vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
9003 commits 2 branches 62 tags 205 MiB
Commit graph

899 commits

Author SHA1 Message Date
Evan Cordell
3e3ed11634 Add api for getting all signed tags, separated by delegation 2017-05-15 16:18:30 -04:00
Jake Moshenko
21cb9f1aa1 Handle null executor cancellations separately from other exceptions 2017-05-15 13:45:44 -04:00
josephschorr
19f67bfa1b Merge pull request #2607 from coreos-inc/faster-security-notify 
Batch the tag lookups in the security notification worker in an attempt to significant reduce load
 2017-05-03 13:49:13 -04:00
Joseph Schorr
977bbc20a2 Add filtering onto the images query in get_matching_tags_for_images 
Should make the query even faster in the security notification case
 2017-05-02 18:29:14 -04:00
Joseph Schorr
4e09fff181 Remove test that breaks MySQL full DB tests 2017-05-02 16:04:46 -04:00
Joseph Schorr
98fcae753b Change the security notification system to use get_matching_tags_for_images 
This should vastly reduce the number of database calls we make, as instead of making 2-3 calls per image, we'll make two calls per ~100 images
 2017-05-02 15:39:27 -04:00
Evan Cordell
738f53f61a Merge pull request #2597 from ecordell/sni 
TUF metadata api SNI support
 2017-05-02 13:01:16 -04:00
Evan Cordell
b2569ffbb2 Support SNI in python requests, and only delete tuf metadata if it 
exists
 2017-05-02 09:32:12 -04:00
Joseph Schorr
ae0d1e831b Add prometheus metric for queued builds 2017-05-01 15:16:55 -04:00
josephschorr
8b148bf1d4 Merge pull request #2576 from coreos-inc/full-db-tests-tox 
Reenable full database testing locally and in concourse
 2017-04-27 18:09:15 -04:00
Joseph Schorr
4ea4ee3aa4 Fix time machine config validator on old-style config 
Existing config won't have the keys defined, so make sure we skip in that case (and just use the defaults)
 2017-04-27 14:24:47 -04:00
Joseph Schorr
cb3695a629 Change config validator tests to use the shared fixtures 2017-04-24 16:45:14 -04:00
Joseph Schorr
f296599162 Add additional logging around secscan analyze 2017-04-21 16:52:47 -04:00
Jake Moshenko
3b26e819d3 Merge pull request #2558 from jakedt/betternooper 
Make the nooper impl even smaller!
 2017-04-21 14:29:52 -04:00
Joseph Schorr
3dcbe3c631 If enabled, allow users and orgs to set their time machine expiration 
Fixes https://www.pivotaltracker.com/story/show/142881203
 2017-04-21 11:32:45 -04:00
Jimmy Zelinskie
6bef1d1ff3 Merge pull request #2322 from jzelinskie/acifix 
image/appc: fix volume conversion and add tests
 2017-04-21 10:15:03 -04:00
Jake Moshenko
e97ef09bd3 Make the nooper impl even smaller! 2017-04-20 13:42:49 -04:00
josephschorr
b03771669b Merge pull request #2554 from coreos-inc/no-secscan-delete 
Fix deleting repos when sec scan or signing is disabled
 2017-04-19 17:09:59 -04:00
Joseph Schorr
c5bb9abf11 Fix deleting repos when sec scan or signing is disabled 
Make sure we don't invoke the APIs to non-existent endpoints
 2017-04-19 16:57:36 -04:00
Joseph Schorr
08b9c4b0d4 Fill backfill script for recent changes 
We forgot that we need to lookup by user *object* and we need to lookup locations on their own
 2017-04-19 16:50:51 -04:00
Jake Moshenko
ba07270bb2 Turn off in-app sentry logging, only log 500s at the WSGI layer 2017-04-18 16:38:22 -04:00
Jake Moshenko
22f5934f34 Add error logging to Marketo calls 2017-04-17 10:19:52 -04:00
Evan Cordell
2661db7485 Add flag to enable trust per repo (#2541) 
* Add flag to enable trust per repo

* Add api for enabling/disabling trust

* Add new LogEntryKind for changing repo trust settings
Also add tests for repo trust api

* Add `set_trust` method to repository

* Expose new logkind to UI

* Fix registry tests

* Rebase migrations and regen test.db

* Raise downstreamissue if trust metadata can't be removed

* Refactor change_repo_trust

* Add show_if to change_repo_trust endpoint
 2017-04-15 08:26:33 -04:00
Evan Cordell
ec63e495fc Add repo purge callbacks and register TUF metadata deletion as one 2017-04-12 17:33:51 -04:00
Evan Cordell
883692345b Add unit tests for gun calculation 2017-04-12 17:33:51 -04:00
Evan Cordell
70ae34357f urljoin GUN together instead of manually concatenating 2017-04-12 17:33:51 -04:00
Evan Cordell
68128b938b Add tests for tuf metadata delete 2017-04-12 17:33:51 -04:00
Evan Cordell
abe6f40bc5 Add support for deleting TUF metadata when repo is deleted 2017-04-12 17:33:51 -04:00
josephschorr
2bc619137a Merge pull request #2512 from ecordell/tufmetadata 
Add tufmetadata endpoint
 2017-04-07 17:16:11 -04:00
Evan Cordell
217b4a5ab2 Return hashes and expiration when fetching signed tags 2017-04-07 16:12:28 -04:00
Joseph Schorr
ed3da4697f Add client ID and client secret to OIDC config validator 2017-04-07 11:33:02 -04:00
Jake Moshenko
c7241911a5 Fix old-style flask imports to silence deprecation warnings. 2017-04-06 13:15:48 -04:00
Jake Moshenko
a0817bfd59 Refresh dependencies and fix tests. 2017-04-06 13:15:48 -04:00
Evan Cordell
9515f18fb6 Add tufmetadata endpoint 2017-04-05 10:03:27 -04:00
Joseph Schorr
0b6c062e32 Add superuser panel config for team syncing 2017-04-03 11:31:30 -04:00
Joseph Schorr
a6486b7823 Gitlab validation must allow unspecified endpoint 
Gitlab config validator currently requires the gitlab endpoint to be specified, even though we support leaving it unspecified for non-enterprise installs. Fix the validator to allow this case.
 2017-03-30 12:57:41 -04:00
Joseph Schorr
45179216af Have sec scan retries actually work 
Until this change, if `ping` raised an exception, we wouldn't retry properly
 2017-03-29 16:19:46 -04:00
Jimmy Zelinskie
65a17dc155 Merge pull request #2473 from coreos-inc/certs-fixes 
Fixes and improvements around custom certificate handling
 2017-03-27 15:08:36 -04:00
Evan Cordell
1016641f8d refactor jwt context building 2017-03-27 11:37:17 -04:00
Evan Cordell
abd78bce56 Use constants for TUF roots 2017-03-27 11:37:17 -04:00
Evan Cordell
6ad107709c Change build_context_and_subject to take kwargs 2017-03-27 11:37:17 -04:00
Evan Cordell
43dd974dca Determine which TUF root to show based on actual access, not requested 
access
 2017-03-27 11:37:17 -04:00
Joseph Schorr
b017133cc6 Make QSS validation errors more descriptive 2017-03-24 17:28:16 -04:00
Jimmy Zelinskie
23759a1592 util.config.db: ensure blob locations sync on boot 2017-03-22 22:57:21 -04:00
Joseph Schorr
6ab5b8be45 Have storage replication backfill tool only backfill missing storages 
Prevents overload of the queue
 2017-03-22 11:30:49 -04:00
Joseph Schorr
6476488221 Skip bitbucket pushes without any commits 
Fixes https://sentry.io/coreos/backend-production/issues/178220183/
 2017-03-20 18:23:21 -04:00
josephschorr
432b2d3fe8 Merge pull request #2392 from coreos-inc/search-optimization 
Optimize repository search by changing our lookup strategy
 2017-03-10 15:44:26 -05:00
josephschorr
6d6be63ca6 Merge pull request #2393 from coreos-inc/oidc-ui 
OIDC configuration support in superuser config panel
 2017-03-10 12:13:48 -05:00
Joseph Schorr
b5bb76cdea Optimize repository search by changing our lookup strategy 
Previous to this change, repositories were looked up unfiltered in six different queries, and then filtered using the permissions model, which issued a query per repository found, making search incredibly slow. Instead, we now lookup a chunk of repositories unfiltered and then filter them via a single query to the database. By layering the filtering on top of the lookup, each as queries, we can minimize the number of queries necessary, without (at the same time) using a super expensive join.

Other changes:
- Remove the 5 page pre-lookup on V1 search and simply return that there is one more page available, until there isn't. While technically not correct, it is much more efficient, and no one should be using pagination with V1 search anyway.
- Remove the lookup for repos without entries in the RAC table. Instead, we now add a new RAC entry when the repository is created for *the day before*, with count 0, so that it is immediately searchable
- Remove lookup of results with a matching namespace; these aren't very relevant anyway, and it overly complicates sorting
 2017-03-09 19:47:55 -05:00
Joseph Schorr
eff1827d9d Batch QSS notifications after initial scan 2017-03-01 15:42:49 -05:00
Jimmy Zelinskie
cbb2fff0e2 util.secscan.api: raise exception for !200 status 2017-03-01 00:40:47 -05:00
Jimmy Zelinskie
cba7816caf util.failover: re-raise exceptions on failure 2017-03-01 00:40:47 -05:00
Joseph Schorr
157640e696 Add config validator for OIDC logins 2017-02-28 16:18:19 -05:00
Joseph Schorr
88b808f468 Fix typo 2017-02-24 12:23:18 -05:00
Joseph Schorr
d4eb4f7f3c Pull out github trigger and login validation into validator class 2017-02-24 12:23:18 -05:00
Joseph Schorr
a31f2267e8 Pull out gitlab trigger validation into validator class 2017-02-24 12:23:18 -05:00
Joseph Schorr
7a260d81d3 Pull out bitbucket trigger validation into validator class 2017-02-24 12:23:17 -05:00
Joseph Schorr
49638b081b Pull out google login validation into validator class 2017-02-24 12:23:17 -05:00
Joseph Schorr
620e377faf Pull out ssl validation into validator class 2017-02-24 12:23:17 -05:00
Joseph Schorr
e76b95f0e6 Add S3 storage test to validator tests 2017-02-24 12:23:17 -05:00
Joseph Schorr
09b3cfd549 Pull out torrent validation into validator class 2017-02-24 12:23:17 -05:00
Joseph Schorr
2944a4e13d Pull out signing validation into validator class 2017-02-24 12:23:17 -05:00
Joseph Schorr
8844ecbb7c Fix imports 2017-02-24 12:23:16 -05:00
Joseph Schorr
dcabb36ac7 Add TODO 2017-02-24 12:23:16 -05:00
Joseph Schorr
3db4c15459 Pull out security scanner validation into validator class 2017-02-24 12:23:16 -05:00
Joseph Schorr
c0f7530b29 Pull out JWT auth validation into validator class 
Also fixes a small bug in validation (yay tests!)
 2017-02-24 12:23:16 -05:00
Joseph Schorr
678f868bc4 Pull out keystone validation into validator class 2017-02-24 12:23:15 -05:00
Joseph Schorr
c55ddf7341 Pull out ldap validation into validator class 2017-02-24 12:23:15 -05:00
Joseph Schorr
2d64cf3000 Rename config validation source files 2017-02-24 12:23:15 -05:00
Joseph Schorr
00eceb7ed5 Pull out email validation into validator class 2017-02-24 12:23:15 -05:00
Joseph Schorr
ee4f5ed5d6 Move registry storage validator to new location 2017-02-24 12:23:15 -05:00
Joseph Schorr
b2afe68632 Pull out redis validation into validator class 2017-02-24 12:23:15 -05:00
Joseph Schorr
f933b3e295 Pull out database validation into validator class 2017-02-24 12:23:14 -05:00
Joseph Schorr
484977f728 Refactor security scanner validation from single sleep to polling 2017-02-24 12:23:14 -05:00
Jimmy Zelinskie
c8034deab4 util.secscan.api: failover connection failures 2017-02-23 15:01:32 -05:00
Joseph Schorr
67c0bf6263 Fix docker versioning library to support new versioning scheme 
Fixes: https://sentry.io/coreos/backend-production/issues/222349174/
Reference: https://github.com/docker/docker/pull/31075
 2017-02-22 16:08:17 -05:00
Joseph Schorr
94be8731f3 Change Docker Version tests to pytest 2017-02-22 15:45:06 -05:00
josephschorr
f7a7d30ec2 Merge pull request #2366 from coreos-inc/alert-spam-fixes 
Small fixes for alert spam
 2017-02-22 14:18:18 -05:00
Joseph Schorr
7cc7e54945 Remove unicode before sending it to path parser 
Fixes https://sentry.io/coreos/backend-production/issues/175929456/
 2017-02-22 13:21:12 -05:00
Jake Moshenko
b03e03c389 Read the number of unscanned clair images from the block allocator 2017-02-21 19:13:51 -05:00
josephschorr
8f01cb959a Merge pull request #2354 from coreos-inc/license-sorting 
Change entitlement sorting to sort *valid* entitlements by reverse expiration time
 2017-02-15 16:24:51 -05:00
Joseph Schorr
d506279892 Change entitlement sorting to sort *valid* entitlements by reverse expiration time 
With this change, if all entitlements are valid, we sort to show the entitlement that will expire the farthest in the future, as that defines the point at which the user must act before the license becomes invalid.
 2017-02-15 14:31:24 -05:00
Charlton Austin
3fd8c8a60d feature(app.py): adding queue_metrics to queues 
publishing queue metrics for SRE

[none]
 2017-02-14 16:01:28 -05:00
Jimmy Zelinskie
1d6339e644 test.test_api_usage: fix secscan tests 2017-02-14 15:21:18 -05:00
Jimmy Zelinskie
3286566478 util.secscan.api: reorg try/catch 2017-02-14 15:21:17 -05:00
Jimmy Zelinskie
d2909c0e4d failover: store result in FailoverException 2017-02-14 14:36:36 -05:00
Jimmy Zelinskie
c2c6bc1e90 test: add qss read failover case 2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
1d59095460 utils.secscan: linter fixes 2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
e81926fcba util.secscan.api: init read-only failover 2017-02-03 19:20:13 -05:00
Jimmy Zelinskie
b4efa7e45b util.failover: init 2017-02-03 19:20:13 -05:00
Joseph Schorr
c9bb132339 Increase cloudwatch send timeout to reduce how often we hit the API 2017-02-01 13:09:00 -05:00
Joseph Schorr
b407f88a26 Remove unnecessary CloudWatch metrics 
They are spamming the API and costing us a lot of money
 2017-02-01 13:08:21 -05:00
josephschorr
01ec22b362 Merge pull request #2300 from coreos-inc/openid-connect 
OpenID Connect support and OAuth login refactoring
 2017-01-31 18:14:44 -05:00
Jimmy Zelinskie
7a957c94c8 image/appc: fix volume conversion and add tests 2017-01-31 15:37:16 -05:00
Joseph Schorr
f5dbc350f8 Fix missed tests and revert conftest change (breaks docker build) 2017-01-30 17:28:25 -05:00
Joseph Schorr
d63cca025a DNS name check got reversed; breaks wildcards 2017-01-29 11:51:37 -05:00
Joseph Schorr
d9003d1375 Make sure the parent dir of a file path exists before writing the file 
Fixes when the `extra_ca_certs` directory doesn't exist when using the new custom certs tool
 2017-01-26 15:15:40 -05:00
Joseph Schorr
7c1bb886db Security scanner ordered tuplize bug fix 
If only the old list is present, we still need to tuplize the entries.

Fixes https://sentry.io/coreos/backend-production/issues/207196561/
 2017-01-24 13:16:44 -05:00
Joseph Schorr
19f7acf575 Lay foundation for truly dynamic external logins 
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
 2017-01-20 15:21:08 -05:00
Joseph Schorr
4755d08677 Refactor and rename the standard OAuth services 2017-01-19 15:23:15 -05:00
Joseph Schorr
bee2551dc2 Temporarily remove Dex login support 
This will be added back in later in this PR as part of proper generic OIDC support
 2017-01-19 14:51:12 -05:00
Joseph Schorr
7c7a07fb5a Allow namespaces to be between 2 and 255 characters in length 
[Delivers #137924329]
 2017-01-19 13:10:26 -05:00
Joseph Schorr
462f47924e More detailed namespace validation 
Fixes namespace validation to use the proper regex for checking length, as well as showing the proper messaging if the entered namespace is invalid

[Delivers #137830461]
 2017-01-17 17:31:59 -05:00
josephschorr
aafcb592a6 Merge pull request #2257 from coreos-inc/clair-gc-take2 
feat(gc): Garbage collection for security scanning
 2017-01-17 14:49:36 -05:00
josephschorr
eb2cafacd4 Merge pull request #2249 from coreos-inc/notifier-fixes 
Security notification pagination fix
 2017-01-17 11:33:25 -05:00
josephschorr
ac8cddc5a9 Merge pull request #2274 from coreos-inc/custom-cert-management 
Custom SSL certificates config panel
 2017-01-13 16:24:47 -05:00
josephschorr
6539fa3b20 Merge pull request #2259 from coreos-inc/delete-abuse-tool 
Add tool for handling abusing users
 2017-01-13 16:22:15 -05:00
Joseph Schorr
1cbacbbb63 Add tool for handling abusing users 2017-01-13 14:42:03 -05:00
Joseph Schorr
7e0fbeb625 Custom SSL certificates config panel 
Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle

[Delivers #135586525]
 2017-01-13 14:34:35 -05:00
Joseph Schorr
3a24871422 Add SSL certificate utility and tests 2017-01-10 17:06:13 -05:00
Joseph Schorr
f1c9965edf Add more volume file operations and cleanup k8s provider code 2017-01-10 17:06:13 -05:00
Joseph Schorr
29d6abddb5 Linter fixes 2017-01-10 17:06:13 -05:00
EvB
a7122db250 fix(cloudwatch): randomize sleep interval 2017-01-05 11:41:12 -05:00
Jake Moshenko
6c84b9330b Merge pull request #2251 from jakedt/fixaci 
Fix port mapping for ACI conversion from newer Docker manifests.
 2016-12-27 14:13:03 -05:00
Joseph Schorr
d609e6a1c4 Security scanner garbage collection support 
Adds support for calling GC in the security scanner for any layers+storage removed by GC on the Quay side
 2016-12-22 14:55:26 -05:00
Joseph Schorr
9413e25123 Change georeplication queuing to use new batch system 2016-12-21 17:44:30 -05:00
Jake Moshenko
d58a1ca35a Fix port mapping for ACI conversion from newer Docker manifests. 2016-12-20 14:01:06 -05:00
Joseph Schorr
5b3212ea0e Change security notification code to use the new stream diff reporters 
This ensures that even if security scanner pagination sends Old and New layer IDs on different pages, they will properly be handled across the entire notification.

Fixes https://www.pivotaltracker.com/story/show/136133657
 2016-12-20 12:50:19 -05:00
Joseph Schorr
ced0149520 Implement helper classes for tracking streaming diffs, both indexed and non-indexed 
These classes will be used to handle the Layer ID paginated diffs from Clair.
 2016-12-20 12:50:18 -05:00
Joseph Schorr
405eca074c Security scanner flow changes and auto-retry 
Changes the security scanner code to raise exceptions now for non-successful operations. One of the new exceptions raised is MissingParentLayerException, which, when raised, will cause the security worker to perform a full rescan of all parent images for the current layer, before trying once more to scan the current layer. This should allow the system to be "self-healing" in the case where the security scanner engine somehow loses or corrupts a parent layer.
 2016-12-16 15:38:09 -05:00
josephschorr
9fa16679f8 Merge pull request #2238 from coreos-inc/fake-clair 
Add a fake security scanner class for easier testing
 2016-12-15 20:51:24 -05:00
Brad Ison
2730c26b2e Merge pull request #2237 from coreos-inc/metrics-labels 
Don't record size in chunk upload metrics
 2016-12-15 14:20:34 -05:00
Brad Ison
df7366eace Add chunk size metric 2016-12-15 13:20:16 -05:00
Joseph Schorr
15041ac5ed Add a fake security scanner class for easier testing 
The FakeSecurityScanner mocks out all calls that Quay is expected to make to the security scanner API, and returns faked data that can be adjusted by the calling test case
 2016-12-14 17:11:45 -05:00
Brad Ison
8f59ac1251 Don't record size in chunk upload metrics 2016-12-14 12:16:02 -05:00
Joseph Schorr
6871eb95b1 Send notifications for previously unscannable layers in QSS 
Following this change, if an image was previously indexed unsuccessfully, then we will send notifications once successfully indexed
 2016-12-14 11:25:45 -05:00
Joseph Schorr
624b2a8385 Have security scanner analyze only send notifications for *new* layers 
Following this change, anytime a layer is indexed by the security scanner, we only send notifications out if the layer previously had a security_indexed_engine value of `-1`, thus ensuring it has *never* been indexed previously. This will allow us to change to version of the security scanner upwards, and have all the images be re-indexed, without firing off notifications in a spammy manner.
 2016-12-13 23:17:11 -05:00
Evan Cordell
5686c80af1 Revert "Add GC of layers in Clair" 
This reverts 49872838ab
 2016-12-13 18:40:58 -05:00
Evan Cordell
dd5f7cbe6c Fix the ephemeral build metrics 2016-12-13 18:28:04 -05:00
Joseph Schorr
1e5b97318a Fix loading of public keys for OIDC under Linux 
Python's crypto lib under Linux has issues with loading PEM-encoded keys, so we just load it as a DER here and give PyJWT the key *instance* to use directly.
 2016-12-09 14:26:56 -05:00
Joseph Schorr
dbdcb802b1 Add end-to-end OAuth login and attach tests 2016-12-08 18:35:42 -05:00
Joseph Schorr
49872838ab Add GC of layers in Clair 
Fixes https://www.pivotaltracker.com/story/show/135583207
 2016-12-06 19:52:56 -05:00
Jake Moshenko
21e3001446 Add a bulk insert for queue and notifications. 
Use it for Clair spawned notifications.
 2016-12-06 14:00:16 -05:00
Charlton Austin
edd9dcd7f6 Adding in some metrics around clair sec scan. 2016-12-01 16:50:02 -05:00
Joseph Schorr
236655adb4 Fix config validator for storage and add a test suite 
Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
 2016-11-30 11:58:41 -05:00
Joseph Schorr
1a61ef4e04 Report the user's name and company to Marketo 
Also fixes the API to report the other changes (username and email) as well
 2016-11-14 17:34:50 -05:00
josephschorr
74e54bdbbb Merge pull request #1872 from coreos-inc/qe-torrent 
Add QE setup tool support for BitTorrent downloads
 2016-11-11 13:56:22 -05:00
Jake Moshenko
b5834a8a66 Collapse all migrations prior to 2.0.0 into one. 2016-11-10 17:31:00 -05:00
Joseph Schorr
74c3346562 Add a warning bar when the license will become invalid in a week 2016-11-08 14:24:55 -05:00
Joseph Schorr
4b926ae189 Add new metrics as requested by some customers 
Note that the `status` field on the pull and push metrics will eventually be set to False for failed pulls and pushes in a followup PR
 2016-11-03 15:28:40 -04:00
Joseph Schorr
681f975df5 Add QE setup tool support for BitTorrent downloads 
Fixes #1871
 2016-11-02 17:32:12 -04:00
josephschorr
840ea4e768 Merge pull request #2047 from coreos-inc/external-auth-email-optional 
Make email addresses optional in external auth if email feature is turned off
 2016-10-31 14:16:33 -04:00
Joseph Schorr
3a473cad2a Enable permanent sessions 
Fixes #1955
 2016-10-31 13:52:09 -04:00
Joseph Schorr
d7f56350a4 Make email addresses optional in external auth if email feature is turned off 
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
 2016-10-31 13:50:24 -04:00
josephschorr
934cdecbd6 Merge pull request #1905 from coreos-inc/external-auth-search 
Add support for entity search against external auth users not yet linked
 2016-10-27 16:06:42 -04:00
Joseph Schorr
b3d1d7227c Add support to Keystone Auth for external user linking 
Also adds Keystone V3 support
 2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e Add support to ExternalJWT Auth for external user linking 2016-10-27 15:42:03 -04:00
Jake Moshenko
45bacbabaa s/Regions/Deployments 2016-10-24 16:04:04 -04:00
josephschorr
67dde6e154 Merge pull request #1852 from coreos-inc/underscore_orgs 
Better handling of namespace validation to fix a number of issues
 2016-10-20 13:36:32 -04:00
Joseph Schorr
3a68740ff7 Better handling of namespace validation to fix a number of issues 
- Fixes a bug which allows for underscores at the beginning of namespaces: Fixes #1849
- Allows dots and dashes for newer Docker clients: Fixes #1188
- Has the UI display better messaging associated with namespace entry
 2016-10-20 13:32:22 -04:00
Joseph Schorr
213cc856e4 Fix UI for real license handling 
Following this change, the user gets detailed errors and entitlement information
 2016-10-19 17:49:15 -04:00
Joseph Schorr
2eabf1a291 Fix tests and test provider for real license format 2016-10-18 23:44:08 -04:00
Jake Moshenko
9f1c12e413 Refactor our license code to be entitlement centric. 2016-10-18 22:33:28 -04:00
Jake Moshenko
d90398e9ff Change the monthly license grace period to 11 months. 2016-10-18 18:46:40 -04:00
Joseph Schorr
67f828279d Switch the license validator to use config_provider and have a test license 
Fixes the broken tests currently which try (and fail) to read the license file
 2016-10-18 11:44:13 -04:00
Joseph Schorr
ee96693252 Add superuser config section for updating license 2016-10-17 21:44:25 -04:00
Jimmy Zelinskie
5fee4d6d19 *: misc formatting cleanup 2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
a42eb09a3e util.license: make bp-modification a method 2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
6eb26d7998 configproviders: pass filemode when opening volume 2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
0c5400b7d1 enforce license across registry blueprints 2016-10-17 21:43:45 -04:00
Joseph Schorr
8fe29c5b89 Add license upload step to the setup flow 
Fixes #853
 2016-10-17 21:43:15 -04:00
Joseph Schorr
5211c407ff Add license checking to Quay 
Based off of mjibson's changes

Fixes #499
 2016-10-17 21:43:15 -04:00
josephschorr
78f87d96bc Merge pull request #1986 from coreos-inc/external-tls 
Add option to properly handle external TLS
 2016-10-15 16:05:28 -04:00
Jake Moshenko
f04b018805 Write our users to Marketo as leads. 2016-10-14 16:29:11 -04:00
Jake Moshenko
013e27f7d5 Clean up mixpanel analytics a bit. 2016-10-13 15:03:04 -04:00
Joseph Schorr
5a8200f17a Add option to properly handle external TLS 
Fixes #1984
 2016-10-13 14:49:29 -04:00
Joseph Schorr
6ea51afa66 Add a configurable prometheus namespace for all metrics 
Fixes #1918
 2016-10-05 10:33:35 +03:00
josephschorr
684ace3b5a Merge pull request #1761 from coreos-inc/nginx-direct-download 
Add feature flag to force all direct download URLs to be proxied
 2016-09-29 22:46:57 +02:00
Evan Cordell
832ee89923 Add duration metric collector decorator (#1885) 
Track time-to-start for builders
Track time-to-build for builders
Track ec2 builder fallbacks
Track build time
 2016-09-29 15:44:06 -04:00
Joseph Schorr
6ae3faf7fc Add explicit config parameter to the JWT auth methods 2016-09-29 11:15:20 +02:00
Joseph Schorr
dd2e086a20 Add feature flag to force all direct download URLs to be proxied 
Fixes #1667
 2016-09-29 11:13:41 +02:00
Jimmy Zelinskie
fc7301be0d *: fix legacy imports 
This change reorganizes imports and renames the legacy flask extensions.
 2016-09-28 20:17:14 -04:00
Jimmy Zelinskie
ae16d24fd1 license: validate via key instance rather than PEM 2016-09-28 15:44:28 -04:00
josephschorr
e1771abe58 Merge pull request #739 from coreos-inc/license 
Add license checking to Quay
 2016-09-27 16:52:08 +02:00
Joseph Schorr
476576bb70 Add license checking to Quay 
Based off of mjibson's changes

Fixes #499
 2016-09-27 10:31:34 +02:00
Joseph Schorr
3c8b87e086 Fix verbs in manifestlist 
All registry_tests now pass
 2016-09-26 14:49:58 -04:00
Jimmy Zelinskie
59529569dc reorder imports 2016-09-26 14:48:05 -04:00
josephschorr
ad4efba802 Merge pull request #1830 from coreos-inc/superuser-dashboard 
Add prometheus stats to enable better dashboarding
 2016-09-26 17:19:22 +02:00
Joseph Schorr
25ed99f9ef Add feature flag to turn off requirement for team invitations 
Fixes #1804
 2016-09-20 16:45:00 -04:00
Joseph Schorr
c7beea2032 Fix handling of custom LDAP cert 
This change moves the LDAP cert installation into a common script and reorganizes the startup scripts for creating and installing these certs

Fixes #1846
 2016-09-19 17:55:08 -04:00
Joseph Schorr
1571b2867a Add executor name to the build metric 2016-09-16 16:26:04 -04:00
Joseph Schorr
30af8aef1a Add a worker for reporting global stats to Prometheus 
Fixes #1789
 2016-09-12 16:19:19 -04:00
Joseph Schorr
818ea38dac Add repo-specific reporting of repository builds 2016-09-09 15:36:54 -04:00
Joseph Schorr
c8a1b8abab Add prom stats for repository push, pull and verb actions 2016-09-09 15:13:58 -04:00
Jake Moshenko
1d8b72235a Add a helper method to Image to parse ancestor string. 2016-09-07 10:48:58 -04:00
josephschorr
480d890442 Merge pull request #1771 from coreos-inc/kubernetes-save-error 
Make sure the Quay Enterprise Kubernetes namespace exists
 2016-08-30 12:59:00 -04:00
Joseph Schorr
3f9c82462f Make sure the Quay Enterprise Kubernetes namespace exists 
Prevents config from failing to save. Also clarifies any other errors that do occur.

Fixes #1449
 2016-08-30 12:58:39 -04:00
Joseph Schorr
aa7c87d765 Fix locking via RedLock 
Fixes #1777
 2016-08-29 16:06:26 -04:00
Joseph Schorr
608ffd9663 Basic labels support 
Adds basic labels support to the registry code (V2), and the API. Note that this does not yet add any UI related support.
 2016-08-26 15:24:26 -04:00
Joseph Schorr
193040a473 Fix tag links 
Fixes #1741
 2016-08-17 15:06:10 -04:00
Joseph Schorr
afc2705b1c Have email read the enterprise logo 2016-08-09 12:18:35 -04:00
Ben Spoon
b0e34692cf Merge pull request #1674 from coreos-inc/new-quay-emails 
New quay emails
 2016-08-09 09:12:54 -07:00
Ben Spoon
2b92fded68 emails: address review feedback 2016-08-08 13:29:47 -07:00
Ben Spoon
004b834c72 emails: only show quay footer if coming from hosted 2016-08-04 11:55:55 -07:00
Ben Spoon
46a720285a emails: update payment failure admin link 
addresses issue #1623
 2016-08-04 11:55:50 -07:00
Ben Spoon
5019ef0b6b emails: change the app_link_handler to return just a uri 
There is no need for an anchor tag any longer.
 2016-08-04 11:55:48 -07:00
Joseph Schorr
770ac0016e Change validate method to work for all storages 2016-08-02 15:01:37 -04:00
Joseph Schorr
0fe3e6510a Prevent invalid tags on builds 
Fixes #1632
 2016-07-25 17:50:35 -07:00
Joseph Schorr
541764d87b Fix get_priority_for_index method for non-int values 
Fixes #1607
 2016-07-11 15:04:50 -04:00
Joseph Schorr
a1009af61c Move aggregator into its own repo and add it to the image 2016-07-05 15:39:51 -04:00
Joseph Schorr
713ba3abaf Further updates to the Prometheus client code 2016-07-01 14:16:51 -04:00
Jake Moshenko
668a8edc50 Refactor prometheus integration 
Move prometheus to SaaS and make it a plugin
Move static callers to use metrics_queue plugin
Change local-docker to support different quay clone dirnames
Change prom_aggregator to use logrus
 2016-07-01 14:16:50 -04:00
Matt Jibson
3d9acf2fff Use prometheus as a metric backend 
This entails writing a metric aggregation program since each worker has its
own memory, and thus own metrics because of python gunicorn. The python
client is a simple wrapper that makes web requests to it.
 2016-07-01 14:16:50 -04:00
Joseph Schorr
9558c0e937 Fix handling of Github API paths and add tests 2016-06-30 14:10:22 -04:00
Joseph Schorr
ab1756306b Switch to using the leeway parameter on JWT validation 2016-06-27 14:42:44 -04:00
Joseph Schorr
2983195a4a Fix OAuth key not found error for Dex 
Fixes #1582
 2016-06-27 13:38:11 -04:00
Joseph Schorr
2653d213c9 Add an allowed amount of clock skew to registry JWTs 2016-06-24 15:08:26 -04:00
Joseph Schorr
30ede029d5 Fix GeneratorFile for working with BufferedReader 
The user files system uses a BufferedReader along with the magic library to determine the mime type of the user file being served. Currently, BufferedReader fails with an exception on Swift storage, because Swift storage returns a GeneratorFile, which is missing the `readable()` method.
 2016-06-23 13:40:57 -04:00
josephschorr
7173d53030 Merge pull request #1549 from coreos-inc/certs 
Switch to install custom LDAP cert by name
 2016-06-21 15:13:44 -04:00
Joseph Schorr
66ec1d81ce Switch to install custom LDAP cert by name 2016-06-21 15:10:26 -04:00
josephschorr
9e6a264f5f Merge pull request #1523 from coreos-inc/verb-tag-cache-fix 
Add a uniqueness hash to derived image storage to break caching over …
 2016-06-20 16:38:25 -04:00
Joseph Schorr
a43b741f1b Add a uniqueness hash to derived image storage to break caching over tags 
This allows converted ACIs and squashed images to be unique based on the specified tag.

Fixes #92
 2016-06-20 16:34:52 -04:00
Jake Moshenko
22562b0156 Merge pull request #1559 from jakedt/finishthejob 
Finish removing the AJAX indexing support.
 2016-06-20 13:42:05 -04:00
Joseph Schorr
986d20bcad Switch to generic RedisError 
Fixes #1558
 2016-06-20 11:20:17 -04:00
Jake Moshenko
4130054ef3 Finish removing the AJAX indexing support. 2016-06-20 10:15:21 -04:00
Jake Moshenko
746728ba24 Remove escaped_fragment snapshot rendering. 2016-06-14 12:53:10 -04:00
josephschorr
58bef472d9 Merge pull request #1526 from coreos-inc/superuser-grant 
Add ability for super users to take ownership of namespaces
 2016-06-13 16:23:10 -04:00
Joseph Schorr
20816804e5 Add ability for super users to take ownership of namespaces 
Fixes #1395
 2016-06-13 16:22:52 -04:00
Jimmy Zelinskie
f15e5483e7 fix identation according to lint 2016-06-08 15:55:47 -04:00
Jimmy Zelinskie
9fb8b585b5 fix broken import 2016-06-08 15:55:29 -04:00
Joseph Schorr
71b2853f40 Make sure to iterate over a copy of the public_keys dictionary 2016-06-07 18:20:42 -04:00
Joseph Schorr
8887f09ba8 Use the instance service key for registry JWT signing 2016-06-07 11:58:10 -04:00
josephschorr
cad8746f9d Merge pull request #1502 from coreos-inc/image-replication 
Enable storage replication for V2 and add backfill tool
 2016-06-02 15:02:53 -04:00
Joseph Schorr
12924784ce Enable storage replication for V2 and add backfill tool 
Fixes #1501
 2016-06-02 14:36:08 -04:00
Jimmy Zelinskie
2317938bfa Merge pull request #1496 from jzelinskie/ripRMS 
dockerfile: add check for GPL pip packages
 2016-06-02 12:28:18 -04:00
Jimmy Zelinskie
8810157586 remove GPL'd timeparse library 2016-06-02 12:27:49 -04:00
Joseph Schorr
c61c3db728 Remove unused safetar file 2016-05-31 16:50:16 -04:00
Joseph Schorr
4ec3a6c231 Make ACI generation consistent across calls 
This will ensure that no matter which signature we write for the generated ACI, it is correct for that image.
 2016-05-26 17:09:19 -04:00
Joseph Schorr
f02d295dd8 Fix missing argument change 2016-05-23 17:44:22 -04:00
Joseph Schorr
f670c4c7a9 Change Signer to use the config provider and fix tests 
Fixes the broken ACI tests
 2016-05-23 17:10:03 -04:00
Jimmy Zelinskie
5568cc77b8 remove all default keys (#1485) 
This change:
- Generates a new BitTorrent pepper by default
- Generates a new pagination key by default
- Changes the pagination key format to base64
- Removes selfsigned JWT certs
- Moves test keys to test/data
 2016-05-23 16:00:48 -04:00
Jake Moshenko
4266ae7ce5 Fix the x5c header in our registry jwts. 2016-05-23 15:05:54 -04:00
Joseph Schorr
64fe11a5f1 Add ACI signing tests 2016-05-13 18:29:57 -04:00
josephschorr
d572a45a57 Merge pull request #1441 from coreos-inc/fastesttests 
Make security scan testing much faster
 2016-05-05 13:57:05 -04:00
Joseph Schorr
343a080833 Make security scan testing much faster 2016-05-05 13:55:24 -04:00
Jake Moshenko
75f5df6369 Add clair auth header in generalized interface 2016-05-05 13:28:06 -04:00
Joseph Schorr
232fa42897 Add testing of the new secscan-for-local endpoint and fix a bug 2016-05-04 21:47:03 -04:00
Jake Moshenko
9221a515de Use the registry API for security scanning 
when the storage engine doesn't support direct download url
 2016-05-04 18:04:06 -04:00
Joseph Schorr
73fa593d02 Various small fixes in prep for QE release 2016-05-04 15:20:27 -04:00
josephschorr
f55fd2049f Merge pull request #1433 from coreos-inc/ldapoptions 
Add additional options for LDAP
 2016-05-04 14:06:29 -04:00
Joseph Schorr
42515ed9ec Add additional options for LDAP 
Fixes #1420
 2016-05-04 13:59:20 -04:00
Joseph Schorr
2cbdecb043 Implement setup tool support for Clair 
Fixes #1387
 2016-05-04 13:40:50 -04:00
Jimmy Zelinskie
437ec84c9f torrent: use quay.pem to mint JWT (#1425) 2016-05-02 18:10:16 -04:00
Evan Cordell
af4106e5c0 Fix generatepresharedkey script 2016-04-29 15:21:19 -05:00
Evan Cordell
2242c6773d Add 'Automatic' ServiceKeyApprovalType 2016-04-29 14:10:33 -04:00
Evan Cordell
c766727d1d address review comments 
- more inline documentation
 - don't explicitly specify audience
 - approver is optional in `generate_key`
 - ADD -> RUN for better caching of jwtproxy
 2016-04-29 14:10:33 -04:00
Evan Cordell
0c2ecec9a9 Don't check for client certs when talking to clair 2016-04-29 14:10:33 -04:00
Evan Cordell
9ffc32f680 Generate preshared key on boot 2016-04-29 14:10:33 -04:00
Evan Cordell
f30a9e56f3 Be really sure about proxy protocol 2016-04-29 14:10:33 -04:00
Evan Cordell
8595140f38 Use signer proxy for all http(s) requests 2016-04-29 14:10:33 -04:00