fix(api): implement proper superuser permission model and fix access controls
Fixes multiple issues with superuser functionality and implements a comprehensive
permission model for FEATURE_SUPERUSERS_FULL_ACCESS:
**Permission Model:**
- Global Readonly Superusers (auditors): Always have read access to all content,
independent of FEATURE_SUPERUSERS_FULL_ACCESS setting
- Regular Superusers: Can access /v1/superuser endpoints and their own content.
Require FEATURE_SUPERUSERS_FULL_ACCESS=true for cross-namespace read access
- Full Access Superusers: Regular superusers with FULL_ACCESS enabled, can
perform CRUD on content they don't own
- Write operations: Only allowed for full access superusers (global readonly
superusers never get write access)
**Key Fixes:**
1. Fixed superuser panel endpoints returning 403 when FULL_ACCESS was disabled.
Basic panel operations (user list, logs, org list, messages) now work with
just FEATURE_SUPER_USERS enabled.
2. Updated decorators to properly differentiate between basic superuser
operations and permission bypass operations.
3. Implemented license bypass: Superusers with FULL_ACCESS now bypass
license/quota limits when creating or modifying private repositories.
4. Fixed 18 permission checks across 7 files to properly implement cross-namespace
access controls for different superuser types.
**Changes:**
- endpoints/api/__init__.py: Fixed allow_if_superuser(), require_repo_permission, and decorators
- endpoints/api/superuser.py: Updated SuperUserAppTokens permission check
- endpoints/api/organization.py: Updated 4 GET endpoints to require FULL_ACCESS
- endpoints/api/namespacequota.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/team.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/prototype.py: Updated 1 GET endpoint to require FULL_ACCESS
- endpoints/api/policy.py: Updated auto-prune policy endpoints
- endpoints/api/robot.py: Updated robot endpoints
- endpoints/api/build.py: Updated repository build logs
- endpoints/api/repository.py: Added license bypass for superusers with FULL_ACCESS
- endpoints/api/repository_models_pre_oci.py: Updated repository visibility query
- endpoints/api/logs.py: Fixed log access to require FULL_ACCESS for permission bypass
- endpoints/api/test/test_superuser_full_access.py: Added comprehensive test suite
- endpoints/api/test/test_appspecifictoken.py: Updated test mocking and added 403 test
- test/test_api_usage.py: Updated test expectations for license bypass behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
feat: Add image pull statistics API endpoints and UI integration
- Add new API endpoints for tag and manifest pull statistics
- Integrate pull metrics into web UI with new table columns
- Add FEATURE_IMAGE_PULL_STATS feature flag and PULL_METRICS_REDIS config
- Add pullstatsredisflushworker to supervisord configuration
- Add comprehensive test coverage for pull statistics functionality
Co-authored-by: shudeshp <shudeshp@redhat.com>
Implements global read-only superuser permissions for v1 endpoints, adjusts superuser write checks, and updates app token listing and detail endpoints; includes comprehensive tests.
---------
Co-authored-by: Claude <noreply@anthropic.com>
test(oidc): add comprehensive PKCE test coverage with improved diagnostics (PROJQUAY-9281)
Add extensive test suite for PKCE (Proof Key for Code Exchange) functionality
across multiple layers of the application:
Test Coverage:
- Core PKCE utilities (code_verifier generation, S256 challenge computation)
- OAuth base class integration with PKCE parameters
- OIDC service with PKCE fixtures and authorization scenarios
- Dedicated PKCE flow testing (S256/plain methods, public client support)
- API endpoint integration for user PKCE operations
- Login flow integration with session-based verifier storage
Features Tested:
- S256 and plain code challenge methods
- Public client support (omitting client_secret)
- Session-based code_verifier storage and retrieval
- Error handling for missing/invalid verifiers
- Integration with existing OIDC authorization flows
- Descriptive assertion messages for CI diagnostics
All tests include informative error messages with expected vs actual values
to improve debugging in CI environments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement PKCE (Proof Key for Code Exchange) for OIDC authentication to enable
support for public clients and improve OAuth security.
Changes:
- Add oauth/pkce.py with code_verifier generation and S256/plain challenge methods
- Extend OAuthService to support extra auth/token params and public clients (no client_secret)
- Implement PKCE in OIDCLoginService with code_verifier token exchange
- Store PKCE verifier in session during auth initiation (endpoints/api/user.py)
- Add get_pkce_code_verifier() helper with defensive type checking
* Encapsulates pkce_enabled check and session data extraction
* Uses isinstance(data, dict) for safe type validation
* Centralizes logic across OAuth callbacks (callback, attach, cli)
- Include example Keycloak PKCE config in local-dev/stack/config.yaml
Security improvements:
- PKCE method validation to fail fast on invalid configuration
- Defensive session data validation in OAuth callbacks
- Explicit Content-Type headers for form-encoded OAuth requests
- Optimized non-verified JWT decode (skips unnecessary key fetching)
- Exponential backoff for token exchange retries (0.5s, 1.0s, 2.0s)
Configuration:
- PKCE is opt-in via USE_PKCE config (default: disabled)
- OIDC_SERVER must end with trailing slash
- Use host.containers.internal with podman for local dev
Co-authored-by: Claude <noreply@anthropic.com>
* mirror: Add job timeout to mirror configurations (PROJQUAY-7249)
Previous global job timeout of 5 minutes was inadequate for big images. The timeout should now be configurable in much the same way as sync is. Minimum job length is 300 seconds/5 minutes.
The PR is still work in progress.
* Fix init db, remove reference to user data in logs
* Fix tests, change repo mirror configuration
* Fix tests, make mirroring cancellable through UI
* Add cancel mirror test, change HTML document to reflect mirror timeout
* Flake8 doesn't like when '==' is used with 'None'
* Fix mirror registry tests
* Add new cypress data to fix cypress tests
* Added ability to define upload chunk size to RADOS driver, small changes to repo mirror HTML page
* Fix database migration to follow HEAD
* Upload new database data for Cypress tests
* Make skopeo_timeout_interval mandatory on API calls
---------
Co-authored-by: Ivan Bazulic <ibazulic@redhat.com>
* db: use iterator chain for _get_user_repo_permissions (PROJQUAY-8839)
Unwrapping can cause increase in CPU. Use iterator chain to let
the caller unwrap
* initial checkin for the superuser/config endpoint to show how its intended to return data
bug: fixing NaN value error for quota displayed on member org page (PROJQUAY-6465) (#3224)
bug: fixing NaN value error for quota displayed on member org page (PROJQUAY-6465)
fixed black formatting
fixed flake and black formatting
fixed isort formatting
test need to be updated for superuser endpoints. There is no explicit superuser token test so globalreadonlysuperuser shall succeed too
fixed double json encoding
changed naming to comply with other SuperUserClasses, added SuperUserPermission check as scope only isnt sufficient
fixed another black error
fixed response for devtable check
fixed response for devtable as that is a superuser
fixed black format :/
added allow_if_global_readonly_superuser to config endpoint
repush for checks
fixed app.logger to module specific logger ; added missed SCHEMA return
added unittest for checking superuser config dump API call (no clue if the unittests build up a full setup since we mock all kind of stuff in the other calls)
removed env PWD check as it seems to be unset in the github runners
added missing unittest step
added FeatureFlag for config dump
formatting
* removed wrong commit in the branch
* changed from route decorator to in method check and changed unittests to fail as the default config is to deny the request
* added one test for security_tests
* rebumped the security tests
* db: optimize _get_user_repo_permissions to send to read replica (PROJQUAY-8839)
it uses a union query which doesn't invoke the replica selection
logic. Make this into 2 seperate queries
* fix unit tests
Fixes bug where removing a MW02702 sub after all it's quantities have been bound causes the next item in the subscription list to be skipped over, resulting in a malformed api response for the marketplace endpoint.
Fixes a bug where the annotation is required at the manifest level even if artifactType is present. The modelcard should only be indicated by the artifact type and layer annotation for oci artifacts.
* ui: implement change to render modelcard stored in layers (PROJQUAY-8412)
When a manifest has certain annotations or artifactTypes, render the
applicable modelcard markdown in a new tags detail tab.
* removing untar when fetching model card
* removing extra api calls
* Add modelcar check tests
---------
Co-authored-by: bcaton <bcaton@redhat.com>
* ui: Expand support for customized footer links (PROJQUAY-5648)
Previous iteration only allowed changes to the terms of service. With this push, all footer links should be customizable through the `FOOTER_LINKS` object. Example:
~~~
FOOTER_LINKS:
TERMS_OF_SERVICE_URL: "some_url"
PRIVACY_POLICY_URL: "some_url"
SECURITY_URL: "some_url"
ABOUT_URL: "some_url"
~~~
Missing entries will not be printed out in the UI.
* Fixes to parsing of config object
* Add type annotation
* marketplace: splittable sku for MW02702 (PROJQUAY-8151)
* Alembic migration to drop unique constraint on the orgrhsubscriptions
table
* Can split sub quantities of MW02702 across multiple orgs
* Can specify quantity for the MW02702 SKU across orgs on react UI
* Update angular UI to allow user to specify quantities for MW02702
* auth: Implement is_restricted_user for OIDC and allow super users to create content regardless of set restriction (PROJQUAY-8208)
Currently, if OIDC is set as an authentication mechanism and restricted users is set, Quay will return a `501 Not Implemented` on invocation. Now, Quay will properly check the restricted user whitelist for federated users.
Additionally, if user restriction is in place and super user's username was **not** explicitly whitelisted, super users would not be able to create new content inside the registry. Now, the username is explicitly checked in the UI to allow super users to create both organizations and repos regardless of restricted users whitelist.
* Add tests
* Add tests for usermanager
* logs: Audit export logs requests (PROJQUAY-7679))
We add the ability to audit export logs requests that were previously not tracked.
* Add UI elements to properly render new audit log
* Truncate date/time column on exterme zooms
* Add initdb.py entries
* Fix migration and add test db data
* Add test database and fix migration paths
* Changed logging mechanism to grab raised exceptions
* Fix improper import
* Add date/time timestamp to saved metadata
* Change message on export logs screen in UI
* Changed message in old UI as well
* Change log description in new UI too
* Simplify call logic and add additonal information to logged errors
robots: Add robot federation for keyless auth (PROJQUAY-7652)
adds the ability to configure federated auth for robots by
using external OIDC providers. Each robot can be configured
to have multiple external OIDC providers as the source for
authentication.
Allows users to specify a regex tag pattern when creating namespace/repository autoprune policies via the new UI. Users will have the option to prune tags that only match the tag pattern or exclude tags that match the tag pattern.
* database: adding subject_backfilled index to manifest table (PROJQUAY-7360) (#2963)
adding subject_backfilled index to manifest table
* Rebasing with main
* updating cypress data
* fixing conflicts and rebasing with latest code
* adding tests
* Forcing an empty commit.
* Forcing an empty commit.
* skip_locked test fix
* adding tests
* minor fixes
---------
Co-authored-by: Brandon Caton <bcaton@redhat.com>
* marketplace: change redhatsubscriptions model to return a list of customer ids (PROJQUAY-7129)
* Use list comprehension in model and expect to return None if no rows are
returned
* fix behavior for reconciler and fix unit test for reconciler
Reducing the number of DB calls in the repo list endpoint with quota enabled by:
- Adding the id to RepositoryBaseElement when the repositories are initially fetched, removing the need to fetch the repository ID's again
- Fetching the repository sizes with a single DB call using the IN operator
* feat: Add support for auto pruning at repository level (PROJQUAY-6354)
* Add repositoryautoprunepolicy table to alembic migration script
* Add repository auto-prune policy endpoints
* Add UI for repository auto-pruning policies
* case: apply repo auto-prune policy when no namespace policy given
* case: both namespace and repo pruning policy are given
* Add tests for repository autoprune endpoint
* Add cypress test for repository auto-prune
* Add repo auto-prune policy clean-up for repository deletion
* Add repository auto pruning tables to quay db snapshot for cypress tests
* Address review comments
* Add more tests + fix CI + reformat files
* Address review comments #2
---------
Signed-off-by: harishsurf <hgovinda@redhat.com>
* Adds handling for when a subscription returned from the subscription watch api has a quantity greater than 1. Number of private repos should be correctly calculated using the quantity.
* Updates ui so that subscriptions can only be added to an org as a group, i.e. a subscription with quantity = 2 cannot be split across organizations.
Previously, we weren't returning the total compressed layer size (in bytes) which is part of the manifest table. This makes it cumbersome to identify the real size of an image via `api/v1/repository/{LOCATION}/manifest/{manifestref}` endpoint since only individual layer sizes were returned and the total would then need to be manually summed over each individual layer. With this change, the API endpoint will return the compressed size of all layers if we're referencing a real image, if a reference points to an OCI index or a manifest list, the returned size will be 0.
* billing: marketplace UI
adds UI in billing section for managing user and org-bound skus
add more unit tests for org binding
changed endpoint for bulk attaching skus to orgs
