When images are pulled by digest only (not by tag), the API endpoint
was returning 0 for manifest_pull_count because it ignored manifest_stats
when tag_stats was None.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
When FEATURE_SUPERUSERS_FULL_ACCESS=false, regular superusers could
create/update/delete quotas for other users' organizations (returning 201/200),
but couldn't view them (returning 403). This was a security bug - both read
and write operations should require FULL_ACCESS permission to access other
organizations' quotas.
Root cause: Organization quota write endpoints used SuperUserPermission().can()
instead of allow_if_superuser_with_full_access(), allowing any superuser to
modify other orgs' quotas regardless of the FULL_ACCESS setting.
Changes:
- endpoints/api/namespacequota.py: Replace SuperUserPermission().can() with
allow_if_superuser_with_full_access() in all quota write operations:
* OrganizationQuotaList.post() - create quota
* OrganizationQuota.put() - update quota
* OrganizationQuota.delete() - delete quota
* OrganizationQuotaLimitList.post() - create quota limit
* OrganizationQuotaLimit.put() - update quota limit
* OrganizationQuotaLimit.delete() - delete quota limit
- endpoints/api/test/test_superuser_full_access.py: Add comprehensive tests
for quota operations with and without FULL_ACCESS enabled (6 new tests)
Note: Superuser panel endpoints (/v1/superuser/users/<namespace>/quota)
were intentionally NOT changed - these are admin panel functions that should
work with basic superuser permission, consistent with other panel operations.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): Enable organization/user visibility for read-only superusers (PROJQUAY-6882)
Users listed under GLOBAL_READONLY_SUPER_USERS can now see all
organizations and users in the UI, matching regular superuser visibility
with read-only restrictions on actions.
- Update UseCurrentUser to include global_readonly_super_user in isSuperUser check
- Add Cypress tests for read-only superuser visibility and action restrictions
- Settings column actions correctly hidden via existing canModify permission
* fix(ui): Add global_readonly_super_user field to API responses (PROJQUAY-6882)
- Add global_readonly_super_user field to user API response in endpoints/api/user.py
- Allow read-only superusers to view organization teams in endpoints/api/organization.py
- Allow read-only superusers to view robot permissions in endpoints/api/robot.py
* fix(ui): Prevent read-only superusers from deleting orgs/users
Security fix: Read-only superusers should not be able to delete
orgs or users they don't own, even though they can view them.
* Fix inline import + incorrect assert + add codecov tests
---------
Co-authored-by: Claude <noreply@anthropic.com>
This fixes an issue where global readonly superusers were blocked from
accessing organization quota limit endpoints when FEATURE_SUPERUSERS_FULL_ACCESS
was set to false.
Fixed endpoints in endpoints/api/namespacequota.py:
- OrganizationQuotaLimitList.get() - List quota limits
- OrganizationQuotaLimit.get() - Get individual quota limit
Both endpoints now use the consistent permission pattern:
permission.can() OR
allow_if_global_readonly_superuser() OR
allow_if_superuser_with_full_access()
Added comprehensive tests in test_global_readonly_superuser.py:
- test_global_readonly_superuser_can_access_quota_limit_list
- test_global_readonly_superuser_can_access_individual_quota_limit
- test_regular_superuser_cannot_access_quota_limits_without_full_access
Test implementation uses autouse fixture to ensure FEATURE_SUPERUSERS_FULL_ACCESS
is disabled for all tests in the class, following the pattern from
TestOrganizationLogsAccessWithoutFullAccess.
Tests verify:
1. Global readonly superusers CAN access quota limits for auditing,
regardless of FEATURE_SUPERUSERS_FULL_ACCESS setting
2. Regular superusers are still blocked when FEATURE_SUPERUSERS_FULL_ACCESS
is false (correct security behavior)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* fix: allow global readonly superusers to access all organization data without FULL_ACCESS (PROJQUAY-9798)
This is a comprehensive fix for multiple endpoints where global readonly superusers
were incorrectly blocked from accessing organization data when
FEATURE_SUPERUSERS_FULL_ACCESS was set to false.
Fixed endpoints in endpoints/api/logs.py:
- OrgLogs.get() - Organization audit logs
- OrgAggregateLogs.get() - Aggregated organization logs
- ExportOrgLogs.post() - Export organization logs
Fixed endpoints in endpoints/api/team.py:
- TeamMemberList.get() - Team member list
- TeamPermissions.get() - Team repository permissions
Fixed endpoints in endpoints/api/organization.py:
- OrganizationMemberList.get() - Organization member list
- OrganizationMember.get() - Individual member details
- OrganizationApplications.get() - OAuth application list
- OrganizationApplication.get() - Individual application details
Fixed endpoints in endpoints/api/prototype.py:
- PermissionPrototypeList.get() - Default permission prototypes
All endpoints now use consistent permission logic:
permission.can() OR
allow_if_global_readonly_superuser() OR
allow_if_superuser_with_full_access()
Added comprehensive tests verifying:
1. Global readonly superusers CAN access all data for auditing, regardless
of FEATURE_SUPERUSERS_FULL_ACCESS setting
2. Regular superusers are still blocked when FEATURE_SUPERUSERS_FULL_ACCESS
is false (correct behavior)
* fix(test): ensure owners team exists for testorglogs org in test setup
Addresses review feedback from PR #4549 comment #2539202868.
The test was attempting to access the 'owners' team in 'testorglogs'
org, but the fixture only created the organization without creating
any teams. This could cause the test to receive a 404 (team not found)
instead of 403 (permission denied), making it pass for the wrong reason.
Also simplified the test logic to only expect 403 since the team now
exists in the fixtures, ensuring the test validates permission blocking
rather than missing resources.
This fixes a bug where global readonly superusers were incorrectly blocked
from accessing organization logs when FEATURE_SUPERUSERS_FULL_ACCESS was
set to false.
Changes:
- Updated OrgLogs.get() to allow global readonly superusers
- Updated OrgAggregateLogs.get() to allow global readonly superusers
- Updated ExportOrgLogs.post() to allow global readonly superusers
- Added comprehensive tests verifying the fix
The fix ensures that:
1. Global readonly superusers can ALWAYS access organization logs for
auditing purposes, regardless of FEATURE_SUPERUSERS_FULL_ACCESS setting
2. Regular superusers are still blocked from accessing organization logs
when FEATURE_SUPERUSERS_FULL_ACCESS is false (correct behavior)
All three endpoints now use consistent permission logic:
permission.can() OR
allow_if_global_readonly_superuser() OR
allow_if_superuser_with_full_access()
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <noreply@anthropic.com>
* Fix: Add lazy Redis connection with retry logic for pull metrics
- Implement lazy initialization to prevent startup failures when Redis unavailable
- Add retry logic (3 attempts, 1s delay) for automatic reconnection
- Add health checks before each Redis operation
- Improve error logging from DEBUG to WARNING level
- Fix silent failures after pod restart when Redis not immediately available
This fixes the issue where pull statistics tracking was permanently broken
after registry component restart if Redis wasn't available at startup.
---------
Co-authored-by: shudeshp <shudeshp@redhat.com>
fix(api): implement proper superuser permission model and fix access controls
Fixes multiple issues with superuser functionality and implements a comprehensive
permission model for FEATURE_SUPERUSERS_FULL_ACCESS:
**Permission Model:**
- Global Readonly Superusers (auditors): Always have read access to all content,
independent of FEATURE_SUPERUSERS_FULL_ACCESS setting
- Regular Superusers: Can access /v1/superuser endpoints and their own content.
Require FEATURE_SUPERUSERS_FULL_ACCESS=true for cross-namespace read access
- Full Access Superusers: Regular superusers with FULL_ACCESS enabled, can
perform CRUD on content they don't own
- Write operations: Only allowed for full access superusers (global readonly
superusers never get write access)
**Key Fixes:**
1. Fixed superuser panel endpoints returning 403 when FULL_ACCESS was disabled.
Basic panel operations (user list, logs, org list, messages) now work with
just FEATURE_SUPER_USERS enabled.
2. Updated decorators to properly differentiate between basic superuser
operations and permission bypass operations.
3. Implemented license bypass: Superusers with FULL_ACCESS now bypass
license/quota limits when creating or modifying private repositories.
4. Fixed 18 permission checks across 7 files to properly implement cross-namespace
access controls for different superuser types.
**Changes:**
- endpoints/api/__init__.py: Fixed allow_if_superuser(), require_repo_permission, and decorators
- endpoints/api/superuser.py: Updated SuperUserAppTokens permission check
- endpoints/api/organization.py: Updated 4 GET endpoints to require FULL_ACCESS
- endpoints/api/namespacequota.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/team.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/prototype.py: Updated 1 GET endpoint to require FULL_ACCESS
- endpoints/api/policy.py: Updated auto-prune policy endpoints
- endpoints/api/robot.py: Updated robot endpoints
- endpoints/api/build.py: Updated repository build logs
- endpoints/api/repository.py: Added license bypass for superusers with FULL_ACCESS
- endpoints/api/repository_models_pre_oci.py: Updated repository visibility query
- endpoints/api/logs.py: Fixed log access to require FULL_ACCESS for permission bypass
- endpoints/api/test/test_superuser_full_access.py: Added comprehensive test suite
- endpoints/api/test/test_appspecifictoken.py: Updated test mocking and added 403 test
- test/test_api_usage.py: Updated test expectations for license bypass behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* notifications: Support slash in repository names (PROJQUAY-7538)
Fix for PROJQUAY-7538 discussed in #3069 by only considering the first slash when separating namespace and repository.
* Test and devcontainer
* Remove devcontainer.json
* Revert irrelevant test change.
feat: Add image pull statistics API endpoints and UI integration
- Add new API endpoints for tag and manifest pull statistics
- Integrate pull metrics into web UI with new table columns
- Add FEATURE_IMAGE_PULL_STATS feature flag and PULL_METRICS_REDIS config
- Add pullstatsredisflushworker to supervisord configuration
- Add comprehensive test coverage for pull statistics functionality
Co-authored-by: shudeshp <shudeshp@redhat.com>
Update global read‑only superuser capability for API v2 and standardize registry authentication/authorization behavior. Centralize permission checks via decorators, refine bearer token issuance and scope handling, and align HTTP status codes across v2 endpoints. Update unit, integration, and protocol tests to validate the new contract.
* Fix missing axios import
* Rewrite OAuth error for react to show a new error component
* Rewrite tests for OAuth flow
* Fix navigating to /signin from Headertoolbar
* replace url_for() with urlencode + add config setting for test suite
* Add checks before embedding redirect url + redesign OAUTH error screen
Implements global read-only superuser permissions for v1 endpoints, adjusts superuser write checks, and updates app token listing and detail endpoints; includes comprehensive tests.
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Add ngnix routing logic to default to react UI for downstream
* Remove defaulting from env, update Makefile to build react by default for local
* Add cypress test for signin and create account workflow
* Add missing routes + fallback to backend server
* Hide UI toggle when defaulting to new UI
* Adds forgot password + recovery email, recaptcha, missing login checks
* Add external login screen + support for other login types for new UI
* Add new screen for update user after external login
* Add authorized apps section under external logins tab
* Implement updateuser react component + fix cypress test
* Fix external login OAuth flow for react
* switch logic to default to new ui
* Add DEFAULT_UI: angular to config for cypress CI
* Fix cypress tests for oauth-callback
* Rebase and fix merge conflicts
---------
Signed-off-by: harishsurf <hgovinda@redhat.com>
test(oidc): add comprehensive PKCE test coverage with improved diagnostics (PROJQUAY-9281)
Add extensive test suite for PKCE (Proof Key for Code Exchange) functionality
across multiple layers of the application:
Test Coverage:
- Core PKCE utilities (code_verifier generation, S256 challenge computation)
- OAuth base class integration with PKCE parameters
- OIDC service with PKCE fixtures and authorization scenarios
- Dedicated PKCE flow testing (S256/plain methods, public client support)
- API endpoint integration for user PKCE operations
- Login flow integration with session-based verifier storage
Features Tested:
- S256 and plain code challenge methods
- Public client support (omitting client_secret)
- Session-based code_verifier storage and retrieval
- Error handling for missing/invalid verifiers
- Integration with existing OIDC authorization flows
- Descriptive assertion messages for CI diagnostics
All tests include informative error messages with expected vs actual values
to improve debugging in CI environments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement PKCE (Proof Key for Code Exchange) for OIDC authentication to enable
support for public clients and improve OAuth security.
Changes:
- Add oauth/pkce.py with code_verifier generation and S256/plain challenge methods
- Extend OAuthService to support extra auth/token params and public clients (no client_secret)
- Implement PKCE in OIDCLoginService with code_verifier token exchange
- Store PKCE verifier in session during auth initiation (endpoints/api/user.py)
- Add get_pkce_code_verifier() helper with defensive type checking
* Encapsulates pkce_enabled check and session data extraction
* Uses isinstance(data, dict) for safe type validation
* Centralizes logic across OAuth callbacks (callback, attach, cli)
- Include example Keycloak PKCE config in local-dev/stack/config.yaml
Security improvements:
- PKCE method validation to fail fast on invalid configuration
- Defensive session data validation in OAuth callbacks
- Explicit Content-Type headers for form-encoded OAuth requests
- Optimized non-verified JWT decode (skips unnecessary key fetching)
- Exponential backoff for token exchange retries (0.5s, 1.0s, 2.0s)
Configuration:
- PKCE is opt-in via USE_PKCE config (default: disabled)
- OIDC_SERVER must end with trailing slash
- Use host.containers.internal with podman for local dev
Co-authored-by: Claude <noreply@anthropic.com>
This PR adds the OAuth application workflow to the new Quay UI.
All UI components and functionality that existed in the legacy UI should now be working in the new React-based UI with Patternfly 5. Also added a full test suite for the OAuth application functionality.
* mirror: Add job timeout to mirror configurations (PROJQUAY-7249)
Previous global job timeout of 5 minutes was inadequate for big images. The timeout should now be configurable in much the same way as sync is. Minimum job length is 300 seconds/5 minutes.
The PR is still work in progress.
* Fix init db, remove reference to user data in logs
* Fix tests, change repo mirror configuration
* Fix tests, make mirroring cancellable through UI
* Add cancel mirror test, change HTML document to reflect mirror timeout
* Flake8 doesn't like when '==' is used with 'None'
* Fix mirror registry tests
* Add new cypress data to fix cypress tests
* Added ability to define upload chunk size to RADOS driver, small changes to repo mirror HTML page
* Fix database migration to follow HEAD
* Upload new database data for Cypress tests
* Make skopeo_timeout_interval mandatory on API calls
---------
Co-authored-by: Ivan Bazulic <ibazulic@redhat.com>
* v2: Disallow push of manifests with negative layer size (PROJQUAY-8560)
Under certain conditions, clients may create a manifest (OCI or Docker v2) that contains negative layer sizes. Our current validation schema does not take that corner case into account, it only checks if the manifest is properly formatted or not. With this change, Quay will reject manifests that have negative layer sizes and raise a `400` with a proper exception. An example can be seen here:
~~~
gunicorn-registry stdout | 2025-02-10 22:34:54,930 [377] [ERROR] [endpoints.v2.manifest] failed to parse manifest when writing by tagname
gunicorn-registry stdout | Traceback (most recent call last):
gunicorn-registry stdout | File "/quay-registry/endpoints/v2/manifest.py", line 362, in _parse_manifest
gunicorn-registry stdout | return parse_manifest_from_bytes(
gunicorn-registry stdout | File "/quay-registry/image/shared/schemas.py", line 40, in parse_manifest_from_bytes
gunicorn-registry stdout | return DockerSchema2Manifest(manifest_bytes)
gunicorn-registry stdout | File "/quay-registry/image/docker/schema2/manifest.py", line 172, in __init__
gunicorn-registry stdout | raise MalformedSchema2Manifest("layer size is negative")
gunicorn-registry stdout | image.docker.schema2.manifest.MalformedSchema2Manifest: layer size is negative
gunicorn-registry stdout | 2025-02-10 22:34:54,931 [377] [DEBUG] [endpoints.v2] sending response: b'{"errors":[{"code":"MANIFEST_INVALID","detail":{"message":"failed to parse manifest: layer size is negative"},"message":"manifest invalid"}]}\n
~~~
* Add tests, changed error message on malformed manifest exception
* Fix v2 API test
* Add match expression to pytest to make sure a proper exception is raised
* Add exception for layers with size 0 bytes, fix tests
* Fix indentation on previous changes
* Fix indetation
* db: use iterator chain for _get_user_repo_permissions (PROJQUAY-8839)
Unwrapping can cause increase in CPU. Use iterator chain to let
the caller unwrap
* initial checkin for the superuser/config endpoint to show how its intended to return data
bug: fixing NaN value error for quota displayed on member org page (PROJQUAY-6465) (#3224)
bug: fixing NaN value error for quota displayed on member org page (PROJQUAY-6465)
fixed black formatting
fixed flake and black formatting
fixed isort formatting
test need to be updated for superuser endpoints. There is no explicit superuser token test so globalreadonlysuperuser shall succeed too
fixed double json encoding
changed naming to comply with other SuperUserClasses, added SuperUserPermission check as scope only isnt sufficient
fixed another black error
fixed response for devtable check
fixed response for devtable as that is a superuser
fixed black format :/
added allow_if_global_readonly_superuser to config endpoint
repush for checks
fixed app.logger to module specific logger ; added missed SCHEMA return
added unittest for checking superuser config dump API call (no clue if the unittests build up a full setup since we mock all kind of stuff in the other calls)
removed env PWD check as it seems to be unset in the github runners
added missing unittest step
added FeatureFlag for config dump
formatting
* removed wrong commit in the branch
* changed from route decorator to in method check and changed unittests to fail as the default config is to deny the request
* added one test for security_tests
* rebumped the security tests
* db: optimize _get_user_repo_permissions to send to read replica (PROJQUAY-8839)
it uses a union query which doesn't invoke the replica selection
logic. Make this into 2 seperate queries
* fix unit tests
Fixes bug where removing a MW02702 sub after all it's quantities have been bound causes the next item in the subscription list to be skipped over, resulting in a malformed api response for the marketplace endpoint.
Fixes a bug where the annotation is required at the manifest level even if artifactType is present. The modelcard should only be indicated by the artifact type and layer annotation for oci artifacts.
* ui: implement change to render modelcard stored in layers (PROJQUAY-8412)
When a manifest has certain annotations or artifactTypes, render the
applicable modelcard markdown in a new tags detail tab.
* removing untar when fetching model card
* removing extra api calls
* Add modelcar check tests
---------
Co-authored-by: bcaton <bcaton@redhat.com>
* ui: Expand support for customized footer links (PROJQUAY-5648)
Previous iteration only allowed changes to the terms of service. With this push, all footer links should be customizable through the `FOOTER_LINKS` object. Example:
~~~
FOOTER_LINKS:
TERMS_OF_SERVICE_URL: "some_url"
PRIVACY_POLICY_URL: "some_url"
SECURITY_URL: "some_url"
ABOUT_URL: "some_url"
~~~
Missing entries will not be printed out in the UI.
* Fixes to parsing of config object
* Add type annotation
* marketplace: splittable sku for MW02702 (PROJQUAY-8151)
* Alembic migration to drop unique constraint on the orgrhsubscriptions
table
* Can split sub quantities of MW02702 across multiple orgs
* Can specify quantity for the MW02702 SKU across orgs on react UI
* Update angular UI to allow user to specify quantities for MW02702
* auth: Implement is_restricted_user for OIDC and allow super users to create content regardless of set restriction (PROJQUAY-8208)
Currently, if OIDC is set as an authentication mechanism and restricted users is set, Quay will return a `501 Not Implemented` on invocation. Now, Quay will properly check the restricted user whitelist for federated users.
Additionally, if user restriction is in place and super user's username was **not** explicitly whitelisted, super users would not be able to create new content inside the registry. Now, the username is explicitly checked in the UI to allow super users to create both organizations and repos regardless of restricted users whitelist.
* Add tests
* Add tests for usermanager
* logs: Audit export logs requests (PROJQUAY-7679))
We add the ability to audit export logs requests that were previously not tracked.
* Add UI elements to properly render new audit log
* Truncate date/time column on exterme zooms
* Add initdb.py entries
* Fix migration and add test db data
* Add test database and fix migration paths
* Changed logging mechanism to grab raised exceptions
* Fix improper import
* Add date/time timestamp to saved metadata
* Change message on export logs screen in UI
* Changed message in old UI as well
* Change log description in new UI too
* Simplify call logic and add additonal information to logged errors
robots: Add robot federation for keyless auth (PROJQUAY-7652)
adds the ability to configure federated auth for robots by
using external OIDC providers. Each robot can be configured
to have multiple external OIDC providers as the source for
authentication.
Allows users to specify a regex tag pattern when creating namespace/repository autoprune policies via the new UI. Users will have the option to prune tags that only match the tag pattern or exclude tags that match the tag pattern.
* api: Add ability to delete tags via v2 call (PROJQUAY-7599)
The deletion of tags was previously not supported by the Docker v2 API. Current versions of both the OCI spec and Docker v2 API provide this ability, hence adding it to Quay as well. See [OCI spec](https://github.com/opencontainers/distribution-spec/blob/main/spec.md) for more details.
* Fix test call
* Add missing argument to test
* Add security tests
* Enable conformance tests
* Switch to v1.1.0 instead of release candidate for conformance tests
* Revert changes to conformance tests
* storage: Disable pushes on registry (PROJQUAY-6870)
The current read-only option for Quay is not sometimes feasible, since it requires an insert of the service key and other manual config changes. For instance, if you want to just recalculate quota on the registry, but would like to allow all registry operations (including UI) without the possibility of pushes until recalculation is done, setting the whole registry `read-only` cannot be done since it makes the database read only as well.
This PR introduces a new flag called `DISABLE_PUSHES` which allows all registry operations to continue (changing tags, repo editing, robot account creation/deletion, user creation etc.) but will disable pushes of new images to the registry (i.e. backend storage will not change). If a registry already contains the image and a new tag is simply being added, that operation should succeed.
The following message would appear in the logs:
~~~
gunicorn-registry stdout | 2024-03-13 20:19:49,414 [369] [DEBUG] [endpoints.v2] sending response: b'{"errors":[{"code":"METHOD NOT ALLOWED","detail":{},"message":"Pushes to the registry are currently disabled. Please contact the administrator for more information."}]}\n'
gunicorn-registry stdout | 2024-03-13 20:19:49,414 [369] [INFO] [gunicorn.access] 172.17.0.1 - - [13/Mar/2024:20:19:49 +0000] "PUT /v2/ibazulic/mariadb/manifests/sha256:c4694ba424e0259694a5117bbb510d67340051f0bdb7f9fa8033941a2d66e53e HTTP/1.1" 405 169 "-" "skopeo/1.9.3"
nginx stdout | 172.17.0.1 (-) - - [13/Mar/2024:20:19:49 +0000] "PUT /v2/ibazulic/mariadb/manifests/sha256:c4694ba424e0259694a5117bbb510d67340051f0bdb7f9fa8033941a2d66e53e HTTP/1.1" 405 169 "-" "skopeo/1.9.3" (0.002 3813 0.002)
~~~
The flag defaults to `False` (pushes enabled), unless set otherwise.
* Removed constraint on storage replication when pushes are disabled
* Rebase
* Fix isort sorting
* Fix isort sorting #2
* Removed constraint on storage replication when pushes are disabled
* Rebase
* Remove constraint on storage replication worker
* Fix linting on config.py
