Commit graph

200 commits

Author SHA1 Message Date
Joseph Schorr
2caaf84f31 Add caching support to catalog
We will now cache the results of the catalog for 60s and not hit the database at all if cached
2018-06-20 14:58:01 -04:00
Joseph Schorr
3161b60522 Switch V2 pagination back to using IDs, which should be much faster and easier on the DB
Also adds a test for the tags endpoint
2018-06-18 16:11:26 -04:00
Joseph Schorr
0fa1a1d5fd Implement support for blob mounting via the mount parameter on blob uploads
Fixes https://jira.coreos.com/browse/QUAY-893
2018-06-06 11:31:28 -04:00
Joseph Schorr
ef167ab7e3 Rate limit the catalog endpoint by auth token and IP address 2018-06-05 18:24:31 -04:00
Joseph Schorr
2e0edf8f6e Have catalog endpoint return empty if the namespace is disabled 2018-06-05 17:31:00 -04:00
Joseph Schorr
f86c087b3b Prevent registry operations against disabled namespaces
Allows admins to completely wall off a namespace by disabling it

Fixes https://jira.coreos.com/browse/QUAY-869
2018-05-22 18:36:04 -04:00
Joseph Schorr
a59c951aa3 Add support for multiple scope parameters on V2 auth requests
Fixes https://jira.coreos.com/browse/QUAY-892
2018-04-18 20:16:49 +03:00
Joseph Schorr
86aa93aab5 Add a new test suite for the v2auth generate_registry_jwt endpoint 2018-04-18 20:16:49 +03:00
Joseph Schorr
3586955669 Remove license code in Quay
No longer needed under Red Hat rules \o/

Fixes https://jira.coreos.com/browse/QUAY-883
2018-03-20 17:03:35 -04:00
Joseph Schorr
24b77bbc10 Fix serialization of blobs to/from the cache
Also makes sure the test checks that serialization
2018-03-02 14:22:55 -05:00
Joseph Schorr
e220b50543 Refactor auth code to be cleaner and more extensible
We move all the auth handling, serialization and deserialization into a new AuthContext interface, and then standardize a registration model for handling of specific auth context types (user, robot, token, etc).
2018-02-14 15:35:27 -05:00
Joseph Schorr
eae9175950 Allow size of pages in V2 api to be configurable 2018-02-02 13:54:41 -05:00
Joseph Schorr
9e16a989f5 Audit the number of SQL queries we make in writing manifests, and significantly reduce in the common case
Instead of 41 queries now for the simple manifest, we are down to 14.

The biggest changes:
  - Only synthesize the V1 image rows if we haven't already found them in the database
  - Thread the repository object through to the other model method calls, and use it instead of loading again and again
2018-01-25 11:10:43 -05:00
Joseph Schorr
524d77f527 Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2018-01-04 15:27:41 -05:00
Joseph Schorr
c1cff32c1e Fix log levels in registry 2018-01-04 13:07:11 -05:00
Joseph Schorr
11e3724919 Return an http 415 (manifest version not supported) for OCI manifest content types
This was breaking skopeo, as it first tries to send the *OCI* manifest type, which we didn't say we didn't support, thus breaking the tool
2017-12-20 11:02:34 -05:00
Joseph Schorr
9e16596854 Add a bunch of logging to the data model caching mechanism
Should help us debug any potential issues
2017-12-18 14:18:37 -05:00
Joseph Schorr
b2485934ed Enable caching of blobs in V2 registry protocol, to avoid DB connections after the cache has been loaded
This should help for bursty pull traffic, as it will avoid DB connections on a huge % of requests
2017-12-14 13:38:24 -05:00
Joseph Schorr
db6007cb37 Change v2 registry auth code to not hit the database when we know we have permissions loaded
Avoids a DB call and, when used in conjunction with blob caching, will avoid a DB *connection*
2017-12-14 13:37:31 -05:00
Joseph Schorr
51e67ab7f5 Fix get_blob_path to not make any database calls and add a test
This will be supported by caching, hopefully removing the need to hit the database when the blob object is cached
2017-12-13 16:27:46 -05:00
Joseph Schorr
56fbbcf7cf Add request IP to get_direct_download_url method 2017-09-25 17:14:28 -04:00
Joseph Schorr
48c79003c6 yap 2017-07-25 17:18:06 -04:00
Joseph Schorr
e7dbc4ee91 Move notification helper code into the root module 2017-07-25 17:00:07 -04:00
Joseph Schorr
ce56031846 Move notifications into its own package 2017-07-25 17:00:06 -04:00
Joseph Schorr
98e2ccf74d Move parse_repository_name into decorators 2017-07-20 16:01:38 -04:00
Joseph Schorr
17f3de811e Move route_show_if into decorators
Also removes unused route_hide_if
2017-07-20 11:07:31 -04:00
Joseph Schorr
9679ec91ec Fix for hard merge 2017-07-19 17:13:49 -04:00
Joseph Schorr
7d4fed6892 Change error message when trying to pull a deleted or expired tag
Will let the users know they can recover the tag via time machine

Note: This was tested with the Docker protocol, but the new error code is *technically* out of spec; we should make sure its okay.
2017-07-19 17:13:48 -04:00
Joseph Schorr
c5d8b5f86b Add support for tag expiration based on a quay.expires-after label 2017-07-19 17:13:06 -04:00
Jimmy Zelinskie
7d1bbbfe19 test: convert registry auth test to pytest
This also moves them into the auth package.
2017-07-12 15:14:12 -04:00
Jimmy Zelinskie
b1434b0380 endpoints.v2: yapf format 2017-06-26 18:22:17 -04:00
Jimmy Zelinskie
0e26a03f7e endpoints.v2: new fs layout for data interface
Fixes QUAY-658
2017-06-26 18:21:35 -04:00
Joseph Schorr
555041876d Make public catalog only enabled via a feature flag 2017-06-02 15:30:51 -07:00
Joseph Schorr
f44df49236 Add support for last param in pagination to match catalog spec 2017-06-02 12:03:50 -07:00
Joseph Schorr
065e327190 Make sure catalog always returns public repositories 2017-05-19 16:24:08 -04:00
Jimmy Zelinskie
4db789b656 add audit logging to app registry endpoints 2017-05-16 15:54:02 -04:00
Evan Cordell
2661db7485 Add flag to enable trust per repo (#2541)
* Add flag to enable trust per repo

* Add api for enabling/disabling trust

* Add new LogEntryKind for changing repo trust settings
Also add tests for repo trust api

* Add `set_trust` method to repository

* Expose new logkind to UI

* Fix registry tests

* Rebase migrations and regen test.db

* Raise downstreamissue if trust metadata can't be removed

* Refactor change_repo_trust

* Add show_if to change_repo_trust endpoint
2017-04-15 08:26:33 -04:00
Evan Cordell
9515f18fb6 Add tufmetadata endpoint 2017-04-05 10:03:27 -04:00
Joseph Schorr
cae9d69376 Better error messages for Docker errors 2017-03-31 17:15:14 -04:00
Evan Cordell
abd78bce56 Use constants for TUF roots 2017-03-27 11:37:17 -04:00
Evan Cordell
6ad107709c Change build_context_and_subject to take kwargs 2017-03-27 11:37:17 -04:00
Evan Cordell
21d969d309 Refactor tests, no g required 2017-03-27 11:37:17 -04:00
Evan Cordell
43dd974dca Determine which TUF root to show based on actual access, not requested
access
2017-03-27 11:37:17 -04:00
Joseph Schorr
95e1cf6673 Make V2 login errors more descriptive
If login fails, we now call validate again to get the reason for the failure, and then surface it to the user of the CLI. This allows for more actionable responses, such as:

$ docker login 10.0.2.2:5000
Username (devtable): devtable
Password:

Error response from daemon: Get http://10.0.2.2:5000/v2/: unauthorized: Client login with unencrypted passwords is disabled. Please generate an encrypted password in the user admin panel for use here.
2017-03-23 15:42:45 -04:00
Joseph Schorr
1bd4422da9 Move auth decorators into a decorators module
The non-decorators will be broken out in the followup change
2017-03-23 15:42:45 -04:00
Jimmy Zelinskie
3ccf3c5f33 Merge pull request #2447 from jzelinskie/cnr-step2
CNR Step 2
2017-03-22 18:45:51 -04:00
Jimmy Zelinskie
48ba59d615 endpoints.v2: only work on docker repositories 2017-03-22 17:26:59 -04:00
Joseph Schorr
ff7f78e990 Have blob uploads be checked against configurable max layer size 2017-03-21 13:16:55 -04:00
Joseph Schorr
239b6d7cf8 Make LayerTooLarge error more informative 2017-03-21 13:14:11 -04:00
Joseph Schorr
dd7f254f96 Have blob uploads be checked against configurable max layer size 2017-03-21 13:14:11 -04:00