Add support for deleting TUF metadata when repo is deleted

config.py

@@ -432,6 +432,9 @@ class DefaultConfig(object):
 
   # Server where TUF metadata can be found
   TUF_SERVER = None
+  
+  # Prefix to add to metadata e.g. <prefix>/<namespace>/<reponame>
+  TUF_GUN_PREFIX = None
 
   # Maximum size allowed for layers in the registry.
   MAXIMUM_LAYER_SIZE = '20G'

endpoints/api/repository.py

@@ -9,7 +9,7 @@ from datetime import timedelta, datetime
 
 from flask import request, abort
 
-from app import dockerfile_build_queue
+from app import dockerfile_build_queue, tuf_metadata_api
 from data import model, oci_model
 from endpoints.api import (truthy_bool, format_date, nickname, log_action, validate_json_request,
                            require_repo_read, require_repo_write, require_repo_admin,
@@ -419,6 +419,9 @@ class Repository(RepositoryParamResource):
 
     # Remove any builds from the queue.
     dockerfile_build_queue.delete_namespaced_items(namespace, repository)
+    
+    if features.SIGNING:
+      tuf_metadata_api.delete_metadata(namespace, repository)
 
     log_action('delete_repo', namespace,
                {'repo': repository, 'namespace': namespace})

util/tufmetadata/api.py

@@ -35,14 +35,25 @@ class TUFMetadataAPI(object):
     self._instance_keys = InstanceKeys(app)
     self._config = config
     self._client = client or config['HTTPCLIENT']
+    self._gun_prefix = config['TUF_GUN_PREFIX'] or config['SERVER_HOSTNAME']
 
   def get_default_tags_with_expiration(self, namespace, repository, targets_file=None):
-    """ Gets the tag -> sha mappings in the 'targets/releases' delegation
-        Returns tags, their hashes, and their 
     """
+    Gets the tag -> sha mappings for a repo, as well as the expiration of the signatures.
+    Does not verify the metadata, this is purely for display purposes.
+    
+    Args:
+      namespace: namespace containing the repository
+      repository: the repo to get tags for
+      targets_file: the specific delegation to read from. Default: targets/releases.json
+
+    Returns:
+      targets, expiration or None, None
+    """
+    
     if not targets_file:
       targets_file = 'targets/releases.json'
-    gun = "%s/%s" % (namespace, repository)
+    gun = self._gun(namespace, repository)
     
     try:
       response = self._get(gun, targets_file)
@@ -67,6 +78,37 @@ class TUFMetadataAPI(object):
     
     return targets, expiration
   
+  def delete_metadata(self, namespace, repository):
+    """
+    Deletes the TUF metadata for a repo
+    
+    Args:
+      namespace: namespace containing the repository
+      repository: the repo to get tags for
+
+    Returns:
+       True if successful, False otherwise
+    """
+    gun = self._gun(namespace, repository)
+    try:
+      self._delete(gun) 
+    except requests.exceptions.Timeout:
+      logger.exception('Timeout when trying to delete metadata for %s', gun)
+      return False
+    except requests.exceptions.ConnectionError:
+      logger.exception('Connection error when trying to delete metadata for %s', gun)
+      return False
+    except (requests.exceptions.RequestException, ValueError):
+      logger.exception('Failed to delete metadata for %s', gun)
+      return False
+    except Non200ResponseException as ex:
+      logger.exception('Failed request for %s: %s', gun, str(ex))
+      return False
+    return True
+  
+  def _gun(self, namespace, repository):
+    return "%s/%s/%s" % (self._gun_prefix, namespace, repository)
+  
   def _parse_signed(self, json_response):
     """ Attempts to parse the targets from a metadata response """
     signed = json_response.get('signed')
@@ -74,21 +116,24 @@ class TUFMetadataAPI(object):
       raise InvalidMetadataException("Could not find `signed` in metadata: %s" % json_response)
     return signed 
   
-  def _auth_header(self, gun):
+  def _auth_header(self, gun, actions):
     """ Generate a registry auth token for apostille"""
     access = [{
       'type': 'repository',
-      'name': '%s/%s' % (self._config['SERVER_HOSTNAME'], gun),
+      'name': gun,
-      'actions': ['pull'],
+      'actions': actions,
     }]
     context, subject = build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=QUAY_TUF_ROOT)
-    token = generate_bearer_token("quay", subject, context, access,
+    token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access,
                                   TOKEN_VALIDITY_LIFETIME_S, self._instance_keys)
     return {'Authorization': 'Bearer %s' % token}
     
   def _get(self, gun, metadata_file):
-    return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun))
+    return self._call('GET', '/v2/%s/_trust/tuf/%s' % (gun, metadata_file), headers=self._auth_header(gun, ['pull']))
-    
+
+  def _delete(self, gun):
+    return self._call('DELETE', '/v2/%s/_trust/tuf/' % (gun), headers=self._auth_header(gun, ['*']))
+  
   def _request(self, method, endpoint, path, body, headers, params, timeout):
     """ Issues an HTTP request to the signing endpoint. """
     url = urljoin(endpoint, path)