* Adds handling for when a subscription returned from the subscription watch api has a quantity greater than 1. Number of private repos should be correctly calculated using the quantity.
* Updates ui so that subscriptions can only be added to an org as a group, i.e. a subscription with quantity = 2 cannot be split across organizations.
* billing: marketplace UI
adds UI in billing section for managing user and org-bound skus
add more unit tests for org binding
changed endpoint for bulk attaching skus to orgs
* update reconciliationworker to use webCustomerId instead of
ebsAccountNumber
* fix reconciler where it was incorrectly using the ebsAccountNumber to
create subscriptions
* add job to reconciler so that it reconciles different ids between the
database and the user api
* separate skus to be used by billing and skus to be used by reconciler
* api: add caching for get_repository method (PROJQUAY-6472)
* fixing formatting
* using pickle to serialize and deserialize objects
* adding model_cache parameter to lookup_repository func for interface and registry_proxy_model
* adding test
* formatting fix
* - added env option to select if we want to follow LDAP referrals
- added check on LDAP if the result is a list, it is an LDAP referral
* - change to config.yaml parameter option for enabling/disabling LDAP
referral lookups
- removed the per/method parameter and moved the referral into the Base
class
- verified behavior with changing the config.yaml option
`LDAP_FOLLOW_REFERRALS`
```
$ grep LDAP_FOLLOW_REFERRALS config.yaml
LDAP_FOLLOW_REFERRALS: 0
$ ./update_bundle
secret "quay-config-secret" deleted
secret/quay-config-secret created
deployment.apps/quay restarted
$ oc -n quay logs -f deploy/quay | grep referrals
gunicorn-web stdout | 2023-05-25 09:41:36,524 [74] [DEBUG] [data.users] LDAPUsers return referrals value 0
gunicorn-secscan stdout | 2023-05-25 09:41:38,093 [73] [DEBUG] [data.users] LDAPUsers return referrals value 0
gunicorn-registry stdout | 2023-05-25 09:41:38,410 [72] [DEBUG] [data.users] LDAPUsers return referrals value 0
$ sed -i -e " s#LDAP_FOLLOW_REFERRALS: 0#LDAP_FOLLOW_REFERRALS: 1#; " config.yaml
$ grep LDAP_FOLLOW_REFERRALS config.yaml
LDAP_FOLLOW_REFERRALS: 1
$ ./update_bundle
secret "quay-config-secret" deleted
secret/quay-config-secret created
deployment.apps/quay restarted
$ oc -n quay logs -f deploy/quay | grep referrals
gunicorn-secscan stdout | 2023-05-25 09:42:22,466 [72] [DEBUG] [data.users] LDAPUsers return referrals value 1
gunicorn-web stdout | 2023-05-25 09:42:22,496 [73] [DEBUG] [data.users] LDAPUsers return referrals value 1
gunicorn-registry stdout | 2023-05-25 09:42:23,658 [71] [DEBUG] [data.users] LDAPUsers return referrals value 1
```
* reformatted LDAPConnectionBulder call according to PEP
* fixed the formatting change according to pip black
* BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting
permission has been dropped. This impacts Users from LDAP
if they have not logged in already (pre provisioning).
the functions:
* _ldap_single_user_search
* _ldap_user_search
have been updated to provide `context` for dropping the LDAP query. As
the functions are used during login as well as during setting
permissions it is mandatory to be able to distinguish the context.
the functions:
* get_nonrobot_user
* find_user_by_email
from the module `data.model.user` have been utilized to identify, if the
user should be looked up in LDAP or not.
* Adding keepalive setting for LDAP connection in complex network
scenarios.
* removed PROJQUAY-5137 (part one) to simplify merging and rollback
-> Revert "BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting"
This reverts commit 8765093d73.
* fixed black
Currently if a new manifest is created that re-uses blobs already existing in the registry but not within the namespace it's possible for that manifest to be blocked if the newly referenced blobs exceed the quota limit. The issue being that the rejection only happens after the manifest has been created and tagged. This change blocks the manifest upload before the creation of the tag and prevents that tag from appearing in the UI and being pullable.
If the manifest upload get's rejected before the tag has been created for a new manifest, a temporary tag is created outside the time machine window so it is immediately available for GC.
* chore: pass config to isort as it doesn't always detect it
* chore: mark package "test" as local, not stdlib
* chore: remove "isort: skip_file"
* chore: fix app in test_load_security_information
* chore: fix app in test_notification
* chore: fix app in test_index_report
* add Postgresql client certificate authentication option
* user(robots): disallow robot login and create PROJQUAY-5968
Add a config flag `ROBOTS_DISALLOW` to turn off Robot login and creation
in Quay for all accounts.
with the Flag set existing Robots cannot login anymore
```
$ podman login -u milang+test2 -p W7B...HQA quay.example.com
Error: logging into "quay.example.com": invalid username/password
```
This behavior will be reported in the logs accordingly
```
gunicorn-registry stdout | 2023-08-24 19:08:01,907 [253] [WARNING] [auth.credentials] Failed to validate credentials for robot milang+test2: Robot account has been disabled. Please contact your administrator.
```
as well as in the UI when creating a Robot Account which will display
the `Robot account has been disabled. Please contact your
administrator.` message.
* Revert "add Postgresql client certificate authentication option"
need to branch for PR (stupid me)
This reverts commit f8f54eead2.
* fixed error message to proper english and added schema definition for the option
* add migration for orgrhskus table
* add endpoints for managing and listing skus bound to an org
* create checks in billing flow to look for org-bound skus
* refactor RH marketplace api objects to be more usable in tests
* update cypress test db data and exclude it from pre-commit hook formatting
In Clair 4.7, an API field documented to have version information in no
particular format may URL encode it. This change attempts to decode and
read a known field that contains the "fixed" version. If that fails, the
value will be passed through, as it is now.
Signed-off-by: Hank Donnay <hdonnay@redhat.com>
* Pagination: Fixing paginate for /api/v1/superuser/logs API
* using offset to fetch next page items
* adding datetime parsing
* using black to format code
* removing use_offset
* Removing redundant declaration
Garbage collect manifests no longer referenced in Quay from the
security scanner service.
Also moved quota related code from data/registry_model/ to data/model/
to avoid circular dependencies.
* config: Set feature flag default for new vulnerability notifications to True
(PROJQUAY-4659)
Change the default from `False` to `True` for
`FEATURE_SECURITY_SCANNING_NOTIFY_ON_NEW_INDEX`.
Since this flag addresses a bug, it should be enabled by default.
* add mock return values for unit tests
* api: allow robot token creation with a pre-defined token (PROJQUAY-5414)
This is for usecases where we want to explicitly create a robot token
with a pre-defined token in case of migration events when we migrate
from one quay to another, we can re-use the same robot token to
avoid resetting it in all places it is used
(PROJQUAY-5600)
Catch exception thrown when looking up tag `lifetime_start_ms` and set
`created_at` property for a manifest to None.
If `created_at` is None, don't calculate indexing SLI for manifest.
