Joseph Schorr
ab0172d2fd
Switch Quay to using an in-container memcached for data model caching
2018-02-27 16:55:22 -05:00
Joseph Schorr
8bc55a5676
Make namespace deletion asynchronous
...
Instead of deleting a namespace synchronously as before, we now mark the namespace for deletion, disable it, and rename it. A worker then comes along and deletes the namespace in the background. This results in a *significantly* better user experience, as the namespace deletion operation now "completes" in under a second, where before it could take 10s of minutes at the worse.
Fixes https://jira.coreos.com/browse/QUAY-838
2018-02-27 13:12:51 -05:00
josephschorr
d77aa9228f
Merge pull request #3002 from coreos-inc/joseph.schorr/QUAY-822/gc-app-tokens
...
Add a worker to automatically GC expired app specific tokens
2018-02-20 17:21:48 -05:00
Joseph Schorr
4d0ad0074d
Fix config schema for bitbucket trigger
2018-02-20 16:59:34 -05:00
Joseph Schorr
9a452ace11
Add configurable limits for number of builds allowed under a namespace
...
We also support that limit being increased automatically once a successful billing charge has gone through
2018-02-20 16:54:22 -05:00
Joseph Schorr
188ea98441
Add new decorator to prevent reflected text attacks
...
Instead of disabling repo names with periods in them, we simply disallow calls to the API when they are GET requests, whose path ends in a dot, and that do not have a referrer from the frontend.
2018-02-20 11:33:45 -05:00
Joseph Schorr
d45161b120
Add a worker to automatically GC expired app specific tokens
...
Fixes https://jira.coreos.com/browse/QUAY-822
2018-02-12 14:56:01 -05:00
Joseph Schorr
5490e64669
Fill out schema and schema whitelist
2018-02-06 15:27:01 -05:00
Joseph Schorr
7893ef6acc
Add test to ensure that all config.py properties are defined in the config schema
2018-02-06 15:26:31 -05:00
josephschorr
9f7b08d0ff
Merge pull request #2993 from coreos-inc/joseph.schorr/QUAY-797/pagination-size
...
Allow size of pages in V2 api to be configurable
2018-02-02 15:21:15 -05:00
Joseph Schorr
eae9175950
Allow size of pages in V2 api to be configurable
2018-02-02 13:54:41 -05:00
josephschorr
6514bf229f
Merge pull request #2973 from coreos-inc/joseph.schorr/QS-116/cloudfront-storage
...
Add support for configuring cloudfront storage
2018-02-02 10:14:28 -05:00
Joseph Schorr
b0f656731c
Add support for configuring CloudFront storage engine
...
Fixes https://jira.coreos.com/browse/QS-116
2018-01-31 11:22:14 -05:00
IvanCherepov
c228734978
Generates HTML documentation explaining all of configuration fields ( #2952 )
...
* create HTML documentation explaining all of schema's configuration fields
2018-01-24 14:09:29 -05:00
Joseph Schorr
524d77f527
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password
2018-01-04 15:27:41 -05:00
Joseph Schorr
72bfebdb60
Add license validation to the config validation check
...
Should prevent a customer from accidentally saving a config that violates their license
Fixes https://jira.coreos.com/browse/QS-97
2017-12-19 13:44:08 -05:00
IvanCherepov
c383ac1f9d
Add config validation on startup ( #2903 )
...
* WIP
* Finish schema
Add three sections: security scanning, bittorrent support and feature flags.
2017-12-01 10:46:39 -05:00
Joseph Schorr
74f99ba94a
Ensure encrypted passwords are not enabled with OIDC auth
...
Fixes https://jira.prod.coreos.systems/browse/QS-49
2017-10-31 16:03:28 -04:00
josephschorr
3bef21253d
Merge pull request #2695 from coreos-inc/oidc-internal-auth
...
OIDC internal auth support
2017-10-02 16:51:17 -04:00
Joseph Schorr
f51a863158
Remove access_token from user_info
2017-10-02 16:51:09 -04:00
Joseph Schorr
010dda2c52
Add CloudFrontedS3Storage, which redirects to CloudFront for non-S3 ips
2017-09-28 14:40:58 -04:00
Joseph Schorr
c105123ad4
Add superuser config for prefix autocomplete setting
2017-09-12 15:57:57 -04:00
Joseph Schorr
bc82edb2d1
Add ability to configure OIDC internal auth engine via superuser panel
2017-09-12 12:23:52 -04:00
Joseph Schorr
783799c227
Make team sync timeout config actually configurable
2017-09-06 14:08:30 -04:00
Joseph Schorr
751598056e
Enable support in OIDC for endpoints without user info support
...
The user info endpoint is apparently optional.
2017-08-01 13:24:27 -04:00
Antoine Legrand
2d60ad71b6
Print only first line of s3 error message
2017-07-27 18:05:06 +02:00
josephschorr
96d1fd128d
Merge pull request #2757 from coreos-inc/joseph.schorr/QUAY-606/logarchive-georep
...
Add support for QE customers to enable log rotation
2017-07-12 00:30:04 +03:00
Joseph Schorr
a13235c032
Fix typo
2017-07-10 18:35:51 +03:00
Evan Cordell
939ddfd1d7
Merge v2.4.0-release into cherrypick-2.4.0
2017-07-10 10:25:18 -04:00
Joseph Schorr
176c26e3f7
Add config validation for action log archiving
2017-07-10 13:09:33 +03:00
Antoine Legrand
cdb3722c17
Use $QUAYPATH and $QUAYDIR in conf and init files
2017-07-05 16:23:54 +02:00
Evan Cordell
d64b8b1fcf
Revert to old secret handling, fix license loading
2017-06-28 23:15:14 -04:00
Evan Cordell
ef459a2d18
Update the expected response layout for kubernetes config
2017-06-28 07:28:57 -04:00
Jimmy Zelinskie
e028e159c0
add app registry config to setup tool: default off
2017-06-16 15:44:00 -04:00
Jimmy Zelinskie
7d07c2ed07
util.config.validators: fix torrent validation
...
This code was mistaken the info dict with the params passed in an
announce request. Rather, now we expose a function for creating a jwt
from infohashes directly.
2017-06-09 13:31:38 -04:00
josephschorr
2ec43483a8
Merge pull request #2662 from coreos-inc/direct-login
...
Enable toggling of the direct login feature in the superuser panel
2017-05-24 16:51:43 -04:00
Joseph Schorr
2b9873483a
Enable toggling of the direct login feature in the superuser panel
...
Allows superusers to disable login to the UI via credentials if at least one OIDC provider is configured
2017-05-24 12:57:55 -04:00
Evan Cordell
20da91d879
Add tests for providers and update install script
2017-05-23 15:43:21 -04:00
Evan Cordell
01b59e8d66
ConfigProviders abstract over path construction
...
Fixes issue where certs can't be uploaded in UI in k8s
2017-05-17 08:12:09 -04:00
Joseph Schorr
4e09fff181
Remove test that breaks MySQL full DB tests
2017-05-02 16:04:46 -04:00
josephschorr
8b148bf1d4
Merge pull request #2576 from coreos-inc/full-db-tests-tox
...
Reenable full database testing locally and in concourse
2017-04-27 18:09:15 -04:00
Joseph Schorr
4ea4ee3aa4
Fix time machine config validator on old-style config
...
Existing config won't have the keys defined, so make sure we skip in that case (and just use the defaults)
2017-04-27 14:24:47 -04:00
Joseph Schorr
cb3695a629
Change config validator tests to use the shared fixtures
2017-04-24 16:45:14 -04:00
Joseph Schorr
3dcbe3c631
If enabled, allow users and orgs to set their time machine expiration
...
Fixes https://www.pivotaltracker.com/story/show/142881203
2017-04-21 11:32:45 -04:00
Joseph Schorr
ed3da4697f
Add client ID and client secret to OIDC config validator
2017-04-07 11:33:02 -04:00
Jake Moshenko
c7241911a5
Fix old-style flask imports to silence deprecation warnings.
2017-04-06 13:15:48 -04:00
Joseph Schorr
0b6c062e32
Add superuser panel config for team syncing
2017-04-03 11:31:30 -04:00
Joseph Schorr
a6486b7823
Gitlab validation must allow unspecified endpoint
...
Gitlab config validator currently requires the gitlab endpoint to be specified, even though we support leaving it unspecified for non-enterprise installs. Fix the validator to allow this case.
2017-03-30 12:57:41 -04:00
Joseph Schorr
45179216af
Have sec scan retries actually work
...
Until this change, if `ping` raised an exception, we wouldn't retry properly
2017-03-29 16:19:46 -04:00
Joseph Schorr
b017133cc6
Make QSS validation errors more descriptive
2017-03-24 17:28:16 -04:00
Jimmy Zelinskie
23759a1592
util.config.db: ensure blob locations sync on boot
2017-03-22 22:57:21 -04:00
Joseph Schorr
157640e696
Add config validator for OIDC logins
2017-02-28 16:18:19 -05:00
Joseph Schorr
88b808f468
Fix typo
2017-02-24 12:23:18 -05:00
Joseph Schorr
d4eb4f7f3c
Pull out github trigger and login validation into validator class
2017-02-24 12:23:18 -05:00
Joseph Schorr
a31f2267e8
Pull out gitlab trigger validation into validator class
2017-02-24 12:23:18 -05:00
Joseph Schorr
7a260d81d3
Pull out bitbucket trigger validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
49638b081b
Pull out google login validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
620e377faf
Pull out ssl validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
e76b95f0e6
Add S3 storage test to validator tests
2017-02-24 12:23:17 -05:00
Joseph Schorr
09b3cfd549
Pull out torrent validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
2944a4e13d
Pull out signing validation into validator class
2017-02-24 12:23:17 -05:00
Joseph Schorr
8844ecbb7c
Fix imports
2017-02-24 12:23:16 -05:00
Joseph Schorr
dcabb36ac7
Add TODO
2017-02-24 12:23:16 -05:00
Joseph Schorr
3db4c15459
Pull out security scanner validation into validator class
2017-02-24 12:23:16 -05:00
Joseph Schorr
c0f7530b29
Pull out JWT auth validation into validator class
...
Also fixes a small bug in validation (yay tests!)
2017-02-24 12:23:16 -05:00
Joseph Schorr
678f868bc4
Pull out keystone validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
c55ddf7341
Pull out ldap validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
2d64cf3000
Rename config validation source files
2017-02-24 12:23:15 -05:00
Joseph Schorr
00eceb7ed5
Pull out email validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
ee4f5ed5d6
Move registry storage validator to new location
2017-02-24 12:23:15 -05:00
Joseph Schorr
b2afe68632
Pull out redis validation into validator class
2017-02-24 12:23:15 -05:00
Joseph Schorr
f933b3e295
Pull out database validation into validator class
2017-02-24 12:23:14 -05:00
Joseph Schorr
484977f728
Refactor security scanner validation from single sleep to polling
2017-02-24 12:23:14 -05:00
josephschorr
01ec22b362
Merge pull request #2300 from coreos-inc/openid-connect
...
OpenID Connect support and OAuth login refactoring
2017-01-31 18:14:44 -05:00
Joseph Schorr
f5dbc350f8
Fix missed tests and revert conftest change (breaks docker build)
2017-01-30 17:28:25 -05:00
Joseph Schorr
d9003d1375
Make sure the parent dir of a file path exists before writing the file
...
Fixes when the `extra_ca_certs` directory doesn't exist when using the new custom certs tool
2017-01-26 15:15:40 -05:00
Joseph Schorr
4755d08677
Refactor and rename the standard OAuth services
2017-01-19 15:23:15 -05:00
Joseph Schorr
bee2551dc2
Temporarily remove Dex login support
...
This will be added back in later in this PR as part of proper generic OIDC support
2017-01-19 14:51:12 -05:00
Joseph Schorr
7e0fbeb625
Custom SSL certificates config panel
...
Adds a new panel to the superuser config tool, for managing custom SSL certificates in the config bundle
[Delivers #135586525 ]
2017-01-13 14:34:35 -05:00
Joseph Schorr
3a24871422
Add SSL certificate utility and tests
2017-01-10 17:06:13 -05:00
Joseph Schorr
f1c9965edf
Add more volume file operations and cleanup k8s provider code
2017-01-10 17:06:13 -05:00
Joseph Schorr
29d6abddb5
Linter fixes
2017-01-10 17:06:13 -05:00
Joseph Schorr
1e5b97318a
Fix loading of public keys for OIDC under Linux
...
Python's crypto lib under Linux has issues with loading PEM-encoded keys, so we just load it as a DER here and give PyJWT the key *instance* to use directly.
2016-12-09 14:26:56 -05:00
Joseph Schorr
dbdcb802b1
Add end-to-end OAuth login and attach tests
2016-12-08 18:35:42 -05:00
Joseph Schorr
236655adb4
Fix config validator for storage and add a test suite
...
Note that the test suite doesn't fully verify that each validation succeeds; rather, it ensures that the proper system (storage, security scanning, etc) is called with the configuration and returns at all (usually with an expected error). This should prevent us from forgetting to update these code paths when we change config-based systems. Longer term, we might want to have these tests stand up fake/mock versions of the endpoint services as well, for end-to-end testing.
2016-11-30 11:58:41 -05:00
josephschorr
74e54bdbbb
Merge pull request #1872 from coreos-inc/qe-torrent
...
Add QE setup tool support for BitTorrent downloads
2016-11-11 13:56:22 -05:00
Joseph Schorr
681f975df5
Add QE setup tool support for BitTorrent downloads
...
Fixes #1871
2016-11-02 17:32:12 -04:00
Joseph Schorr
d7f56350a4
Make email addresses optional in external auth if email feature is turned off
...
Before this change, external auth such as Keystone would fail if a user without an email address tried to login, even if the email feature was disabled.
2016-10-31 13:50:24 -04:00
Joseph Schorr
b3d1d7227c
Add support to Keystone Auth for external user linking
...
Also adds Keystone V3 support
2016-10-27 15:42:03 -04:00
Joseph Schorr
fbb524e34e
Add support to ExternalJWT Auth for external user linking
2016-10-27 15:42:03 -04:00
Joseph Schorr
2eabf1a291
Fix tests and test provider for real license format
2016-10-18 23:44:08 -04:00
Jake Moshenko
9f1c12e413
Refactor our license code to be entitlement centric.
2016-10-18 22:33:28 -04:00
Joseph Schorr
67f828279d
Switch the license validator to use config_provider and have a test license
...
Fixes the broken tests currently which try (and fail) to read the license file
2016-10-18 11:44:13 -04:00
Joseph Schorr
ee96693252
Add superuser config section for updating license
2016-10-17 21:44:25 -04:00
Jimmy Zelinskie
5fee4d6d19
*: misc formatting cleanup
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
6eb26d7998
configproviders: pass filemode when opening volume
2016-10-17 21:43:45 -04:00
Jimmy Zelinskie
0c5400b7d1
enforce license across registry blueprints
2016-10-17 21:43:45 -04:00
Joseph Schorr
8fe29c5b89
Add license upload step to the setup flow
...
Fixes #853
2016-10-17 21:43:15 -04:00
Joseph Schorr
5211c407ff
Add license checking to Quay
...
Based off of mjibson's changes
Fixes #499
2016-10-17 21:43:15 -04:00
Joseph Schorr
5a8200f17a
Add option to properly handle external TLS
...
Fixes #1984
2016-10-13 14:49:29 -04:00