Re-enable builds and tag operations in the UI

static/directives/header-bar.html

@@ -89,14 +89,14 @@
                       <i class="fa ci-robot"></i> New Robot Account
                     </a>
                   </li>
-                  <li role="presentation" class="divider" ng-if="currentPageContext.repository && currentPageContext.repository.can_write && !currentPageContext.repository.trust_enabled"></li>
+                  <li role="presentation" class="divider" ng-if="currentPageContext.repository && currentPageContext.repository.can_write && !currentPageContext.repository.tag_operations_disabled"></li>
                   <li role="presentation" class="dropdown-header"
                       ng-if="currentPageContext.repository && currentPageContext.repository.can_write &&
-                             !currentPageContext.repository.trust_enabled">
+                             !currentPageContext.repository.tag_operations_disabled">
                     Repository {{ currentPageContext.repository.namespace }}/{{ currentPageContext.repository.name }}
                   </li>
                   <li ng-if="currentPageContext.repository && currentPageContext.repository.can_write &&
-                             !currentPageContext.repository.trust_enabled">
+                             !currentPageContext.repository.tag_operations_disabled">
                     <a ng-click="startBuild()">
                       <i class="fa fa-tasks"></i> New Dockerfile Build
                     </a>

static/directives/repo-view/repo-panel-builds.html

@@ -1,13 +1,13 @@
 <div class="repo-panel-builds-element">
   <div class="feedback-bar" feedback="feedback"></div>
   <div class="tab-header-controls">
-    <button class="btn btn-primary" ng-click="showNewBuildDialog()" ng-if="!repository.trust_enabled">
+    <button class="btn btn-primary" ng-click="showNewBuildDialog()" ng-if="!repository.tag_operations_disabled">
       <i class="fa fa-play"></i> Start New Build
     </button>
   </div>
   <h3 class="tab-header">Repository Builds</h3>
 
-  <div class="co-alert co-alert-info" ng-if="repository.trust_enabled">
+  <div class="co-alert co-alert-info" ng-if="repository.tag_operations_disabled">
      Builds cannot be performed on this repository because Quay Trust is
      enabled, which requires that all operations be signed by a user.
   </div>
@@ -83,7 +83,7 @@
   </div> <!-- /Builds -->
 
   <!-- Build Triggers -->
-  <div class="co-panel" ng-if="repository.can_admin && TriggerService.getTypes().length && !repository.trust_enabled" id="repoBuildTriggers">
+  <div class="co-panel" ng-if="repository.can_admin && TriggerService.getTypes().length && !repository.tag_operations_disabled" id="repoBuildTriggers">
     <!-- Builds header controls -->
     <div class="co-panel-heading">
       <i class="fa fa-flash"></i>

static/directives/repo-view/repo-panel-info.html

@@ -32,7 +32,7 @@
       <!-- No Builds -->
       <div class="empty" ng-if="builds && !builds.length">
         <div class="empty-primary-msg">No builds have been run for this repository.</div>
-        <div class="empty-secondary-msg" ng-if="repository.can_write && !repository.trust_enabled">
+        <div class="empty-secondary-msg" ng-if="repository.can_write && !repository.tag_operations_disabled">
           Click on the <i class="fa fa-tasks" style="margin-left: 6px"></i> Builds tab to start a new build.
         </div>
       </div>

static/directives/repo-view/repo-panel-tags.html

@@ -53,7 +53,7 @@
         </li>
         <li ng-if="repository.can_write">
           <a ng-click="askDeleteMultipleTags(checkedTags.checked)"
-             ng-class="repository.trust_enabled ? 'disabled-option' : ''">
+             ng-class="repository.tag_operations_disabled ? 'disabled-option' : ''">
             <i class="fa fa-times"></i><span class="text">Delete Tags</span>
           </a>
         </li>
@@ -243,7 +243,7 @@
         <span bo-if="repository.can_write">
           <span class="cor-options-menu">
             <span class="cor-option" option-click="askAddTag(tag)"
-                  ng-class="repository.trust_enabled ? 'disabled-option' : ''">
+                  ng-class="repository.tag_operations_disabled ? 'disabled-option' : ''">
               <i class="fa fa-plus"></i> Add New Tag
             </span>
             <span class="cor-option" option-click="showLabelEditor(tag)"
@@ -251,7 +251,7 @@
               <i class="fa fa-tags"></i> Edit Labels
             </span>
             <span class="cor-option" option-click="askDeleteTag(tag.name)"
-                  ng-class="repository.trust_enabled ? 'disabled-option' : ''">
+                  ng-class="repository.tag_operations_disabled ? 'disabled-option' : ''">
               <i class="fa fa-times"></i> Delete Tag
             </span>
           </span>

static/directives/tag-operations-dialog.html

@@ -144,16 +144,17 @@
           manifest-digest="restoreTagInfo.manifest_digest"></span>?
   </div>
 
-  <!-- Trust Enabled Dialog -->
-  <div class="modal fade" id="trustEnabledModal">
+  <!-- Tag Operations Disabled Dialog -->
+  <div class="modal fade" id="tagOperationsDisabledModal">
     <div class="modal-dialog">
       <div class="modal-content">
         <div class="modal-header">
-          Cannot execute with trust enabled
+          Tag operations have been disabled.
         </div>
         <div class="modal-body">
-          The selected operation cannot be performed on this repository because Quay Trust is
-          enabled, which requires that all operations be signed by a user.
+          The selected operation cannot be performed on this repository because tag operations have been disabled
+          by an administrator. <span ng-if="repository.trust_enabled">Trust is enabled for this repo, so any tag changes
+          should be performed by users with signing keys.</span>
         </div>
       </div><!-- /.modal-content -->
     </div><!-- /.modal-dialog -->

static/js/directives/ui/repository-signing-config/repository-signing-config.component.html

@@ -18,7 +18,11 @@
             Signing is enabled on this repository and all tag operations must be signed via Docker Content Trust.
           </p>
           <p>
-            Note that due to this feature being enabled, all UI-based tag operations and all build support is <strong>disabled on this repository</strong>.
+            When this feature is enabled, it will be possible to use the UI or client tools to change tag data without 
+              signing.
+              This can make a signed tag point to a different image than the actual tag, and the underlying data could
+              be garbage collected. It is important to have a strict separation between tags that are signed and tags
+              that are not.
           </p>
           <button class="btn btn-danger" ng-click="$ctrl.askChangeTrust(false)">Disable Trust</button>
         </div>
@@ -43,12 +47,14 @@
      dialog-title="Enable Trust"
      dialog-action-title="Enable Trust">
      <p>Click "Enable Trust" to enable content trust on this repository.</p>
-     <p>Please note that at this time, having content trust will <strong>disable</strong> the following
-        features under the repository:
+      <p>Please note that this will not prevent users from overwriting signed tags without updating signatures.
+      This means that:
         <ul>
-          <li>Any tag operations in the UI (Add Tag, Delete Tag, Restore Tag)
-          <li>All build triggers and ability to invoke builds
+          <li>Any tag operations in the UI or client can cause inconsistency
+          <li>Builds should not push to signed tags
         </ul>
+      We recommend you maintain a strict separation between signed and unsigned tags to avoid any issues with garbage
+      collection.
      </p>
   </div>
 

static/js/directives/ui/tag-operations-dialog.js

@@ -35,9 +35,9 @@ angular.module('quay').directive('tagOperationsDialog', function () {
         });
       };
 
-      $scope.alertOnTrust = function() {
-        if ($scope.repository.trust_enabled) {
-          $('#trustEnabledModal').modal('show');
+      $scope.alertOnTagOpsDisabled = function() {
+        if ($scope.repository.tag_operations_disabled) {
+          $('#tagOperationsDisabledModal').modal('show');
           return true;
         }
 
@@ -62,7 +62,7 @@ angular.module('quay').directive('tagOperationsDialog', function () {
 
       $scope.createOrMoveTag = function(image, tag) {
         if (!$scope.repository.can_write) { return; }
-        if ($scope.alertOnTrust()) {
+        if ($scope.alertOnTagOpsDisabled()) {
           return;
         }
 
@@ -242,7 +242,7 @@ angular.module('quay').directive('tagOperationsDialog', function () {
 
       $scope.actionHandler = {
         'askDeleteTag': function(tag) {
-          if ($scope.alertOnTrust()) {
+          if ($scope.alertOnTagOpsDisabled()) {
             return;
           }
 
@@ -252,7 +252,7 @@ angular.module('quay').directive('tagOperationsDialog', function () {
         },
 
         'askDeleteMultipleTags': function(tags) {
-          if ($scope.alertOnTrust()) {
+          if ($scope.alertOnTagOpsDisabled()) {
             return;
           }
 
@@ -262,7 +262,7 @@ angular.module('quay').directive('tagOperationsDialog', function () {
         },
 
         'askAddTag': function(image) {
-          if ($scope.alertOnTrust()) {
+          if ($scope.alertOnTagOpsDisabled()) {
             return;
           }
 
@@ -297,7 +297,7 @@ angular.module('quay').directive('tagOperationsDialog', function () {
         },
 
         'askRestoreTag': function(tag, image_id, opt_manifest_digest) {
-          if ($scope.alertOnTrust()) {
+          if ($scope.alertOnTagOpsDisabled()) {
             return;
           }
 

static/js/types/common.types.ts

@@ -81,6 +81,7 @@ export type Repository = {
   kind?: string;
   namespace?: string;
   trust_enabled?: boolean;
+  tag_operations_disabled?: boolean;
 };