mirror of https://github.com/quay/quay.git synced 2026-01-26 06:21:37 +03:00

481 Commits

Author SHA1 Message Date
jbpratt
73d2e2f444 feat(endpoints): add immutability policy API endpoints (PROJQUAY-10160) (#4934)
Add REST API for managing immutability policies at organization and
repository levels. Integrate policy evaluation into tag creation.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-22 15:30:09 +00:00
jbpratt
2e8295b7a1 feat(data): add immutability policy data layer (PROJQUAY-10160) (#4933)
Add database models, migration, and CRUD functions for namespace and
repository immutability policies. Policies define regex patterns that
automatically mark matching tags as immutable when created.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-21 17:09:50 +00:00
jbpratt
ce559b770d feat(data): add quay.immutable manifest label support (PROJQUAY-10161) (#4926)
Add label handler for quay.immutable manifest label that automatically
marks associated tags as immutable when images are pushed with
LABEL quay.immutable=true in their Dockerfile. Only "true" value
(case-insensitive) triggers immutability; other values are ignored.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-20 10:44:37 -05:00
Shaon H
92b6f4729a feat(mirror): organization-level mirror config CRUD APIs (PROJQUAY-1266) (#4923)
* mirror: Add FEATURE_ORG_MIRROR feature flag (PROJQUAY-1266)

Add organization-level repository mirroring feature flag to enable
the new org mirroring functionality. Feature is disabled by default.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* mirror: Add GET endpoint for org mirror config (PROJQUAY-1266)

Implements the GET /v1/organization/<org>/mirror endpoint to retrieve
organization-level mirror configuration. Includes business logic layer
with get_org_mirror_config() and comprehensive unit tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* mirror: Add POST endpoint for org mirror config (PROJQUAY-1266)

Add create endpoint for organization-level mirror configuration:
- POST /v1/organization/<orgname>/mirror creates new config
- Validates robot account ownership and credentials
- Returns 201 on success, 409 if config already exists

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* mirror: Add DELETE endpoint for org mirror config (PROJQUAY-1266)

Add delete endpoint for organization-level mirror configuration:
- DELETE /v1/organization/<orgname>/mirror removes config
- Also deletes all associated discovered repositories
- Returns 204 on success, 404 if config doesn't exist

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* mirror: Add PUT endpoint for org mirror config (PROJQUAY-1266)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix test failure

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 16:01:15 -08:00
jbpratt
c3aaa87c47 fix(organization): optimize get_organization_member_set to accept IDs directly (PROJQUAY-900) (#4918)
Eliminate N+1 lazy-load queries by accepting user IDs instead of User objects.

## Problem

When checking organization membership for permissions, the old code triggered
a lazy-load query for EACH permission just to extract the user ID:

```python
# Old caller pattern - triggers N lazy-loads!
users_filter = {perm.user for perm in repo_perms}
org_members = get_organization_member_set(org, users_filter=users_filter)
```

For an endpoint returning 50 permissions, this caused 50 extra SELECT queries.

## Solution

Accept user IDs directly via `user_ids_filter` parameter:

```python
# New pattern - no lazy-loads!
user_ids_filter = {perm.user_id for perm in repo_perms}
org_members = get_organization_member_set(org, user_ids_filter=user_ids_filter)
```

The `user_id` foreign key field is already populated on the model - accessing
it doesn't require a database query.

## Changes

- Renamed `users_filter` → `user_ids_filter` parameter
- Accept set of integer IDs instead of User objects
- Updated 6 call sites in permission_models_pre_oci.py and prototype.py
- Added comprehensive test coverage

## Performance Impact

For get_repo_permissions_by_user with 50 permissions:
- Before: 50 lazy-load queries
- After: 0 queries

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 14:17:08 -06:00
jbpratt
2f476b2304 fix(data): set expiry on manifest list tags for existing manifests (PROJQUAY-7245) (#4798)
When a manifest list was pushed with multiple tags, only the first tag
got the expiration from child manifest labels. Subsequent tags showed
"Never" because list_manifest_labels() only checked labels directly on
the manifest list, not on child manifests.

Added _get_expiry_label_for_manifest() helper that properly queries
child manifest labels for manifest lists, matching the intersection
logic used during initial manifest creation.

Co-authored-by: Claude <noreply@anthropic.com>
2026-01-16 14:47:02 -06:00
jbpratt
e0f76d9558 fix(data): use peewee pragmas param for SQLite config (PROJQUAY-9799) (#4830)
Replace custom connect() wrapper with peewee's built-in pragmas
parameter to fix SQLite connection failure after OMR upgrade.

The previous implementation called execute_sql() inside connect(),
which triggered retry logic on failure, causing infinite recursion
and connection state corruption. Using peewee's native mechanism
applies PRAGMAs via the raw cursor before connect() returns.

Co-authored-by: Claude <noreply@anthropic.com>
2026-01-16 15:16:20 -05:00
Shaon H
690daa320f feat(mirror): organization-level mirroring database models (PROJQUAY-10041) (#4880)
Add database schema for organization-level repository mirroring feature that enables syncing all repositories from a source namespace into a target Quay organization.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-16 08:27:43 -08:00
jbpratt
a49ccd6333 feat(endpoints): add tag immutability API layer (PROJQUAY-10159) (#4839)
Expose tag immutability through the existing tag REST API endpoint.
This adds:
- immutable field to PUT /api/v1/repository/{repo}/tag/{tag}
- TagImmutable 409 exception for blocked operations
- immutable field in tag list responses
- Exception handling for DELETE and PUT on immutable tags

Write permission required to lock, admin required to unlock.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-16 11:09:14 -05:00
Marcus Kok
2bc11ea067 mirror: Add architecture filter to RepoMirrorConfig (PROJQUAY-10255) (#4852)
* mirror: Add architecture filter to RepoMirrorConfig (PROJQUAY-10255)

Adds architecture_filter field to filter multi-arch images during mirroring.
Supports amd64, arm64, ppc64le, s390x, 386, and riscv64 architectures.
Empty/null value mirrors all architectures (backwards compatible).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* shrink valid arches for repo mirroring to only the necessary ones

* run formatter on file

* fix unit test

* validate arch before setting

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-14 13:36:40 -05:00
jbpratt
2e3dd39ae8 feat(data): add tag immutability enforcement layer (PROJQUAY-10158) (#4822)
This commit implements the core enforcement layer for tag immutability,
which prevents immutable tags from being deleted, overwritten, or
permanently removed from the time machine.

Changes:
- Add ImmutableTagException class with tag_name, operation, and
  repository_id fields for detailed error reporting
- Enforce immutability in delete_tag() - raises exception for immutable tags
- Enforce immutability in retarget_tag() - prevents overwriting immutable
  tags, respects raise_on_error parameter
- Enforce immutability in remove_tag_from_timemachine() - blocks permanent
  deletion for both alive and expired immutable tags
- Add is_tag_immutable() - returns True/False/None for tag lookup
- Add set_tag_immutable() - updates immutability with optimistic locking

The immutable column, indexes, and log entry kind were previously added
in migration 5b8dc452f5c3. This commit adds the enforcement logic and
utility functions that use those database structures.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2026-01-13 08:37:05 -06:00
Syed Ahmed
7eacbffd11 oci: Sparse index support for OCI indexes (PROJQUAY-3114) (#4736)
* feat: Add FEATURE_SPARSE_INDEX config for sparse manifest index support

When enabled, manifests in an index that cannot be loaded will be
skipped if their architecture is not in the SPARSE_INDEX_REQUIRED_ARCHS
list. This allows for sparse manifest indexes where not all architectures
are required to be present.

New config options:
- FEATURE_SPARSE_INDEX: Enable sparse manifest index support (default: False)
- SPARSE_INDEX_REQUIRED_ARCHS: List of architectures that must be present

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 14:29:12 -05:00
Ryan Wallace
225f28f507 chore(deps): upgrade redis version, remove redis-py-cluster (PROJQUAY-9314) (#4703)
* chore(deps): upgrade redis version, remove redis-py-cluster

* chore: adjust deps

* test: adjust tests

* docs: add comments about backwards compatible conversions
2026-01-05 21:02:43 +00:00
Ryan Wallace
a06cc6fa43 chore: update all black versions to 24.4.2 and run make black (#4754)
* chore(pre-commit): match black version with requirements-dev

* run `make black` against repo

* ci: switch to black 24.4.2

* fix: py312

* fix: flake8 errors

* fix: flake8 conflicts

* chore: add git blame ignore revs file
2025-12-19 11:29:53 -06:00
jbpratt
963a90ecdd fix(ldap): eliminate redundant conn in user search methods (PROJQUAY-7057) (#4720)
Each LDAP user search was creating two connections: one just to verify
admin credentials worked, then another for the actual search. This
doubled the load on LDAP servers. Consolidated into a single connection
block with proper error handling for INVALID_CREDENTIALS.

Affected methods:
- _ldap_user_search(): Core search used by most LDAP operations
- at_least_one_user_exists(): User existence checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-15 09:56:03 -06:00
jbpratt
ced2c6ffa8 feat(endpoints,web): add audit logs for quota configuration (PROJQUAY-9859) (#4692)
Adds audit logging for all quota management operations:
- org_create_quota, org_change_quota, org_delete_quota
- org_create_quota_limit, org_change_quota_limit, org_delete_quota_limit

Backend changes:
- Add LogEntryKind types in initdb.py
- Add log_action calls in namespacequota.py endpoints
- Add Alembic migration for new log kinds
- Add unit tests for audit logging

Frontend changes:
- Add log descriptions in UseLogDescriptions.tsx
- Add Cypress e2e test for quota log display

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
2025-12-09 09:44:10 -06:00
jbpratt
52a5a85f7f fix(data): clear pull statistics when tags are deleted (PROJQUAY-9887) (#4667)
When a tag is deleted and re-pushed, pull statistics now start fresh
at 0 instead of persisting from the deleted tag.

Changes:
- Clear TagPullStatistics in _delete_tag()
- Clear TagPullStatistics in remove_tag_from_timemachine()
- Add tests for tag deletion clearing pull statistics
- Add test for re-push scenario starting with fresh stats

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-12-03 10:22:39 -06:00
Harish Govindarajulu
a97ca5c231 fix(oauth): prevent redirect URI validation bypass (PROJQUAY-9849) (#4635)
* fix(oauth): prevent redirect URI validation bypass (PROJQUAY-9849)

Co-authored-by: Claude <noreply@anthropic.com>

* test(oauth): add comprehensive coverage for redirect URI validation (PROJQUAY-9849)

Co-authored-by: Claude <noreply@anthropic.com>

* fix(oauth): add percent-encoding protection and improve test coverage (PROJQUAY-9849)

Co-authored-by: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-11-25 13:26:38 -05:00
jbpratt
71d219cc35 fix(test): prevent MySQL deadlocks in parallel proxy model tests (PROJQUAY-0000) (#4605)
* fix(test): prevent MySQL deadlocks in parallel proxy model tests (PROJQUAY-0000)

Mark all registry proxy model test classes to run serially using
pytest-xdist group markers. These tests all use the same "quayio-cache"
organization and were causing MySQL deadlocks when run in parallel
across multiple workers with pytest -n auto.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(test): resolve Flask app naming conflict in quotaregistrysizeworker tests (PROJQUAY-0000)

Import Flask app with alias to avoid conflict with pytest 'app' fixture.
The test was using 'app.config' but 'app' resolved to a pytest fixture
definition instead of the Flask application object.

Follows the same pattern as test_securityscanningnotificationworker.py.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>

---------

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-11-24 15:28:34 +05:30
jbpratt
08153b6660 chore: CI runtime improvements (#4586)
* chore: update ci to use new large ubuntu 24.04 runner

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-Authored-By: Dave O'Connor <doconnor@redhat.com>

* fix: add libfreetype6-dev for Ubuntu 24.04 compatibility

The reportlab package requires FreeType development headers to build.
On Ubuntu 24.04, this dependency is not pulled in transitively and
must be explicitly installed. This fixes the "cannot find ft2build.h"
build error.

Added libfreetype6-dev to all jobs that install system dependencies
in CI.yaml and CI-nightly.yaml workflows.

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-Authored-By: Dave O'Connor <doconnor@redhat.com>

* chore: set the TEST_DATETIME to a static value

this caused an issue in xdist when generating test names

Signed-off-by: Brady Pratt <bpratt@redhat.com>

* chore: cache pip packages in CI

Signed-off-by: Brady Pratt <bpratt@redhat.com>

* chore: run registry tests with -n auto

Signed-off-by: Brady Pratt <bpratt@redhat.com>

* chore: run psql with -n auto

Signed-off-by: Brady Pratt <bpratt@redhat.com>

* chore: add file locking to prevent parallel test db init race condition

When running pytest -n auto with multiple workers, both workers would
simultaneously execute populate_database(), causing duplicate key
violations on shared tables like imagestoragelocation:

Worker 1: Check if User "devtable" exists → No → Start populating
Worker 2: Check if User "devtable" exists → No → Start populating
Both: INSERT INTO imagestoragelocation (name) VALUES ('local_eu')
Result: IntegrityError - duplicate key violation

Solution: Wrap init_db_path fixture with FileLock to ensure only one
worker initializes the database at a time. The lock file is created
in pytest's shared temp directory, coordinating across all workers.

- First worker acquires lock and populates database
- Subsequent workers wait at lock, then see database is already
  populated (via User.get() check in populate_database())
- Works for both PostgreSQL and MySQL
- 300-second timeout prevents deadlocks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: run mysql with -n auto

Signed-off-by: Brady Pratt <bpratt@redhat.com>

---------

Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Dave O'Connor <doconnor@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-11-20 09:01:18 -05:00
Shubhra Deshpande
3d2248d723 pullstats: updated bulk upsert function to track correct pull count and timestamp in case of race condition (PROJQUAY-9684) (#4463)
pullstats: updated bulk upsert function to track correct pull count and timestamp in case of race condition

Co-authored-by: shudeshp <shudeshp@redhat.com>
2025-11-14 09:48:23 -05:00
Jordi Piriz
747d1694cd revert: tracing improving otlp handling (PROJQUAY-8902) (#4438)
Revert "tracing: improving otlp handling (PROJQUAY-8902) (#4198)"

This reverts commit 89e758846f.
2025-11-03 16:17:32 +01:00
Shubhra Deshpande
aad7ffc89f feat: Added garbage collection hook for TagPullStatistics and ManifestPullStatistics tables (PROJQUAY-7176) (#4405)
feat: Added garbage collection hook for TagPullStatistics and ManifestPullStatistics tables

Co-authored-by: shudeshp <shudeshp@redhat.com>
2025-10-28 14:35:28 -04:00
Shubhra Deshpande
240d6441ba feat: Add image pull statistics API endpoints and UI integration (PROJQUAY-7176) (#4382)
feat: Add image pull statistics API endpoints and UI integration

- Add new API endpoints for tag and manifest pull statistics
- Integrate pull metrics into web UI with new table columns
- Add FEATURE_IMAGE_PULL_STATS feature flag and PULL_METRICS_REDIS config
- Add pullstatsredisflushworker to supervisord configuration
- Add comprehensive test coverage for pull statistics functionality

Co-authored-by: shudeshp <shudeshp@redhat.com>
2025-10-27 15:19:52 -04:00
Michaela Lang
89e758846f tracing: improving otlp handling (PROJQUAY-8902) (#4198)
improve OpenTelemetry implementation
2025-10-23 12:20:34 -04:00
Dave O'Connor
d83e2c8647 feat(api v1): global readonly superuser support and app token visibility (PROJQUAY-8279) (#4276)
Implements global read-only superuser permissions for v1 endpoints, adjusts superuser write checks, and updates app token listing and detail endpoints; includes comprehensive tests.

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-10-21 15:00:59 -04:00
Shubhra Deshpande
ba57ee67e6 db: Added TagPullStatistics and ManifestPullStatistics tables with migrations (PROJQUAY-8414) (#4318)
Added TagPullStatistics and ManifestPullStatistics tables with migrations



---------

Co-authored-by: shudeshp <shudeshp@redhat.com>
2025-10-07 10:59:37 -04:00
Shubhra Deshpande
d10032d27c bug: Add configurable timeout to Splunk HEC requests (PROJQUAY-9375) (#4248)
Add configurable timeout to Splunk HEC requests

Co-authored-by: shudeshp <shudeshp@redhat.com>
2025-09-08 14:57:09 -04:00
Brandon Caton
cc5663b5f2 usagelogs: increasing elasticsearch conn timeout (PROJQUAY-9061) (#4246)
2025-09-08 14:22:57 -04:00
Harish Govindarajulu
cc637dd40e sqlite: Add retry with exponential backoff for sqlite (PROJQUAY-8758) (#4240)
Add retry with exponential backoff for sqlite (PROJQUAY-8758)

Sqlite runs into db lock contention when the
worker count is set to 1. This adds retry logic
to resolve lock contention

Signed-off-by: harishsurf <hgovinda@redhat.com>
2025-09-08 09:22:49 -04:00
Brandon Caton
c843bf2104 quota: only create notification if one doesn't already exist (PROJQUAY-8857) (#4092)
Add check if a notification exists before creating another. Previously many notifications were being created causing tables to inflate.
2025-09-02 09:12:32 -04:00
Brandon Caton
3f317fb74b proxy: fix err on pulls from public repos if anonymous (PROJQUAY-9346) (#4229)
Check if user exists before putting on queue.
2025-08-27 14:39:03 -04:00
Harish Govindarajulu
4efbbd2115 db: enable WAL mode and other PRAGMA stmts for SQLite to avoid db locking during concurrent writes (PROJQUAY-8758) (#4193)
* ADD PRAGMA statements for SQLITE to avoid database locking

* Fix formatting
2025-08-21 15:12:54 -04:00
Elliot Gustafsson
df8ced5bf4 ldap: Get federated login identifier and use that when checking user privileges in FederatedUserManager (PROJQUAY-8879) (PROJQUAY-5880) (#3978)
2025-08-08 10:37:09 -04:00
Michaela Lang
0e91a7aec0 federationuser(ldap): avoid doing LDAP lookups for Robot accounts (PROJQUAY-5137) (#2505)
BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting permission has been dropped in context of permissions granting. This impacts Users from LDAP if they have not logged in to Quay already (pre provisioning) as a Federation User will only be available after logging in or being part of a Team.
2025-07-25 09:05:22 -04:00
Kenny Lee Sin Cheong
ac562b4b75 proxycache: include hidden manifests when querying for child manifests on tag creation (PROJQUAY-8536) (#4097)
* proxycache: include hidden manifests when querying for child manifests on tag creation (PROJQUAY-8536)

* Fix mocked call
2025-07-02 13:20:22 -04:00
Brandon Caton
147e41804b deps: updating python protobuf (PROJQUAY-9081) (#4096)
updating python protobuf version
2025-07-02 11:32:11 -04:00
Jonathan King
6c358ce3d8 splunk: only raise error when ALLOW_WITHOUT_STRICT_LOGGING is unset (PROJQUAY-8595) (#4082)
Co-authored-by: Jonathan <jonathan@Jonathans-MacBook-Pro.local>
2025-06-18 19:10:54 +00:00
Kenny Lee Sin Cheong
40031c2356 proxycache: fix queueitem payload for proxycachblobworker (PROJQUAY-9018) (#4076)
* proxycache: fix queueitem payload for proxycachblobworker (PROJQUAY-9018)

* Add feature flag for proxycacheblobworker

* PROXY_CACHE_BLOB_DOWNLOAD stub
2025-06-18 12:34:43 -04:00
Ivan Bazulic
9be679eb58 mirror: Add job timeout to mirror configurations (PROJQUAY-7249) (#3723)
* mirror: Add job timeout to mirror configurations (PROJQUAY-7249)
Previous global job timeout of 5 minutes was inadequate for big images. The timeout should now be configurable in much the same way as sync is. Minimum job length is 300 seconds/5 minutes.

The PR is still work in progress.

* Fix init db, remove reference to user data in logs

* Fix tests, change repo mirror configuration

* Fix tests, make mirroring cancellable through UI

* Add cancel mirror test, change HTML document to reflect mirror timeout

* Flake8 doesn't like when '==' is used with 'None'

* Fix mirror registry tests

* Add new cypress data to fix cypress tests

* Added ability to define upload chunk size to RADOS driver, small changes to repo mirror HTML page

* Fix database migration to follow HEAD

* Upload new database data for Cypress tests

* Make skopeo_timeout_interval mandatory on API calls

---------

Co-authored-by: Ivan Bazulic <ibazulic@redhat.com>
2025-06-12 19:09:51 +02:00
Emmanuel Ferdman
bf82e26c56 fix: migrate to logging.warning (PROJQUAY-8996) (#3976)
fix: migrate to logging.warning

Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
2025-06-10 13:50:53 -04:00
Kenny Lee Sin Cheong
ed70eff752 proxycache: Download blob not cached when pulling manifests with blobs available locally (PROJQUAY-6708) (#4007)
* proxycache: Download blob not cached when pulling manifests with blob available locally (PROJQUAY-6708)

* Skip downloading blobs without placeholders
2025-06-10 10:34:23 -04:00
Brandon Caton
5c1c21bb1b ci: fixing app type import (PROJQUAY-8991) (#4021)
ci: fixing app type import
2025-06-10 09:14:57 -04:00
Jonathan King
753977a130 fix: do not fail on splunk errors when flag set (PROJQUAY-8595) (#3757)
2025-06-10 09:14:17 -04:00
Syed Ahmed
723102e641 build: move quay to python 3.12 (PROJQUAY-8800) (#3780)
Move Quay to python version 3.12 and switch out rehash with the resumable hash library.
2025-05-29 09:35:48 -04:00
Michaela Lang
be82aefb44 proxycache(permissions): CVE-2025-4374 (PROJQUAY-8892) (#3941)
fixing CVE-2025-4374 by extending the create_repository method to understand if we are requesting a proxy_cache repository
added unittests for create_repository when proxy_cache.
2025-05-22 09:09:02 -04:00
Brandon Caton
feb2f2e459 deps: upgrading gevent (PROJQUAY-8938) (#3928)
Upgrading gevent and greenlet
2025-05-19 13:08:04 -04:00
Sunandadadi
8abbfc8ef0 migration: adding conditional check on manifestblob alter column type (#3886)
* migration: adding conditional check on manifestblob alter column type

* convert string to lower

* fix

* fixing column type fetch
2025-05-13 13:32:38 -04:00
Sunandadadi
d3bcbe0610 migration: alter id column type for table manifestblob (#3885)
* migration: alter id column type for table manifestblob

* adding raw queries
2025-05-13 10:21:20 -04:00
Brandon Caton
3f34e3a822 Reverting PROJQUAY-8536 (#3833)
* Revert "bug: Adding allow hidden flag while looking up for manifests (PROJQUAY-8536) (#3722)"

This reverts commit f0c153fab5.

* Revert "proxy: moving manifest check to after upstream manifest fetch (PROJQUAY-8536) (#3814)"

This reverts commit 944edd064b.
2025-04-29 14:31:16 -04:00