Charlton Austin
e6d201e0b0
feat(build runner): added in context, dockerfile_location
...
this is a new feature meant to allow people to use any file as
a dockerfile and any folder as a context directory
2017-03-28 13:55:31 -04:00
Jimmy Zelinskie
65a17dc155
Merge pull request #2473 from coreos-inc/certs-fixes
...
Fixes and improvements around custom certificate handling
2017-03-27 15:08:36 -04:00
Jimmy Zelinskie
8931609775
Merge pull request #2469 from coreos-inc/appr_403_vs_401
...
Use 401 for bad or missing credentials, 403 for forbidden access
2017-03-27 11:39:23 -04:00
Jimmy Zelinskie
024f73ecd4
Merge pull request #2476 from coreos-inc/fix_bug_force_push
...
Fix force push causing duplicated entries
2017-03-27 11:39:12 -04:00
Evan Cordell
abd78bce56
Use constants for TUF roots
2017-03-27 11:37:17 -04:00
Evan Cordell
6ad107709c
Change build_context_and_subject to take kwargs
2017-03-27 11:37:17 -04:00
Evan Cordell
21d969d309
Refactor tests, no g required
2017-03-27 11:37:17 -04:00
Evan Cordell
43dd974dca
Determine which TUF root to show based on actual access, not requested
...
access
2017-03-27 11:37:17 -04:00
Antoine Legrand
d2ed37e158
Fix force push causing duplicated entries
2017-03-27 15:39:57 +02:00
Joseph Schorr
e509eb4cba
Better custom cert handling in the superuser tool
...
We now only allow certificates ending in .crt to be uploaded and we automatically install the certificate once it has been validated
2017-03-24 17:15:26 -04:00
Antoine Legrand
35bebf9e99
Use 401 for bad or missing credentials, 403 for forbidden access
2017-03-24 18:46:13 +01:00
Joseph Schorr
94c5eca286
Add CNR API auth tests for public repos
2017-03-23 21:19:56 -04:00
Jimmy Zelinskie
0ce68706ee
Merge pull request #2465 from coreos-inc/force_push
...
Allow force push for app
2017-03-23 21:05:08 -04:00
Antoine Legrand
16f2479a96
test: push twice same blob from different package
2017-03-24 00:39:04 +01:00
Antoine Legrand
bbd74eabd1
Allow force push for app
2017-03-23 22:50:07 +01:00
Joseph Schorr
ac4a79ae01
Update PR for rebase
2017-03-23 15:57:49 -04:00
Joseph Schorr
95e1cf6673
Make V2 login errors more descriptive
...
If login fails, we now call validate again to get the reason for the failure, and then surface it to the user of the CLI. This allows for more actionable responses, such as:
$ docker login 10.0.2.2:5000
Username (devtable): devtable
Password:
Error response from daemon: Get http://10.0.2.2:5000/v2/ : unauthorized: Client login with unencrypted passwords is disabled. Please generate an encrypted password in the user admin panel for use here.
2017-03-23 15:42:45 -04:00
Joseph Schorr
651666b60b
Refactor our auth handling code to be cleaner
...
Breaks out the validation code from the auth context modification calls, makes decorators easier to define and adds testing for each individual piece. Will be the basis of better error messaging in the following change.
2017-03-23 15:42:45 -04:00
Joseph Schorr
1bd4422da9
Move auth decorators into a decorators module
...
The non-decorators will be broken out in the followup change
2017-03-23 15:42:45 -04:00
Joseph Schorr
abf179eb09
Move fixtures under test, since they are shared globally
2017-03-23 15:42:45 -04:00
Joseph Schorr
c9a5ce6701
Start validating login in CNR
...
Fixes https://www.pivotaltracker.com/story/show/142342305
2017-03-23 15:07:46 -04:00
Joseph Schorr
ef4569f2c5
Add very basic security tests for CNR APIs
2017-03-23 13:14:12 -04:00
Joseph Schorr
b765836cfd
Make sure blobs in CNR are auth checked
2017-03-23 12:41:56 -04:00
Jimmy Zelinskie
77d2b9b290
endpoints.appr.test: mark failing db restore test
...
This test should fail as long as the CNR tests use 'v1' in the
mediatype.
2017-03-23 11:24:15 -04:00
Joseph Schorr
35b500aa2a
Fix test override
2017-03-23 11:17:05 -04:00
Joseph Schorr
e7d7849937
Make sure channels and releases match the tag regex
2017-03-23 00:55:36 -04:00
Joseph Schorr
3277fe9b4e
Make sure repository names in APPR match regex
2017-03-23 00:51:54 -04:00
Joseph Schorr
1145651b7a
Work towards fixing tests
2017-03-23 00:37:39 -04:00
Joseph Schorr
069208f2f1
Break out repo kind checking into its own decorator
...
We then use that decorator both in the API and in the permissions check decorator
2017-03-23 00:01:37 -04:00
Joseph Schorr
4c34b00b38
Prevent CNR methods from auth-ing on non-app repos
2017-03-22 23:56:34 -04:00
Jimmy Zelinskie
3d0e63d8e5
endpoints.appr.decorators: isolate appr decorators
2017-03-22 23:53:03 -04:00
Jimmy Zelinskie
6dfd1ef660
endpoints.appr.test: include CNR fixtures
2017-03-22 23:42:19 -04:00
Jimmy Zelinskie
82bcd45727
endpoints: clarify repo access decorators
2017-03-22 23:41:38 -04:00
Jimmy Zelinskie
cafde81322
endpoints.appr.test: init
2017-03-22 22:57:22 -04:00
Jimmy Zelinskie
102c671587
endpoints.appr: init
2017-03-22 22:57:21 -04:00
Jimmy Zelinskie
3ccf3c5f33
Merge pull request #2447 from jzelinskie/cnr-step2
...
CNR Step 2
2017-03-22 18:45:51 -04:00
Joseph Schorr
df1e7f90e0
Add verb security tests and fix small issues
2017-03-22 18:29:53 -04:00
Jimmy Zelinskie
d5fa2ad0c0
endpoints.verbs: abort 405 for non-container repos
2017-03-22 17:50:58 -04:00
Joseph Schorr
dcb970b783
Add registry app repository failure test
2017-03-22 17:26:59 -04:00
Jimmy Zelinskie
ca7a0f14d8
endpoints.v1: return 405 for non-docker repos
2017-03-22 17:26:59 -04:00
Jimmy Zelinskie
48ba59d615
endpoints.v2: only work on docker repositories
2017-03-22 17:26:59 -04:00
Joseph Schorr
178373293d
Disable web endpoints for app repos
2017-03-22 15:51:19 -04:00
Joseph Schorr
54efed62ee
Make sure start_build
cannot be called for app repos
2017-03-22 15:51:19 -04:00
Joseph Schorr
30b532254c
Disallow non-apps-supported APIs for application repositories
2017-03-22 15:51:19 -04:00
Jimmy Zelinskie
a2bac7dabd
endpoints.v1: only work on docker repositories
2017-03-22 14:31:22 -04:00
Joseph Schorr
ff7f78e990
Have blob uploads be checked against configurable max layer size
2017-03-21 13:16:55 -04:00
Joseph Schorr
239b6d7cf8
Make LayerTooLarge error more informative
2017-03-21 13:14:11 -04:00
Joseph Schorr
dd7f254f96
Have blob uploads be checked against configurable max layer size
2017-03-21 13:14:11 -04:00
josephschorr
4bee4dbfff
Merge pull request #2443 from coreos-inc/build-webhook-tests
...
Add tests for build web hooks endpoint
2017-03-20 16:26:57 -04:00
Joseph Schorr
8bbe0e5e9b
Always allow robot accounts to be selected by admins in trigger setup
...
Currently during trigger setup, if we don't know for sure that a robot account is necessary, we don't show the option to select one. This fails if the user has a Dockerfile in a branch or tag with a private base image *or* they *intend* to add a private base image once the trigger is setup. Following this change, we always show the option to select a robot account, even if it isn't determined to be strictly necessary.
2017-03-20 13:24:55 -04:00
Joseph Schorr
6f567e0850
Add tests for build web hooks endpoint
2017-03-20 13:22:59 -04:00
Joseph Schorr
cfb81c977f
Add UI for editing labels on a manifest
2017-03-14 11:34:43 -04:00
Joseph Schorr
69e476b1f4
Fix param regex for path params with complex filters
2017-03-14 11:34:43 -04:00
Joseph Schorr
e90cab4d77
Change revert tag into restore tag and add manifest support
2017-03-14 11:34:42 -04:00
Joseph Schorr
af743b156b
Show manifest digests in place of V1 ids in the tag view when possible
2017-03-14 11:34:41 -04:00
josephschorr
432b2d3fe8
Merge pull request #2392 from coreos-inc/search-optimization
...
Optimize repository search by changing our lookup strategy
2017-03-10 15:44:26 -05:00
Joseph Schorr
d42ec4e585
Abstract out constant scores into constants
2017-03-10 14:06:39 -05:00
Joseph Schorr
3813d0d23d
Add tests for all notification event calls
2017-03-10 11:26:12 -05:00
Joseph Schorr
48db77b521
Fix bug in QSS notifications
2017-03-10 11:25:55 -05:00
Joseph Schorr
b5bb76cdea
Optimize repository search by changing our lookup strategy
...
Previous to this change, repositories were looked up unfiltered in six different queries, and then filtered using the permissions model, which issued a query per repository found, making search incredibly slow. Instead, we now lookup a chunk of repositories unfiltered and then filter them via a single query to the database. By layering the filtering on top of the lookup, each as queries, we can minimize the number of queries necessary, without (at the same time) using a super expensive join.
Other changes:
- Remove the 5 page pre-lookup on V1 search and simply return that there is one more page available, until there isn't. While technically not correct, it is much more efficient, and no one should be using pagination with V1 search anyway.
- Remove the lookup for repos without entries in the RAC table. Instead, we now add a new RAC entry when the repository is created for *the day before*, with count 0, so that it is immediately searchable
- Remove lookup of results with a matching namespace; these aren't very relevant anyway, and it overly complicates sorting
2017-03-09 19:47:55 -05:00
Jimmy Zelinskie
850c32ebfb
Merge pull request #2298 from jzelinskie/maintainers
...
MAINTAINERS: init owners to subpkgs
2017-03-09 17:30:38 -05:00
Joseph Schorr
0ab6388e30
Add support for null ref, as that can be the value if a default branch is not chosen
2017-03-07 20:39:42 -05:00
josephschorr
aa2f88d321
Merge pull request #2337 from coreos-inc/new-trigger-ux
...
Implement new create and manager trigger UI
2017-03-02 18:15:32 -05:00
Joseph Schorr
9e6c368f7a
Make QSS multiple notification messaging nicer
2017-03-01 16:11:11 -05:00
Joseph Schorr
eff1827d9d
Batch QSS notifications after initial scan
2017-03-01 15:42:49 -05:00
Joseph Schorr
8e863b8cf5
Implement new create and manager trigger UI
...
Implements the new trigger setup user interface, which is now a linear workflow found on its own page, rather than a tiny modal dialog
Fixes #1187
2017-02-28 16:51:42 -05:00
Charlton Austin
59d6cf8a86
Merge pull request #2376 from charltonaustin/quay_jwts_indicate_which_root_a_user_should_see_137968801
...
Adding in what metadata_root_name to JWT
2017-02-23 17:10:21 -05:00
Charlton Austin
e87404c327
Adding in what metadata_root_name to JWT
2017-02-22 16:59:19 -05:00
Joseph Schorr
3f1d394e14
Catch IOErrors when starting builds
...
Fixes https://sentry.io/coreos/backend-production/issues/207144068/
2017-02-22 13:20:04 -05:00
Joseph Schorr
9db20ff961
Catch SSL errors due to timeouts in Github calls
...
Fixes https://sentry.io/coreos/backend-production/issues/219378902/
2017-02-22 13:20:04 -05:00
Joseph Schorr
89b7c13da5
Catch team member invite missing exception
...
Fixes https://sentry.io/coreos/backend-production/issues/195926082/
2017-02-22 13:18:22 -05:00
Joseph Schorr
a319c55616
Don't make permissions request in search for public callers
...
They are unnecessary, so we can skip them
2017-02-17 12:22:21 -05:00
Joseph Schorr
198bdf88bc
Move OAuth login into its own endpoints module
2017-02-16 16:27:54 -05:00
Joseph Schorr
0167e1e7bf
Style fixes
2017-02-16 16:27:54 -05:00
Joseph Schorr
d47696b69c
Add support for sub
binding field
2017-02-16 16:27:53 -05:00
Joseph Schorr
7b386e9d63
Move endpoint test fixtures to a non-conftest file
2017-02-16 16:27:53 -05:00
Joseph Schorr
2c35383724
Allow OAuth and OIDC login engines to bind to fields in internal auth
...
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works jut fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
2017-02-16 16:27:53 -05:00
Joseph Schorr
c6b0376d61
Remove unnecessary email generation in OAuth login
...
Handled by the `emaIl_required` flag already
2017-02-16 16:27:53 -05:00
Joseph Schorr
92c0b5ac3e
Fix handling of None queries
2017-02-16 15:26:45 -05:00
josephschorr
38e079ced2
Merge pull request #2344 from coreos-inc/v1-search-fix
...
Implement the full spec for the old Docker V1 registry search API
2017-02-16 15:08:33 -05:00
Joseph Schorr
a0bc0e9488
Implement the full spec for the old Docker V1 registry search API
...
This API is still (apparently) being used by the Docker CLI for `docker search` (why?!) and we therefore have customers expecting this to work the same way as the DockerHub.
2017-02-16 14:45:33 -05:00
Joseph Schorr
11c931f781
Log more information to the action logs and display the namespaces for superusers
...
This helps superusers understand better what, exactly, is going on in the registry
2017-02-14 14:55:24 -05:00
Joseph Schorr
8d96d8b682
Add tests for missing logs APIs
2017-02-08 16:52:17 -08:00
Charlton Austin
5a06530b43
Merge pull request #2314 from charltonaustin/move_tests_over_to_pytest_no_story
...
update(security_test.py): moving tests to new framework
2017-02-03 16:21:03 -05:00
josephschorr
1edebb804e
Merge pull request #2334 from coreos-inc/manifest-security-api
...
Add API endpoint for retrieving security status by *manifest*, rather than Docker V1 image ID
2017-02-02 22:37:17 -05:00
Joseph Schorr
cf539487a1
Add API endpoint for retrieving security status by *manifest*, rather than Docker V1 image ID
2017-02-02 17:51:18 -05:00
Alec Merdler
7c904f2e21
Merge pull request #2292 from coreos-inc/frontend-typescript
...
Upgrading Front-end Client to TypeScript
2017-02-02 14:24:35 -08:00
Charlton Austin
85bcb63439
update(security_test.py): moving tests to new framework
...
We should be moving tests over to pytest
[none]
2017-02-02 13:40:00 -05:00
josephschorr
01ec22b362
Merge pull request #2300 from coreos-inc/openid-connect
...
OpenID Connect support and OAuth login refactoring
2017-01-31 18:14:44 -05:00
Charlton Austin
2dfae9e892
Merge pull request #2303 from charltonaustin/view_build_logs_as_superuser_137910387
...
feature(superuser panel): ability to view logs
2017-01-27 12:32:31 -05:00
Charlton Austin
dae93dce78
feature(superuser panel): ability to view logs
...
users would like the ability to view build logs in the superuser panel
[None]
2017-01-26 13:54:03 -05:00
Joseph Schorr
05e9e31941
Fix small lookup bug under MySQL
2017-01-25 12:55:56 -05:00
alecmerdler
c9fa22b093
moved Webpack bundle directory out of /static/js because it contains more than just JS files
2017-01-24 14:05:06 -08:00
Joseph Schorr
a9791ea419
Have external login always make an API request to get the authorization URL
...
This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.
2017-01-23 19:06:19 -05:00
Joseph Schorr
fda203e4d7
Add proper and tested OIDC support on the server
...
Note that this will still not work on the client side; the followup CL for the client side is right after this one.
2017-01-23 17:53:34 -05:00
Jimmy Zelinskie
64421db0a3
MAINTAINERS: init owners to subpkgs
2017-01-23 17:46:34 -05:00
alecmerdler
615e233671
moved Angular routes to separate module; load Webpack bundle before other main scripts
2017-01-20 16:24:55 -08:00
Joseph Schorr
19f7acf575
Lay foundation for truly dynamic external logins
...
Moves all the external login services into a set of classes that share as much code as possible. These services are then registered on both the client and server, allowing us in the followup change to dynamically register new handlers
2017-01-20 15:21:08 -05:00
Joseph Schorr
4755d08677
Refactor and rename the standard OAuth services
2017-01-19 15:23:15 -05:00
Joseph Schorr
bee2551dc2
Temporarily remove Dex login support
...
This will be added back in later in this PR as part of proper generic OIDC support
2017-01-19 14:51:12 -05:00