)
+    self.app = app.test_client()
+    self.ctx = app.test_request_context()
+    self.ctx.__enter__()
+
+  def tearDown(self):
+    finished_database_for_testing(self)
+    self.ctx.__exit__(True, None, None)
+
+  def test_archivable_buildlogs(self):
+    # Make sure there are no archivable logs.
+    result = model.build.get_archivable_build()
+    self.assertIsNone(result)
+
+    # Add a build that we know needs to be archived.
+    repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+    token = model.token.create_access_token(repo, 'write')
+    created = RepositoryBuild.create(repository=repo, access_token=token,
+                                     phase=model.build.BUILD_PHASE.COMPLETE,
+                                     logs_archived=False, job_config='{}',
+                                     display_name='')
+
+    # Make sure we now find an archivable build.
+    result = model.build.get_archivable_build()
+    self.assertEquals(created.id, result.id)
+
+if __name__ == '__main__':
+  unittest.main()
\ No newline at end of file
diff --git a/workers/buildlogsarchiver.py b/workers/buildlogsarchiver.py
index f4882c453..86fb13387 100644
--- a/workers/buildlogsarchiver.py
+++ b/workers/buildlogsarchiver.py
@@ -24,34 +24,34 @@ class ArchiveBuildLogsWorker(Worker):
   def _archive_redis_buildlogs(self):
     """ Archive a single build, choosing a candidate at random. This process must be idempotent to
         avoid needing two-phase commit. """
-    try:
-      # Get a random build to archive
-      to_archive = model.build.archivable_buildlogs_query().order_by(db_random_func()).get()
-      logger.debug('Archiving: %s', to_archive.uuid)
-
-      length, entries = build_logs.get_log_entries(to_archive.uuid, 0)
-      to_encode = {
-        'start': 0,
-        'total': length,
-        'logs': entries,
-      }
-
-      with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
-        with GzipFile('testarchive', fileobj=tempfile) as zipstream:
-          for chunk in StreamingJSONEncoder().iterencode(to_encode):
-            zipstream.write(chunk)
-
-        tempfile.seek(0)
-        log_archive.store_file(tempfile, JSON_MIMETYPE, content_encoding='gzip',
-                               file_id=to_archive.uuid)
-
-      to_archive.logs_archived = True
-      to_archive.save()
-
-      build_logs.expire_log_entries(to_archive.uuid)
-
-    except RepositoryBuild.DoesNotExist:
+    # Get a random build to archive
+    to_archive = model.build.get_archivable_build()
+    if to_archive is None:
       logger.debug('No more builds to archive')
+      return
+
+    logger.debug('Archiving: %s', to_archive.uuid)
+
+    length, entries = build_logs.get_log_entries(to_archive.uuid, 0)
+    to_encode = {
+      'start': 0,
+      'total': length,
+      'logs': entries,
+    }
+
+    with SpooledTemporaryFile(MEMORY_TEMPFILE_SIZE) as tempfile:
+      with GzipFile('testarchive', fileobj=tempfile) as zipstream:
+        for chunk in StreamingJSONEncoder().iterencode(to_encode):
+          zipstream.write(chunk)
+
+      tempfile.seek(0)
+      log_archive.store_file(tempfile, JSON_MIMETYPE, content_encoding='gzip',
+                             file_id=to_archive.uuid)
+
+    to_archive.logs_archived = True
+    to_archive.save()
+
+    build_logs.expire_log_entries(to_archive.uuid)
 
 
 if __name__ == "__main__":

From d55ab78fbe9861841494c7fc2f837a1d24184386 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Wed, 9 Sep 2015 15:29:50 -0400
Subject: [PATCH 11/34] fix pagination of tags in API

Fixes #461.
---
 endpoints/api/tag.py   |  2 +-
 test/test_api_usage.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/endpoints/api/tag.py b/endpoints/api/tag.py
index 5246ee9c6..b8ad1906a 100644
--- a/endpoints/api/tag.py
+++ b/endpoints/api/tag.py
@@ -43,7 +43,7 @@ class ListRepositoryTags(RepositoryParamResource):
 
     specific_tag = args.get('specificTag') or None
 
-    page = min(1, args.get('start', 1))
+    page = max(1, args.get('page', 1))
     limit = min(100, max(1, args.get('limit', 50)))
 
     # Note: We ask for limit+1 here, so we can check to see if there are
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index c39ac4fec..163a10977 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -2079,6 +2079,7 @@ class TestRevertTag(ApiTestCase):
     self.assertEquals(previous_image_id, json['tags'][0]['docker_image_id'])
 
 
+
 class TestListAndDeleteTag(ApiTestCase):
   def test_listdeletecreateandmovetag(self):
     self.login(ADMIN_ACCESS_USER)
@@ -2166,6 +2167,19 @@ class TestListAndDeleteTag(ApiTestCase):
 
     self.assertEquals(prod_images, json['images'])
 
+  def test_listtagpagination(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    for i in xrange(1, 100):
+      model.tag.create_or_update_tag(ADMIN_ACCESS_USER, "complex", "tag" + str(i),
+                                     "1d8cbff4e0363d1826c6a0b64ef0bc501d8cbff4e0363d1826c6a0b64ef0bc50")
+
+    json = self.getJsonResponse(ListRepositoryTags,
+                                params=dict(repository=ADMIN_ACCESS_USER + '/complex', page=2))
+
+    # Make sure that we're able to see the second page of results.
+    assert json['page'] == 2
+    assert len(json['tags']) == 50
 
 class TestRepoPermissions(ApiTestCase):
   def listUserPermissions(self, namespace=ADMIN_ACCESS_USER, repo='simple'):

From ebdee55585c665927d0bd371d1a8cc7c8aff5520 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Wed, 9 Sep 2015 15:51:19 -0400
Subject: [PATCH 12/34] list_repository_tag_history fallback orderby name

If tags are created at the same time (usually from a tight loop), it is
possible that they will be order nondeterministically unless we fallback
to another orderby.
---
 data/model/tag.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/model/tag.py b/data/model/tag.py
index 199d99704..5875c95b1 100644
--- a/data/model/tag.py
+++ b/data/model/tag.py
@@ -134,6 +134,7 @@ def list_repository_tag_history(repo_obj, page=1, size=100, specific_tag=None):
            .where(RepositoryTag.repository == repo_obj)
            .where(RepositoryTag.hidden == False)
            .order_by(RepositoryTag.lifetime_start_ts.desc())
+           .order_by(RepositoryTag.name)
            .paginate(page, size))
 
   if specific_tag:

From cb6b6c40919cc5f8969126c0743d08280408f6e4 Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Wed, 9 Sep 2015 16:53:19 -0400
Subject: [PATCH 13/34] buildman: add silas keys to builders

---
 buildman/templates/cloudconfig.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/buildman/templates/cloudconfig.yaml b/buildman/templates/cloudconfig.yaml
index 5a9946659..af83464ce 100644
--- a/buildman/templates/cloudconfig.yaml
+++ b/buildman/templates/cloudconfig.yaml
@@ -7,6 +7,7 @@ ssh_authorized_keys:
 - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAo/JkbGO6R7g1ZxARi0xWVM7FOfN02snRAcIO6vT9M7xMUkWVLgD+hM/o91lk+UFiYdql0CATobpFWncRL36KaUqsbw9/1BlI40wg296XHXSSnxhxZ4L7ytf6G1tyN319HXlI2kh9vAf/fy++yDvkH8dI3k1oLoW+mZPET6Pff04/6AXXrRlS5mhmGv9irGwiDHtVKpj6lU8DN/UtOrv1tiQ0pgwEJq05fLGoQfgPNaBCnW2z4Ubpn2gyMcMBMpSwo4hCqJePd349e4bLmFcT+gXYg7Mnup1DoTDlowFFN56wpxQbdp96IxWzU+jYPaIAuRo+BJzCyOS8qBv0Z4RZrgop0qp2JYiVwmViO6TZhIDz6loQJXUOIleQmNgTbiZx8Bwv5GY2jMYoVwlBp7yy5bRjxfbFsJ0vU7TVzNAG7oEJy/74HmHmWzRQlSlQjesr8gRbm9zgR8wqc/L107UOWFg7Cgh8ZNjKuADbXqYuda1Y9m2upcfS26UPz5l5PW5uFRMHZSi8pb1XV6/0Z8H8vwsh37Ur6aLi/5jruRmKhdlsNrB1IiDicBsPW3yg7HHSIdPU4oBNPC77yDCT3l4CKr4el81RrZt7FbJPfY+Ig9Q5O+05f6I8+ZOlJGyZ/Qfyl2aVm1HnlJKuBqPxeic8tMng/9B5N7uZL6Y3k5jFU8c= quentin
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI7LtxLItapmUbt3Gs+4Oxa1i22fkx1+aJDkAjiRWPSX3+cxOzuPfHX9uFzr+qj5hy4J7ErrPp8q9alu+il9lE26GQuUxOZiaUrXu4dRCXXdCqTHARWBxGUXjkxdMp2HIzFpBxmVqcRubrgM36LBzKapdDOqQdz7XnNm5Jmf0tH/N0+TgV60P0WVY1CxmTya+JHNFVgazhd+oIGEhTyW/eszMGcFUgZet7DQFytYIQXYSwwGpGdJ+0InKAJ2SzCt/yuUlSrhrVM8vSGeami1XYmgQiyth1zjteMd8uTrc9NREH7bZTNcMFBqVYE3BYQWGRrv8pMMgP9gxgLbxtVsUl barakmich-titania
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDUWB4aSjSRHCz5/6H9/EJhJVvRmPThvEzyHinaWPsuM9prBSLci9NF9WneVl30nczkvllA+w34kycdrS3fKpjTbODaEOLHBobWl3bccY0I6kr86q5z67NZffjCm/P/RL+dBaOiBWS8PV8oiDF1P6YdMo8Jk46n9fozmLCXHUuCw5BJ8PGjQqbsEzA3qFMeKZYdJHOizOfeIfKfCWYrrumVRY9v6SAUDoFOl4PZEM7QdGp9EoRYb9MNLgKLnZ4RjbcLoFwiqxY4KEM4zfjZPNOECiLCuJqvHM2QawwuO1klJ16HpJk+FzOTWQoZtT47LoE/XNSOcNtAOiD+OQ449ia1EArhm7+1DnLXvHXKIl1JtuqJz+wFCsbNSdB7P562OHAGRIxYK3DfE+0CZH1BeHYl7xiRBeCtZ+OZMIocqeJtq8taIS7Un5wnGcQWxFtQnr/f65EgbIi7G2dxPcjhr6K+GWYezsiReVVKnIClq2MHhABG9QOncKDIa47L3nyx3pm4ZfMbC2jmnK2pFgGGSfYDy4487JnAUOG1mzZ9vm4gDhatT+vZFSBOwv1e4CErBh/wYXooF5I0nGmE6y6zkKFqP+ZolJ6iXmXQ7Ea2oaGeyaprweBjkhHgghi4KbwKbClope4Zo9X9JJYBLQSW33sEEuy8MlSBpdZAbz9t/FvJaw== mjibson
+- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiNawWSZL2MF99zwG9cFjGmML6agsKwaacQEoTsjcjHGixyUnqHXaLdrGma5i/uphZPkI5XRBKiuIROACY/aRoIxJUpV7AQ1Zx87cILx6fDVePvU5lW2DdhlCDUdwjuzDb/WO/c/qMWjOPqRG4q8XvB7nhuORMMgdpDXWVH4LXPmFez1iIBCKNk04l6Se7wiEOQjaBnTDiBDYlWD78r6RdiAU5eIxpq+lKBDTcET0vegwcA/WE4YOlYBbOrgtHrgwWqG/pXxUu77aapDOmfjtDrgim6XP5kEnytg5gCaN9iLvIpT8b1wD/1Z+LoNSZg6m9gkcC2yTRI0apOBa2G8lz silas@pro.local
 
 write_files:
 - path: /root/overrides.list

From 474fffd01f3e0208454fbb3ed23b5c4b345111fd Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 9 Sep 2015 21:43:48 -0400
Subject: [PATCH 14/34] Select the full RepositoryBuild record

If we just return the ID, then peewee just fills in the other fields with defaults (such as UUID).
---
 data/model/build.py  |  3 ++-
 test/test_queries.py | 13 +++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/data/model/build.py b/data/model/build.py
index 7f2479772..6fc4324bb 100644
--- a/data/model/build.py
+++ b/data/model/build.py
@@ -175,11 +175,12 @@ def get_archivable_build():
           .alias('candidates'))
 
   try:
-    return (RepositoryBuild
+    found_id = (RepositoryBuild
              .select(candidates.c.id)
              .from_(candidates)
              .order_by(db_random_func())
              .get())
+    return RepositoryBuild.get(id=found_id)
   except RepositoryBuild.DoesNotExist:
     return None
 
diff --git a/test/test_queries.py b/test/test_queries.py
index 6ef9b24d9..d538bea74 100644
--- a/test/test_queries.py
+++ b/test/test_queries.py
@@ -24,17 +24,26 @@ class TestSpecificQueries(unittest.TestCase):
     result = model.build.get_archivable_build()
     self.assertIsNone(result)
 
-    # Add a build that we know needs to be archived.
+    # Add a build that cannot (yet) be archived.
     repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
     token = model.token.create_access_token(repo, 'write')
     created = RepositoryBuild.create(repository=repo, access_token=token,
-                                     phase=model.build.BUILD_PHASE.COMPLETE,
+                                     phase=model.build.BUILD_PHASE.WAITING,
                                      logs_archived=False, job_config='{}',
                                      display_name='')
 
+    # Make sure there are no archivable logs.
+    result = model.build.get_archivable_build()
+    self.assertIsNone(result)
+
+    # Change the build to being complete.
+    created.phase = model.build.BUILD_PHASE.COMPLETE
+    created.save()
+
     # Make sure we now find an archivable build.
     result = model.build.get_archivable_build()
     self.assertEquals(created.id, result.id)
+    self.assertEquals(created.uuid, result.uuid)
 
 if __name__ == '__main__':
   unittest.main()
\ No newline at end of file

From 840e4cd64b027c8604c55ee1f4683b2a3242d4f9 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 10 Sep 2015 11:57:43 -0400
Subject: [PATCH 15/34] Add missing requirement

---
 requirements-nover.txt | 1 +
 requirements.txt       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/requirements-nover.txt b/requirements-nover.txt
index 5eb9dff3c..95e6bae3f 100644
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@@ -53,3 +53,4 @@ Flask-Testing
 pyjwt
 toposort
 rfc3987
+pyjwkest
diff --git a/requirements.txt b/requirements.txt
index ba6dcbb2a..3df8ec547 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -58,6 +58,7 @@ pycparser==2.14
 pycrypto==2.6.1
 pygpgme==0.3
 PyJWT==1.4.0
+pyjwkest==1.0.1
 PyMySQL==0.6.6
 pyOpenSSL==0.15.1
 PyPDF2==1.24

From c2fe751d152b73d20adb71b7b306f46142ec4dae Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 10 Sep 2015 12:09:01 -0400
Subject: [PATCH 16/34] Despite being disabled, OAuth config is still read, so
 switch to .get

---
 util/config/oauth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/config/oauth.py b/util/config/oauth.py
index 0bd4473b8..0868c2c40 100644
--- a/util/config/oauth.py
+++ b/util/config/oauth.py
@@ -295,10 +295,10 @@ class OIDCConfig(OAuthConfig):
       raise Exception("Could not parse OIDC discovery information")
 
   def authorize_endpoint(self):
-    return self._oidc_config['authorization_endpoint'] + '?'
+    return self._oidc_config.get('authorization_endpoint', '') + '?'
 
   def token_endpoint(self):
-    return self._oidc_config['token_endpoint']
+    return self._oidc_config.get('token_endpoint')
 
   def user_endpoint(self):
     return None

From 88a04441de9402e50097bf8a968ecae19ed04cc3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Fri, 24 Jul 2015 14:52:19 -0400
Subject: [PATCH 17/34] Extract the config provider into its own sub-module

---
 app.py                               |  13 +-
 endpoints/api/suconfig.py            |  32 ++---
 endpoints/decorated.py               |   2 +-
 test/test_suconfig_api.py            |   8 +-
 util/config/provider.py              | 181 ---------------------------
 util/config/provider/__init__.py     |  10 ++
 util/config/provider/baseprovider.py |  77 ++++++++++++
 util/config/provider/fileprovider.py |  66 ++++++++++
 util/config/provider/testprovider.py |  45 +++++++
 util/config/validator.py             |   8 +-
 10 files changed, 230 insertions(+), 212 deletions(-)
 delete mode 100644 util/config/provider.py
 create mode 100644 util/config/provider/__init__.py
 create mode 100644 util/config/provider/baseprovider.py
 create mode 100644 util/config/provider/fileprovider.py
 create mode 100644 util/config/provider/testprovider.py

diff --git a/app.py b/app.py
index 68e527ee2..cdbc7d08a 100644
--- a/app.py
+++ b/app.py
@@ -32,7 +32,8 @@ from util.config.oauth import (GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuth
 from util.security.signing import Signer
 from util.saas.cloudwatch import start_cloudwatch_sender
 from util.saas.metricqueue import MetricQueue
-from util.config.provider import FileConfigProvider, TestConfigProvider
+from util.saas.queuemetrics import QueueMetrics
+from util.config.provider import get_config_provider
 from util.config.configutil import generate_secret_key
 from util.config.superusermanager import SuperUserManager
 
@@ -42,8 +43,6 @@ OVERRIDE_CONFIG_PY_FILENAME = 'conf/stack/config.py'
 
 OVERRIDE_CONFIG_KEY = 'QUAY_OVERRIDE_CONFIG'
 
-CONFIG_PROVIDER = FileConfigProvider(OVERRIDE_CONFIG_DIRECTORY, 'config.yaml', 'config.py')
-
 app = Flask(__name__)
 logger = logging.getLogger(__name__)
 
@@ -57,9 +56,11 @@ class RegexConverter(BaseConverter):
 app.url_map.converters['regex'] = RegexConverter
 
 # Instantiate the default configuration (for test or for normal operation).
-if 'TEST' in os.environ:
-  CONFIG_PROVIDER = TestConfigProvider()
+is_testing = 'TEST' in os.environ
+config_provider = get_config_provider(OVERRIDE_CONFIG_DIRECTORY, 'config.yaml', 'config.py',
+                                      testing=is_testing)
 
+if is_testing:
   from test.testconfig import TestConfig
   logger.debug('Loading test config.')
   app.config.from_object(TestConfig())
@@ -70,7 +71,7 @@ else:
   app.teardown_request(database.close_db_filter)
 
 # Load the override config via the provider.
-CONFIG_PROVIDER.update_app_config(app.config)
+config_provider.update_app_config(app.config)
 
 # Update any configuration found in the override environment variable.
 OVERRIDE_CONFIG_KEY = 'QUAY_OVERRIDE_CONFIG'
diff --git a/endpoints/api/suconfig.py b/endpoints/api/suconfig.py
index 1b24da70c..a4edf6839 100644
--- a/endpoints/api/suconfig.py
+++ b/endpoints/api/suconfig.py
@@ -9,7 +9,7 @@ from endpoints.api import (ApiResource, nickname, resource, internal_only, show_
                            require_fresh_login, request, validate_json_request, verify_not_prod)
 
 from endpoints.common import common_login
-from app import app, CONFIG_PROVIDER, superusers
+from app import app, config_provider, superusers
 from data import model
 from data.database import configure
 from auth.permissions import SuperUserPermission
@@ -56,13 +56,13 @@ class SuperUserRegistryStatus(ApiResource):
     """ Returns the status of the registry. """
 
     # If there is no conf/stack volume, then report that status.
-    if not CONFIG_PROVIDER.volume_exists():
+    if not config_provider.volume_exists():
       return {
         'status': 'missing-config-dir'
       }
 
     # If there is no config file, we need to setup the database.
-    if not CONFIG_PROVIDER.yaml_exists():
+    if not config_provider.yaml_exists():
       return {
         'status': 'config-db'
       }
@@ -76,7 +76,7 @@ class SuperUserRegistryStatus(ApiResource):
     # If we have SETUP_COMPLETE, then we're ready to go!
     if app.config.get('SETUP_COMPLETE', False):
       return {
-        'requires_restart': CONFIG_PROVIDER.requires_restart(app.config),
+        'requires_restart': config_provider.requires_restart(app.config),
         'status': 'ready'
       }
 
@@ -107,10 +107,10 @@ class SuperUserSetupDatabase(ApiResource):
     """ Invokes the alembic upgrade process. """
     # Note: This method is called after the database configured is saved, but before the
     # database has any tables. Therefore, we only allow it to be run in that unique case.
-    if CONFIG_PROVIDER.yaml_exists() and not database_is_valid():
+    if config_provider.yaml_exists() and not database_is_valid():
       # Note: We need to reconfigure the database here as the config has changed.
       combined = dict(**app.config)
-      combined.update(CONFIG_PROVIDER.get_yaml())
+      combined.update(config_provider.get_yaml())
 
       configure(combined)
       app.config['DB_URI'] = combined['DB_URI']
@@ -185,7 +185,7 @@ class SuperUserConfig(ApiResource):
   def get(self):
     """ Returns the currently defined configuration, if any. """
     if SuperUserPermission().can():
-      config_object = CONFIG_PROVIDER.get_yaml()
+      config_object = config_provider.get_yaml()
       return {
         'config': config_object
       }
@@ -199,7 +199,7 @@ class SuperUserConfig(ApiResource):
     """ Updates the config.yaml file. """
     # Note: This method is called to set the database configuration before super users exists,
     # so we also allow it to be called if there is no valid registry configuration setup.
-    if not CONFIG_PROVIDER.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.yaml_exists() or SuperUserPermission().can():
       config_object = request.get_json()['config']
       hostname = request.get_json()['hostname']
 
@@ -207,7 +207,7 @@ class SuperUserConfig(ApiResource):
       add_enterprise_config_defaults(config_object, app.config['SECRET_KEY'], hostname)
 
       # Write the configuration changes to the YAML file.
-      CONFIG_PROVIDER.save_yaml(config_object)
+      config_provider.save_yaml(config_object)
 
       # If the authentication system is not the database, link the superuser account to the
       # the authentication system chosen.
@@ -238,7 +238,7 @@ class SuperUserConfigFile(ApiResource):
 
     if SuperUserPermission().can():
       return {
-       'exists': CONFIG_PROVIDER.volume_file_exists(filename)
+       'exists': config_provider.volume_file_exists(filename)
       }
 
     abort(403)
@@ -252,12 +252,12 @@ class SuperUserConfigFile(ApiResource):
 
     # Note: This method can be called before the configuration exists
     # to upload the database SSL cert.
-    if not CONFIG_PROVIDER.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.yaml_exists() or SuperUserPermission().can():
       uploaded_file = request.files['file']
       if not uploaded_file:
         abort(400)
 
-      CONFIG_PROVIDER.save_volume_file(filename, uploaded_file)
+      config_provider.save_volume_file(filename, uploaded_file)
       return {
         'status': True
       }
@@ -309,7 +309,7 @@ class SuperUserCreateInitialSuperUser(ApiResource):
     #
     # We do this special security check because at the point this method is called, the database
     # is clean but does not (yet) have any super users for our permissions code to check against.
-    if CONFIG_PROVIDER.yaml_exists() and not database_has_users():
+    if config_provider.yaml_exists() and not database_has_users():
       data = request.get_json()
       username = data['username']
       password = data['password']
@@ -319,9 +319,9 @@ class SuperUserCreateInitialSuperUser(ApiResource):
       superuser = model.user.create_user(username, password, email, auto_verify=True)
 
       # Add the user to the config.
-      config_object = CONFIG_PROVIDER.get_yaml()
+      config_object = config_provider.get_yaml()
       config_object['SUPER_USERS'] = [username]
-      CONFIG_PROVIDER.save_yaml(config_object)
+      config_provider.save_yaml(config_object)
 
       # Update the in-memory config for the new superuser.
       superusers.register_superuser(username)
@@ -369,7 +369,7 @@ class SuperUserConfigValidate(ApiResource):
     # Note: This method is called to validate the database configuration before super users exists,
     # so we also allow it to be called if there is no valid registry configuration setup. Note that
     # this is also safe since this method does not access any information not given in the request.
-    if not CONFIG_PROVIDER.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.yaml_exists() or SuperUserPermission().can():
       config = request.get_json()['config']
       return validate_service_for_config(service, config, request.get_json().get('password', ''))
 
diff --git a/endpoints/decorated.py b/endpoints/decorated.py
index b51e1ee2e..d1e654da0 100644
--- a/endpoints/decorated.py
+++ b/endpoints/decorated.py
@@ -4,7 +4,7 @@ import json
 from flask import make_response
 from app import app
 from util.useremails import CannotSendEmailException
-from util.config.provider import CannotWriteConfigException
+from util.config.provider.baseprovider import CannotWriteConfigException
 from data import model
 
 logger = logging.getLogger(__name__)
diff --git a/test/test_suconfig_api.py b/test/test_suconfig_api.py
index 7e049f610..795ab8fe5 100644
--- a/test/test_suconfig_api.py
+++ b/test/test_suconfig_api.py
@@ -1,7 +1,7 @@
 from test.test_api_usage import ApiTestCase, READ_ACCESS_USER, ADMIN_ACCESS_USER
 from endpoints.api.suconfig import (SuperUserRegistryStatus, SuperUserConfig, SuperUserConfigFile,
                                     SuperUserCreateInitialSuperUser, SuperUserConfigValidate)
-from app import CONFIG_PROVIDER
+from app import config_provider
 from data.database import User
 
 import unittest
@@ -10,11 +10,11 @@ import unittest
 class ConfigForTesting(object):
 
   def __enter__(self):
-    CONFIG_PROVIDER.reset_for_test()
-    return CONFIG_PROVIDER
+    config_provider.reset_for_test()
+    return config_provider
 
   def __exit__(self, type, value, traceback):
-    CONFIG_PROVIDER.reset_for_test()
+    config_provider.reset_for_test()
 
 
 class TestSuperUserRegistryStatus(ApiTestCase):
diff --git a/util/config/provider.py b/util/config/provider.py
deleted file mode 100644
index 32bc4c6f9..000000000
--- a/util/config/provider.py
+++ /dev/null
@@ -1,181 +0,0 @@
-import os
-import yaml
-import logging
-import json
-from StringIO import StringIO
-
-logger = logging.getLogger(__name__)
-
-class CannotWriteConfigException(Exception):
-  """ Exception raised when the config cannot be written. """
-  pass
-
-def _import_yaml(config_obj, config_file):
-  with open(config_file) as f:
-    c = yaml.safe_load(f)
-    if not c:
-      logger.debug('Empty YAML config file')
-      return
-
-    if isinstance(c, str):
-      raise Exception('Invalid YAML config file: ' + str(c))
-
-    for key in c.iterkeys():
-      if key.isupper():
-        config_obj[key] = c[key]
-
-  return config_obj
-
-
-def _export_yaml(config_obj, config_file):
-  try:
-    with open(config_file, 'w') as f:
-      f.write(yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True))
-  except IOError as ioe:
-    raise CannotWriteConfigException(str(ioe))
-
-
-class BaseProvider(object):
-  """ A configuration provider helps to load, save, and handle config override in the application.
-  """
-
-  def update_app_config(self, app_config):
-    """ Updates the given application config object with the loaded override config. """
-    raise NotImplementedError
-
-  def get_yaml(self):
-    """ Returns the contents of the YAML config override file, or None if none. """
-    raise NotImplementedError
-
-  def save_yaml(self, config_object):
-    """ Updates the contents of the YAML config override file to those given. """
-    raise NotImplementedError
-
-  def yaml_exists(self):
-    """ Returns true if a YAML config override file exists in the config volume. """
-    raise NotImplementedError
-
-  def volume_exists(self):
-    """ Returns whether the config override volume exists. """
-    raise NotImplementedError
-
-  def volume_file_exists(self, filename):
-    """ Returns whether the file with the given name exists under the config override volume. """
-    raise NotImplementedError
-
-  def get_volume_file(self, filename, mode='r'):
-    """ Returns a Python file referring to the given name under the config override volumne. """
-    raise NotImplementedError
-
-  def save_volume_file(self, filename, flask_file):
-    """ Saves the given flask file to the config override volume, with the given
-        filename.
-    """
-    raise NotImplementedError
-
-  def requires_restart(self, app_config):
-    """ If true, the configuration loaded into memory for the app does not match that on disk,
-        indicating that this container requires a restart.
-    """
-    raise NotImplementedError
-
-
-class FileConfigProvider(BaseProvider):
-  """ Implementation of the config provider that reads the data from the file system. """
-  def __init__(self, config_volume, yaml_filename, py_filename):
-    self.config_volume = config_volume
-    self.yaml_filename = yaml_filename
-    self.py_filename = py_filename
-
-    self.yaml_path = os.path.join(config_volume, yaml_filename)
-    self.py_path = os.path.join(config_volume, py_filename)
-
-  def update_app_config(self, app_config):
-    if os.path.exists(self.py_path):
-      logger.debug('Applying config file: %s', self.py_path)
-      app_config.from_pyfile(self.py_path)
-
-    if os.path.exists(self.yaml_path):
-      logger.debug('Applying config file: %s', self.yaml_path)
-      _import_yaml(app_config, self.yaml_path)
-
-  def get_yaml(self):
-    if not os.path.exists(self.yaml_path):
-      return None
-
-    config_obj = {}
-    _import_yaml(config_obj, self.yaml_path)
-    return config_obj
-
-  def save_yaml(self, config_obj):
-    _export_yaml(config_obj, self.yaml_path)
-
-  def yaml_exists(self):
-    return self.volume_file_exists(self.yaml_filename)
-
-  def volume_exists(self):
-    return os.path.exists(self.config_volume)
-
-  def volume_file_exists(self, filename):
-    return os.path.exists(os.path.join(self.config_volume, filename))
-
-  def get_volume_file(self, filename, mode='r'):
-    return open(os.path.join(self.config_volume, filename), mode)
-
-  def save_volume_file(self, filename, flask_file):
-    try:
-      flask_file.save(os.path.join(self.config_volume, filename))
-    except IOError as ioe:
-      raise CannotWriteConfigException(str(ioe))
-
-  def requires_restart(self, app_config):
-    file_config = self.get_yaml()
-    if not file_config:
-      return False
-
-    for key in file_config:
-      if app_config.get(key) != file_config[key]:
-        return True
-
-    return False
-
-class TestConfigProvider(BaseProvider):
-  """ Implementation of the config provider for testing. Everything is kept in-memory instead on
-      the real file system. """
-  def __init__(self):
-    self.files = {}
-    self._config = None
-
-  def update_app_config(self, app_config):
-    self._config = app_config
-
-  def get_yaml(self):
-    if not 'config.yaml' in self.files:
-      return None
-
-    return json.loads(self.files.get('config.yaml', '{}'))
-
-  def save_yaml(self, config_obj):
-    self.files['config.yaml'] = json.dumps(config_obj)
-
-  def yaml_exists(self):
-    return 'config.yaml' in self.files
-
-  def volume_exists(self):
-    return True
-
-  def volume_file_exists(self, filename):
-    return filename in self.files
-
-  def save_volume_file(self, filename, flask_file):
-    self.files[filename] = ''
-
-  def get_volume_file(self, filename, mode='r'):
-    return StringIO(self.files[filename])
-
-  def requires_restart(self, app_config):
-    return False
-
-  def reset_for_test(self):
-    self._config['SUPER_USERS'] = ['devtable']
-    self.files = {}
diff --git a/util/config/provider/__init__.py b/util/config/provider/__init__.py
new file mode 100644
index 000000000..4445d696c
--- /dev/null
+++ b/util/config/provider/__init__.py
@@ -0,0 +1,10 @@
+from util.config.provider.fileprovider import FileConfigProvider
+from util.config.provider.testprovider import TestConfigProvider
+
+def get_config_provider(config_volume, yaml_filename, py_filename, testing=False):
+  """ Loads and returns the config provider for the current environment. """
+  if testing:
+    return TestConfigProvider()
+
+  return FileConfigProvider(config_volume, yaml_filename, py_filename)
+
diff --git a/util/config/provider/baseprovider.py b/util/config/provider/baseprovider.py
new file mode 100644
index 000000000..10a63b7c9
--- /dev/null
+++ b/util/config/provider/baseprovider.py
@@ -0,0 +1,77 @@
+import yaml
+import logging
+
+logger = logging.getLogger(__name__)
+
+class CannotWriteConfigException(Exception):
+  """ Exception raised when the config cannot be written. """
+  pass
+
+def import_yaml(config_obj, config_file):
+  with open(config_file) as f:
+    c = yaml.safe_load(f)
+    if not c:
+      logger.debug('Empty YAML config file')
+      return
+
+    if isinstance(c, str):
+      raise Exception('Invalid YAML config file: ' + str(c))
+
+    for key in c.iterkeys():
+      if key.isupper():
+        config_obj[key] = c[key]
+
+  return config_obj
+
+
+def export_yaml(config_obj, config_file):
+  try:
+    with open(config_file, 'w') as f:
+      f.write(yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True))
+  except IOError as ioe:
+    raise CannotWriteConfigException(str(ioe))
+
+
+class BaseProvider(object):
+  """ A configuration provider helps to load, save, and handle config override in the application.
+  """
+
+  def update_app_config(self, app_config):
+    """ Updates the given application config object with the loaded override config. """
+    raise NotImplementedError
+
+  def get_yaml(self):
+    """ Returns the contents of the YAML config override file, or None if none. """
+    raise NotImplementedError
+
+  def save_yaml(self, config_object):
+    """ Updates the contents of the YAML config override file to those given. """
+    raise NotImplementedError
+
+  def yaml_exists(self):
+    """ Returns true if a YAML config override file exists in the config volume. """
+    raise NotImplementedError
+
+  def volume_exists(self):
+    """ Returns whether the config override volume exists. """
+    raise NotImplementedError
+
+  def volume_file_exists(self, filename):
+    """ Returns whether the file with the given name exists under the config override volume. """
+    raise NotImplementedError
+
+  def get_volume_file(self, filename, mode='r'):
+    """ Returns a Python file referring to the given name under the config override volumne. """
+    raise NotImplementedError
+
+  def save_volume_file(self, filename, flask_file):
+    """ Saves the given flask file to the config override volume, with the given
+        filename.
+    """
+    raise NotImplementedError
+
+  def requires_restart(self, app_config):
+    """ If true, the configuration loaded into memory for the app does not match that on disk,
+        indicating that this container requires a restart.
+    """
+    raise NotImplementedError
\ No newline at end of file
diff --git a/util/config/provider/fileprovider.py b/util/config/provider/fileprovider.py
new file mode 100644
index 000000000..2f616aa44
--- /dev/null
+++ b/util/config/provider/fileprovider.py
@@ -0,0 +1,66 @@
+import os
+import logging
+
+from util.config.provider.baseprovider import (BaseProvider, import_yaml, export_yaml,
+                                               CannotWriteConfigException)
+
+logger = logging.getLogger(__name__)
+
+class FileConfigProvider(BaseProvider):
+  """ Implementation of the config provider that reads the data from the file system. """
+  def __init__(self, config_volume, yaml_filename, py_filename):
+    self.config_volume = config_volume
+    self.yaml_filename = yaml_filename
+    self.py_filename = py_filename
+
+    self.yaml_path = os.path.join(config_volume, yaml_filename)
+    self.py_path = os.path.join(config_volume, py_filename)
+
+  def update_app_config(self, app_config):
+    if os.path.exists(self.py_path):
+      logger.debug('Applying config file: %s', self.py_path)
+      app_config.from_pyfile(self.py_path)
+
+    if os.path.exists(self.yaml_path):
+      logger.debug('Applying config file: %s', self.yaml_path)
+      import_yaml(app_config, self.yaml_path)
+
+  def get_yaml(self):
+    if not os.path.exists(self.yaml_path):
+      return None
+
+    config_obj = {}
+    import_yaml(config_obj, self.yaml_path)
+    return config_obj
+
+  def save_yaml(self, config_obj):
+    export_yaml(config_obj, self.yaml_path)
+
+  def yaml_exists(self):
+    return self.volume_file_exists(self.yaml_filename)
+
+  def volume_exists(self):
+    return os.path.exists(self.config_volume)
+
+  def volume_file_exists(self, filename):
+    return os.path.exists(os.path.join(self.config_volume, filename))
+
+  def get_volume_file(self, filename, mode='r'):
+    return open(os.path.join(self.config_volume, filename), mode)
+
+  def save_volume_file(self, filename, flask_file):
+    try:
+      flask_file.save(os.path.join(self.config_volume, filename))
+    except IOError as ioe:
+      raise CannotWriteConfigException(str(ioe))
+
+  def requires_restart(self, app_config):
+    file_config = self.get_yaml()
+    if not file_config:
+      return False
+
+    for key in file_config:
+      if app_config.get(key) != file_config[key]:
+        return True
+
+    return False
diff --git a/util/config/provider/testprovider.py b/util/config/provider/testprovider.py
new file mode 100644
index 000000000..1e237f3b7
--- /dev/null
+++ b/util/config/provider/testprovider.py
@@ -0,0 +1,45 @@
+import json
+from StringIO import StringIO
+
+from util.config.provider.baseprovider import BaseProvider
+
+class TestConfigProvider(BaseProvider):
+  """ Implementation of the config provider for testing. Everything is kept in-memory instead on
+      the real file system. """
+  def __init__(self):
+    self.files = {}
+    self._config = None
+
+  def update_app_config(self, app_config):
+    self._config = app_config
+
+  def get_yaml(self):
+    if not 'config.yaml' in self.files:
+      return None
+
+    return json.loads(self.files.get('config.yaml', '{}'))
+
+  def save_yaml(self, config_obj):
+    self.files['config.yaml'] = json.dumps(config_obj)
+
+  def yaml_exists(self):
+    return 'config.yaml' in self.files
+
+  def volume_exists(self):
+    return True
+
+  def volume_file_exists(self, filename):
+    return filename in self.files
+
+  def save_volume_file(self, filename, flask_file):
+    self.files[filename] = ''
+
+  def get_volume_file(self, filename, mode='r'):
+    return StringIO(self.files[filename])
+
+  def requires_restart(self, app_config):
+    return False
+
+  def reset_for_test(self):
+    self._config['SUPER_USERS'] = ['devtable']
+    self.files = {}
diff --git a/util/config/validator.py b/util/config/validator.py
index 67def6a76..e66cb341d 100644
--- a/util/config/validator.py
+++ b/util/config/validator.py
@@ -19,7 +19,7 @@ from auth.auth_context import get_authenticated_user
 from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
 from bitbucket import BitBucket
 
-from app import app, CONFIG_PROVIDER, get_app_url, OVERRIDE_CONFIG_DIRECTORY
+from app import app, config_provider, get_app_url, OVERRIDE_CONFIG_DIRECTORY
 
 logger = logging.getLogger(__name__)
 
@@ -223,10 +223,10 @@ def _validate_ssl(config, _):
     return
 
   for filename in SSL_FILENAMES:
-    if not CONFIG_PROVIDER.volume_file_exists(filename):
+    if not config_provider.volume_file_exists(filename):
       raise Exception('Missing required SSL file: %s' % filename)
 
-  with CONFIG_PROVIDER.get_volume_file(SSL_FILENAMES[0]) as f:
+  with config_provider.get_volume_file(SSL_FILENAMES[0]) as f:
     cert_contents = f.read()
 
   # Validate the certificate.
@@ -239,7 +239,7 @@ def _validate_ssl(config, _):
     raise Exception('The specified SSL certificate has expired.')
 
   private_key_path = None
-  with CONFIG_PROVIDER.get_volume_file(SSL_FILENAMES[1]) as f:
+  with config_provider.get_volume_file(SSL_FILENAMES[1]) as f:
     private_key_path = f.name
 
   if not private_key_path:

From fd3a21fba9a1a2cc418e4c9d4b2bfbc752065811 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 27 Jul 2015 11:17:44 -0400
Subject: [PATCH 18/34] Add Kubernetes configuration provider which writes
 config to a secret

Fixes #145
---
 app.py                               |   6 +-
 endpoints/api/suconfig.py            |  26 +++----
 endpoints/web.py                     |   6 +-
 health/healthcheck.py                |  18 +++--
 test/test_suconfig_api.py            |   2 +-
 util/config/provider/__init__.py     |   8 +-
 util/config/provider/baseprovider.py |  21 ++++--
 util/config/provider/fileprovider.py |  17 +++--
 util/config/provider/k8sprovider.py  | 109 +++++++++++++++++++++++++++
 util/config/provider/testprovider.py |  10 ++-
 10 files changed, 179 insertions(+), 44 deletions(-)
 create mode 100644 util/config/provider/k8sprovider.py

diff --git a/app.py b/app.py
index cdbc7d08a..0fcda573c 100644
--- a/app.py
+++ b/app.py
@@ -32,7 +32,6 @@ from util.config.oauth import (GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuth
 from util.security.signing import Signer
 from util.saas.cloudwatch import start_cloudwatch_sender
 from util.saas.metricqueue import MetricQueue
-from util.saas.queuemetrics import QueueMetrics
 from util.config.provider import get_config_provider
 from util.config.configutil import generate_secret_key
 from util.config.superusermanager import SuperUserManager
@@ -55,10 +54,11 @@ class RegexConverter(BaseConverter):
 
 app.url_map.converters['regex'] = RegexConverter
 
-# Instantiate the default configuration (for test or for normal operation).
+# Instantiate the configuration.
 is_testing = 'TEST' in os.environ
+is_kubernetes = 'KUBERNETES_SERVICE_HOST' in os.environ
 config_provider = get_config_provider(OVERRIDE_CONFIG_DIRECTORY, 'config.yaml', 'config.py',
-                                      testing=is_testing)
+                                      testing=is_testing, kubernetes=is_kubernetes)
 
 if is_testing:
   from test.testconfig import TestConfig
diff --git a/endpoints/api/suconfig.py b/endpoints/api/suconfig.py
index a4edf6839..aaea5a309 100644
--- a/endpoints/api/suconfig.py
+++ b/endpoints/api/suconfig.py
@@ -62,7 +62,7 @@ class SuperUserRegistryStatus(ApiResource):
       }
 
     # If there is no config file, we need to setup the database.
-    if not config_provider.yaml_exists():
+    if not config_provider.config_exists():
       return {
         'status': 'config-db'
       }
@@ -107,10 +107,10 @@ class SuperUserSetupDatabase(ApiResource):
     """ Invokes the alembic upgrade process. """
     # Note: This method is called after the database configured is saved, but before the
     # database has any tables. Therefore, we only allow it to be run in that unique case.
-    if config_provider.yaml_exists() and not database_is_valid():
+    if config_provider.config_exists() and not database_is_valid():
       # Note: We need to reconfigure the database here as the config has changed.
       combined = dict(**app.config)
-      combined.update(config_provider.get_yaml())
+      combined.update(config_provider.get_config())
 
       configure(combined)
       app.config['DB_URI'] = combined['DB_URI']
@@ -185,7 +185,7 @@ class SuperUserConfig(ApiResource):
   def get(self):
     """ Returns the currently defined configuration, if any. """
     if SuperUserPermission().can():
-      config_object = config_provider.get_yaml()
+      config_object = config_provider.get_config()
       return {
         'config': config_object
       }
@@ -196,18 +196,18 @@ class SuperUserConfig(ApiResource):
   @verify_not_prod
   @validate_json_request('UpdateConfig')
   def put(self):
-    """ Updates the config.yaml file. """
+    """ Updates the config override file. """
     # Note: This method is called to set the database configuration before super users exists,
     # so we also allow it to be called if there is no valid registry configuration setup.
-    if not config_provider.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.config_exists() or SuperUserPermission().can():
       config_object = request.get_json()['config']
       hostname = request.get_json()['hostname']
 
       # Add any enterprise defaults missing from the config.
       add_enterprise_config_defaults(config_object, app.config['SECRET_KEY'], hostname)
 
-      # Write the configuration changes to the YAML file.
-      config_provider.save_yaml(config_object)
+      # Write the configuration changes to the config override file.
+      config_provider.save_config(config_object)
 
       # If the authentication system is not the database, link the superuser account to the
       # the authentication system chosen.
@@ -252,7 +252,7 @@ class SuperUserConfigFile(ApiResource):
 
     # Note: This method can be called before the configuration exists
     # to upload the database SSL cert.
-    if not config_provider.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.config_exists() or SuperUserPermission().can():
       uploaded_file = request.files['file']
       if not uploaded_file:
         abort(400)
@@ -309,7 +309,7 @@ class SuperUserCreateInitialSuperUser(ApiResource):
     #
     # We do this special security check because at the point this method is called, the database
     # is clean but does not (yet) have any super users for our permissions code to check against.
-    if config_provider.yaml_exists() and not database_has_users():
+    if config_provider.config_exists() and not database_has_users():
       data = request.get_json()
       username = data['username']
       password = data['password']
@@ -319,9 +319,9 @@ class SuperUserCreateInitialSuperUser(ApiResource):
       superuser = model.user.create_user(username, password, email, auto_verify=True)
 
       # Add the user to the config.
-      config_object = config_provider.get_yaml()
+      config_object = config_provider.get_config()
       config_object['SUPER_USERS'] = [username]
-      config_provider.save_yaml(config_object)
+      config_provider.save_config(config_object)
 
       # Update the in-memory config for the new superuser.
       superusers.register_superuser(username)
@@ -369,7 +369,7 @@ class SuperUserConfigValidate(ApiResource):
     # Note: This method is called to validate the database configuration before super users exists,
     # so we also allow it to be called if there is no valid registry configuration setup. Note that
     # this is also safe since this method does not access any information not given in the request.
-    if not config_provider.yaml_exists() or SuperUserPermission().can():
+    if not config_provider.config_exists() or SuperUserPermission().can():
       config = request.get_json()['config']
       return validate_service_for_config(service, config, request.get_json().get('password', ''))
 
diff --git a/endpoints/web.py b/endpoints/web.py
index 8018b3666..154483faf 100644
--- a/endpoints/web.py
+++ b/endpoints/web.py
@@ -9,7 +9,7 @@ from health.healthcheck import get_healthchecker
 
 from data import model
 from data.database import db
-from app import app, billing as stripe, build_logs, avatar, signer, log_archive
+from app import app, billing as stripe, build_logs, avatar, signer, log_archive, config_provider
 from auth.auth import require_session_login, process_oauth
 from auth.permissions import (AdministerOrganizationPermission, ReadRepositoryPermission,
                               SuperUserPermission, AdministerRepositoryPermission,
@@ -209,7 +209,7 @@ def v1():
 @web.route('/health/instance', methods=['GET'])
 @no_cache
 def instance_health():
-  checker = get_healthchecker(app)
+  checker = get_healthchecker(app, config_provider)
   (data, status_code) = checker.check_instance()
   response = jsonify(dict(data=data, status_code=status_code))
   response.status_code = status_code
@@ -221,7 +221,7 @@ def instance_health():
 @web.route('/health/endtoend', methods=['GET'])
 @no_cache
 def endtoend_health():
-  checker = get_healthchecker(app)
+  checker = get_healthchecker(app, config_provider)
   (data, status_code) = checker.check_endtoend()
   response = jsonify(dict(data=data, status_code=status_code))
   response.status_code = status_code
diff --git a/health/healthcheck.py b/health/healthcheck.py
index 98de22435..c212c694d 100644
--- a/health/healthcheck.py
+++ b/health/healthcheck.py
@@ -4,14 +4,15 @@ from health.services import check_all_services
 
 logger = logging.getLogger(__name__)
 
-def get_healthchecker(app):
+def get_healthchecker(app, config_provider):
   """ Returns a HealthCheck instance for the given app. """
-  return HealthCheck.get_checker(app)
+  return HealthCheck.get_checker(app, config_provider)
 
 
 class HealthCheck(object):
-  def __init__(self, app):
+  def __init__(self, app, config_provider):
     self.app = app
+    self.config_provider = config_provider
 
   def check_instance(self):
     """
@@ -52,20 +53,21 @@ class HealthCheck(object):
     data = {
       'services': service_statuses,
       'notes': notes,
-      'is_testing': self.app.config['TESTING']
+      'is_testing': self.app.config['TESTING'],
+      'config_provider': self.config_provider.provider_id
     }
 
     return (data, 200 if is_healthy else 503)
 
 
   @classmethod
-  def get_checker(cls, app):
+  def get_checker(cls, app, config_provider):
     name = app.config['HEALTH_CHECKER'][0]
     parameters = app.config['HEALTH_CHECKER'][1] or {}
 
     for subc in cls.__subclasses__():
       if subc.check_name() == name:
-        return subc(app, **parameters)
+        return subc(app, config_provider, **parameters)
 
     raise Exception('Unknown health check with name %s' % name)
 
@@ -77,8 +79,8 @@ class LocalHealthCheck(HealthCheck):
 
 
 class ProductionHealthCheck(HealthCheck):
-  def __init__(self, app, access_key, secret_key, db_instance='quay'):
-    super(ProductionHealthCheck, self).__init__(app)
+  def __init__(self, app, config_provider, access_key, secret_key, db_instance='quay'):
+    super(ProductionHealthCheck, self).__init__(app, config_provider)
     self.access_key = access_key
     self.secret_key = secret_key
     self.db_instance = db_instance
diff --git a/test/test_suconfig_api.py b/test/test_suconfig_api.py
index 795ab8fe5..6cbdcafa8 100644
--- a/test/test_suconfig_api.py
+++ b/test/test_suconfig_api.py
@@ -166,7 +166,7 @@ class TestSuperUserConfig(ApiTestCase):
       self.assertTrue(json['exists'])
 
       # Verify the config file exists.
-      self.assertTrue(config.yaml_exists())
+      self.assertTrue(config.config_exists())
 
       # Try writing it again. This should now fail, since the config.yaml exists.
       self.putResponse(SuperUserConfig, data=dict(config={}, hostname='barbaz'), expected_code=403)
diff --git a/util/config/provider/__init__.py b/util/config/provider/__init__.py
index 4445d696c..ce2301912 100644
--- a/util/config/provider/__init__.py
+++ b/util/config/provider/__init__.py
@@ -1,10 +1,16 @@
 from util.config.provider.fileprovider import FileConfigProvider
 from util.config.provider.testprovider import TestConfigProvider
+from util.config.provider.k8sprovider import KubernetesConfigProvider
 
-def get_config_provider(config_volume, yaml_filename, py_filename, testing=False):
+import os
+
+def get_config_provider(config_volume, yaml_filename, py_filename, testing=False, kubernetes=False):
   """ Loads and returns the config provider for the current environment. """
   if testing:
     return TestConfigProvider()
 
+  if kubernetes:
+    return KubernetesConfigProvider(config_volume, yaml_filename, py_filename)
+
   return FileConfigProvider(config_volume, yaml_filename, py_filename)
 
diff --git a/util/config/provider/baseprovider.py b/util/config/provider/baseprovider.py
index 10a63b7c9..1cf9c654f 100644
--- a/util/config/provider/baseprovider.py
+++ b/util/config/provider/baseprovider.py
@@ -24,10 +24,13 @@ def import_yaml(config_obj, config_file):
   return config_obj
 
 
+def get_yaml(config_obj):
+  return yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True)
+
 def export_yaml(config_obj, config_file):
   try:
     with open(config_file, 'w') as f:
-      f.write(yaml.safe_dump(config_obj, encoding='utf-8', allow_unicode=True))
+      f.write(get_yaml(config_obj))
   except IOError as ioe:
     raise CannotWriteConfigException(str(ioe))
 
@@ -36,20 +39,24 @@ class BaseProvider(object):
   """ A configuration provider helps to load, save, and handle config override in the application.
   """
 
+  @property
+  def provider_id(self):
+    raise NotImplementedError
+
   def update_app_config(self, app_config):
     """ Updates the given application config object with the loaded override config. """
     raise NotImplementedError
 
-  def get_yaml(self):
-    """ Returns the contents of the YAML config override file, or None if none. """
+  def get_config(self):
+    """ Returns the contents of the config override file, or None if none. """
     raise NotImplementedError
 
-  def save_yaml(self, config_object):
-    """ Updates the contents of the YAML config override file to those given. """
+  def save_config(self, config_object):
+    """ Updates the contents of the config override file to those given. """
     raise NotImplementedError
 
-  def yaml_exists(self):
-    """ Returns true if a YAML config override file exists in the config volume. """
+  def config_exists(self):
+    """ Returns true if a config override file exists in the config volume. """
     raise NotImplementedError
 
   def volume_exists(self):
diff --git a/util/config/provider/fileprovider.py b/util/config/provider/fileprovider.py
index 2f616aa44..fe2b69df5 100644
--- a/util/config/provider/fileprovider.py
+++ b/util/config/provider/fileprovider.py
@@ -16,6 +16,10 @@ class FileConfigProvider(BaseProvider):
     self.yaml_path = os.path.join(config_volume, yaml_filename)
     self.py_path = os.path.join(config_volume, py_filename)
 
+  @property
+  def provider_id(self):
+    return 'file'
+
   def update_app_config(self, app_config):
     if os.path.exists(self.py_path):
       logger.debug('Applying config file: %s', self.py_path)
@@ -25,7 +29,7 @@ class FileConfigProvider(BaseProvider):
       logger.debug('Applying config file: %s', self.yaml_path)
       import_yaml(app_config, self.yaml_path)
 
-  def get_yaml(self):
+  def get_config(self):
     if not os.path.exists(self.yaml_path):
       return None
 
@@ -33,10 +37,10 @@ class FileConfigProvider(BaseProvider):
     import_yaml(config_obj, self.yaml_path)
     return config_obj
 
-  def save_yaml(self, config_obj):
+  def save_config(self, config_obj):
     export_yaml(config_obj, self.yaml_path)
 
-  def yaml_exists(self):
+  def config_exists(self):
     return self.volume_file_exists(self.yaml_filename)
 
   def volume_exists(self):
@@ -49,13 +53,16 @@ class FileConfigProvider(BaseProvider):
     return open(os.path.join(self.config_volume, filename), mode)
 
   def save_volume_file(self, filename, flask_file):
+    filepath = os.path.join(self.config_volume, filename)
     try:
-      flask_file.save(os.path.join(self.config_volume, filename))
+      flask_file.save(filepath)
     except IOError as ioe:
       raise CannotWriteConfigException(str(ioe))
 
+    return filepath
+
   def requires_restart(self, app_config):
-    file_config = self.get_yaml()
+    file_config = self.get_config()
     if not file_config:
       return False
 
diff --git a/util/config/provider/k8sprovider.py b/util/config/provider/k8sprovider.py
new file mode 100644
index 000000000..4a5a6ef9d
--- /dev/null
+++ b/util/config/provider/k8sprovider.py
@@ -0,0 +1,109 @@
+import os
+import logging
+import json
+import base64
+
+from requests import Request, Session
+
+from util.config.provider.baseprovider import get_yaml, CannotWriteConfigException
+from util.config.provider.fileprovider import FileConfigProvider
+
+logger = logging.getLogger(__name__)
+
+KUBERNETES_API_HOST = 'kubernetes.default.svc.cluster.local'
+
+SERVICE_ACCOUNT_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'
+
+ER_NAMESPACE = 'quay'
+ER_CONFIG_SECRET = 'quay-config-secret'
+
+class KubernetesConfigProvider(FileConfigProvider):
+  """ Implementation of the config provider that reads and writes configuration
+      data from a Kubernetes Secret. """
+  def __init__(self, config_volume, yaml_filename, py_filename):
+    super(KubernetesConfigProvider, self).__init__(config_volume, yaml_filename, py_filename)
+
+    self.yaml_filename = yaml_filename
+
+    # Load the service account token from the local store.
+    if not os.path.exists(SERVICE_ACCOUNT_TOKEN_PATH):
+      raise Exception('Cannot load Kubernetes service account token')
+
+    with open(SERVICE_ACCOUNT_TOKEN_PATH, 'r') as f:
+      self._service_token = f.read()
+
+    # Make sure the configuration volume exists.
+    if not self.volume_exists():
+      os.makedirs(config_volume)
+
+  @property
+  def provider_id(self):
+    return 'k8s'
+
+  def save_config(self, config_obj):
+    self._update_secret_file(self.yaml_filename, get_yaml(config_obj))
+    super(KubernetesConfigProvider, self).save_config(config_obj)
+
+  def save_volume_file(self, filename, flask_file):
+    filepath = super(KubernetesConfigProvider, self).save_volume_file(filename, flask_file)
+
+    try:
+      with open(filepath, 'r') as f:
+        self._update_secret_file(filename, f.read())
+    except IOError as ioe:
+      raise CannotWriteConfigException(str(ioe))
+
+  def _assert_success(self, response):
+    if response.status_code != 200:
+      logger.error('K8s API call failed with response: %s => %s', response.status_code,
+                   response.text)
+      raise CannotWriteConfigException('K8s API call failed. Please report this to support')
+
+  def _update_secret_file(self, filename, value):
+    secret_data = {}
+    secret_data[filename] = base64.b64encode(value)
+
+    data = {
+      "kind": "Secret",
+      "apiVersion": "v1",
+      "metadata": {
+        "name": ER_CONFIG_SECRET
+      },
+      "data": secret_data
+    }
+
+    secret_url = 'namespaces/%s/secrets/%s' % (ER_NAMESPACE, ER_CONFIG_SECRET)
+    secret = self._lookup_secret()
+    if not secret:
+      self._assert_success(self._execute_k8s_api('POST', secret_url, data))
+      return
+
+    if not 'data' in secret:
+      secret['data'] = {}
+
+    secret['data'][filename] = base64.b64encode(value)
+    self._assert_success(self._execute_k8s_api('PUT', secret_url, secret))
+
+
+  def _lookup_secret(self):
+    secret_url = 'namespaces/%s/secrets/%s' % (ER_NAMESPACE, ER_CONFIG_SECRET)
+    response = self._execute_k8s_api('GET', secret_url)
+    if response.status_code != 200:
+      return None
+
+    return json.loads(response.text)
+
+  def _execute_k8s_api(self, method, relative_url, data=None):
+    headers = {
+      'Authorization': 'Bearer ' + self._service_token
+    }
+
+    if data:
+      headers['Content-Type'] = 'application/json'
+
+    data = json.dumps(data) if data else None
+    session = Session()
+    url = 'https://%s/api/v1/%s' % (KUBERNETES_API_HOST, relative_url)
+
+    request = Request(method, url, data=data, headers=headers)
+    return session.send(request.prepare(), verify=False, timeout=2)
diff --git a/util/config/provider/testprovider.py b/util/config/provider/testprovider.py
index 1e237f3b7..96ccf77ae 100644
--- a/util/config/provider/testprovider.py
+++ b/util/config/provider/testprovider.py
@@ -10,19 +10,23 @@ class TestConfigProvider(BaseProvider):
     self.files = {}
     self._config = None
 
+  @property
+  def provider_id(self):
+    return 'test'
+
   def update_app_config(self, app_config):
     self._config = app_config
 
-  def get_yaml(self):
+  def get_config(self):
     if not 'config.yaml' in self.files:
       return None
 
     return json.loads(self.files.get('config.yaml', '{}'))
 
-  def save_yaml(self, config_obj):
+  def save_config(self, config_obj):
     self.files['config.yaml'] = json.dumps(config_obj)
 
-  def yaml_exists(self):
+  def config_exists(self):
     return 'config.yaml' in self.files
 
   def volume_exists(self):

From 96d5bbb155dfe845c78d25383707a4c56229ee1a Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 10 Sep 2015 14:12:16 -0400
Subject: [PATCH 19/34] Fix exceptions raised by the diffs worker

Fixes #465
---
 data/queue.py          | 7 ++++++-
 workers/diffsworker.py | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/data/queue.py b/data/queue.py
index 289b99ada..a2a7ba879 100644
--- a/data/queue.py
+++ b/data/queue.py
@@ -185,7 +185,12 @@ class WorkQueue(object):
 
   def complete(self, completed_item):
     with self._transaction_factory(db):
-      completed_item_obj = self._item_by_id_for_update(completed_item.id)
+      try:
+        completed_item_obj = self._item_by_id_for_update(completed_item.id)
+      except QueueItem.DoesNotExist:
+        self._currently_processing = False
+        return
+
       completed_item_obj.delete_instance(recursive=True)
       self._currently_processing = False
 
diff --git a/workers/diffsworker.py b/workers/diffsworker.py
index 073bfbe9c..406e3564e 100644
--- a/workers/diffsworker.py
+++ b/workers/diffsworker.py
@@ -23,6 +23,12 @@ class DiffsWorker(QueueWorker):
       msg = ('Image does not exist in database \'%s\' for repo \'%s/\'%s\'' %
              (image_id, namespace, repository))
       logger.warning(msg)
+    except IOError:
+      # This exception is unrecoverable, and the item should continue and be
+      # marked as complete.
+      msg = ("Data could not be retrieved for image %s under repo %s/%s" %
+             (image_id, namespace, repository))
+      logger.exception(msg)
 
     return True
 

From 9ecfd7623a79d97534d0fc9273459f073e4cd4ea Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie <jimmy.zelinskie@coreos.com>
Date: Thu, 10 Sep 2015 14:16:19 -0400
Subject: [PATCH 20/34] CHANGELOG: cut 1.12.0

---
 CHANGELOG.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f59fc5333..aec3c5752 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,29 @@
+### v1.12.0
+
+- Added experimental Dex login support (#447, #468)
+- Fixed tag pagination in API (#463)
+- Improved performance for archiving build logs (#462, #466)
+- Optimized cloud storage copying (#460)
+- Fixed bug where LDN directory was given a relative domain not absolute (#458)
+- Allow robot account names to have underscores (#453)
+- Added missing SuperUser aggregate logs endpoint (#449)
+- Made JWT validation more strict (#446, #448)
+- Added dialog around restarting the container after setup (#441)
+- Added selection of Swift API version (#444)
+- Improved UX around organization name validation (#437)
+- Stopped relying on undocumented behavior for OAuth redirects (#432)
+- Hardened against S3 upload failures (#434)
+- Added experimental automatic storage replication (#191)
+- Deduplicated logging to syslog (#431, #440)
+- Added list org member permissions back to API (#429)
+- Fixed bug in parsing unicode Dockerfiles (#426)
+- Added CloudWatch metrics for multipart uploads (#419)
+- Updated CloudWatch metrics to send the max metrics per API call (#412)
+- Limited the items auto-loaded from GitHub in trigger setup to 30 (#382)
+- Tweaked build UX (#381, #386, #384, #410, #420, #422)
+- Changed webhook notifications to also send client SSL certs (#374)
+- Improved internal test suite (#381, #374, #388, #455, #457)
+
 ### v1.11.2
 
 - Fixed security bug with LDAP login (#376)

From 6ca33ca1080a8dd0af05bf537b9181030274ff2d Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 10 Sep 2015 16:14:29 -0400
Subject: [PATCH 21/34] Use a proper HTML parser with BS and catch exceptions

Fixes #473
---
 util/seo.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/util/seo.py b/util/seo.py
index f33cf667f..6212443dd 100644
--- a/util/seo.py
+++ b/util/seo.py
@@ -32,11 +32,13 @@ def render_snapshot(url):
   # Remove script tags
   logger.info('Removing script tags: %s' % url)
 
-  soup = BeautifulSoup(out_html.decode('utf8'))
-  to_extract = soup.findAll('script')
-  for item in to_extract:
-    item.extract()
-
-  logger.info('Snapshotted url: %s' % url)
+  try:
+    soup = BeautifulSoup(out_html.decode('utf8'), 'html.parser')
+    to_extract = soup.findAll('script')
+    for item in to_extract:
+      item.extract()
+  except:
+    logger.exception('Exception when trying to parse served HTML')
+    return out_html
 
   return str(soup)

From b25660bc881250e222030bf4c2200a754d72a11f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 14 Sep 2015 15:42:52 -0400
Subject: [PATCH 22/34] Fix auto-open of build error command

Fixes #481
---
 static/js/directives/ui/build-logs-view.js | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/static/js/directives/ui/build-logs-view.js b/static/js/directives/ui/build-logs-view.js
index 478481d2e..9f8e1e9fe 100644
--- a/static/js/directives/ui/build-logs-view.js
+++ b/static/js/directives/ui/build-logs-view.js
@@ -72,17 +72,16 @@ angular.module('quay').directive('buildLogsView', function () {
         // Process the logs we've received.
         $scope.logStartIndex = processLogs(logsData['logs'], logsData['start'], logsData['total']);
 
-        // If the build status is an error, open the last two log entries.
+        // If the build status is an error, automatically open the last command run.
         var currentBuild = $scope.currentBuild;
-        if (currentBuild['phase'] == 'error' && $scope.logEntries.length > 1) {
-          var openLogEntries = function(entry) {
-            if (entry.logs) {
-              entry.logs.setVisible(true);
+        if (currentBuild['phase'] == 'error') {
+          for (var i = $scope.logEntries.length - 1; i >= 0; i--) {
+            var currentEntry = $scope.logEntries[i];
+            if (currentEntry['type'] == 'command') {
+              currentEntry['logs'].setVisible(true);
+              break;
             }
-          };
-
-          openLogEntries($scope.logEntries[$scope.logEntries.length - 2]);
-          openLogEntries($scope.logEntries[$scope.logEntries.length - 1]);
+          }
         }
 
         // If the build phase is an error or a complete, then we mark the channel

From 39dc4c7d8daec186fbd27778e2408f47f2627ff6 Mon Sep 17 00:00:00 2001
From: Matt Jibson <matt.jibson@gmail.com>
Date: Mon, 14 Sep 2015 15:57:08 -0400
Subject: [PATCH 23/34] Monitor various sizes for queues

see #304
---
 app.py        |  7 ++++---
 data/queue.py | 17 +++++++++++++----
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/app.py b/app.py
index 0fcda573c..2b7c2d643 100644
--- a/app.py
+++ b/app.py
@@ -142,11 +142,12 @@ dex_login = DexOAuthConfig(app.config, 'DEX_LOGIN_CONFIG')
 
 oauth_apps = [github_login, github_trigger, gitlab_trigger, google_login, dex_login]
 
-image_diff_queue = WorkQueue(app.config['DIFFS_QUEUE_NAME'], tf)
-image_replication_queue = WorkQueue(app.config['REPLICATION_QUEUE_NAME'], tf)
+image_diff_queue = WorkQueue(app.config['DIFFS_QUEUE_NAME'], tf, metric_queue=metric_queue)
+image_replication_queue = WorkQueue(app.config['REPLICATION_QUEUE_NAME'], tf, metric_queue=metric_queue)
 dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf,
+                                   metric_queue=metric_queue,
                                    reporter=MetricQueueReporter(metric_queue))
-notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf)
+notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf, metric_queue=metric_queue)
 
 database.configure(app.config)
 model.config.app_config = app.config
diff --git a/data/queue.py b/data/queue.py
index a2a7ba879..b787d22be 100644
--- a/data/queue.py
+++ b/data/queue.py
@@ -26,9 +26,10 @@ class MetricQueueReporter(object):
 
 class WorkQueue(object):
   def __init__(self, queue_name, transaction_factory,
-               canonical_name_match_list=None, reporter=None):
+               canonical_name_match_list=None, reporter=None, metric_queue=None):
     self._queue_name = queue_name
     self._reporter = reporter
+    self._metric_queue = metric_queue
     self._transaction_factory = transaction_factory
     self._currently_processing = False
 
@@ -86,12 +87,20 @@ class WorkQueue(object):
     return (running_count, available_not_running_count, available_count)
 
   def update_metrics(self):
-    if self._reporter is None:
+    if self._reporter is None and self._metric_queue is None:
       return
 
     (running_count, available_not_running_count, available_count) = self.get_metrics()
-    self._reporter(self._currently_processing, running_count,
-                   running_count + available_not_running_count)
+
+    if self._metric_queue:
+      dim = {'queue': self._queue_name}
+      self._metric_queue.put('Running', running_count, dimensions=dim)
+      self._metric_queue.put('AvailableNotRunning', available_not_running_count, dimensions=dim)
+      self._metric_queue.put('Available', available_count, dimensions=dim)
+
+    if self._reporter:
+      self._reporter(self._currently_processing, running_count,
+                     running_count + available_not_running_count)
 
   def has_retries_remaining(self, item_id):
     """ Returns whether the queue item with the given id has any retries remaining. If the

From 6f2271d0aef0d717787b0b2257a917e4fec61500 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 14 Sep 2015 17:49:35 -0400
Subject: [PATCH 24/34] Add support for direct download in Swift storage engine

Fixes #483
---
 .../directives/config/config-setup-tool.html  |  3 +
 static/js/core-config-setup.js                | 17 +++-
 storage/basestorage.py                        |  5 +-
 storage/local.py                              |  2 +-
 storage/swift.py                              | 82 ++++++++++++++++---
 util/config/validator.py                      |  2 +-
 6 files changed, 93 insertions(+), 18 deletions(-)

diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html
index ae85f6d48..9edbffd75 100644
--- a/static/directives/config/config-setup-tool.html
+++ b/static/directives/config/config-setup-tool.html
@@ -232,6 +232,9 @@
                             ng-selected="config.DISTRIBUTED_STORAGE_CONFIG.local[1][field.name] == value">{{ value }}</option>
                   </select>
                 </div>
+                <div class="help-text" ng-if="field.help_text">
+                  {{ field.help_text }}
+                </div>
                 <div class="help-text" ng-if="field.help_url">
                   See <a href="{{ field.help_url }}" target="_blank">Documentation</a> for more information
                 </div>
diff --git a/static/js/core-config-setup.js b/static/js/core-config-setup.js
index 889e13341..e3d5c3483 100644
--- a/static/js/core-config-setup.js
+++ b/static/js/core-config-setup.js
@@ -90,14 +90,23 @@ angular.module("core-config-setup", ['angularFileUpload'])
 
           'SwiftStorage': [
             {'name': 'auth_version', 'title': 'Swift Version', 'kind': 'option', 'values': [1, 2]},
-            {'name': 'auth_url', 'title': 'Swift Auth URL', 'placeholder': '', 'kind': 'text'},
-            {'name': 'swift_container', 'title': 'Swift Container Name', 'placeholder': 'mycontainer', 'kind': 'text'},
+            {'name': 'auth_url', 'title': 'Swift Auth URL', 'placeholder': 'http://swiftdomain/auth/v1.0', 'kind': 'text'},
+            {'name': 'swift_container', 'title': 'Swift Container Name', 'placeholder': 'mycontainer', 'kind': 'text',
+             'help_text': 'The swift container for all objects. Must already exist inside Swift.'},
+
             {'name': 'storage_path', 'title': 'Storage Path', 'placeholder': '/path/inside/container', 'kind': 'text'},
 
-            {'name': 'swift_user', 'title': 'Username', 'placeholder': 'accesskeyhere', 'kind': 'text'},
-            {'name': 'swift_password', 'title': 'Password/Key', 'placeholder': 'secretkeyhere', 'kind': 'text'},
+            {'name': 'swift_user', 'title': 'Username', 'placeholder': 'accesskeyhere', 'kind': 'text',
+             'help_text': 'Note: For Swift V1, this is "username:password" (-U on the CLI).'},
+            {'name': 'swift_password', 'title': 'Key/Password', 'placeholder': 'secretkeyhere', 'kind': 'text',
+             'help_text': 'Note: For Swift V1, this is the API token (-K on the CLI).'},
 
             {'name': 'ca_cert_path', 'title': 'CA Cert Filename', 'placeholder': 'conf/stack/swift.cert', 'kind': 'text', 'optional': true},
+
+            {'name': 'temp_url_key', 'title': 'Temp URL Key (optional)', 'placholder': 'key-here', 'kind': 'text', 'optional': true,
+             'help_url': 'https://coreos.com/products/enterprise-registry/docs/latest/swift-temp-url.html',
+             'help_text': 'If enabled, will allow for faster pulls directly from Swift.'},
+
             {'name': 'os_options', 'title': 'OS Options', 'kind': 'map',
              'keys': ['tenant_id', 'auth_token', 'service_type', 'endpoint_type', 'tenant_name', 'object_storage_url', 'region_name']}
           ]
diff --git a/storage/basestorage.py b/storage/basestorage.py
index e085a5a08..9406fffec 100644
--- a/storage/basestorage.py
+++ b/storage/basestorage.py
@@ -58,8 +58,9 @@ class BaseStorage(StoragePaths):
     """ Called to perform any storage system setup. """
     pass
 
-  def validate(self):
-    """ Called to perform any custom storage system validation. """
+  def validate(self, client):
+    """ Called to perform any custom storage system validation. The client is an HTTP
+        client to use for any external calls. """
     pass
 
   def get_direct_download_url(self, path, expires_in=60, requires_cors=False):
diff --git a/storage/local.py b/storage/local.py
index b2cbc458c..333c9724d 100644
--- a/storage/local.py
+++ b/storage/local.py
@@ -144,7 +144,7 @@ class LocalStorage(BaseStorageV2):
     else:
       logger.debug('Content already exists at path: %s', final_path_abs)
 
-  def validate(self):
+  def validate(self, client):
     # Load the set of disk mounts.
     try:
       mounts = psutil.disk_partitions(all=True)
diff --git a/storage/swift.py b/storage/swift.py
index 42023c3c0..928715fb4 100644
--- a/storage/swift.py
+++ b/storage/swift.py
@@ -2,8 +2,12 @@
 from swiftclient.client import Connection, ClientException
 from storage.basestorage import BaseStorage
 from util.registry.generatorfile import GeneratorFile
-
+from urlparse import urlparse
 from random import SystemRandom
+from hashlib import sha1
+from time import time
+
+import hmac
 import string
 import logging
 
@@ -12,7 +16,8 @@ logger = logging.getLogger(__name__)
 
 class SwiftStorage(BaseStorage):
   def __init__(self, swift_container, storage_path, auth_url, swift_user,
-               swift_password, auth_version=None, os_options=None, ca_cert_path=None):
+               swift_password, auth_version=None, os_options=None, ca_cert_path=None,
+               temp_url_key=None):
     self._swift_container = swift_container
     self._storage_path = storage_path
 
@@ -22,6 +27,8 @@ class SwiftStorage(BaseStorage):
     self._swift_user = swift_user
     self._swift_password = swift_password
 
+    self._temp_url_key = temp_url_key
+
     try:
       self._auth_version = int(auth_version or '2')
     except ValueError:
@@ -51,8 +58,12 @@ class SwiftStorage(BaseStorage):
 
     return path
 
-  def _normalize_path(self, path=None):
-    path = self._storage_path + (path or '')
+  def _normalize_path(self, object_path=None):
+    path = self._storage_path
+    if not path.endswith('/'):
+      path = path + '/'
+
+    path = path + (object_path or '')
 
     # Openstack does not like paths starting with '/' and we always normalize
     # to remove trailing '/'
@@ -116,15 +127,66 @@ class SwiftStorage(BaseStorage):
       logger.exception('Could not head object: %s', path)
       return None
 
-  def get_direct_download_url(self, path, expires_in=60, requires_cors=False):
+  def get_direct_download_url(self, object_path, expires_in=60, requires_cors=False):
     if requires_cors:
       return None
 
-    # TODO(jschorr): This method is not strictly necessary but would result in faster operations
-    # when using this storage engine. However, the implementation (as seen in the link below)
-    # is not clean, so we punt on this for now.
-    # http://docs.openstack.org/juno/config-reference/content/object-storage-tempurl.html
-    return None
+    # Reference: http://docs.openstack.org/juno/config-reference/content/object-storage-tempurl.html
+    if not self._temp_url_key:
+      return None
+
+    # Retrieve the auth details for the connection.
+    try:
+      object_url_value, _ = self._get_connection().get_auth()
+    except ClientException:
+      logger.exception('Got client exception when trying to load Swift auth')
+      return None
+
+    object_url = urlparse(object_url_value)
+    scheme = object_url.scheme
+    path = object_url.path
+    hostname = object_url.netloc
+
+    if not path.endswith('/'):
+      path = path + '/'
+
+    object_path = self._normalize_path(object_path)
+
+    # Generate the signed HMAC body.
+    method = 'GET'
+    expires = int(time() + expires_in)
+    full_path = '%s%s/%s' % (path, self._swift_container, object_path)
+
+    hmac_body = '%s\n%s\n%s' % (method, expires, full_path)
+    sig = hmac.new(self._temp_url_key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()
+
+    surl = '{scheme}://{host}{full_path}?temp_url_sig={sig}&temp_url_expires={expires}'
+    return surl.format(scheme=scheme, host=hostname, full_path=full_path, sig=sig, expires=expires)
+
+  def validate(self, client):
+    if self._temp_url_key:
+      # Add a file to test direct download.
+      self.put_content('dd_path', 'testing 3456')
+
+      # Generate a direct download URL.
+      dd_url = self.get_direct_download_url('dd_path')
+
+      if not dd_url:
+        self.remove('dd_path')
+        raise Exception('Could not validate direct download URL; the token may be invalid.')
+
+      # Try to retrieve the direct download URL.
+      response = client.get(dd_url, timeout=2)
+
+      # Remove the test file.
+      self.remove('dd_path')
+
+      if response.status_code != 200:
+        logger.debug('Direct download failure: %s => %s with body %s', dd_url,
+                     response.status_code, response.text)
+
+        msg = 'Direct download URL failed with status code %s. Please check your temp-url-key.'
+        raise Exception(msg % response.status_code)
 
   def get_content(self, path):
     return self._get_object(path)
diff --git a/util/config/validator.py b/util/config/validator.py
index e66cb341d..d4dc1cd39 100644
--- a/util/config/validator.py
+++ b/util/config/validator.py
@@ -83,7 +83,7 @@ def _validate_registry_storage(config, _):
   driver = get_storage_provider(config)
 
   # Run custom validation on the driver.
-  driver.validate()
+  driver.validate(app.config['HTTPCLIENT'])
 
   # Put and remove a temporary file to make sure the normal storage paths work.
   driver.put_content('_verify', 'testing 123')

From b56de3355c59c92cea3cc596c3ac6b94314e975d Mon Sep 17 00:00:00 2001
From: Jake Moshenko <jake.moshenko@coreos.com>
Date: Tue, 15 Sep 2015 11:53:31 -0400
Subject: [PATCH 25/34] Migrate data back to Image in preparation for v2

---
 data/database.py                              |   6 ++++
 ..._migrate_image_data_back_to_image_table.py |  34 ++++++++++++++++++
 data/model/image.py                           |  16 +++++++--
 endpoints/v1/registry.py                      |   5 +--
 initdb.py                                     |   9 ++++-
 test/data/test.db                             | Bin 815104 -> 847872 bytes
 test/test_gc.py                               |   8 ++++-
 7 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 data/migrations/versions/545794454f49_migrate_image_data_back_to_image_table.py

diff --git a/data/database.py b/data/database.py
index cc802ac59..660976bcf 100644
--- a/data/database.py
+++ b/data/database.py
@@ -561,6 +561,12 @@ class Image(BaseModel):
 
   storage = ForeignKeyField(ImageStorage, index=True, null=True)
 
+  created = DateTimeField(null=True)
+  comment = TextField(null=True)
+  command = TextField(null=True)
+  aggregate_size = BigIntegerField(null=True)
+  v1_json_metadata = TextField(null=True)
+
   class Meta:
     database = db
     read_slaves = (read_slave,)
diff --git a/data/migrations/versions/545794454f49_migrate_image_data_back_to_image_table.py b/data/migrations/versions/545794454f49_migrate_image_data_back_to_image_table.py
new file mode 100644
index 000000000..17af21eb3
--- /dev/null
+++ b/data/migrations/versions/545794454f49_migrate_image_data_back_to_image_table.py
@@ -0,0 +1,34 @@
+"""Migrate image data back to image table
+
+Revision ID: 545794454f49
+Revises: 3a3bb77e17d5
+Create Date: 2015-09-15 11:48:47.554255
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '545794454f49'
+down_revision = '3a3bb77e17d5'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('image', sa.Column('aggregate_size', sa.BigInteger(), nullable=True))
+    op.add_column('image', sa.Column('command', sa.Text(), nullable=True))
+    op.add_column('image', sa.Column('comment', sa.Text(), nullable=True))
+    op.add_column('image', sa.Column('created', sa.DateTime(), nullable=True))
+    op.add_column('image', sa.Column('v1_json_metadata', sa.Text(), nullable=True))
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('image', 'v1_json_metadata')
+    op.drop_column('image', 'created')
+    op.drop_column('image', 'comment')
+    op.drop_column('image', 'command')
+    op.drop_column('image', 'aggregate_size')
+    ### end Alembic commands ###
diff --git a/data/model/image.py b/data/model/image.py
index 0da208b46..aef076336 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -255,7 +255,7 @@ def find_create_or_link_image(docker_image_id, repo_obj, username, translations,
 
 
 def set_image_metadata(docker_image_id, namespace_name, repository_name, created_date_str, comment,
-                       command, parent=None):
+                       command, v1_json_metadata, parent=None):
   with db_transaction():
     query = (Image
              .select(Image, ImageStorage)
@@ -273,7 +273,10 @@ def set_image_metadata(docker_image_id, namespace_name, repository_name, created
 
     # We cleanup any old checksum in case it's a retry after a fail
     fetched.storage.checksum = None
-    fetched.storage.created = datetime.now()
+    now = datetime.now()
+    # TODO stop writing to storage when all readers are removed
+    fetched.storage.created = now
+    fetched.created = now
 
     if created_date_str is not None:
       try:
@@ -282,8 +285,12 @@ def set_image_metadata(docker_image_id, namespace_name, repository_name, created
         # parse raises different exceptions, so we cannot use a specific kind of handler here.
         pass
 
+    # TODO stop writing to storage fields when all readers are removed
     fetched.storage.comment = comment
     fetched.storage.command = command
+    fetched.comment = comment
+    fetched.command = command
+    fetched.v1_json_metadata = v1_json_metadata
 
     if parent:
       fetched.ancestors = '%s%s/' % (parent.ancestors, parent.id)
@@ -323,13 +330,18 @@ def set_image_size(docker_image_id, namespace_name, repository_name, image_size,
                     .where(Image.id << ancestors)
                     .scalar()) + image_size
 
+      # TODO stop writing to storage when all readers are removed
       image.storage.aggregate_size = total_size
+      image.aggregate_size = total_size
     except Image.DoesNotExist:
       pass
   else:
+      # TODO stop writing to storage when all readers are removed
     image.storage.aggregate_size = image_size
+    image.aggregate_size = image_size
 
   image.storage.save()
+  image.save()
 
   return image
 
diff --git a/endpoints/v1/registry.py b/endpoints/v1/registry.py
index e1838730d..5b94c48b5 100644
--- a/endpoints/v1/registry.py
+++ b/endpoints/v1/registry.py
@@ -456,7 +456,8 @@ def put_image_json(namespace, repository, image_id):
 
   logger.debug('Parsing image JSON')
   try:
-    data = json.loads(request.data.decode('utf8'))
+    v1_metadata = request.data
+    data = json.loads(v1_metadata.decode('utf8'))
   except ValueError:
     pass
 
@@ -530,7 +531,7 @@ def put_image_json(namespace, repository, image_id):
 
   logger.debug('Setting image metadata')
   model.image.set_image_metadata(image_id, namespace, repository, data.get('created'),
-                                 data.get('comment'), command, parent_image)
+                                 data.get('comment'), command, v1_metadata, parent_image)
 
   logger.debug('Putting json path')
   store.put_content(repo_image.storage.locations, json_path, request.data)
diff --git a/initdb.py b/initdb.py
index 57024f00d..29b151601 100644
--- a/initdb.py
+++ b/initdb.py
@@ -99,9 +99,16 @@ def __create_subtree(repo, structure, creator_username, parent, tag_map):
     creation_time = REFERENCE_DATE + timedelta(weeks=image_num) + timedelta(days=model_num)
     command_list = SAMPLE_CMDS[image_num % len(SAMPLE_CMDS)]
     command = json.dumps(command_list) if command_list else None
+
+    v1_metadata = {
+      'id': docker_image_id,
+    }
+    if parent is not None:
+      v1_metadata['parent'] = parent.docker_image_id
+
     new_image = model.image.set_image_metadata(docker_image_id, repo.namespace_user.username,
                                                repo.name, str(creation_time), 'no comment', command,
-                                               parent)
+                                               v1_metadata, parent)
 
     compressed_size = random.randrange(1, 1024 * 1024 * 1024)
     model.image.set_image_size(docker_image_id, repo.namespace_user.username, repo.name,
diff --git a/test/data/test.db b/test/data/test.db
index ec924222189c6f0386b5125c81985e123cddcdbb..762ad4378cd754cf9f9eac84483c7c46ca30d4df 100644
GIT binary patch
delta 28988
zcmeIbcYKsp_CNkiOJ?SIG7|_L0ttl9%sjnN(@01!kOYDXQ%Pun5SpSP*gF#Cv4gt0
zENk6WvNo{mx+>PyRoAw=cGs?07QW})CwV618FfD|e}Da6yRVlS_ul88_qpeud+s^s
z7Pr5}ZGTJHIV#QBNm10{OLFE8hJOpZ>vF;Wb^HGcf2rH<Shvb=8~MlA{h{s3VgC>Q
zZ~UM8KlZ;%@ALlX-Qs!Cv&G|g$I=g^vuPKk@vgtP#yZzIK6Dh@-?w+#p0`b+uBX;_
z56a>7oy%!&UM$Wlae-F@Q8p0|h_a{#!h#$L#Kfo;<Ki)15ZLaUcWz;3H9URR!a;X8
ztbXXJG2QGXdl_!^(cSZTPQ~Bu*Du-Q8+>KS^P}j{7nF^z%&O=<ch^#%CouGV=9NDc
zQ`C_=p4!^|#ja}K+#Bs>O@BOmjG{h0<G>}|)!mo-oYy>fUD~FNr%=?3<?rj=Uv+Qs
zjeWZP*6HK+UI;?CWzsj@CttcZJK%g|%Dl9j6^gq3%{v!#O&h{c4U~}EHQniSxx1gc
zIj?)^WvhKNmOOUW+~H-p6m|NmpXGGFaM@BuyZpQS+Uvi$ps8!>mEALUSC7tqpKYG{
z#{S{>+m$=0mrl0R>2!Bj-jdh-`0n_q5zoAQ!T5UvkDPkW!OyxJnKZ##hEV#m43pQr
zS}(~ScK-eu<905(fugQ_dH4RV>Hc0y0m9L>K<RURjc?p8*Qgo%3!hWe85JL&*4=XX
zUOE=IiJkbj9kILLi*;vRvDD}OvB=3>dgAjGbpy|Q+r90IYM=VYb;oML*K$Bx`tz6F
zuUv6CGj7HndHQeO_*Zzx;;*{5UAcuBp;R^HzUO+Yu;K25yRO>HOdGp;#msMGJMp*s
z=BxJjBzNPr<#XTMPf@#eyf1Yxxq2xxcJ$EircM0l;uBB4MDKp!>S~6$=C02M{qFMG
zdCN|@wtLhymyhBfeDu~*f9aR_+vRZf>v?zhw!H4ot|=KqUFN!udiFXPu(L}aXS=35
z`gOd!_S#*(nSamuO?}Jbl@xW>A0E88``_2@VfgJ&x=Ze?rYm0B`%(85duk{ArHcV=
zesmrDd2kW@xkrURcaO2dUz`60_)9(hM`rJne%oW+A6z$e$L$Ahw>j4hPWRtI`M>sm
z=zrb+g8wo9-TpiNI4I{TzdJ46L1o3_TlBj__KLK0{~sv-A9~!ZeV^Z*?#Qx1O?uBg
z^X#uZ+8Ik|vcL<`Ktzef0-~6Z0$L=>24pdo;MlMbkMe3{<JPsS!|f~L)1&S2a7SBv
zq^+Z%wp^A(p_#9%lcmC@60xeHhOKWZlBybN<Z`Z}u%=F3$Sbu<@q%Jb;tCp?i%P21
zW}&)h!6Lq{v65#wDZpx-0Zz){q?v*^Q;>rkFGxH$cq7#{!JkPra8y@@n{s>H?gED=
z#>-(&O9%m$XQhD1D~W)r3UWYBgjpdRiNvB}ILT<+=CyHTvs782HA`9z-_*cXX^YD0
zO6FH;3x(>%^XtlLs!J<6YZo^cRPjYDyQrzLN~}_ggsS?&!g987Nn>U6LP_rB^LREn
zS=KaUbCM6(RQj{Ysw^Mlxp*L^^5K9O2cbry;b?%1h+;IF;CWV-l5DQ+jBjphU(wzM
ztS*v@s<?(ip}D-NroN$gae28QlrL&7t1Mbv+ay;uh?NV=3)uw=Yl@UAdH%vmzPz!Z
zsg~19xFW7V6^l}F$|{Pe5`pGr0H;EKPUG=}6zSv>a)6WLAkl;>1tQ_N5@5q3E5+g>
zA627CR-<igs|laARb^b=f<=nRvg+c+%|cTNS6y0GDJ_zk%DCq8+9FO`P*~aAw5VFB
zDOBsriyG>xY8J`d!urB$S!R#tbAIp0voa?N0*G`Q<EI+NQ6V=6!;a$)e5i@I5D6%1
zLJWxEI2TZ35iTHwd0y1wd^F6*^ai&>?Ch^etf*+Bf<rWshK}cUxu$w3Aczz>h2vuh
zH4%u$SpkfEj15G@s1V>aPL;wkFR4+rZDYrV)>s_ICXWy2aeUsY#zwiNyfj?hxF9Sq
zsFy26z9>?&HB`HyU5GAfoZnH|SuVsI1t}p%7jCI356xdOzqM&?8=v3N5?;G%LonL5
z#yUb=ke3C4mypr%USM=|e?|pf=0!<V0%}}_xfxNy0Zo&YfClSKR2F3+&P%;B61dcm
z%{B6RDaZ-!b*)QE7DiTUOJbE()$x;y%GU9VgN1xN*1n*oanpv<Rcl)#C$ETyH#BXC
z@cIKD$FP3lV}qI^3kr{1<$8dtk^Q++BC#;&Ml>MDWEs?k<3M}@7m)c#A|b{&F`f{?
zOvK{ty`pQ9<MHyshSu8prmZKRyrpF!-=c+U*!7j`+9a)DU2Acqq%B<Cxuuy87D}7q
z1-0$*=FP#iZQRd_jt$Bx&k96z6WzUI4A#OJ<EShvQiP8MVseZF(aBOkRn&Mu6J%bE
zb8I3UmNu^46mM@$w8mq|XeUUoeaQxHRivPHN$uuHN3{}KxnN^+@y4np?2>3hOJa@C
z)}mCes*6hVH*3`kR=3neVw-DA*S1N&z^I_H0?!g<OdqI>aWJuLj8y`iych;fW56j$
zKN`?jF($-BRgJJ(dw6ZEZOz6FrbxjOwpDH|tKU$Z*bwPp#fA=HYe`L6gk4wASh{J|
zx{_dHo4T59EuAlOwaR9(xS&O7UE3!945OVh1vbdRoYu&+nVbfkYW?knB7w?@f)wDn
zFjzKC6#{CM7Xq<ZI0`~mBZ)AdXpe7bK|ZI4*S2-E#M_C*P!{pkHI0j;`CtXA8@WX#
zO_j}!jrA2v6n05r^Mcaag>sG9sV(Lz8W-27g-vB(E@~RorsC3Kwp1$QMeD?2gRCa<
z2CE?#usW{GHP4*kF!pLJ9*+bPFhc?&D{_Ib0t*IA9*t9YB^*{Hlhs}=m13nrtxyzW
z*RS9;jf;kstS;YJP$Si}f<;&rO|WvoLN-<+)Rk;301ar5E~sBp8Pr`Fj@;zb;kBU3
z3WAE33|ukb3#QH-ldqVf;wlghB*@eeK|eJy9uM$QO_LIW5SL|c-Nwl3)@UzN?JKL)
z+Tuj>hT@GKU<6mTv=x=C+gMzy*2o>I*cx22IJ{=v0)JRdw3hIzv=xgtapl!(^gA;g
zIma<2ah%AJbs*OPOa=OnYn0Ps(TJ)BcopZf7J(Iu7r^_CM&lAJ$6*P~WqeadII=oE
zJ=Q@+w5CbsDpakcq`0wCtf{M8Sk_QbQd(P7S16W9Y@txkRd#aCg?v?Ub#n=;O7%Qn
zQQRahSy<AbRW~+k^_CF@$w{oJN<?zJ9hl7Sa+UT;&Mj~vD~F@ti6>-WO=PuzDuK<G
zqlyH^P=qBb9&6ozJd)YW@p9hk(u$IfRg0rdT)c8qN4rp7u9by0R+n%It#N%r-DUwy
zVslGzb74bWd0mIvsI3%Mm+DW}II{Jz84mYgb3Fmxcvgd1sn7E}hP6nbMr;HOV3^|*
z0g;P?ClX~NfpA=8qrhZT2y=Y`>mA32(&om3`CE!NmTs=qDmHJ}oLIH6c4Otjc%(Ac
zUQ)C^zHSLynW$Fej*g-Ys~3jD>tpNI==b{_!G2t*K@A-wt>-^}2hB3RV;SukfAVkl
z6=xjn8ItdaW_12qrz~^6vn#{)OFq+2x=fwDK9ir2`L+Ixk5Ku)cpF1fxf}Yq)s9p0
z|0@&pGZsiMu5lFP{}*civs&NtXpLh_@K+DhDW_Jr(kYv*D`Sw~@qZt!&f`5?pyuqQ
z=5zeoK?7orUSb)JpBTH&|JqdqYW7}gX^vkzgh0$jh!tlHayWkVP#*1ccyk#4dS9LI
z3JAQW`rd}nYmTq8)CJ>WbNt$=nAS_@|2n*#0|OXWFQH#Mvd&&QKQX9%W7_$P{=cJ_
z(61d&dkIR~Ghiek9!;?r{p_qfaJ%D&>M3GH;gY%qMHReOCNv85vQnV&+M+tCq`bNm
z!r98g+ETuZZz$3a9dk_77aVicOetEtP$|_4D$0wMazQSK5Vx?1uTdKs#6pOO8tbI`
z!m5VFB{e<J<g-v6C&eRCCCUf5Fhto9KEWE6P=tUIlNHD>DJ(BV+T-imW`<*HTGw{O
zH*|Egt%|Shzf`I-d2S{r2U&$vHT3}NeBGb--;g~k-+3V4b>B&OY(k1fqp*ZV1n`DM
z1>!0-CUFq+L#)q<8XIRL`din!By=AZ#@FQ_dS8If<pfyx-}o6h<2%}x#lju&@iTMA
zFWMNN0blg{S|&kV-`A)1?*M011tm#VWxmU4^H2>oPnWB}9SN)8870&J7v~@<8xm1@
z$VmunAS`oHDWdQRf!Fu#ag_{0hLUsyjq5qK$MtN8Fq$k!`u1!`fhRRQX?ECkr@!*Q
z5s7`Wqro$P!&D6R9DCEX)!!M8fNv63#Q-nGz(YvLLLdxoazKMT1(#652~Ogj_K@98
z*%~}x$Qc%**+@K^2(X+2!xE3k0hNW+0k85hsE7h_eAwX#*+>H$Wn(xVq8Tl$1UQKA
zaU4NT5QPQ!IJ8I?MJXZ5TF=o>U9P9{6!74pvJ?)46Hy?JPD@x2K>5HMWn*$eN@!ty
z@_lKu^B{KRq%bhb$D=AZfRGW;AP5b>(8R?=Se78B*3Z5#Es)1T*e&u9mC6YXLesDU
zAMsHsz$vl@QKl@5Y(jtKzBDN>EMPVPQmU%J0;ik^siuU&1)|`VM<Jl#wJ4`^_ovOw
zQ&k1RTUHFjqZ-VQC=Wr92AK(P$D^9aDk4ND`o;IBjn4yb9CRWY3$Rh}TSY~J-gCeV
z1jGXP_8Q1u(_gwjZT1Nf1sIBJY9JwpVI;!9Vi@v80U-e`wHO}-pHogtr#!hfs$m7>
zxWa2YHip;QV*;yjiFgd0I!F|VFf#)hB!K}YD#93oe0W}8b1*F*B$0@RCGY_gFf{_A
zszCqZS~S1{$FYb2BP&Y!a|hEV=SeXZ3;;N-U<b5-D9Mn?;Dm61O$ajdD8ee5s*gF8
zHZ4yEh3B}q8c-k$2Q)b?5K$vxNXoG=(!3mn<dVMf5J)1fNgNA#rGTV?&WLeH7DSXN
zqzJTx5>aHxb8wt~`=PWMc}gOtM5HjFs~qG}qL4b%Sco`<xT3&pOeEr*bl`!swA-DZ
zQvOeS2IbiP<sam?xhRi2*PKG)f$ix(`kfl6-GN$XTBh@J%Ktfj`<~zLb9!=<lTEyd
zwdLQGZ_B*X{ck^UVvVUO1vTi7A|J?fZ=KbzTn$Q^!fUL4euaBiUX+6bycX61vXlU!
z%32~2iGc>ILL?D`B&Dj!yk1c09+8SdO^th~zP-}Trm8%r+C5$Wq|!Y(Rb^jGm!4nc
z&QJ9PG@qj1Q<WN+R5I1>p+i7GT%VCLdv+Xkr@pY-or@o`mJfkWP3oGDs@=6v!)lf`
zKs-Nn%?&kfIb}`HCpGSyPa<)mF*bdiGGiSDHgn8PYui^%|9rLg=c_#fsylmac^`H6
zfcgQ|>Bm)Dgq(I<wMDcpYjrE8p8LR^{p+n#cKm$xam$Uh^?}>nXZli!JI84&u+cvw
z@L&4C`%52q%nv#->rS%S$B((&{Ng7*NFVTlRrCWsunHeP=<L@~%NNe$Nmxbb80Vyt
zs%fpakA-^E2wCgBRFC}u_v%!mFpL@Rf??>#o<;FJ^e=vr;r+!=Jf88c&R;@u{~{T8
z`oK>tBa)Ri@RL4?cbXcX>H4W}lAkySd}5Vrx+B*G17jKu>lZop9Q>kpY*O2!V~5>0
z`j-|+Rcd{45mzG#3#4+kUe!u#N{TqKT3S$BTVAKulrNDajb|GcE)nN9l~yfo6sn7b
zMa4yh<=p(rD%oqDNU-QAqM&Htp1B_!m;Y-K?(|$4`mdI#o`WGz@rnJ`5%Ana4t$)R
zAs2d<*^aLO_d#WQ&b$aJs*^4*u&#lN0()?+t7Cz+;WhCL*b8J_H&U(})9TZ{Nx#i|
zuJ<T?F*Awj$(Wb%w6B`EEh9VQ0sm(EBX-GlCG{xvAnb1k^tZnAMx4;p*)#nT&oP^x
z^P_ib&$Mn&i@oRe%RIkx)29c!My3xRKHPqmrpK=JJgzU?;~d<5i+4h|jUG8{6Sr*T
zhPJiK*2Fu&LF@>R&sj8o@gjZwR(ExGjUxaqxW~0_EbV^+w<@18_u=33zvKVA{}tGs
ze8&F-@KKbxV|qpgq#tb)Z3VfLT|4IO9^<VZWgRjeQf}ZUi29(H>ES+OEBKVjt+B~7
zb0$NReE;MbIg{6g+v96HplIV{J+zz7A3XWg9itgSejJdefIKOm;|OUXjty~Kh)D&-
zDXOGtYuj>QlV%N2G`5-h;0Or|UgxEBeiq;@qkY(&k$~5g?F2xq7~cz+!l?5>4*I1E
z-JkEw(|5i>2N~SKHnFg^1?$*jM&D+8N#C*nYZ*de`8b41q4Ru@1?O7e07qbOPuzsS
zRu+hzCwfVDvOJ_ae(X-b*_EqfMYbbk8r7s~0s=%)BBwtnFwJDU-Gu0)*6JqIMkBT9
zI2r-Ko?s72AvvUk+}5$+f*OROvI1OZchB238%7>C>rKMg-opE`ZbLld(}{S71KMO1
z50>W|VCgBLSPk}@iH0$F0>DJUh8C3DE-_HD(#%1i5CzL6L`h49p-KS4CRGa$7MM8L
z)PnOVfTLp3uH;B$<49mdwmsxZ3Bz)Hf1SeP3MLFT#Hmr>M9w`p8q07n3U+~}hPV(P
z5<<>YR25#(BndSL#sLpEm?W{Oh4X?34bE3MkaG`?Lsx(RK}8M$a-@WTnJ&mgjQ|JF
zNF;Hfr3L3OfTM&Wc7lV`0XAEpLs&5uaO|m2WC6kszE80jJb7WlU_%Scp-v*Ut|}W5
zo8N<K1>*qa1t}~R7lg=4lQg1F)gu@E^&frYxri2zhT{@1gKd1eD-Hhsc?<k`Vio*(
zWEuQ<cp?0Gs1*L(Hyi%k3kO}OKTU)`JtN`Ifs6w=-n7h~w0!UP{_Ee$Wbjmo-M<?C
zQcv|Twce=T_JF=_nYYY#NWZGyTe5q(m$p6G!z}kM^V<&UtJ}O4w)^$$uy?_Mb>2gC
z-I19WjR<+DY`e_~8>Xuvk+Y$LQ>gPZ8n7lfutuiNHEIF_Yb5GyQln>X^A7LC#?uFW
zB2cFrji(K)VL?d{a2RaOkGAz=MeD@!3x`b^P_CY8lusT|uAD;3%Z5!FP$6$M8cZBe
zE^Q{|!}EZp{=gi+kyPlPZu1TsjVz2G&{AwSKFB%MJM;wnAZNe_{95us);JF})F8dC
zy)71FphFi79qXY+_Qx}dv$Bu-b~%mT>X)4A9Rd=)VCd)pjZW}D{rN*j4JdAMlj4yB
zitE#{IBSFnu?c*T1!<&kc(PCmvZYvfUe>T=q1YK@=NqL%lchqC%{K~%n1$HK=~#H~
z(5wLr7{$W|n{wLF5nj={cEvREdDbA4#wJ)#rWl2py@ib1jg-f`kg|T;Y2KkAk#n<r
z$F&(pYDZ=mxXwO(9_55ar@=qx3}pteG#snW8Ah8d!Nd*os+j4(@+_}O9>I;mVIJe-
zPM9w$EUOVo^^>oMxlJm)9W%<a(oHJRF+Rf}oz}mQ>n(KkFJyZQon|32;kE;3XAgCF
z<{qy=M)_bne(b@yj2~m~&K?4p)saS-F~3Raf$iQ0Lk{R<&m*^auO3JKEqd5{P3G=(
zHs_SVj{7Nhj{6k%KRgAV+r0IRhuM`uXI$x%{ND6i(`UOrb5%HZIqrvzj!PUpBfj!}
z?$9qf<_*|x*KOUlq57-edKvxi$Gj8t8~1pYI^tcU^_54w6K%iIcOLQ1b1dx|qccam
zx%$ONyhHUusOdR;#Cs^s=IybuwqxTCWYQ1&%NEyGE-I<3;>4Q8^ToQl=IORH$|eOo
z_LUo=Ep6@X`F&ffc%p_?m9nzR;sxc47jd=qT(g%L#+NBL0s1m<`4|7xA&!7;AW3_c
zBj6d>^Z-jcbH-*+amvqT{DleA*<Qc<yYv^+T3q$cEc+d{ZYusi2NrTA|8rpf=fL&`
zV#N2g_)Y(FVE=#Mz%u<ESaf;w^Cq84QV-N`DW9G(g?_`k)pMtNXL_FNPG_tA2ixDE
zq7f{lLf1h&?6;wJO6i|eGx=H0(5M}uktA#iU~q;p0lUPTuP+$k9h}0I=7TE7^U2^J
zkIVNt)1;wA=PFyhB*Ymvf}l(W6cYVod4V&;sUc1a@ob3aLL;of0UuOE1vbu-VVZFs
z-^4^R7R)zwBMeyu`3dMT_N*%#yLKOT?T4T0n!>YiToU3CBm9Sm2haJNP}tZ4#XV(2
za0`Z+-6Ihkmg|ipz5bL!loi-GlzYQByg6WkU^@#)Uw_sNCH=|8{*dquEA(4OdYRNH
zu$ifv(Hq`IFk!Hv1*WD~Y^_5GOfols6%+c#YDlV4k~BCcto4O(AUV9%V4`7r3)-RH
zv`}sqk=#&JKMWPIJcoc~r9=`WNtKM$0N#`^L9m?#<k;m#q*yqZfMD{3!blOz1!rh*
zDg;nCMdgwjhu1Gm6l_Q$+(AS}n9MSgOSg~mR*XzZPLx$ue=trjWbl%PNeLQQ`Mqtl
zF<VMA3BQ<%BkFX)DsTRjzFe6Y;-pY!Dl7r!ihv0$Obg&;4-*XuSft~>%;?N&f3h<~
zudqVDYP6S5saFEWLQ11AD}c8}Oc-ovfx%9p%o08VLlSZ%D*zP>QX=rOD)C~UIx%<w
z#e_g=76{Co^_f99OXNEzqn+WsPkU~4ccy2#Zg4KPe`cQ!6$ii!>c^SE!&%<KL6dgm
zPCQ-<bBB0KQm`fjMcnK*lAlcN&YPby`GOW!zScn@BzU?C^N!a)C@+HR66B^uzdauy
z&uOBdCY5jQqLn@q0;!=O;}eJ=i5)QP+7NGLN^S)S6asU0rb&BDo4ME|cwZ`>ZTIw=
zwDE*zwAe%k2MzVsqy}MmxT?~tbq_2Y{+dZ2npkAAyUFOpn%rb3Q0cH-|J~4(woC}}
zFpD6Ag9%Mg?OW1B69n5?^a1;Tl4{K%AW2h(75dSkUQf!Nz{LfHtN?u}&g<j@<IUb+
zTMLqZxG`gAj5DQ0R?*C1KOrr+bEC3qZ}!|~|K_1tCIGat0zB7a496G<fnYJiK_?3+
zmh1b5c^SC5V$~x&Ew1#-ZbD8=dh-ku2^(9wazDTm+m@Xa8c{E(C`&0X7<d5cuU>oK
zRFe5@BxphD6WE+Fq(5l)Ny;3`Q_naSmKIe-^<wZ+pV<c_WT8IpN@L)&Mw31yv*lQk
z?Fx;y3X2cIK8^_KW|A$(Yl0?3AGM962sHtCHL~UCJn0_}_YO^I@>RGqBX{TS0#zk<
z3{862%)&DITZM)THwG>}`mgZ)+n1klPsT9jKBnQnzby%tEu!CCOaJc*Bwn}t-xbLJ
zZ>~V<S1hBKo`@mGgiVjF$6pLJ#!!z?{$}4%-(?x^XUt^oWPJ3Ubd~pd&sUzc?kC;r
z-0A7fX}6|LaqVzTa^COEbVTg0+hyCUw)M~uZrQ^Bwl{Q5CI3R{%ip9YR(FKkH*8!p
zeM3u_m*knE9EoWP7lET?(I}i@W8sdKBuj9jE3U!eH1(J2^@GdlJ-$%1GG5s9Tr*|+
z_^gEo^;KbdsZV^Xu&O-mVU@DoKOudI{$iM}_RW07eyBct&3ejqPT`}B&PM3VeR&UD
zc9GEG?51p0D<7)T{~DpU_{Lm%;N>Zf#B$0uW&eyr`Uz2buP=1dxLJjFo%Asr{TsUR
zecc-a+}tsDPYNz=y^5k<Z)?0o?}-8KkQ*F}#{5%x4fYV~uQ^-Ki36_3|L6whwp-IF
z>ZaSS6!dLzz|FeolRcxue;h<n*X()m0eyUe-jc0+dFj#W2FH^WbzbIsxm{BO$$PAD
z75LeGdHQP!dJSW{;KnBV^s2Y&v+F15jVpkWS##dpQU96x0o+BVKl(v;w9rdOPc8Uo
zr}ofI6#)9XBWEw3W?Y=5$gSdv-{tAow9wh3-B+ex%y?f8pV~6S-IY7F|J7r?BAdz6
ze`ulOOx~PjxA6DXAL@99*{ZK?1qlUi8h75j_jkd4=v$`@FV(+lrT32U-1G3=8G8mh
zV9dL|y}xV9q+V)pA=;_mzLLI#nIxaBN}cD8-t@TW)N5AJOPRs53lEMwd*==4Vd)1}
z(bWt(LQRF=zlFbg=4z1CMEe=C@NE4bC<=WV{lIF#&#L?fHQF`jDT+crM4!Ee-kVJy
zKJD(zbN+d?;Wl(l%SqzHE$Mr`(3|YF^lG2D;ls4DwjpaN3Rivovb8X3Gaq=Tr@mlL
zf+7pGesnF2+T_OHKBf%*@Ev1G)tlSs%Y)*WRo5^0YWHmvg$tk&jnAiiyE7)yufb*a
zrS2JN_d~YQYu{r#nVJu#dSd1do+Aq&E-J)h*jo<{&_@^3LsKlZVvq&Lo)>!E2BJge
zs)7wItI7ot!!H@n5)_PqiQ9nX`kk5H!71GaO#x5txczq2OcMzkTaXTC8g4^Nh%A!m
zFB;J{RHSwoHICys+`TltQq*-51qoVE#zc+&%nzDw5b;W}d{SCSkVAqJ5~UEHP8e`d
zN(ic|%1V9lHqIdv3!7W84qs(B5iNnFBNV{c6f5-m2K|Kh2$!A(INnO!2%Li^2sX2T
zV7!3d*6JAqggEnLC;pj1KjF+nRLXJaXZLxhIH^q#Xl4a@c5ttEI-N)j$A;+I=!10r
z6jN$kNaRD)QwdJt;bN2i9LJ0RuN&=!35OIceL8fL;j50CW)2eBiN|vN-oaibWy~XM
za1XPe(xK5Yaj>Zc2fKx`TRt^8K;(!ARHXJ);c_XQy*5>jL6c=-AUO*Ljt}n5FPLJA
zjwsyW>*@TdeWDZ8kf4R8q!OJ3hh}B;jWHHSYiPnD1q<8>4c>ymr|wuYIjIdK6o>MB
z{hq9!2#eqbAk5dkun6s|iGl=u1CHWAuuJ5&Vp39W#{PVkw=9J#3-PE1(Js2O3>s&X
zI1;jS0VS4WII=WVL;23kNTYA|hTKQe??}sYb~`59E~je1_HmgzN@f$GZtSy4%WeP#
z8GSx2r?5&Q#M}bg|ELCK-`VpHZ!&|8EzB&dfb{0%Q%`4Rk*>CxRtYQgE6=Belx7xg
zw5kFI8-1q9zI6GyE0a*r*a8*WV`zQrOwy@VfFhcL<@&G-Xf`Dh+#P^xyM}()x#wDU
znjqND0#b7Uu}P=<G}50a_J=44RIEu2fT;xI3=qU2U%vmZWSRzvSrL9~Ab3@Ra3UfQ
zgH!_*y6ZxET1psRlN1)SroC2)_*!OPu&o6t47LNOR<S|^)&xkzDq*?4<wAOLY9I*?
z;u)Dg=nr~tCJHvRpd9KQ7EvZBb$~)vKrGkazmU#LscVqk<~b#qfH8bR6A2qzk=l%D
zb+SYxSAmivf%74#&>JqIb5nMRgBuwtYCxZ^5mz$_1&u9GofjFRYZ6JP<^vSbH7GwR
zHHfGv0;bZy3=y~0q>rR5^k3d<EPdPHbI3N#!>$lD!wP-U#q{VDW&*qu4U+Wwby0Ac
z3`f{R!FCoD?mh!$3r|oqL?Nn%75aG>(<4&$1>TO3CG(&Vm{oMIO(bk<K|<fiKKaxG
zJL!@6!(aDq_YU{0bl>Mz(|4uIX@}GDTw9!9>Fl#~V;)=)*6^YWT+_f8hTvXJK*J{#
z;1vr_g(oc{u|!PY|17wovtuVOS#-hg%c>sF_&|3)M_<kiigfQB(fG`6{MGk82aagQ
z*0-M@{P&j*Q8wqx`qg^yc?cCo*5!<wu)g~wiu(4%yPnive;zz^pY6~sSywZQDe4X8
zvfu0Hz5o)O_Hb3ttT(hPDC$}7OGouDUZAV9efxh%A9Buj9*VlL^qkVJ2~|m#99|W=
z{f0cf>qR>58-9LwYtA=U&7i2=S6`T~fAJ!u1H^0jqO$!ZCw69j_p-j}C3-L8&VIUx
zKH=kO<?WAOs*nFGy@&C?av(G;6yI35==(bT>A!*p&TlIoUvkTlAMsZgUk1NdyqQ^C
zcK`mjAu^fEj?#C&3_iG4eo05I#Jef#y4UZLb@>&*8)4h@P3~1Uo!_!+!bAE!uRzDM
zXLDan`Q**BDC(U9!B_Q`zd^_CPrT`Oyz3eQPwQ;`@qK;htI+XD*Vf)9XTH1?PF&rQ
z{WtxzSE1wT!MAH_)?fD$MO{7k>1kcL1<8&>>~r;vd3wfc5Q+?bc%FY$@%g7j7k>1b
zzWp@}MXH|NFmLr|dnrfo!fjza?R8*e?BVYonm%FLCdy%(_xpeAcfJmc%=@6`nI&8Q
znnT&&Y5T(rJ^XiIWY9C)XN>sd-QQ65>(7duq(Aw0=)Tmn_=)mcwpAF5k3Q)Q=>F7;
z$Gti;_!vi#RYHI24ZxlA{uzTCfB*4FiWqgh{!MysFg<d~1K!4`7{d%>ctBHEQoi42
zq|;H)KiysFku<@1&@ta`hvG6=B4-?zqy7k1ogrzV1v}!UWWFR5zaez2t~!fOwE-l;
zt#rsGC!HRcFgQx)gu%v^33K~dhJnd1AqIvVNkrEd%2Rn(Vo-(0Sp=Mv0)r!NQb$4-
z>U~b{run2JB%wyk%Wu&EC_MWof*<g#IZo+wb5My)7;I>PS$?)*U)qZa4A}rA_5~{H
zQ<@e9x<UNIKHnO((gZ<z7LePnGbA;mh)Bxxt+8DH;cPn9)}I(uWJmxTM_XY$P|r;i
zY-m9Vl`&+k98*Y8%=9mo&+T(VWhqo>^+5p)?&hgtzr~D9A`=j4SO714(vaQq0wOz-
zIw!t0R!rzaEJy_hud>0DRpx@m;AAwxu(<`SPan4B6EIkDde^g0uLdFhcn)2da<t&_
zCr$2M)X4NUQLvo_rR-cfe+c-3x%2$EsCA{As~XgFrbLir1va62HI7&d69TDOAUdxx
zAhPEg5H@p3!x}y7JbHF&9N2P@(ckRVJ7R=PC~Rwi3PTbZy{E=GL?ccCB*S~cob(mv
z(OPOCNTZwE4#cdPC`izPf=+ecjvDnW<$K%bXZF!^Jm0!6NMDi0J9`|e?G32t1Z%bY
zIBWHB7hO1b(GGec8B&sgC#R%?2OtCQ4lT55js!1^aB}}s(zuYC{9!}va8o_$u<7%(
z?E}d^zJnf{qQg=Uu7*k?Ib;tm2`<7WJ#1&`@4t8SIzDxT?WE%a6-!eB;ASh#<lZeQ
zT+&ShBxXUlzmh~GJGRskgrw7h75c8zQ#w6TP>^JJnJlRx#8EJju&o6t{EQ(mzJ>_Q
z%rIfO{^jW@jVu7cr2(nWzb3ASiGmF+D1**0P{vmi6f?sF<?yPEB?}`3dB|UALVs(7
zzKjWi^eiCPJ!%X~OBE4XGP#5m`psvgw6XvtsBjq6v_xQO(H}CQu(1Vd+<v1!MU|vK
zXlcpD6qZj)4=F-O5kra;>U$xt-@Yxp>;<n2X~rsuewK-ZjV(wc&+P3~1?dzqu_V6)
z6{!|kATPnwXuUgB=(U;jk(7o0F;H+!kHpFeecWO*j^SfP4(UpHssRF{%Jn;lkItY8
zgiS3#p+6Imb=8y+k>Ok?2l25yJ3UmE5=7KE!Px&KPNs>_OKiuO1*ZH-yoTP7xzZ_Y
zXn~a~xH>9oSAX3?C)K2lG%Vbshtg-_Y!fNp2N@4B4c>oxzH#qP-<DSEe8cgC{T!%x
z5lq}&$C)_)tzhlx(DEJ2mnBD#ERxUsC*=sr@SL2gaLHhgsft{;%482(S=q}uYUtyf
zlZZUbjZ!F2wNVNX94m;p*)K2?_p}Z&sUsmv=l4JtP)D*(Bt1xOl(rqEi&EG-cmq;}
zD>H@@#(3VIag|BGk5t<UgcO;h#M@eSFU-*&j{d|PMZZz&f1l|7dzZav62-O_rj=U^
zkxX4`st8&7uzZpyq^coR3u$a<sZ~X!Al%i1!yA1W^mD?QXPRKx-U9aN%?8-;W&(z@
zlq55;T<ZgCPKhMKiy{4T2pe3(%S|k7Zo#_em@yhBE=kT<qEAqfYOtlC0^4JJGEv3U
zj%9b47)Z{7aou)fvaVW8`hz3B49`MAd8z>i2n8Q&H1uiX@?_2&38Ct&ZAy-}kskj&
zjCY{xC&n9|n8cG?Bt5=qzhkV)?O|wU;dUMrBFM@{0zyI_lB&dtN$!v;gj6x4N}<M7
zBLI&iDrAR&xK+%CSI+yb35NtMaLalJJFmeUY~!XHluzhGYe)qJCu~5EjRR?IkL-(>
zI7rfh1I`igWri#wI5??^QbBo1isU$WMsU-M>$hlP(!qp4Y8D7|mmuY_yOth0u8H37
zJ?cH#^H<L{&rtWu^n>X$({`uLcD(@mvRfQqbc;I|<;CFLJy}S=OBE{YoQU`wN(7$6
zfp<WZFdK%qNW&39|IJ$v*^hpw?77LFE6*2pemh2=@-}1=hTnQiMegK7t@x|I_%?*o
z8LNUb2LCz#H<Zo$Orl%wdI!R3{^?0$OUFqkQq+H<>I(hCcOb6MoK638*gc!!ZQUn#
z4=(G<UDX%YI~=epchYd!mD~Cc4D64DMqRWIp51Lui|Zf%0|M+(J6kTC$nJvMS@)Fs
zWWD{Lu*c}V<K@l1Bj0bJs67X6{9V_ymVSGDdhlQLC8NECp*G(M`<|hw%bd^fD^?iW
zo|DN-$+sigkN={lWy~2?^K`?R*M9^%tq)zRbMMl%^xuvgoBHHKN2_kG{zkvxUHbBo
zq30XEE&Ou+B>e5N#mt9?o%)>j=vB<vr(at)Jx7q&ezWW>{lI%5q`_Kd)yUI_JzqQJ
zjA44@eMq;=xVxxx?$t*|%=vV~pY@Cn=%phD$!z(E5&LcUyLfqWPgdXl0bR(9{d(q-
z=}mRFt!{el5&hW@AmcRoVYOM=|Nd#XjOZO7;@}*dy=l_Rx$S8B^&=kwE*j~K7hfU2
z`fomh!I7G4YRd1peilWct<~#3hQS%S^t)Nv?@j#^MWIR5@A()qT;tz;_X+m(*Y7~X
zr4RW8@TTp1HazR@3HP9x(f{-by=BxyFbU%NoFM*oO>OEGIJ_zC)XV=(?;34?Zp&uJ
z7k&n(de@Z3<bXihX5RI%=lUtVdZaV!o%yc2+P=pL8gDSi1U_kjPoDUcp2p<<=gO_2
z-E)73bL&#3XqJcOUGLLN=`-kC=)cm(m?>$qnL6K}(grgpr{BWdz&yo#oiR2oo>7{y
zF5`-fhcZ6$4N3R-=J*o6i|;y(dCWPDSEKMIW(4$If#-kWI3K*X5*NfkII6IM647`z
z7N;(p>S(a*pR-I}&n_2pic6pKJe}9g-r(w4Ml)wQ^sW!+Jlpb~w|&gGL2ynEE`C#A
zQ@(%r1~L2Td7kgwAEm#Lw$CLy4%t^j#c#laIP*9UV#Rk5B(2`jv5HtX5^a!-u??bR
z-Tys3I^_}!FKa5&aVL~<TA1bl8(Yl5#rGQ)r*<W=I0~A5JPVEG`iAf6;VF?+$m)}P
z2<~3tJTpPCodsmXG$Xd@XeIp#0f><{#tQv~@9C`6D2gD+<_Tq-x+V-Zw7`7&y|E~?
zwIo*_;%Puds;y=@sPgc3Pyanroc$&U(zAeUtuf;3DJzJ;@Q5#QGO&DN2HaNX;2%D;
z!nzm$91E!lxzEP{8}hJ;h0QHkwsHe&Xo6tj#ayx+V7X#oB~sxi@WhiKCEZ=LP9_pI
zwjeDBdE$BsNn*@_5Py$^<ybK~BNR^s13s(RZM$}oaUC8Fo(Y1@FeopI5zftMDRdj1
zKamM(N=Q>fnih(sq6@EgOK^ZVPEXY5MQJ~Sw$h}G6fEo?f<k1!B}&*&hD=zYKlLN+
zNwF^>2jSHxO(FXd3|e0k16x@z-uThLh(!oSGHim1R8AO>hjV@$Mtz2xf#%$VKx!6<
zXYVw8u$nND8jb=9n6NyX358P$OOPeV;u;PHE)OO`FR>k?mYYLBln0{|{qFzJsdn2T
zO3=XK^^25nO)*JgQw!4=o%F^@8B~JuJ(F=hWAlFG+3&tO{fxAw&QBaC+b^(9rxIZ0
ziZi<kx0rpS(7#;uHJ$3Lvl5hK0bb2YD)GF3Hz(7_(25NBNt?-FkSpuNBcAa`csl^5
z2HYIkY!#ORJJ#^}bn?hEvuaIc^4u#nw)Ag(9#Q44Rhvx4iDQiA*%_ftDN!I-q8Nu#
z=YBc;9#eqW2K98^M#46Ug-C+?Pk=lH*%sg*IKj`!p^d2s!%%}oG<MRcdpr0OOwvff
z!uwGuM7&iU1P_gsv6F@s`bXc;sgCd~K{%-*i<m&|OLw2~hp!SQ61KG<?dzTJlQs}3
z5wqxob>!GLbVUl|4j2&TYlbakPTRiX3zIyw_-XP(+X;Eo5+W>GLXcZ~DtW;UD)`??
zC0e%c`twXAY&@_dyW!|FF@)=h#7sko<uKaoQ-XlGB2Ql!JGG3s;;s+-K(HMe!nx~A
z#!1@f({Jh0lyZS>Urr^-YX%+ZJ~}!yurRB4O*ix@t1ZbbdHn+`fZeuK?82EHGh2k7
zxe3ur?ez4ugj$oSE%T<rGX0k$DR<r#*xeN%*i32*aqUf_*mj_hbq?~9D3$y*L@G6C
z=+NuHa(&i!^n{e6VZqjk=H>_n3nmISw4i_&MNmSk2}&uTkdzUWFH4bvl!KZK4{rB6
zYGgzoCJ55AfS^}}TgW*~TITFGDgOz6yYH%ue`n;w`Roz&LAuF%vzPL0bHCy~%{@GQ
zRocNc&2_0ub3W&s=-6Wa(q3)*(sn-eCUp{+$8kMTmKkef#?E@Xa@xX|ocOC>$T24{
zq00HA3zhCKmhPA{O#hl=YM2?)w?EAJ*W@GktJm_(70j^vHrI`N@weWE$L<@Wf6X&n
znK?zpe`$E6dk6mNCkxDV%(VM*J7&EYd}+q|Gq&oJMP@H!yDRFl$C}pQul|AvSm}%1
zd%O#nL33i)->c7(083`B98>Z8xs&l%-z@>ww5a&vtft$S&i?vdyFN<>tiij^3XY;0
zHsG)RfDBmfTi$A5Chgrk`<5Z2^fd}#3CDy-7yRYcxA0dVsWM9$xoFQ{Dvp$lX~`S^
zlD=JKsu}LB)4lUw`0%&*tG}u;morlueBY^?hkR4^>`FyHO=Gq&xu-0h8+`NK3HYnq
zX9DFR??3Czp8uIkeN}Vmx6WktFcUs+wefY|t-xP>$t=LKJ1@J@{(|ye!55#c&>xru
zSh%Dt+5WFh_^Xea4OlZy&Utcf@ugL`Ea(Sk0~Xrv#kq47{M8HRFnh<y56=0fa^HmW
z;jAtg;I3&M$>7DMADzQo;+yELdtG>K-U|4S<$&STubK<!V_$x>WqNSPNoebI`#eCO
zp8xUQ*%yt-LYt(YFb~ktaFm^R^j7>mkk2?X;eJXv<$EpTG3G?N&Fk}&x%1L9T-Q7Q
z;HZJzW0)!jrI|E%M^;ywG5_r(l?$tCFvR4K%?MFvSq*?1giR$uF!v0I2ADdI4blEh
z=yDkb3rLbwN7r~Je>_-Pfe%q<rlQKhe=R}k&D^5um?W{KW!fADvj8|<MP1}^8=D_+
zC?{}^6(VqcMoJ73_ImrJ&QKvu9Bc{ucsrJLk#}rt!-1r6`)+zkFYj!KIz1I#c<P>G
zlQ&fuRBMwiwzly98LS=1|LQI~krVPy+ybmX$?r&s1OL?!!N{56JTW1#5wgCb%SHy0
zuuhU@e+EO2V&~Nm)nz5Az%yg4B8f)c3}>226I)u?-tz~t5eXVY4bT{@LB6-A1cAfF
zB(gL-S)9Kn4mLzvKEBgX7_{ZM^4|?&%R$cNP-jY-m_8(jM;V;`COvFt;rkdA0!UZk
zX@<1Xl%uv_xsVY$Efs(&;eK;+?MI7ZqF_VR^OH_B1P%lZUAb^FLmWt645fGhS%I{t
z%5u0q_b&Eml}xJG*uwj^K(7P2&E%bE3YL$_2yIKnJ8aD39ZE9<LQ7|&U_<0RaY~YR
zqAZ<X{e)8?!#Pd(&mfTGDw;@>6tu81{9LI)fAGnMj-YI&qqMOCyo!@kaSS<CSu=e`
zVt!2&Y)4dN>+vcw`s<(I7e)?V2R4ElG}k62Xkq0SgMkso$<p-n=P9^$awAhnpW<EQ
znUntf9|z^!mp&L~R)!%gn5XbS8tA8gzA>{zFbWr1djwC5VmhUFW>viVQ1Y!eY-t(g
zCr>h_a8?&%NDYCA)S#v~g+BuTJf6VmbDYSkZ*~;P;TTWoq79h=IWn!7V6QC$gK&N-
zw&AXt)@O&&T`);vOAFgSOd>d7hmAMtOgoGfXot^BiNV5NQa`sEoe&cTTN-xQlN31#
z&IW<0AZv&mqRvf4SCHU8UzE&XG3d&ebg{LC|7&0@3_I*LW*5kb%r2}zdv;Dr9D#%X
zatlaaAU=`_fsG71oStNzXv?R$y<!(b)Y+*>!VaFm_3mGwcV*JVmKL^gnMJR0IrEjD
R3G9D+-@H#}eS}K({{UQ~6%+sf

delta 17258
zcmeHud2|$27I#%|sqU)o4v-MGKmuW>(zSJ0RoJ?-uie=?8wm7L4S{Sx0to`4)lpGV
zA<6?c5Cj=TLB&K60rzpmZPam`5gZpp$8A(}bl|&Hov=hkXFkvO$9K+f4qd6=z3;yJ
z-hIox_q|$kj9+t%y>XaH{}qN|&#q6IF%bTuKQbEOm9W1Fzu4XfS{B*yVGq4)cdVKC
zto=v(clNLBpV>bmcaxZ9rTK01O7kFMLENFZ4AV`f4CCv@35FH=Z;;@oD$^tvrvyYL
zM7vx{gcd>pjt)iwE;__1yfZAY0mjL8ZM(6ZN;RAm(lZkF%(~3{x2|#Pw^A9aM(rtk
zfA00_v+K3>TWr)<?t=qIu6qN+j<0?H<*v>Rvuwk%m;-4~EnkRXZ*1B&u<OJIug$RI
z_)1gsk9in&z`wYrE4yoxZTx#LtQBAT<S>R0xj}fh>tt8EE#u6emX~i1?ZmJz_taN(
zwcNBdd0Nj4i~V@10mB~NbHlsQ2?-SD$N1FfWP`y#biKMet*h+j25OYOYRlwH-@CW{
z)KiPPUbuM{mG=9jV|+zwL+y#i7rVHP-r>%f{?7`p{p()!867jAS4y(MU?jSV?@Q}C
zyipmRv456W?t1Ve4BMRE(;UU)Nv*EAP*vA-v}m~b;Wdw2(LT?D`WsBq@%COBv|bOI
z+yOE^L5-Ff4_d3A88~O3EvGBIX)Ag4-@HuijEp&Lv!yQk=2^Dsr#iP+9r^GB3_En#
z>+Wjb?6o=bla3W`N^QWfHP60$d)FJAH&OPk>8~fgJf^Owv-`2G_FLL1=jB=77M}e6
zv8kW6pX~bSmaUYjUig;yVed8SvuoF_TWr&=zB{GzaOpe@yKnNP|LpSLHjCnv+8=Y*
zeK5CW+Z*q69lXs;joSB3cuMHtbu*@~c&}^l?VE;;y!y&ZCmkNWTYW}x!@1@XU4cDm
zU7y{aJB(eG^=eN3_t!3*Jms0_M15bI)h_Ygv4L_3^JioZo-{_f@5HxVpWm^CB5KQj
zBKNxgY3_*jbZy>JI_9Y;1%vf)3;Z0agr6P>e!55K;1{>Q4!_tF4^dm6x8sj@eRAi-
z%l3Bf#SJa-Ci{NO{;mC_{ayR(_Gj$-9~!{yu%rDBU6H|LKY;aE7~L-W`cg~Jftk8L
zKiwG&@@&xMl4vf>IB6lmMd)Bi3D8nFD9B+}ka>m=wskZ$1eVNKCWn?Nf!5|F!RA)M
zCHwp(g*ACKSwdM}VQy(@o`<i>$}TD^$@S+~bCp>|F18|vsV*<8Dy=Ckmjy8^x3)UB
zx~|-lm0!bg4C|yBxsztt6jsV$*$k(YF1Q3nat>_6qGRmwn4iU>Rsti;1mV$}6-8k}
zfuKZ(BVm|$yui^C7f@(U3<YE$F-k}}r)cx?CPh`#$9vfFtYVKprzX=^EfzSve0FwT
zadoz@G+V9|Dmx2`M8RJol;qWBW|e2kg#|eRSL`n;sVyt0&h_}Rd-c3fO{XBsqN?UN
z8>lIsucnjXLySvy(qX5Qh4mrC)4_09p#ftRnGcAJi#w-gQ>U`LdCB}G&7f*lfvY4d
zry$!amzVJ6zO1^U>_VZqvc&KAcyq<PvYf0M$yLI8YuS9sCsyVQKB=-=%9HZ5Dk}VJ
zfp~FE8QICHnx<JnQ~rESg&-SYI~CAUc7|nIU<8H^NP!3~MR<`3@IltavgcF{H8(eC
zdWuZBkdt30RMb^?$}{tG{G~OyT#>7yyr_iFDt0n*X}Pmn_PMfrUZyUqO3E!R^yT{a
z%$nj-p)S`cT%c!8pXCLH=Tt>kQg+Ng3Ud%Fm|eBIGvt!A9uyQ8Xc?9xv>XXI>0m%+
zLNGu@&KW{}LN9b)Fp_wIkp;EkV@YUuYScK<jDbK^VuW=H5m^pGLtzjJ3M}S9MPg_r
zz{sKkiU^|8+}66ZKCFOk(zrkx%caTb<-y=`CO>EC;*#R5#mn;=3mnZ#Q+sP>%lt@v
z30o29tZr_rtt)GaDEZ6k_?l2eEXrzX=G?6d0!@pSriYpvFKD^eaA&$K@Dig9`Oy|o
zbolv-@=A~o3ZR)NsAEZRDYVRqG93{VKFmj0g_FhJ83|g-s+vs=>5lvrl?z3_p}|!c
z36{7TtFqf%LNn7`Qd8$^aV%?dH8zBo`-<|UrGmd^zOP#9Ku65_!RK|KGu<h<B!*YJ
zFVzfM4Lx5gC7`&%u-VZ}AQXgQ16l<In22GH3o&ev5AY!#mWi;kq_^vMS7l=(Ge2CK
zS5mjgS>ThUAZ()93l>&}+PKyZ&NW|XDPG=LS+KB-X>RhB2Xi7qy|1a6{gtlcU@Xb9
zW@Dn)#;{t%Y^?Ay$2vKd7Nv+n3r;6P2StXZS&37aKtSSHR&HxrrYxzC)GJ|C(N5^S
zD!JIt=5)wKLZK(ix41Ybuf^|dYcFc9%?osNC^c+zuufP|T33-<*;rb>K=9@HWKh)k
zi;4>AGK^A@(G-pAKNy`tSRIQZ4Kpz)z=9!2bbt@QRE)S7ITVhF(8?u&rf_p(+tRaL
z>MzI*xr&wYl1OzySxu>b5tHB0<m+e+R@XNPbrp_kM}Ek^u(~|h?p?gFgy$+MpnOxa
z@C%A|W;lg(7;K#6QZ*fK0!`)f*Nae)iNIFjq(kZ=At+9n4v3KeEX6J^B84SJaJeE&
zl%)$)Jtqg6np+nrOSBcEt~5vT=ZRi_zMNZ;E!O$-y<Al>!xUD)`o(!%-Yl`Ay3>~}
z)WFJDQd;OOuFV%@7w60=^}D=9dF4N!IH0Oalmu;vI*g#|sHkz~*%=;^89u@XBQz|(
z>ZZoav?Rh{a0-&dL`3k~0)ext_Ks3#NiAQZEXgWp@#Qe3`3tiO^E(Qw6qmn_Ve33)
z^-VchZP`+e*DI{3EzS(omW%m~wLWCD>Qm2~Izl=l$ReX{4wDU_7fhY$XZ4D(0Tz}k
zo>qh~tUO#;qys@N1j_LtIl{?27i3%7f(`YdzNu3jYUhj7vnv<6TG<XyL4}gtz9e0S
z;TLFWEH7$t7RZh^uRXk&T~M1_U6z%bxoAa4HQHy@r<|u0pDwaI=hCK1sveZ0&$lb@
z3`&Ai4ACK0Qg<vqOa~Y#M8m)f!aQNZN(3hJverPbL75zG)ht@$<>kWatemRcTvu+s
zlwX;j&-?tDWsEDkBo|hHr%>A|u`=tgVrq&DYfG#7{OY1Qx!Uik&aN(S<`w_kqM#(h
zvVu1FI2|aN95v?k^&G*$Rv!q!axI5A7cICX*Z@K<7p?9M&Tt48M4k)RFI9EaW;4sV
z(!_RQq0s7YZ*aCRb+lD3Z>@G#a=xW`O|2cdSv9_8^-`I?xH_0ul3iQT%Cs$NtSl{F
zjGp)DlhH`4o)~y;KjG6kS#?d&OuK&Y0+$n<4~FAlB1A-52*3gz;2{_QkI5+q1SY~s
zVqb^#+R^J+-cVXpUYaE_HK9<W($UT|ioVK5o-4>+n%kJQxTd;H3PxB@Lvz3(<qOq|
zmgOtxF}ptfJT16%+3Dh3QqRBadXk~6OKjQJ)7D4qYiwtF65RTbwez<+W$`(Ns1^S;
zpXuMaOr5<xlU)<@Tm2cECgs2JHWDu8ZlJYZ{iW{zXbJj-6$oYf^d9$rFzkPE)b~8?
z)3>MpW;0#7s>m3J;ds<Kz^?!At<`y<hYQjSz0z#@-)b}vrtcMI)&CpYb^gb$B1qHq
zN;Bzys|i6Et_jPw4$$j=vnfw^>Mbdxt;{~rcHFkvzTe*ExsiV;g&}R7c}6e|uK%sG
z(bOyFzqN2@{}{&DE9kcx*U&5H-`KU!tew9a0_b}M{Z^Cea@C$T_cJDU(f#NbCua9v
z{g2)WvZtWD!p~H(&SF6<$&<x`noLQ~FBUw-p5ltkoc!W!ra%yL(cv@tu_*tH-Zvpz
z%FM2C)m2rx^0N!8g#4Pi;t~%li+pWWVHQ(f&G-xXtjgT#9w_pqqf7w@fCq1omIYTB
z8~`<r5x|?`B0S>)PcY~TIF~3b%^87kV|`Prvb43ed6Cj|-fqb;5GZHx5GxC!#L3-^
z;az*$e<Joux1rl@JUA!KrLf^pgk@<aqCh|;J0)5UOClW(%Zw;<LD4CN(6Kv=PSt~`
zP+C&d+WTU3R|?I*ztK}tMz=Q44F_74(HSYDE8CPQDHm|dT6ojPz3RLMutJQK&Pg)o
z6r%>*jQMeM)aW6?0Z9tTVS!eh4D?O{=t4_;NTNeQUV=afTsRT!+G5Ndpl;3Q<cO@?
zb7qV26$f)6uFBUX>pkX+SFaU2YTRcp{!h9@H(u{I_tWrV3ih0N&)8w_6y=~Z9F!#5
z6^N*AJs+ZFSHww2Sb>*ap#X&I5rfX5BQV@=hP9kx`JgMzvJr4;7>HQF`=aF_gjI?J
zfjSdn)#mH<4qPjMV>lILSWXlJ5`<tf_-)}ZPs<Q~(Tt=Ba$L|E35OWI=kymw<BMs6
zz=y?<8tRLJ>f?c468LsBBr-Wc4g`V`E{w(>G)+sBBSIjok|0U~z4;)7$!ri5lER`W
zhPY5z44|tHn&>oE3MkNpE;<~5q!El_kg1O9po<T3G8156fTFh#nw)7)Q3|pmC(;ny
zfZH1Zvj!P4OhYzAk>!9(;#~q_A2Vg7aZVW=tsqB(pA503ON}uC&>adNP(m)nDT#uJ
zZg|WzI!%NKRSrl3t@+ae157f*GIS^aHS?@f3d#cd<71|2v%{k7Vi@Rp2vyZ!z{SwA
zBug~pjl!G~hT0(0VT!}dsW|4J4{5GIQ)^qGNf+W}C-ksFJHr8(CtR4Nr2zC^1cD@|
z5)5;Utf0n2CU=??hFT$Vq9xUD2GhZ;hBPo8WW$m(tcZfbap=`UrtxWzuizyXGG9&w
z+<qY}2EoYSI*MTkW+1lW17QJ;IBc4f#)}~lf<N#oWd)o}=oSbS;75T#0iu^640Q=D
zJPbX-^C4D=Fpw5tTwq&CWN1lYgW!&GFr6SP=87<A?_txFG?oz=CMdcf*QfAmuFnac
zK4jEDAS;HMfGBXm?jt7CUc={@{qvpy4E}+AU_5Tba3a+dn?n-Kv)yarezF_1zfy=Z
zc8kfPWhB4E>^-S_O-D)C1cw;n?FKy6d|s)Y4DR0P#^d)9pW6qXo2RglL267CyW@$D
zspsKxx>ICbqKK|7A~vK2`7jfLbQHwzvYG^nK#UTC#nTDh&W9D~Ul)%&#l(<{N$~lI
zM6{-uU@k_y+DlAEe=jD+UyRsS(umw8g!^I~P<#S9P;&8#H6rCD5)&Z3D)p^cXIplG
zbOWmJ5~(Vq_%lY3<GVQJQ!i1fQd~bP1H#=Gr)>8Tu8UH7{_Z1o&(Y$>*xK5sDK%2>
z!MRw%R!f9lNG5-oZ24ufxgWW+cVX|VoajgIM~*v3zE~%lE+GG`YmGlA*Q=@MzRC?3
z(0|s;`d=oWxA$DkM%{af-`OtK-6;m#gOk6|;lIXU`85XfS%ywE3x5%#5@$L74MW`d
z3>WSCehfeFe3hZIuc08~XB>upB7SawQ3kAUXkM&~bt8e^yZv8`ZoztVM~H@tSz$0W
z+6ZRoQ}1GZWF~)=#cKIg7PEP@vGdnzB7Rj25qAO0#Vj(&)SsoV$2-rC_;};L<2lD-
z=+E*qyTs{JjbNDGMdM;UpQ1}qIeKk#@%8A;QDTREmR#n~<BR>J`C^$rx1^BsWP38j
zTCtQZFRgZp9v557mgcieA(xvei3M4llgVUq%7uc;{A#{Z%CE8fd?Klv4(ucx_-e%C
zqujr>hJEH+9RJZ4)pN*U&c5WleFPNY8QI15B&;*f#V;gqf+$Emzq=j?Wf$z1tcw#|
z!M6H_Fx?brRIIT3T8(=#<6hGxad_MT%T1)2yoF+^C#;3mw{5ld9n@XcJlkpeRk~Ys
z7(N+uLIGs?!t!0u(>I#W;5~bg`AQv{wV1fSr(&b|$2jt`{OHiQq@*O>6^*F&4)e39
zX%%5ZM^+Itx_o*XjXGhO-M!UpXzA43zXVy>GujdQmo|s>J?lEFhx!M#jq;MG$em=l
z<wwiimRT0ce88-jt;B;wUEG<tJLCLuCeuFCTvMF!VdFd_VR*<e-!Me~jDE3xsP0+a
z65TNTX?!U@5_<+)1oCT{I7nFHG%hN^ARNCdtOBPi0Rbg%BU$wPo#a4sl|y40kE6ZY
zNFPy=uDzzB#T6D0s=JG%%%!vj4aZUZ4$?i)<ltQnUUbkEQ(~+*dU+>VY_6KzCurI(
z(r2!i)JHx1Ch11^{+^_W(upxi=xC+Ib5_vAstJ81kG=-1lXsJLqGEikIGW|RcoO>R
z<R!=W(s8{)?gYwNA>&HMYH%Ws4(%b`cCEzN!ZZ!E<7m{Yq?<B1(kjNp<l+clswzEN
zdxh5D@ElaVtCh5yD^mMd0&S!_(dghr2PZjr&XHQ0qLH90UR?%V(ML+D8g*7oyV{8(
zV-nD-)zFEjJJe20?kjocrBKnxOG&f2WQ2x+%EwoN%9^whg~K%vRAyFz%0|cV*~2u1
z$5C@96#dg`GLfhqs$n#8)ItrX=Bb7pqCwD<;(Ci4O$<U)YLjAYIHE#iIZ-t@#)9xV
zD78PVHa1a%QgQU&v(Q+BgOwbt?BEzjVrha#g2tYiPr3*6krGM<X?P;?94DuvFY7D@
zbZh}>G8YciaM1kBA4oT8a11OTpdq8s+*wfH^9xDR?2p%=u{ipC5$QFT+hZI!vOf)N
z>u4lN!e`U4p@^Mr@x<#LvV&zDHorAi5Dj^h@+9@5EbCx7hqavQlTtRo;!Ze6q<myd
z7WCafi+eyXg)Fvc@F1|`AdB0k!j?j_hJpI=i554hcbH2F4H=H6d`Ef)>Ksmo%ON@l
zZ=41v;b`uYV73?@R}6s=OtnEMFvsGtsi3J4a*Y6i#FSx{EW!uLLddxcNA4#`4{984
zA&3%4`2m!K*k+4}N|P-XyMuLb4!xSa0|F?xWu(Pz1yGj{IXHmqX5=1aVdG(TABht1
zyT1m09$~suET;JFrepCvCdTqlJEdNB(AnXJ2ZlY}LzP-WcKk8aGS^aoA4Ip7TXHwf
zvyk|cJ=8qQTs!_KYG}3;;RjH1z>?qHVmVBfeR#5Yh{KE}>u>`c4K_f&VreTYV%J*z
zDkZ%?#f7bnQRw~@Cw7%aLGddsNu6rp$^BV)?DAOQN&P7dG+C{1FdRY;$Inwm?u_9R
z`r*>57(TuqE?%nP1%t=+Be*(Z1;+Nnoy#>mDGgLQzhaha(+KE`m6pN7KRnqqcyzy#
z!V;CC38k#EB+gbDQu;A)O&Y_XQD!VLCc0%wb2v<?r4mP)v7zVJ7lQ{SU%)$$)M{A2
z%8~#*+LSoFU!mD%P1dk}a5bU9L;JzyaVk7$$k{5Exzd?@6M&6_lFot7bS5tb4n7A8
zo#{+Y3{5<T^688_1}2;Z)izGnz{ElQ6o|ot2cGSxrLBSa^-c39#bgXPD`Od#&P<4b
z@x35L5US+SMpa$3XSF2}dZclX?Se9+H0n@mtX@OkcpheeLP7Z7kVy4YDM=+Y3?|R2
z<doO|CkgR-6(3|dD_*TU1`amIm^)#<NCL+PoswPS9!#8-(%Y~YJ}B<26lfS{jfpm$
z53;?W@qCc!1r29GRS80;HAHWoap3@p;RAIlvss<XDznzQ1V|tbjbX9*t)bm(ERQ?%
z(8!*r_E>HkrTrB;YPmgL%|UEz!42aE7>1~Ki{=wY&C|`tNJOPjo2?V9Pue!wua85f
zBI8cO-wi|H`qbz8p2z-X`AV;!6&;Q~I$=pg+fP^$(TGnhWA#dO1X_K<G8V;s0?;ET
zER%aYpI8o?(ET4<XnYUCyYNKR`LTsU|N7W6W*_<FC`is{7T59FTxD@~UbW0;O~y?a
z?xfASg-b&VnwKnb_njT8S4QfDY^J8PvL>@OFQ=>`$FHVZboRF}`&;(U)CA27_K694
z8t*StH%L#L`<LxzNJ9!TxTyh?Yk&Ewqu#6gTDKN|7iX~DT?3c~v~3OfzZ;F}?aBY$
zX#Bst(TFzRK+f{wDd~^mU9DTxry946zz$*dI@@X6&DN9FX;e2APj-_&%Qo{j<|g6~
zL<6CZt1|6^uyv&|#n5B0=x6KR)G_!Q_#!B{4u+-|t#(tEG%3hM;2fTTYblU27vN48
z4T)vANyCWh$pI%RybC>bBe}(9nCbnU@#~BO82;*^*G{6v>q)qEJLMTEZAW4h!(ZyW
zLP77WC*j&{^1y!>pC|#ohsqDp$hCpoWD^!Vd{x2R@LCMt<GeQmy}N;Iw<Vt3_0h=t
zKWoGA6)%4K5DIpYTWwR4KAk-M(ZP_Z55Hgh5{kbG>K*-F2g|&+Y&nKY&j+@l$8Lgp
z<8|eu2iNa(V0hxm6N}Nfo1xyMx80jl1K+@rfbqmeAG+*jsCV+#grBAlD(%9s&*S~w
zXu?LaJvnt6w>$l+6=`q@w8ecOI+;FqzZCA}zOpL~9p6Yc+Sql1K4)(Js~C2tV6&k*
z1gZ@FF70T_*vO-R{UtmO#cd*I4byp#OZur(y%@IcmFh^{q}YX43@-Vim7B=SWb78#
zTi9D4&BL&3qs!8xV<w(|4Hy+QQfcU4n@Ghr+^rOk8~2TfVb^>-vl=yRhAtYn@2>Y<
z4D90ATMM3BgudBKZXFT#z4r=oLgQy}8GB#a+UTTlz4G94vJvgQg<Nlw6Mp=s?<Bn*
z!*)ITrV*9gO3tD(K8ikF-ge?x^UiljwC`5ZO9@A6atq!`Ojn=Cb{lk-?a$vnm+;cH
z#Ta&FT16JxcN=J6?=d|&7@KwvhHWHHZ$=rnlUtMR=38bbS{LsFzOqwqMkl14)4)KW
zN9&+P!|xy)sNv64pmFcFnU?2YvI5<F2bj(H#I^-Q{L1g)TJAWy37x(J%*HMrVayS~
zi31-tbgc>1Z6P;xPHs^~PJ3nDjZnka&A2+;83<?X-S&F>FxzvsRsWCUWjzGU$hHmQ
zk^e==|BI0S7a{+D86kVB)pcV6wh6OuvwLiRu`RPv)-6^Cb&$#>Un0vauUUNNKbU6_
z4-j(+OWcET)utazcbm$M|1v&c3>xDNj~YS-LVu6GK=+|;wT{F8hOft`VIN>!smDD;
zVT~G$<977QDbhok9W_<e8UWdsqko2l!#S0L+)9;(L2iYePPr2ahr~N1!67*vRi%E7
z1i6(pKpNOb@|RR<IHZJ{XHssvhF2C=XdvVfj;ByrW~E$v%>kabp{n%J)JP&&reQPD
zbtfUWuyzbJ+&s5bgJc}tIhJxGVk|X;nC;Ur9?d%qY?qCrAd}?PAQ~O~380?w)Ig%D
zM1#hot=|IlmkDZ9iZuwDGU^@Dofzj3d50)CM5m*;v`8aCQ@oR@0&_{B_6jXH1KQa&
z&ceb14TKhqN{1Fy<o8MYDxE4eSLF4*E*=1yei~0fzARV6K<W{|&ZhZtXXj`*B*W+g
z;N3WgN;KDIYZxrrM-!-Wb5)l13a0ofk#Y~|%N@EPedBUuRb*;ZXh}*E809=_W~oOb
zL7g*)Q0@VJBu~`hCRA&qttZGV<Qzt2lF_)C8WfGgQR;9|<l*7eOfqVi5kqktb-o0)
zsZFM)nWNZrP41;=-XRK-bt5U+ylR>TwLuPPFS(3ZF;#nQMspy!g+6(J<ju=7G^id&
zj-w!H`9maQZk07Ggrl;3fPJu!q|J*Z4Z8%|(*syrH#y1NBx+bSjvntJ=M#%u+G`o|
zltCIUe?OUKUf|TAA{@C7kO4vwwAUQ;lFISZqvS|)kk_D@I7)hqoJGv#v{xB1pTU@T
z^AHJxiPaz;Z7GLBH*X~qyN{4V-AV6QAP6@vAPx|&xEtdH(@WrmE;D?6GecFS!Ih4X
z0(Su5q6(b03k>+25)YRo-~c}aDe8bAbIi^6P+n@{nXeXRy!c2UC-bI9kpZVRQNuI0
zmyMg0^p^TWyKt)AHeuJ$YU$Ie-58#guys00*HK$-)8$i>{5|V3Fnn0Ul^>yZb<`GH
z;_&pL$=5ACh+%)>Za9e6>Zw__QQYZMlka<>7Q_CK6xfcw)>Gc(Nnd7vJS~~d0>|lt
z;O=N@$vIaIzP8%CJq<+-ltSs{@?(a}TTQFJNq!oAW1!k8{f{^7HFgD`Tyfy}4^g|3
z+Dc6skaf-U2cG(7+2N^9lxCu~P>GvQ7mb|$uiFamJ9RHQYNBRQ&OtxSEA&nLOno9(
z9Obn+UQX%C{QJC@Fzom7O9-?fj@o47jVrIpYf5+w!*=Jr^b?W@sLy=s@`cu=?q@qP
z%i7RE0-8N`!j6z&+*gfZKL~G6LkrE&?4(WCp;Y22_}=Laiu)5vvOu%P?%(ja@X9S~
zFzn#cotbEj1)5Dwnlo<zk-Q&#yaR(Oqhmbhnhg%|Z9CGCoum}ouoLfmGIqDJ8ywUd
z_I-oakYIsPkGnpZ()v*cru*=ZH+CTt1*!~qZOi^4|JYrR>7Gfby$9{1K$WqpDs~Dh
zJtr{TKF|KIP{0bRq#Covr)R8pVY=&|iWH&et<VAd`;W}c-~RHan6B~gm^3ub1|1+>
zwIR!w#!td@^1BP4Mlaf^_7V1(bI&B!?B9gx@XEI@i%yn%Ri;%Zxa>x9Ec%_DYAj8u
z+Oe6=h2$9ibz=MFv9Reb%#Lg)ZPToeSQDrNR2g}f<$Fu3`4w|3oU#Pty5ktrbtcaE
z0)$OV^q=W-btiRE2%9EgcVSB*Y!YH&6I`U=LO}t(sNvO1CZQl)GLhkyMZ^ggtl^$Z
zD5$V#w;OCVW#X_Y(_c^99#}V^9Wfpl8_v+F;=;q@4eArU>w)fJ27FtTRa{+<;ddv#
zZbfS|p?h5H;!Q<=eQhd+FW3L&3G{U)SZef};|DQM*ME%R?$;V7MaL{U-%@DKeDJ)Z
zS(Gwj`b)RJS#@RB91KtXDJLnaUwHN_J0pP}s0OyQY%15ry;yc#-bnH(3_F&7w+FRn
zQ(Kc~IF-+;ldj(j-}D9j4@V~~=&eHg_7T0KmaWa98irWO-KK$A*EBUx`QkZceoX#&
z_(Bi8mjg-n5%-iNPDtI798AqZQ*)_Oa$37<!snh3bC!K~KiZf}Z5lcuV|BY!_JK!z
zM)l!y3ZlF`YLPAJ*!Gmv#s{Wg*iBz{tVM_Npx<V`Z{AbeeD{P^_BZR%!hD!h!|wb2
zZDVV%vQDR8Jb)4ls98ftuNgCvDgM`Y>a%X%xmb)q2j_t5_Z3jdHhPxn+nJp$V=(Nl
zl!b@Un+34AOnqbb(TXQ){L7vWJ&#rtg56RlJ(8c^jGxZ<vinDLx)ACg`t<3C(h}K#
z`b75>f!*jit8brqMd6>Jvz~nM6I5Lcc5}Wz^OB<GuYK@orQ$6{M~Y!Fv)^cUB|dlm
zhlQ8hzCgoDpg#7KAODzhoW3OE>ofb&p%SWnnAxoVfZ8eTP@mDs)#nfBQZKb3*?#rx
znTdx!z81qC`r?Iy(MeV33<I-t=C(AH>Z2Nlr*NYN&;!3Og2v5nUNzr;)-u4f0GOWl
zQIk4neEsMHH7Q%?VAvJT(uP=k)q>d{u+OzyY!BKZwj}G*))s3T^+)P*DxG|v+(6E-
zd}O)CGRgdmc@FV4aTzS_AI04gS7`dqv<=QVP8;tBpJ|}s8N)KeB>g-3>-95qU+V7A
zmEx!Iz4#nF9+D0%;Erkkiil|JV8xDZdzkXrtPbpIU$pm7MTfpv5Boiwc<_P)yQ(M}
zJ65sl(5S~Lx5|5^FB&^nNz$R{hF)IIf&H#1svWT4z<YFajQ0v(R6Ak8fj96Zm2WAE
zY6mMS&zHAQZY#*U%oo*8R`4XWxSR5*Rl{i?7A=Zm+Ww|i{VbJDcssS%B=iVy*;Ou=
zqqA^zj0c?tkg_^fdsoG{z|(o2$}<<PjM2d#cmW(A@1=dz!&|^<xc@~ejwoEwE8>+N
zO~eXsM;}x3QOX^!*2FkE3fuc69Rd`pYWFVh<C_+x@`%D^y>b@+4O~*IV_8+327n(l
z`wFP+h0DQ@D{s}XQ8+q%1yy7&U)uM2|0ZC$_ezR1dzWY!9B+|Vg9{4Pv%F(T;bIN7
zqcb0o9@6Sq>}`p$p&yTt9#u&=i)$%tj&b2AdaI^nb5oOsfGaW+Y=X+Kqs9{p8#T;_
zn1kT${COQUhKMw1P#(JTLvSxf-aw5af{Qe0=Ei>llDn81PRv=TAtJi|?*JWKLM55&
z>NUuLqgR$v73Qi1+AB1<@Mfs(sy50_l+V|&QK<be<w*cV88|d#ILCZ%L?b{$*DsIt
zGf*OhiiU!#Iu8a2^rKP{))4R*9q)mMRj@*JPeU38u43t>s?!_PUcu>IvkLl*a>$}1
zSQzM&l)74Vdgt|tvHulZXwo6`4q0%>PRG2`xqZ?Ob%NvBN19tQCngqM15t)ugXa`p
z(kFEbh@nWwB~`OE1RDK?K>5rSv$R)Gcb*HJ>(V;y6*T?gUC{nTk%EKgS`7nr@0O_C
zjipr9RF0fwJV9PT-bcPko}ngCWu|G=3es#ENNtb1k9v{%);iLfXHsBQ*lc~m`l&6!
zHa*S^E5!}AM|xJ5QqLGBi3;Qr;k!b(9}Byo0ACf;0VgZaEHA=0$BY7>D2K3h6ZL+W
z;#;Y-o(+ELQlq*oPwcVIqW0)}KAb}hAJBaxWs0A69J9~1>uk4LzqDpjhp1uX5wg~D
zzeQ(WO}s;_A%?~^nvR&J8aEoJ8eTVy*RRlh3ro$n_&V%3HV=7j#7Fl8w^GSCHRh39
zdN|z@UVWl#@1$l^i9_fAGkNW)Q~vlbmZN{%N%^Rmr><I6yY8_)>JxdlQJblW)idJc
zW7n8x-GAtN^p9;+2gOyd`6_osv`l@X_U+W2lznK`>clY}gGW`(c@d4h3$};&>4bOi
zqi;8=PxR_tP?v5%dyVeH%!G-b>pPIV1L_+8?zO4n%d-RO6Wz1}>PjZ=5+>|;aL@Gi
zD~BU_C)AbFeEeg&zImDYM2B`lUDmc6z8d(}b5|s{ZYR*9yP+=onL$Z|m0|nUCra7{
z&Sc6<)kXAYdAf{G*X>2CcfqDJY@|y`yYazw>Jz=a3pSnU4Tlc<Pv5np{pzE7wDR|`
z$xR&*pIv_BZyVI-#(O|;#_QSlm)HGpWV-am9JKo$*kg6d4SV%<Kh0L3sQO;0YWxe?
z%f#*}JDA)bu0@CLg{p{4A5J8Xg-)tZG-Nka<@k8zWm)mZFPk0td>=ZvTlIrFmvA$R
zO*!flx$mR4j+i)f(1Y^Y=ns(Pn}29+bVBR79nFA#x{q2<N%xiTzFOmbmw4}a3*CA@
z)SZz{y;ruOebJl`7haBZd!X(iI~IOCI_k(uyYrH}(Cj@>H~Hh&kHtTmvQ2$<@1+d!
zHlwWxv)^x@XSdmo*qY#AYPQYni^eV#Bq1AYLh7n7Fb-^8Q8ad!09Jk9pQvn$FB-c+
z02>H(NAG3>yTi3b(byFNyKdvVv3=wkUo>`uAPL34PkIQD2p46rwcW?4Z|qdkbsa@1
Mr~aawnv<aWKQ7{3x&QzG

diff --git a/test/test_gc.py b/test/test_gc.py
index 27f67f82a..a5992188b 100644
--- a/test/test_gc.py
+++ b/test/test_gc.py
@@ -68,8 +68,14 @@ class TestGarbageCollection(unittest.TestCase):
         if not image_id in image_map:
           image_map[image_id] = self.createImage(image_id, repo, namespace)
 
+        v1_metadata = {
+          'id': image_id,
+        }
+        if parent is not None:
+          v1_metadata['parent'] = parent.docker_image_id
+
         # Set the ancestors for the image.
-        parent = model.image.set_image_metadata(image_id, namespace, name, '', '', '',
+        parent = model.image.set_image_metadata(image_id, namespace, name, '', '', '', v1_metadata,
                                                 parent=parent)
 
       # Set the tag for the image.

From fbfe7fdb541441017d78ccd0b7aa161698c71953 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Tue, 15 Sep 2015 14:33:35 -0400
Subject: [PATCH 26/34] Make change repo visibility and create repo raise a 402
 when applicable

We now check the user or org's subscription plan and raise a 402 if the user attempts to create/make a repo private over their limit
---
 endpoints/api/billing.py    | 32 ++++++++++++++++++++++++++++-
 endpoints/api/repository.py | 24 ++++++++++++++++++++--
 test/test_api_usage.py      | 40 +++++++++++++++++++++++++++++++++++++
 test/testconfig.py          |  1 +
 4 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/endpoints/api/billing.py b/endpoints/api/billing.py
index d889c7c82..aae577908 100644
--- a/endpoints/api/billing.py
+++ b/endpoints/api/billing.py
@@ -12,12 +12,42 @@ from auth.permissions import AdministerOrganizationPermission
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from data import model
-from data.billing import PLANS
+from data.billing import PLANS, get_plan
 
 import features
 import uuid
 import json
 
+def lookup_allowed_private_repos(namespace):
+  """ Returns false if the given namespace has used its allotment of private repositories. """
+  # Lookup the namespace and verify it has a subscription.
+  namespace_user = model.user.get_namespace_user(namespace)
+  if namespace_user is None:
+    return False
+
+  if not namespace_user.stripe_id:
+    return False
+
+  # Ask Stripe for the subscribed plan.
+  # TODO: Can we cache this or make it faster somehow?
+  try:
+    cus = billing.Customer.retrieve(namespace_user.stripe_id)
+  except stripe.APIConnectionError:
+    abort(503, message='Cannot contact Stripe')
+
+  if not cus.subscription:
+    return False
+
+  # Find the number of private repositories used by the namespace and compare it to the
+  # plan subscribed.
+  private_repos = model.user.get_private_repo_count(namespace)
+  current_plan = get_plan(cus.subscription.plan.id)
+  if current_plan is None:
+    return False
+
+  return private_repos < current_plan['privateRepos']
+
+
 def carderror_response(e):
   return {'carderror': e.message}, 402
 
diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py
index 215931785..b241a70a0 100644
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@@ -2,6 +2,7 @@
 
 import logging
 import datetime
+import features
 
 from datetime import timedelta
 
@@ -15,7 +16,8 @@ from endpoints.api import (truthy_bool, format_date, nickname, log_action, valid
                            require_repo_read, require_repo_write, require_repo_admin,
                            RepositoryParamResource, resource, query_param, parse_args, ApiResource,
                            request_error, require_scope, Unauthorized, NotFound, InvalidRequest,
-                           path_param)
+                           path_param, ExceedsLicenseException)
+from endpoints.api.billing import lookup_allowed_private_repos
 
 from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
                               CreateRepositoryPermission)
@@ -26,6 +28,18 @@ from auth import scopes
 logger = logging.getLogger(__name__)
 
 
+def check_allowed_private_repos(namespace):
+  """ Checks to see if the given namespace has reached its private repository limit. If so,
+      raises a ExceedsLicenseException.
+  """
+  # Not enabled if billing is disabled.
+  if not features.BILLING:
+    return
+
+  if not lookup_allowed_private_repos(namespace):
+    raise ExceedsLicenseException()
+
+
 @resource('/v1/repository')
 class RepositoryList(ApiResource):
   """Operations for creating and listing repositories."""
@@ -87,6 +101,8 @@ class RepositoryList(ApiResource):
         raise request_error(message='Repository already exists')
 
       visibility = req['visibility']
+      if visibility == 'private':
+        check_allowed_private_repos(namespace_name)
 
       repo = model.repository.create_repository(namespace_name, repository_name, owner, visibility)
       repo.description = req['description']
@@ -339,7 +355,11 @@ class RepositoryVisibility(RepositoryParamResource):
     repo = model.repository.get_repository(namespace, repository)
     if repo:
       values = request.get_json()
-      model.repository.set_repository_visibility(repo, values['visibility'])
+      visibility = values['visibility']
+      if visibility == 'private':
+        check_allowed_private_repos(namespace)
+
+      model.repository.set_repository_visibility(repo, visibility)
       log_action('change_repo_visibility', namespace,
                  {'repo': repository, 'visibility': values['visibility']},
                  repo=repo)
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 163a10977..20a8a8fec 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -315,8 +315,18 @@ class TestGetUserPrivateAllowed(ApiTestCase):
 
   def test_allowed(self):
     self.login(ADMIN_ACCESS_USER)
+
+    # Change the subscription of the namespace.
+    self.putJsonResponse(UserPlan, data=dict(plan='personal-30'))
+
     json = self.getJsonResponse(PrivateRepositories)
     assert json['privateCount'] >= 6
+    assert not json['privateAllowed']
+
+    # Change the subscription of the namespace.
+    self.putJsonResponse(UserPlan, data=dict(plan='bus-large-30'))
+
+    json = self.getJsonResponse(PrivateRepositories)
     assert json['privateAllowed']
 
 
@@ -1435,6 +1445,36 @@ class TestUpdateRepo(ApiTestCase):
 
 class TestChangeRepoVisibility(ApiTestCase):
   SIMPLE_REPO = ADMIN_ACCESS_USER + '/simple'
+
+  def test_trychangevisibility(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Make public.
+    self.postJsonResponse(RepositoryVisibility,
+                          params=dict(repository=self.SIMPLE_REPO),
+                          data=dict(visibility='public'))
+
+    # Verify the visibility.
+    json = self.getJsonResponse(Repository,
+                                params=dict(repository=self.SIMPLE_REPO))
+
+    self.assertEquals(True, json['is_public'])
+
+    # Change the subscription of the namespace.
+    self.putJsonResponse(UserPlan, data=dict(plan='personal-30'))
+
+    # Try to make private.
+    self.postJsonResponse(RepositoryVisibility,
+                          params=dict(repository=self.SIMPLE_REPO),
+                          data=dict(visibility='private'),
+                          expected_code=402)
+
+    # Verify the visibility.
+    json = self.getJsonResponse(Repository,
+                                params=dict(repository=self.SIMPLE_REPO))
+
+    self.assertEquals(True, json['is_public'])
+
   def test_changevisibility(self):
     self.login(ADMIN_ACCESS_USER)
 
diff --git a/test/testconfig.py b/test/testconfig.py
index 2ee3e89bb..34ae8da48 100644
--- a/test/testconfig.py
+++ b/test/testconfig.py
@@ -20,6 +20,7 @@ TEST_DB_FILE = NamedTemporaryFile(delete=True)
 class TestConfig(DefaultConfig):
   TESTING = True
   SECRET_KEY = 'a36c9d7d-25a9-4d3f-a586-3d2f8dc40a83'
+  BILLING_TYPE = 'FakeStripe'
 
   TEST_DB_FILE = TEST_DB_FILE
   DB_URI = os.environ.get('TEST_DATABASE_URI', 'sqlite:///{0}'.format(TEST_DB_FILE.name))

From 502f5e4c8a062817ecbe477040a80491b696db5d Mon Sep 17 00:00:00 2001
From: Jake Moshenko <jake.moshenko@coreos.com>
Date: Tue, 15 Sep 2015 15:57:55 -0400
Subject: [PATCH 27/34] Missed one place to duplicate metadata.

---
 data/model/image.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/model/image.py b/data/model/image.py
index aef076336..d0433708a 100644
--- a/data/model/image.py
+++ b/data/model/image.py
@@ -280,7 +280,10 @@ def set_image_metadata(docker_image_id, namespace_name, repository_name, created
 
     if created_date_str is not None:
       try:
-        fetched.storage.created = dateutil.parser.parse(created_date_str).replace(tzinfo=None)
+        # TODO stop writing to storage fields when all readers are removed
+        parsed_created_time = dateutil.parser.parse(created_date_str).replace(tzinfo=None)
+        fetched.created = parsed_created_time
+        fetched.storage.created = parsed_created_time
       except:
         # parse raises different exceptions, so we cannot use a specific kind of handler here.
         pass

From a8183ed87b74d46685f5d899e9d0498e2d595df8 Mon Sep 17 00:00:00 2001
From: Silas Sewell <silas@sewell.org>
Date: Tue, 15 Sep 2015 15:23:06 -0400
Subject: [PATCH 28/34] Sample pull_repo events

---
 endpoints/trackhelper.py | 10 +++++++---
 endpoints/v1/index.py    |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/endpoints/trackhelper.py b/endpoints/trackhelper.py
index b3e2d86eb..7635d2a19 100644
--- a/endpoints/trackhelper.py
+++ b/endpoints/trackhelper.py
@@ -1,4 +1,5 @@
 import logging
+import random
 
 from app import analytics, app, userevents
 from data import model
@@ -7,7 +8,7 @@ from auth.auth_context import get_authenticated_user, get_validated_token, get_v
 
 logger = logging.getLogger(__name__)
 
-def track_and_log(event_name, repo, **kwargs):
+def track_and_log(event_name, repo, analytics_name=None, analytics_sample=1, **kwargs):
   repository = repo.name
   namespace = repo.namespace_user.username
   metadata = {
@@ -62,8 +63,11 @@ def track_and_log(event_name, repo, **kwargs):
     event.publish_event_data('docker-cli', user_event_data)
 
   # Save the action to mixpanel.
-  logger.debug('Logging the %s to Mixpanel', event_name)
-  analytics.track(analytics_id, event_name, extra_params)
+  if random.random() < analytics_sample:
+    if analytics_name is None:
+      analytics_name = event_name
+    logger.debug('Logging the %s to Mixpanel', analytics_name)
+    analytics.track(analytics_id, analytics_name, extra_params)
 
   # Log the action to the database.
   logger.debug('Logging the %s to logs system', event_name)
diff --git a/endpoints/v1/index.py b/endpoints/v1/index.py
index 457ffd43d..4d701b918 100644
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@@ -270,7 +270,7 @@ def get_repository_images(namespace, repository):
     resp = make_response(json.dumps([]), 200)
     resp.mimetype = 'application/json'
 
-    track_and_log('pull_repo', repo)
+    track_and_log('pull_repo', repo, analytics_name='pull_repo_100x', analytics_sample=0.01)
     return resp
 
   abort(403)

From 2739cf47ba82656b71c44dc24d6ec8531a22830f Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 16 Sep 2015 14:00:06 -0400
Subject: [PATCH 29/34] Prevent change visibility of a repo in the UI when
 disallowed by billing plan

Fixes #486

- Extracts out the check plan logic and UI from the new repo page into its own directive (repo-count-checker)
- Adds the new directive to the repo settings panel
- Some additional UI improvements for the repo settings panel
---
 .../repo-view/repo-panel-settings.css         | 12 +++
 .../css/directives/ui/repo-count-checker.css  | 26 ++++++
 static/directives/repo-count-checker.html     | 24 ++++++
 .../repo-view/repo-panel-settings.html        | 33 +++++---
 static/js/directives/ui/repo-count-checker.js | 81 +++++++++++++++++++
 static/js/pages/new-repo.js                   | 76 -----------------
 static/js/services/user-service.js            |  4 +
 static/partials/new-repo.html                 | 26 +-----
 8 files changed, 173 insertions(+), 109 deletions(-)
 create mode 100644 static/css/directives/ui/repo-count-checker.css
 create mode 100644 static/directives/repo-count-checker.html
 create mode 100644 static/js/directives/ui/repo-count-checker.js

diff --git a/static/css/directives/repo-view/repo-panel-settings.css b/static/css/directives/repo-view/repo-panel-settings.css
index ff626b9ba..8925365eb 100644
--- a/static/css/directives/repo-view/repo-panel-settings.css
+++ b/static/css/directives/repo-view/repo-panel-settings.css
@@ -29,6 +29,18 @@
   margin-top: -7px !important;
 }
 
+.repo-panel-settings-element .repo-count-checker {
+  margin-top: 20px;
+}
+
+.repo-panel-settings-element .co-alert {
+  margin-bottom: 0px;
+}
+
+.repo-panel-settings-element .panel-body {
+  border-bottom: 0px;
+}
+
 @media (max-width: 767px) {
   .repo-panel-settings-element .delete-btn {
     float: none;
diff --git a/static/css/directives/ui/repo-count-checker.css b/static/css/directives/ui/repo-count-checker.css
new file mode 100644
index 000000000..d357afdba
--- /dev/null
+++ b/static/css/directives/ui/repo-count-checker.css
@@ -0,0 +1,26 @@
+.repo-count-checker .btn {
+  margin-top: 0px !important;
+}
+
+.repo-count-checker .co-alert {
+  margin-bottom: 6px !important;
+  padding-right: 120px;
+}
+
+.repo-count-checker .co-alert .btn {
+    position: absolute;
+    top: 10px;
+    right: 10px;
+}
+
+@media (max-width: 767px) {
+    .repo-count-checker .co-alert {
+        padding-right: 10px;
+    }
+
+    .repo-count-checker .co-alert .btn {
+        position: relative;
+        margin-top: 20px;
+        margin-bottom: 10px;
+    }
+}
\ No newline at end of file
diff --git a/static/directives/repo-count-checker.html b/static/directives/repo-count-checker.html
new file mode 100644
index 000000000..4b89b1204
--- /dev/null
+++ b/static/directives/repo-count-checker.html
@@ -0,0 +1,24 @@
+<div class="repo-count-checker-element">
+  <div class="required-plan" ng-show="isEnabled && planRequired && planRequired.title">
+    <div class="co-alert co-alert-info">
+      In order to make this repository private under
+      <strong ng-if="isUserNamespace">your personal namespace</strong>
+      <strong ng-if="!isUserNamespace">organization <b>{{ repo.namespace }}</b></strong>, you will need to upgrade your plan to
+      <b style="border-bottom: 1px dotted black;" data-html="true"
+         data-title="{{ '<b>' + planRequired.title + '</b><br>' + planRequired.privateRepos + ' private repositories' }}" bs-tooltip>
+        {{ planRequired.title  }}
+      </b>.
+      This will cost $<span>{{ planRequired.price / 100 }}</span>/month.
+        <a class="btn btn-primary" ng-click="upgradePlan()" ng-show="!planChanging">Upgrade now</a>
+      </div>
+      <span ng-if="isUserNamespace && user.organizations.length == 1" style="margin-left: 6px; display: inline-block;">or did you mean to have this repository under the <b>{{ user.organizations[0].name }}</b> namespace?</span>
+      <div class="cor-loader-inline" ng-show="planChanging"></div>
+    </div>
+    <div class="cor-loader-inline" ng-show="isEnabled && checkingPlan"></div>
+    <div class="required-plan" ng-show="isEnabled && planRequired && !isUserNamespace && !planRequired.title">
+      <div class="co-alert co-alert-warning">
+        This organization has reached its private repository limit. Please contact your administrator.
+      </div>
+    </div>
+  </div>
+</div>
\ No newline at end of file
diff --git a/static/directives/repo-view/repo-panel-settings.html b/static/directives/repo-view/repo-panel-settings.html
index b49d835b2..d6c6d7996 100644
--- a/static/directives/repo-view/repo-panel-settings.html
+++ b/static/directives/repo-view/repo-panel-settings.html
@@ -22,12 +22,10 @@
     <div class="repository-events-table" repository="repository"
          is-enabled="isEnabled"></div>
 
-    <!-- Other settings -->
+    <!-- Visibility settings -->
     <div class="co-panel">
-      <div class="co-panel-heading"><i class="fa fa-gears"></i> Repository Settings</div>
-
+      <div class="co-panel-heading"><i class="fa fa-unlock-alt"></i> Repository Visibility</div>
       <div class="cor-loader" ng-show="!repository"></div>
-
       <div ng-show="repository">
         <!-- Public/Private -->
         <div class="panel-body panel-section lock-section" ng-if="!repository.is_public">
@@ -44,12 +42,23 @@
 
           <div>This repository is currently <b>public</b> and is visible to all users, and may be pulled by all users.</div>
 
-          <button class="btn btn-default" ng-click="askChangeAccess('private')">
+          <button class="btn btn-default" ng-click="askChangeAccess('private')" ng-show="!planRequired">
             <i class="fa fa-lock"></i>Make Private
           </button>
-        </div>
 
-        <!-- Delete Repository -->
+          <!-- Payment -->
+          <div class="repo-count-checker" namespace="repository.namespace" plan-required="planRequired"
+               is-enabled="repository.is_public">
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Delete repository -->
+    <div class="co-panel">
+      <div class="co-panel-heading"><i class="fa fa-trash"></i> Delete Repository</div>
+      <div class="cor-loader" ng-show="!repository"></div>
+      <div ng-show="repository">
         <div class="panel-body panel-section">
           <div class="co-alert co-alert-danger">
             <button class="btn btn-danger delete-btn" ng-click="askDelete()">
@@ -60,10 +69,16 @@
             Deleting a repository <b>cannot be undone</b>. Here be dragons!
           </div>
         </div>
+      </div>
+    </div>
 
-        <!-- Build Status Badge -->
-        <div class="panel-body panel-section hidden-xs">
 
+    <!-- Build Status Badge -->
+    <div class="co-panel hidden-xs">
+      <div class="co-panel-heading"><i class="fa fa-tasks"></i> Build Status Badge</div>
+      <div class="cor-loader" ng-show="!repository"></div>
+      <div ng-show="repository">
+        <div class="panel-body panel-section">
           <!-- Token Info Banner -->
           <div class="co-alert co-alert-info" ng-if="!repository.is_public">
              Note: This badge contains a token so the badge can be seen by external users. The token does not grant any other access and is safe to share!
diff --git a/static/js/directives/ui/repo-count-checker.js b/static/js/directives/ui/repo-count-checker.js
new file mode 100644
index 000000000..9cec0f1c4
--- /dev/null
+++ b/static/js/directives/ui/repo-count-checker.js
@@ -0,0 +1,81 @@
+/**
+ * An element which displays a message when the maximum number of private repositories has been
+ * reached.
+ */
+angular.module('quay').directive('repoCountChecker', function () {
+  var directiveDefinitionObject = {
+    priority: 0,
+    templateUrl: '/static/directives/repo-count-checker.html',
+    replace: false,
+    transclude: true,
+    restrict: 'C',
+    scope: {
+      'namespace': '=namespace',
+      'planRequired': '=planRequired',
+      'isEnabled': '=isEnabled'
+    },
+    controller: function($scope, $element, ApiService, UserService, PlanService, Features) {
+      var refresh = function() {
+        $scope.planRequired = null;
+
+        if (!$scope.isEnabled || !$scope.namespace || !Features.BILLING) {
+          return;
+        }
+
+        $scope.checkingPlan = true;
+        $scope.isUserNamespace = UserService.isUserNamespace($scope.namespace);
+
+        ApiService.getPrivateAllowed($scope.isUserNamespace ? null : $scope.namespace).then(function(resp) {
+          $scope.checkingPlan = false;
+
+          if (resp['privateAllowed']) {
+            $scope.planRequired = null;
+            return;
+          }
+
+          if (resp['privateCount'] == null) {
+            // Organization where we are not the admin.
+            $scope.planRequired = {};
+            return;
+          }
+
+          // Otherwise, lookup the matching plan.
+          PlanService.getMinimumPlan(resp['privateCount'] + 1, !$scope.isUserNamespace, function(minimum) {
+            $scope.planRequired = minimum;
+          });
+        });
+      };
+
+      var subscribedToPlan = function(sub) {
+        $scope.planChanging = false;
+        $scope.subscription = sub;
+
+        PlanService.getPlan(sub.plan, function(subscribedPlan) {
+          $scope.subscribedPlan = subscribedPlan;
+          refresh();
+        });
+      };
+
+      $scope.$watch('namespace', refresh);
+      $scope.$watch('isEnabled', refresh);
+
+      $scope.upgradePlan = function() {
+        var callbacks = {
+          'started': function() { $scope.planChanging = true; },
+          'opened': function() { $scope.planChanging = true; },
+          'closed': function() { $scope.planChanging = false; },
+          'success': subscribedToPlan,
+          'failure': function(resp) {
+            $('#couldnotsubscribeModal').modal();
+            $scope.planChanging = false;
+          }
+        };
+
+        var isUserNamespace = UserService.isUserNamespace($scope.namespace);
+        var namespace = isUserNamespace ? null : $scope.namespace;
+        PlanService.changePlan($scope, namespace, $scope.planRequired.stripeId, callbacks);
+      };
+    }
+  };
+  return directiveDefinitionObject;
+});
\ No newline at end of file
diff --git a/static/js/pages/new-repo.js b/static/js/pages/new-repo.js
index a4145d735..2e532ab9b 100644
--- a/static/js/pages/new-repo.js
+++ b/static/js/pages/new-repo.js
@@ -22,22 +22,6 @@
       'initialize': ''
     };
 
-    // Watch the namespace on the repo. If it changes, we update the plan and the public/private
-    // accordingly.
-    $scope.isUserNamespace = true;
-    $scope.$watch('repo.namespace', function(namespace) {
-      // Note: Can initially be undefined.
-      if (!namespace) { return; }
-
-      var isUserNamespace = (namespace == $scope.user.username);
-
-      $scope.planRequired = null;
-      $scope.isUserNamespace = isUserNamespace;
-
-      // Determine whether private repositories are allowed for the namespace.
-      checkPrivateAllowed();
-    });
-
     $scope.changeNamespace = function(namespace) {
       $scope.repo.namespace = namespace;
     };
@@ -108,65 +92,5 @@
         });
       });
     };
-
-    $scope.upgradePlan = function() {
-      var callbacks = {
-        'started': function() { $scope.planChanging = true; },
-        'opened': function() { $scope.planChanging = true; },
-        'closed': function() { $scope.planChanging = false; },
-        'success': subscribedToPlan,
-        'failure': function(resp) {
-          $('#couldnotsubscribeModal').modal();
-          $scope.planChanging = false;
-        }
-      };
-
-      var namespace = $scope.isUserNamespace ? null : $scope.repo.namespace;
-      PlanService.changePlan($scope, namespace, $scope.planRequired.stripeId, callbacks);
-    };
-
-    var checkPrivateAllowed = function() {
-      if (!$scope.repo || !$scope.repo.namespace) { return; }
-
-      if (!Features.BILLING) {
-        $scope.checkingPlan = false;
-        $scope.planRequired = null;
-        return;
-      }
-
-      $scope.checkingPlan = true;
-
-      var isUserNamespace = $scope.isUserNamespace;
-      ApiService.getPrivateAllowed(isUserNamespace ? null : $scope.repo.namespace).then(function(resp) {
-        $scope.checkingPlan = false;
-
-        if (resp['privateAllowed']) {
-          $scope.planRequired = null;
-          return;
-        }
-
-        if (resp['privateCount'] == null) {
-          // Organization where we are not the admin.
-          $scope.planRequired = {};
-          return;
-        }
-
-        // Otherwise, lookup the matching plan.
-        PlanService.getMinimumPlan(resp['privateCount'] + 1, !isUserNamespace, function(minimum) {
-          $scope.planRequired = minimum;
-        });
-      });
-    };
-
-    var subscribedToPlan = function(sub) {
-      $scope.planChanging = false;
-      $scope.subscription = sub;
-
-      PlanService.getPlan(sub.plan, function(subscribedPlan) {
-        $scope.subscribedPlan = subscribedPlan;
-        $scope.planRequired = null;
-        checkPrivateAllowed();
-      });
-    };
   }
 })();
\ No newline at end of file
diff --git a/static/js/services/user-service.js b/static/js/services/user-service.js
index d6bce37cc..10e5460f2 100644
--- a/static/js/services/user-service.js
+++ b/static/js/services/user-service.js
@@ -126,6 +126,10 @@ function(ApiService, CookieService, $rootScope, Config) {
     return userResponse;
   };
 
+  userService.isUserNamespace = function(namespace) {
+    return namespace == userResponse.username;
+  };
+
   // Update the user in the root scope.
   userService.updateUserIn($rootScope);
 
diff --git a/static/partials/new-repo.html b/static/partials/new-repo.html
index a8975e747..03a034e84 100644
--- a/static/partials/new-repo.html
+++ b/static/partials/new-repo.html
@@ -88,31 +88,9 @@
               </div>
 
               <!-- Payment -->
-              <div class="required-plan" ng-show="repo.is_public == '0' && planRequired && planRequired.title">
-                <div class="co-alert co-alert-warning">
-                In order to make this repository private under
-                <strong ng-if="isUserNamespace">your personal namespace</strong>
-                <strong ng-if="!isUserNamespace">organization <b>{{ repo.namespace }}</b></strong>, you will need to upgrade your plan to
-                <b style="border-bottom: 1px dotted black;" data-html="true"
-                   data-title="{{ '<b>' + planRequired.title + '</b><br>' + planRequired.privateRepos + ' private repositories' }}" bs-tooltip>
-                  {{ planRequired.title  }}
-                </b>.
-                This will cost $<span>{{ planRequired.price / 100 }}</span>/month.
-                </div>
-                <a class="btn btn-primary" ng-click="upgradePlan()" ng-show="!planChanging">Upgrade now</a>
-                <span ng-if="isUserNamespace && user.organizations.length == 1" style="margin-left: 6px; display: inline-block;">or did you mean to create this repository
-                  under <a href="javascript:void(0)" ng-click="changeNamespace(user.organizations[0].name)"><b>{{ user.organizations[0].name }}</b></a>?</span>
-                <div class="cor-loader-inline" ng-show="planChanging"></div>
+              <div class="repo-count-checker" namespace="repo.namespace" plan-required="planRequired"
+                   is-enabled="repo.is_public == '0'">
               </div>
-
-              <div class="cor-loader-inline" ng-show="repo.is_public == '0' && checkingPlan"></div>
-
-              <div class="required-plan" ng-show="repo.is_public == '0' && planRequired && !isUserNamespace && !planRequired.title">
-                <div class="co-alert co-alert-warning">
-                  This organization has reached its private repository limit. Please contact your administrator.
-                </div>
-              </div>
-            </div>
           </div>
         </div>
 

From 30379a2dd870835cb68382cd985633770cd76ab9 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 16 Sep 2015 15:34:20 -0400
Subject: [PATCH 30/34] Fix interleaved repo delete with RAC via a transaction

The RepositoryActionCount table can have entries added while a repository deletion is in progress. We now perform the repository deletion under a transaction and explicitly test for RAC entries in the deletion unit test (which doesn't test interleaving, but it was missing this check).

Fixes #494
---
 data/database.py       | 20 +++++++++++++-------
 data/model/__init__.py |  6 +-----
 test/test_api_usage.py | 23 ++++++++++++++++++++++-
 3 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/data/database.py b/data/database.py
index 660976bcf..4af55e044 100644
--- a/data/database.py
+++ b/data/database.py
@@ -119,6 +119,7 @@ db = Proxy()
 read_slave = Proxy()
 db_random_func = CallableProxy()
 db_for_update = CallableProxy()
+db_transaction = CallableProxy()
 
 
 def validate_database_url(url, db_kwargs, connect_timeout=5):
@@ -164,6 +165,10 @@ def configure(config_object):
   if read_slave_uri is not None:
     read_slave.initialize(_db_from_url(read_slave_uri, db_kwargs))
 
+  def _db_transaction():
+    return config_object['DB_TRANSACTION_FACTORY'](db)
+
+  db_transaction.initialize(_db_transaction)
 
 def random_string_generator(length=16):
   def random_string():
@@ -373,14 +378,15 @@ class Repository(BaseModel):
       return sorted_models.index(cmp_fk.model_class.__name__)
     filtered_ops.sort(key=sorted_model_key)
 
-    for query, fk in filtered_ops:
-      model = fk.model_class
-      if fk.null and not delete_nullable:
-        model.update(**{fk.name: None}).where(query).execute()
-      else:
-        model.delete().where(query).execute()
+    with db_transaction():
+      for query, fk in filtered_ops:
+        model = fk.model_class
+        if fk.null and not delete_nullable:
+          model.update(**{fk.name: None}).where(query).execute()
+        else:
+          model.delete().where(query).execute()
 
-    return self.delete().where(self._pk_expr()).execute()
+      return self.delete().where(self._pk_expr()).execute()
 
 class Star(BaseModel):
   user = ForeignKeyField(User, index=True)
diff --git a/data/model/__init__.py b/data/model/__init__.py
index 8c1214c54..a8326ff96 100644
--- a/data/model/__init__.py
+++ b/data/model/__init__.py
@@ -1,4 +1,4 @@
-from data.database import db
+from data.database import db, db_transaction
 
 
 class DataModelException(Exception):
@@ -80,10 +80,6 @@ class Config(object):
 config = Config()
 
 
-def db_transaction():
-  return config.app_config['DB_TRANSACTION_FACTORY'](db)
-
-
 # There MUST NOT be any circular dependencies between these subsections. If there are fix it by
 # moving the minimal number of things to _basequery
 # TODO document the methods and modules for each one of the submodules below.
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 163a10977..16fc67867 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -1,6 +1,7 @@
 # coding=utf-8
 
 import unittest
+import datetime
 import json as py_json
 
 from urllib import urlencode
@@ -15,6 +16,7 @@ from endpoints.trigger import BuildTriggerHandler
 from app import app
 from initdb import setup_database_for_testing, finished_database_for_testing
 from data import database, model
+from data.database import RepositoryActionCount
 
 from endpoints.api.team import TeamMember, TeamMemberList, TeamMemberInvite, OrganizationTeam
 from endpoints.api.tag import RepositoryTagImages, RepositoryTag, RevertTag, ListRepositoryTags
@@ -1468,6 +1470,10 @@ class TestDeleteRepository(ApiTestCase):
   def test_deleterepo(self):
     self.login(ADMIN_ACCESS_USER)
 
+    # Verify the repo exists.
+    self.getResponse(Repository,
+                     params=dict(repository=self.SIMPLE_REPO))
+
     self.deleteResponse(Repository, params=dict(repository=self.SIMPLE_REPO))
 
     # Verify the repo was deleted.
@@ -1478,6 +1484,10 @@ class TestDeleteRepository(ApiTestCase):
   def test_deleterepo2(self):
     self.login(ADMIN_ACCESS_USER)
 
+    # Verify the repo exists.
+    self.getResponse(Repository,
+                     params=dict(repository=self.COMPLEX_REPO))
+
     self.deleteResponse(Repository, params=dict(repository=self.COMPLEX_REPO))
 
     # Verify the repo was deleted.
@@ -1488,7 +1498,11 @@ class TestDeleteRepository(ApiTestCase):
   def test_populate_and_delete_repo(self):
     self.login(ADMIN_ACCESS_USER)
 
-    # Make sure the repository has come images and tags.
+    # Verify the repo exists.
+    self.getResponse(Repository,
+                     params=dict(repository=self.COMPLEX_REPO))
+
+    # Make sure the repository has some images and tags.
     self.assertTrue(len(list(model.image.get_repository_images(ADMIN_ACCESS_USER, 'complex'))) > 0)
     self.assertTrue(len(list(model.tag.list_repository_tags(ADMIN_ACCESS_USER, 'complex'))) > 0)
 
@@ -1524,6 +1538,13 @@ class TestDeleteRepository(ApiTestCase):
     model.repository.create_email_authorization_for_repo(ADMIN_ACCESS_USER, 'complex', 'a@b.com')
     model.repository.create_email_authorization_for_repo(ADMIN_ACCESS_USER, 'complex', 'b@c.com')
 
+    # Create some repository action count entries.
+    RepositoryActionCount.create(repository=repository, date=datetime.datetime.now(), count=1)
+    RepositoryActionCount.create(repository=repository,
+                                 date=datetime.datetime.now() - datetime.timedelta(days=1), count=2)
+    RepositoryActionCount.create(repository=repository,
+                                 date=datetime.datetime.now() - datetime.timedelta(days=3), count=6)
+
     # Delete the repository.
     self.deleteResponse(Repository, params=dict(repository=self.COMPLEX_REPO))
 

From 386c017d9975e23c08a9ef2ee3ce35f985a58b14 Mon Sep 17 00:00:00 2001
From: Silas Sewell <silas@sewell.org>
Date: Wed, 16 Sep 2015 11:44:58 -0400
Subject: [PATCH 31/34] Add quay releases

---
 .dockerignore                                 |  4 +-
 .gitignore                                    |  1 +
 Dockerfile                                    |  6 ++
 conf/init/zz_release.sh                       |  8 +++
 data/database.py                              | 30 +++++++++-
 data/migrations/env.py                        | 24 +++++++-
 .../versions/1c0f6ede8992_quay_releases.py    | 55 +++++++++++++++++++
 data/model/release.py                         | 23 ++++++++
 release.py                                    | 26 +++++++++
 9 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100755 conf/init/zz_release.sh
 create mode 100644 data/migrations/versions/1c0f6ede8992_quay_releases.py
 create mode 100644 data/model/release.py
 create mode 100644 release.py

diff --git a/.dockerignore b/.dockerignore
index fb1e0c080..15479142e 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,10 +4,12 @@ tools
 test/data/registry
 venv
 .git
+!.git/HEAD
+!.git/refs
 .gitignore
 Bobfile
 README.md
 requirements-nover.txt
 run-local.sh
 .DS_Store
-*.pyc
\ No newline at end of file
+*.pyc
diff --git a/.gitignore b/.gitignore
index 00e24caf7..9354014ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ node_modules
 static/ldn
 static/fonts
 stack_local
+GIT_HEAD
diff --git a/Dockerfile b/Dockerfile
index ef834f2b6..135a262cd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,6 +43,7 @@ ADD conf/init/doupdatelimits.sh /etc/my_init.d/
 ADD conf/init/copy_syslog_config.sh /etc/my_init.d/
 ADD conf/init/runmigration.sh /etc/my_init.d/
 ADD conf/init/syslog-ng.conf /etc/syslog-ng/
+ADD conf/init/zz_release.sh /etc/my_init.d/
 
 ADD conf/init/service/ /etc/service/
 
@@ -53,6 +54,11 @@ RUN mkdir static/fonts static/ldn
 RUN venv/bin/python -m external_libraries
 RUN mkdir /usr/local/nginx/logs/
 
+# We exclude everything except .git/{HEAD,refs} in .dockerignore so we don't
+# leak data into the image layer.
+RUN cat ".git/$( cat .git/HEAD | cut -d' ' -f 2 )" > GIT_HEAD
+RUN rm -fr .git
+
 # Run the tests
 RUN TEST=true venv/bin/python -m unittest discover -f
 RUN TEST=true venv/bin/python -m test.registry_tests -f
diff --git a/conf/init/zz_release.sh b/conf/init/zz_release.sh
new file mode 100755
index 000000000..152494cff
--- /dev/null
+++ b/conf/init/zz_release.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+source venv/bin/activate
+
+export PYTHONPATH=.
+
+python /release.py
diff --git a/data/database.py b/data/database.py
index 660976bcf..2a991f111 100644
--- a/data/database.py
+++ b/data/database.py
@@ -756,6 +756,33 @@ class RepositoryAuthorizedEmail(BaseModel):
     )
 
 
+class QuayService(BaseModel):
+  name = CharField(index=True, unique=True)
+
+
+class QuayRegion(BaseModel):
+  name = CharField(index=True, unique=True)
+
+
+class QuayRelease(BaseModel):
+  service = ForeignKeyField(QuayService)
+  version = CharField()
+  region = ForeignKeyField(QuayRegion)
+  reverted = BooleanField(default=False)
+  created = DateTimeField(default=datetime.now, index=True)
+
+  class Meta:
+    database = db
+    read_slaves = (read_slave,)
+    indexes = (
+      # unique release per region
+      (('service', 'version', 'region'), True),
+
+      # get recent releases
+      (('service', 'region', 'created'), False),
+    )
+
+
 
 all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission, Visibility,
               RepositoryTag, EmailConfirmation, FederatedLogin, LoginService, QueueItem,
@@ -766,4 +793,5 @@ all_models = [User, Repository, Image, AccessToken, Role, RepositoryPermission,
               ExternalNotificationEvent, ExternalNotificationMethod, RepositoryNotification,
               RepositoryAuthorizedEmail, ImageStorageTransformation, DerivedImageStorage,
               TeamMemberInvite, ImageStorageSignature, ImageStorageSignatureKind,
-              AccessTokenKind, Star, RepositoryActionCount, TagManifest, UserRegion]
+              AccessTokenKind, Star, RepositoryActionCount, TagManifest, UserRegion,
+              QuayService, QuayRegion, QuayRelease]
diff --git a/data/migrations/env.py b/data/migrations/env.py
index 108c4c496..c53421f50 100644
--- a/data/migrations/env.py
+++ b/data/migrations/env.py
@@ -1,8 +1,11 @@
 from __future__ import with_statement
 
+import logging
 import os
 
 from alembic import context
+from alembic.revision import ResolutionError
+from alembic.util import CommandError
 from sqlalchemy import engine_from_config, pool
 from logging.config import fileConfig
 from urllib import unquote, quote
@@ -11,6 +14,7 @@ from peewee import SqliteDatabase
 from data.database import all_models, db
 from app import app
 from data.model.sqlalchemybridge import gen_sqlalchemy_metadata
+from release import GIT_HEAD, REGION, SERVICE
 from util.morecollections import AttrDict
 
 config = context.config
@@ -21,6 +25,8 @@ config.set_main_option('sqlalchemy.url', unquote(app.config['DB_URI']))
 if config.config_file_name:
     fileConfig(config.config_file_name)
 
+logger = logging.getLogger(__name__)
+
 # add your model's MetaData object here
 # for 'autogenerate' support
 # from myapp import mymodel
@@ -77,7 +83,23 @@ def run_migrations_online():
 
     try:
         with context.begin_transaction():
-            context.run_migrations(tables=tables)
+            try:
+                context.run_migrations(tables=tables)
+            except (CommandError, ResolutionError) as ex:
+                if 'No such revision' not in str(ex):
+                    raise
+
+                if not REGION or not GIT_HEAD:
+                    raise
+
+                from data.model.release import get_recent_releases
+
+                # ignore revision error if we're running the previous release
+                releases = list(get_recent_releases(SERVICE, REGION).offset(1).limit(1))
+                if releases and releases[0].version == GIT_HEAD:
+                    logger.warn('Skipping database migration because revision not found')
+                else:
+                    raise
     finally:
         connection.close()
 
diff --git a/data/migrations/versions/1c0f6ede8992_quay_releases.py b/data/migrations/versions/1c0f6ede8992_quay_releases.py
new file mode 100644
index 000000000..92583881d
--- /dev/null
+++ b/data/migrations/versions/1c0f6ede8992_quay_releases.py
@@ -0,0 +1,55 @@
+"""Quay releases
+
+Revision ID: 1c0f6ede8992
+Revises: 545794454f49
+Create Date: 2015-09-15 15:46:09.784607
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '1c0f6ede8992'
+down_revision = '545794454f49'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('quayregion',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('name', sa.String(length=255), nullable=False),
+    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayregion'))
+    )
+    op.create_index('quayregion_name', 'quayregion', ['name'], unique=True)
+    op.create_table('quayservice',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('name', sa.String(length=255), nullable=False),
+    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayservice'))
+    )
+    op.create_index('quayservice_name', 'quayservice', ['name'], unique=True)
+    op.create_table('quayrelease',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('service_id', sa.Integer(), nullable=False),
+    sa.Column('version', sa.String(length=255), nullable=False),
+    sa.Column('region_id', sa.Integer(), nullable=False),
+    sa.Column('reverted', sa.Boolean(), nullable=False),
+    sa.Column('created', sa.DateTime(), nullable=False),
+    sa.ForeignKeyConstraint(['region_id'], ['quayregion.id'], name=op.f('fk_quayrelease_region_id_quayregion')),
+    sa.ForeignKeyConstraint(['service_id'], ['quayservice.id'], name=op.f('fk_quayrelease_service_id_quayservice')),
+    sa.PrimaryKeyConstraint('id', name=op.f('pk_quayrelease'))
+    )
+    op.create_index('quayrelease_created', 'quayrelease', ['created'], unique=False)
+    op.create_index('quayrelease_region_id', 'quayrelease', ['region_id'], unique=False)
+    op.create_index('quayrelease_service_id', 'quayrelease', ['service_id'], unique=False)
+    op.create_index('quayrelease_service_id_region_id_created', 'quayrelease', ['service_id', 'region_id', 'created'], unique=False)
+    op.create_index('quayrelease_service_id_version_region_id', 'quayrelease', ['service_id', 'version', 'region_id'], unique=True)
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('quayrelease')
+    op.drop_table('quayservice')
+    op.drop_table('quayregion')
+    ### end Alembic commands ###
diff --git a/data/model/release.py b/data/model/release.py
new file mode 100644
index 000000000..883ae146e
--- /dev/null
+++ b/data/model/release.py
@@ -0,0 +1,23 @@
+from data.database import QuayRelease, QuayRegion, QuayService
+
+
+def set_region_release(service_name, region_name, version):
+  service, _ = QuayService.create_or_get(name=service_name)
+  region, _ = QuayRegion.create_or_get(name=region_name)
+
+  return QuayRelease.create_or_get(service=service, version=version, region=region)
+
+
+def get_recent_releases(service_name, region_name):
+  return (QuayRelease
+    .select(QuayRelease)
+    .join(QuayService)
+    .switch(QuayRelease)
+    .join(QuayRegion)
+    .where(
+      QuayService.name == service_name,
+      QuayRegion.name == region_name,
+      QuayRelease.reverted == False,
+    )
+    .order_by(QuayRelease.created.desc())
+  )
diff --git a/release.py b/release.py
new file mode 100644
index 000000000..91a46f796
--- /dev/null
+++ b/release.py
@@ -0,0 +1,26 @@
+import os
+
+
+_GIT_HEAD_PATH = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'GIT_HEAD')
+
+SERVICE = 'quay'
+GIT_HEAD = None
+REGION = os.environ.get('QUAY_REGION')
+
+
+# Load git head if available
+if os.path.isfile(_GIT_HEAD_PATH):
+  with open(_GIT_HEAD_PATH) as f:
+    GIT_HEAD = f.read().strip()
+
+
+def main():
+  from app import app
+  from data.model.release import set_region_release
+
+  if REGION and GIT_HEAD:
+    set_region_release(SERVICE, REGION, GIT_HEAD)
+
+
+if __name__ == '__main__':
+  main()

From eff9ff7a6610d9bbfbfa2f85eeea2d433f5acaf2 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 16 Sep 2015 17:53:53 -0400
Subject: [PATCH 32/34] Migrate all GitHub build triggers to use deploy keys

---
 data/database.py                              |  3 +
 ..._migrate_github_triggers_to_use_deploy_.py | 28 ++++++
 ..._add_legacy_column_for_github_backfill_.py | 26 ++++++
 util/migrate/migratebitbucketservices.py      | 28 +++++-
 util/migrate/migrategithubdeploykeys.py       | 87 +++++++++++++++++++
 5 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 data/migrations/versions/3ff4fbc94644_migrate_github_triggers_to_use_deploy_.py
 create mode 100644 data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
 create mode 100644 util/migrate/migrategithubdeploykeys.py

diff --git a/data/database.py b/data/database.py
index 4af55e044..a7755c9bf 100644
--- a/data/database.py
+++ b/data/database.py
@@ -471,6 +471,9 @@ class RepositoryBuildTrigger(BaseModel):
   pull_robot = QuayUserField(allows_robots=True, null=True, related_name='triggerpullrobot',
                              robot_null_delete=True)
 
+  # TODO(jschorr): Remove this column once we verify the backfill has succeeded.
+  used_legacy_github = BooleanField(null=True, default=False)
+
 
 class EmailConfirmation(BaseModel):
   code = CharField(default=random_string_generator(), unique=True, index=True)
diff --git a/data/migrations/versions/3ff4fbc94644_migrate_github_triggers_to_use_deploy_.py b/data/migrations/versions/3ff4fbc94644_migrate_github_triggers_to_use_deploy_.py
new file mode 100644
index 000000000..820b21548
--- /dev/null
+++ b/data/migrations/versions/3ff4fbc94644_migrate_github_triggers_to_use_deploy_.py
@@ -0,0 +1,28 @@
+"""Migrate GitHub triggers to use deploy keys
+
+Revision ID: 3ff4fbc94644
+Revises: 4d5f6716df0
+Create Date: 2015-09-16 17:50:22.034146
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '3ff4fbc94644'
+down_revision = '4d5f6716df0'
+
+from alembic import op
+import sqlalchemy as sa
+
+from util.migrate.migrategithubdeploykeys import backfill_github_deploykeys
+
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    backfill_github_deploykeys()
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    pass
+    ### end Alembic commands ###
diff --git a/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py b/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
new file mode 100644
index 000000000..94a036548
--- /dev/null
+++ b/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
@@ -0,0 +1,26 @@
+"""Add legacy column for GitHub backfill tracking
+
+Revision ID: 4d5f6716df0
+Revises: 545794454f49
+Create Date: 2015-09-16 17:49:40.334540
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '4d5f6716df0'
+down_revision = '545794454f49'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('repositorybuildtrigger', sa.Column('used_legacy_github', sa.Boolean(), nullable=True))
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('repositorybuildtrigger', 'used_legacy_github')
+    ### end Alembic commands ###
diff --git a/util/migrate/migratebitbucketservices.py b/util/migrate/migratebitbucketservices.py
index 880f5308e..c342654e7 100644
--- a/util/migrate/migratebitbucketservices.py
+++ b/util/migrate/migratebitbucketservices.py
@@ -2,7 +2,8 @@ import logging
 import json
 
 from app import app
-from data.database import configure, RepositoryBuildTrigger, BuildTriggerService
+from data.database import configure, BaseModel, uuid_generator
+from peewee import *
 from bitbucket import BitBucket
 from endpoints.trigger import BitbucketBuildTrigger
 
@@ -10,6 +11,31 @@ configure(app.config)
 
 logger = logging.getLogger(__name__)
 
+# Note: We vendor the RepositoryBuildTrigger and its dependencies here
+class Repository(BaseModel):
+  pass
+
+class BuildTriggerService(BaseModel):
+  name = CharField(index=True, unique=True)
+
+class AccessToken(BaseModel):
+  pass
+
+class User(BaseModel):
+  pass
+
+class RepositoryBuildTrigger(BaseModel):
+  uuid = CharField(default=uuid_generator)
+  service = ForeignKeyField(BuildTriggerService, index=True)
+  repository = ForeignKeyField(Repository, index=True)
+  connected_user = ForeignKeyField(User)
+  auth_token = CharField(null=True)
+  private_key = TextField(null=True)
+  config = TextField(default='{}')
+  write_token = ForeignKeyField(AccessToken, null=True)
+  pull_robot = ForeignKeyField(User, related_name='triggerpullrobot')
+
+
 def run_bitbucket_migration():
   bitbucket_trigger = BuildTriggerService.get(BuildTriggerService.name == "bitbucket")
 
diff --git a/util/migrate/migrategithubdeploykeys.py b/util/migrate/migrategithubdeploykeys.py
new file mode 100644
index 000000000..2d717f74e
--- /dev/null
+++ b/util/migrate/migrategithubdeploykeys.py
@@ -0,0 +1,87 @@
+import logging
+import logging.config
+import json
+
+from data.database import RepositoryBuildTrigger, BuildTriggerService, db, db_for_update
+from app import app
+from endpoints.trigger import BuildTriggerHandler
+from util.security.ssh import generate_ssh_keypair
+from github import GithubException
+
+logger = logging.getLogger(__name__)
+
+def backfill_github_deploykeys():
+  """ Generates and saves private deploy keys for any GitHub build triggers still relying on
+      the old buildpack behavior. """
+  logger.setLevel(logging.DEBUG)
+  logger.debug('GitHub deploy key backfill: Began execution')
+
+  encountered = set()
+  github_service = BuildTriggerService.get(name='github')
+
+  while True:
+    build_trigger_ids = list(RepositoryBuildTrigger
+                              .select(RepositoryBuildTrigger.id)
+                              .where(RepositoryBuildTrigger.private_key >> None)
+                              .where(RepositoryBuildTrigger.service == github_service)
+                              .limit(10))
+
+    filtered_ids = [trigger.id for trigger in build_trigger_ids if trigger.id not in encountered]
+    if len(filtered_ids) == 0:
+      # We're done!
+      logger.debug('GitHub deploy key backfill: Backfill completed')
+      return
+
+    logger.debug('GitHub deploy key backfill: Found %s records to update', len(filtered_ids))
+    for trigger_id in filtered_ids:
+      encountered.add(trigger_id)
+      logger.debug('Updating build trigger: %s', trigger_id)
+
+      with app.config['DB_TRANSACTION_FACTORY'](db):
+        try:
+          query = RepositoryBuildTrigger.select(RepositoryBuildTrigger.id == trigger_id)
+          trigger = db_for_update(query).get()
+        except RepositoryBuildTrigger.DoesNotExist:
+          logger.debug('Could not find build trigger %s', trigger_id)
+          continue
+
+        handler = BuildTriggerHandler.get_handler(trigger)
+
+        config = handler.config
+        build_source = config['build_source']
+        gh_client = handler._get_client()
+
+        # Find the GitHub repository.
+        try:
+          gh_repo = gh_client.get_repo(build_source)
+        except GithubException:
+          logger.exception('Cannot find repository %s for trigger %s', build_source, trigger.id)
+          continue
+
+        # Add a deploy key to the GitHub repository.
+        public_key, private_key = generate_ssh_keypair()
+        config['credentials'] = [
+          {
+            'name': 'SSH Public Key',
+            'value': public_key,
+          },
+        ]
+
+        logger.debug('Adding deploy key to build trigger %s', trigger.id)
+        try:
+          deploy_key = gh_repo.create_key('%s Builder' % app.config['REGISTRY_TITLE'], public_key)
+          config['deploy_key_id'] = deploy_key.id
+        except GithubException:
+          logger.exception('Cannot add deploy key to repository %s for trigger %s', build_source, trigger.id)
+          continue
+
+        logger.debug('Saving deploy key for trigger %s', trigger.id)
+        trigger.used_legacy_github = True
+        trigger.private_key = private_key
+        trigger.config = json.dumps(config)
+        trigger.save()
+
+
+if __name__ == "__main__":
+  logging.config.fileConfig('conf/logging_debug.conf', disable_existing_loggers=False)
+  backfill_github_deploykeys()

From 3f4361bb17a3f1476e0251b39df9510fd56091ea Mon Sep 17 00:00:00 2001
From: Silas Sewell <silas@sewell.org>
Date: Wed, 16 Sep 2015 18:25:01 -0400
Subject: [PATCH 33/34] Make GIT_HEAD work on quay

---
 .dockerignore | 1 -
 Dockerfile    | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 15479142e..86ed5ed2a 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,7 +5,6 @@ test/data/registry
 venv
 .git
 !.git/HEAD
-!.git/refs
 .gitignore
 Bobfile
 README.md
diff --git a/Dockerfile b/Dockerfile
index 135a262cd..6b7cbf557 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,10 +54,8 @@ RUN mkdir static/fonts static/ldn
 RUN venv/bin/python -m external_libraries
 RUN mkdir /usr/local/nginx/logs/
 
-# We exclude everything except .git/{HEAD,refs} in .dockerignore so we don't
-# leak data into the image layer.
-RUN cat ".git/$( cat .git/HEAD | cut -d' ' -f 2 )" > GIT_HEAD
-RUN rm -fr .git
+# TODO(ssewell): only works on a detached head, make work with ref
+RUN cat .git/HEAD > GIT_HEAD
 
 # Run the tests
 RUN TEST=true venv/bin/python -m unittest discover -f

From b807accfb5a1a09b992a4dda953ef4139562130a Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Wed, 16 Sep 2015 18:34:42 -0400
Subject: [PATCH 34/34] Fix migration head

---
 .../4d5f6716df0_add_legacy_column_for_github_backfill_.py     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py b/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
index 94a036548..17f4360b5 100644
--- a/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
+++ b/data/migrations/versions/4d5f6716df0_add_legacy_column_for_github_backfill_.py
@@ -1,14 +1,14 @@
 """Add legacy column for GitHub backfill tracking
 
 Revision ID: 4d5f6716df0
-Revises: 545794454f49
+Revises: 1c0f6ede8992
 Create Date: 2015-09-16 17:49:40.334540
 
 """
 
 # revision identifiers, used by Alembic.
 revision = '4d5f6716df0'
-down_revision = '545794454f49'
+down_revision = '1c0f6ede8992'
 
 from alembic import op
 import sqlalchemy as sa