Joseph Schorr
6b42e3e4ca
Allow anonymous access to the discovery endpoint
...
Fixes https://jira.coreos.com/browse/QS-101
2017-12-22 16:13:23 -05:00
josephschorr
ef42124085
Merge pull request #2951 from coreos-inc/joseph.schorr/QS-100/revert-tag
...
Change tag history revert operation to apply to the *current* entry, rather than the "next"
2017-12-20 16:25:35 -05:00
Joseph Schorr
d95a9e3c59
Change tag history revert operation to apply to the *current* entry, rather than the "next"
...
Before this change, the restore operation next to a history entry would bring the tag back to the state *at that entry*, rather than *before that entry*, which is neither the expected behavior, nor allowed for an immediate restore when moving a tag. This fixes the problem.
Fixes https://jira.coreos.com/browse/QS-100
2017-12-20 16:23:17 -05:00
josephschorr
b4df9fb805
Merge pull request #2950 from coreos-inc/joseph.schorr/QS-99/fix-oci
...
Prevent 500s when receiving bad manifests or OCI manifests
2017-12-20 13:11:15 -05:00
Joseph Schorr
3ce9d68a3e
Fix broken registry test
...
Flask now returns a 404 error, rather than redirecting like it used to do
2017-12-20 11:43:55 -05:00
Joseph Schorr
f9bd7ef42b
Add validation of Docker V2_1 schemas and add a test for PUTing an invalid schema
2017-12-20 11:43:03 -05:00
Joseph Schorr
11e3724919
Return an HTTP 415 (manifest version not supported) for OCI manifest content types
...
This was breaking skopeo, as it first tries to send the *OCI* manifest type, which we didn't say we didn't support, thus breaking the tool
2017-12-20 11:02:34 -05:00
josephschorr
db3e0307b7
Merge pull request #2948 from coreos-inc/joseph.schorr/QS-97/license-validator
...
Add license validation to the config validation check
2017-12-19 13:59:26 -05:00
Joseph Schorr
72bfebdb60
Add license validation to the config validation check
...
Should prevent a customer from accidentally saving a config that violates their license
Fixes https://jira.coreos.com/browse/QS-97
2017-12-19 13:44:08 -05:00
josephschorr
024c183f67
Merge pull request #2944 from coreos-inc/joseph.schorr/QS-91/v2-caching
...
V2 registry blob caching
2017-12-18 14:42:02 -05:00
Joseph Schorr
9e16596854
Add a bunch of logging to the data model caching mechanism
...
Should help us debug any potential issues
2017-12-18 14:18:37 -05:00
josephschorr
a829260091
Merge pull request #2945 from coreos-inc/joseph.schorr/QS-53/new-pricing
...
New Quay.io pricing
2017-12-18 13:21:49 -05:00
Joseph Schorr
097cbbeaae
Add new Quay pricing plans
2017-12-18 13:12:16 -05:00
josephschorr
a251373f11
Merge pull request #2946 from coreos-inc/fix-custom-cert-install
...
Fix the custom cert install process to install to the new certifi location, in addition to the old location
2017-12-18 11:45:37 -05:00
Joseph Schorr
0a176d0abe
Fix plans manager display to be less confusing when we show deprecated plans
2017-12-18 11:45:15 -05:00
Joseph Schorr
6de96ee8a5
Fix the custom cert install process to install to the new certifi location, in addition to the old location
...
Also updates our requirements around requests
2017-12-15 17:26:44 -05:00
Joseph Schorr
60bc655695
Fix flakiness in a test when comparing date times
2017-12-14 14:00:20 -05:00
Joseph Schorr
b2485934ed
Enable caching of blobs in V2 registry protocol, to avoid DB connections after the cache has been loaded
...
This should help for bursty pull traffic, as it will avoid DB connections on a huge % of requests
2017-12-14 13:38:24 -05:00
Joseph Schorr
db6007cb37
Change v2 registry auth code to not hit the database when we know we have permissions loaded
...
Avoids a DB call and, when used in conjunction with blob caching, will avoid a DB *connection*
2017-12-14 13:37:31 -05:00
Joseph Schorr
3c72e9878d
Add the concept of a data model cache, for caching of Namedtuple objects from the data model
...
Will be used to cache blobs, thus removing the need to hit the database in most blob requests
2017-12-14 13:36:51 -05:00
Joseph Schorr
51e67ab7f5
Fix get_blob_path to not make any database calls and add a test
...
This will be supported by caching, hopefully removing the need to hit the database when the blob object is cached
2017-12-13 16:27:46 -05:00
Jimmy Zelinskie
e06a83faf9
Merge pull request #2941 from jzelinskie/reduce-rate-limit-simple
...
nginx: rate limit 1r/s
2017-12-13 13:16:16 -05:00
Jimmy Zelinskie
e36bf25a5e
nginx: rate limit 1r/s
...
This reduces our rate limiting down to 1 request per second.
2017-12-13 13:15:32 -05:00
josephschorr
7e27e7f7eb
Merge pull request #2943 from coreos-inc/rev-base
...
Revise our base image again
2017-12-13 12:03:52 -05:00
Joseph Schorr
56ff068637
Revise our base image again
2017-12-13 12:01:22 -05:00
josephschorr
44c77b4cbb
Merge pull request #2931 from coreos-inc/joseph.schorr/QS-76/oidc-scopes
...
Allow admins to configure the login scopes for OIDC login
2017-12-08 13:33:06 -05:00
josephschorr
c733c87312
Merge pull request #2940 from coreos-inc/verbs-logs
...
Add additional logs and an additional test for verbs
2017-12-07 15:42:31 -05:00
Joseph Schorr
a706d99849
Add additional logs and an additional test for verbs
2017-12-07 15:22:20 -05:00
josephschorr
b2db266747
Merge pull request #2935 from coreos-inc/joseph.schorr/QS-80/password-reset-expire
...
Add maximum lifetime of 30m on password recovery tokens
2017-12-07 14:21:32 -05:00
josephschorr
a21dad3e07
Merge pull request #2937 from coreos-inc/joseph.schorr/QS-83/hide-aws-metadata
...
Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1
2017-12-07 14:11:20 -05:00
Joseph Schorr
2ffdfa1434
Add systemd unit to disable the AWS metadata service by routing all requests to 1.1.1.1
...
While this isn't strictly a security issue, it *appears* to be and we got audited as such, so just turn it off
Fixes https://jira.coreos.com/browse/QS-83
2017-12-07 13:29:14 -05:00
josephschorr
6db2ecc19f
Merge pull request #2928 from coreos-inc/joseph.schorr/QS-74/fix-restart
...
Have Quay look up the sbin/my_init PID to kill
2017-12-07 13:25:16 -05:00
josephschorr
1861d7dee9
Merge pull request #2938 from coreos-inc/joseph.schorr/QS-85/signout-all
...
Invalidate all session tokens when a user signs out
2017-12-07 13:25:00 -05:00
Joseph Schorr
1d1c6f0606
Invalidate all session tokens when a user signs out
...
Fixes https://jira.coreos.com/browse/QS-85
2017-12-07 13:03:11 -05:00
josephschorr
6c12cb8328
Merge pull request #2936 from coreos-inc/joseph.schorr/QS-84/content-disposition
...
Ensure user files are always sent with the Content-Disposition header
2017-12-07 11:42:10 -05:00
Joseph Schorr
d38a1fc851
Ensure user files are always sent with the Content-Disposition header
...
This prevents them from being executed in the browser directly
Fixes https://jira.coreos.com/browse/QS-84
2017-12-06 17:12:00 -05:00
Joseph Schorr
5dd95038cf
Add maximum lifetime of 30m on password recovery tokens
...
Fixes https://jira.coreos.com/browse/QS-80
2017-12-06 17:06:03 -05:00
Joseph Schorr
c55ad59f1f
Allow admins to configure the login scopes for OIDC login
...
Some OIDC implementations return a larger set of scopes than is necessary, so we allow admins to override.
2017-12-06 15:54:26 -05:00
josephschorr
d405f6f158
Merge pull request #2899 from coreos-inc/joseph.schorr/QS-36/appr-auth-improvement
...
Allow app registry to use robots and tokens to login
2017-12-06 15:04:22 -05:00
josephschorr
b9ad8bbb5d
Merge pull request #2934 from coreos-inc/joseph.schorr/QS-78/email-recovery
...
Security fixes for password recovery
2017-12-06 14:53:02 -05:00
Joseph Schorr
a204dc20fb
Require CAPTCHA for password recovery
...
https://jira.coreos.com/browse/QS-79
2017-12-06 14:25:34 -05:00
josephschorr
8d7381336a
Merge pull request #2910 from coreos-inc/joseph.schorr/QS-58/oidc-auth-bug
...
Don't add a "password required" notification for non-database auth via OIDC
2017-12-06 14:19:49 -05:00
Joseph Schorr
927d469db0
In password recovery, don't reveal whether an e-mail address is valid (unless it is an org's e-mail address)
2017-12-06 14:07:38 -05:00
josephschorr
10ddf98e0c
Merge pull request #2930 from coreos-inc/joseph.schorr/QS-68/squashed-image-postgres
...
Make sure to close the database connection before forking in verbs
2017-12-06 14:03:17 -05:00
Joseph Schorr
3bf8973fd9
Change app registry to use the credentials verification system
...
Allows for tokens, OAuth tokens and robot accounts to be used as well
Fixes https://jira.prod.coreos.systems/browse/QS-36
2017-12-06 13:52:25 -05:00
Joseph Schorr
aa49b37ad2
Change Docker V1 index to use verify_credentials
2017-12-06 13:52:25 -05:00
Joseph Schorr
0bcda90c6e
Add kind to credentials validate call
2017-12-06 13:52:24 -05:00
Joseph Schorr
6f3d9a6fce
Extract credential handling into its own module
...
Will be used in Docker V1 and APPR protocols
2017-12-06 13:52:24 -05:00
josephschorr
afbb2d2168
Merge pull request #2933 from coreos-inc/joseph.schorr/QS-82/xss-fix
...
Fix XSS in usage log viewer
2017-12-06 13:51:30 -05:00
josephschorr
a1595cd723
Merge pull request #2932 from coreos-inc/joseph.schorr/QS-81/xss-fix
...
Fix XSS in access token display page
2017-12-06 13:49:37 -05:00