diff --git a/config.py b/config.py index 87d2f99c7..89e1c46ee 100644 --- a/config.py +++ b/config.py @@ -432,6 +432,9 @@ class DefaultConfig(object): # Server where TUF metadata can be found TUF_SERVER = None + + # Prefix to add to metadata e.g. // + TUF_GUN_PREFIX = None # Maximum size allowed for layers in the registry. MAXIMUM_LAYER_SIZE = '20G' diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index 8605512bf..88b929480 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -9,7 +9,7 @@ from datetime import timedelta, datetime from flask import request, abort -from app import dockerfile_build_queue +from app import dockerfile_build_queue, tuf_metadata_api from data import model, oci_model from endpoints.api import (truthy_bool, format_date, nickname, log_action, validate_json_request, require_repo_read, require_repo_write, require_repo_admin, @@ -419,6 +419,9 @@ class Repository(RepositoryParamResource): # Remove any builds from the queue. dockerfile_build_queue.delete_namespaced_items(namespace, repository) + + if features.SIGNING: + tuf_metadata_api.delete_metadata(namespace, repository) log_action('delete_repo', namespace, {'repo': repository, 'namespace': namespace}) diff --git a/util/tufmetadata/api.py b/util/tufmetadata/api.py index 2ece0c307..64c988521 100644 --- a/util/tufmetadata/api.py +++ b/util/tufmetadata/api.py @@ -35,14 +35,25 @@ class TUFMetadataAPI(object): self._instance_keys = InstanceKeys(app) self._config = config self._client = client or config['HTTPCLIENT'] + self._gun_prefix = config['TUF_GUN_PREFIX'] or config['SERVER_HOSTNAME'] def get_default_tags_with_expiration(self, namespace, repository, targets_file=None): - """ Gets the tag -> sha mappings in the 'targets/releases' delegation - Returns tags, their hashes, and their """ + Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures. + Does not verify the metadata, this is purely for display purposes. + + Args: + namespace: namespace containing the repository + repository: the repo to get tags for + targets_file: the specific delegation to read from. Default: targets/releases.json + + Returns: + targets, expiration or None, None + """ + if not targets_file: targets_file = 'targets/releases.json' - gun = "%s/%s" % (namespace, repository) + gun = self._gun(namespace, repository) try: response = self._get(gun, targets_file) @@ -67,6 +78,37 @@ class TUFMetadataAPI(object): return targets, expiration + def delete_metadata(self, namespace, repository): + """ + Deletes the TUF metadata for a repo + + Args: + namespace: namespace containing the repository + repository: the repo to get tags for + + Returns: + True if successful, False otherwise + """ + gun = self._gun(namespace, repository) + try: + self._delete(gun) + except requests.exceptions.Timeout: + logger.exception('Timeout when trying to delete metadata for %s', gun) + return False + except requests.exceptions.ConnectionError: + logger.exception('Connection error when trying to delete metadata for %s', gun) + return False + except (requests.exceptions.RequestException, ValueError): + logger.exception('Failed to delete metadata for %s', gun) + return False + except Non200ResponseException as ex: + logger.exception('Failed request for %s: %s', gun, str(ex)) + return False + return True + + def _gun(self, namespace, repository): + return "%s/%s/%s" % (self._gun_prefix, namespace, repository) + def _parse_signed(self, json_response): """ Attempts to parse the targets from a metadata response """ signed = json_response.get('signed') @@ -74,21 +116,24 @@ class TUFMetadataAPI(object): raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response) return signed - def _auth_header(self, gun): + def _auth_header(self, gun, actions): """ Generate a registry auth token for apostille""" access = [{ 'type': 'repository', - 'name': '%s/%s' % (self._config['SERVER_HOSTNAME'], gun), - 'actions': ['pull'], + 'name': gun, + 'actions': actions, }] context, subject = build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=QUAY_TUF_ROOT) - token = generate_bearer_token("quay", subject, context, access, + token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access, TOKEN_VALIDITY_LIFETIME_S, self._instance_keys) return {'Authorization': 'Bearer %s' % token} def _get(self, gun, metadata_file): - return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun)) - + return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun, ['pull'])) + + def _delete(self, gun): + return self._call('DELETE', '/v2/%s/_trust/tuf/' % (gun), headers=self._auth_header(gun, ['*'])) + def _request(self, method, endpoint, path, body, headers, params, timeout): """ Issues an HTTP request to the signing endpoint. """ url = urljoin(endpoint, path)