* config: Set feature flag default for new vulnerability notifications to True
(PROJQUAY-4659)
Change the default from `False` to `True` for
`FEATURE_SECURITY_SCANNING_NOTIFY_ON_NEW_INDEX`.
Since this flag addresses a bug, it should be enabled by default.
* add mock return values for unit tests
* api: allow robot token creation with a pre-defined token (PROJQUAY-5414)
This is for usecases where we want to explicitly create a robot token
with a pre-defined token in case of migration events when we migrate
from one quay to another, we can re-use the same robot token to
avoid resetting it in all places it is used
(PROJQUAY-5600)
Catch exception thrown when looking up tag `lifetime_start_ms` and set
`created_at` property for a manifest to None.
If `created_at` is None, don't calculate indexing SLI for manifest.
Adds the following changes:
- Allows remove_tag_from_timemachine to expire tags even if the time machine window is set to 0, immediately marking them for deletion. This allows the quota proxy pruner to expire tags with the same method call. This wasn't required for normal push/pulls as the user would just call the DELETE /tag endpoint.
- Remove hidden = true when expiring tags. For proxy Quay will attempt to lookup the tag referenced by the manifest in order to extend it's lifetime_end_ms. Hiding this tag prevents that logic from running correctly.
Add new parameter `allow_hidden` to `lookup_manifest_by_digest` method and set this to true on the manifest v2 endpoint.
Enables manifests to be pulled by digest, and fixes issues with recent versions of conftest being unable to push to quay.
Allows superusers to trigger a calculation of the deduplicated registry size. A superuser can go to the organization panel of the superuser page and select Calculate to queue a calculation of the registry total. The total will only be calculated when requested. Includes warning to user of increase of database load when running calculation.
Moves the resetting of child manifest temporary tags to happen on deletion instead of on push/pull. Resetting child manifest temporary tags caused issues in other portions of the code like proxy cache where temporary tags were deleted too early.
Allows for only unique blobs are counted at the namespace and repository level. Calculation includes manifest list sizes.
Add's the following internal configurations that default to true:
QUOTA_INVALIDATE_TOTALS: Invalidates calculated totals when FEATURE_QUOTA_MANAGEMENT is set to false
RESET_CHILD_MANIFEST_EXPIRATION: Resets the expiry for child manifests on push of the manifest list for immediate GC eligibility
PERMANENTLY_DELETE_TAGS: Enables features related to the permanent deletion of tags outside the configured time machine window
* API/UI: Filtering of tags API through query parameter (PROJQUAY-5362)
* Changing syntax of query param to add operation + added propagation of filtering from new UI
* added exception to return 400 on incorrect syntax
* Added tests to test filtering of /tags endpoint
* Minor fixes
* Change error messages in UI during LDAP login (PROJQUAY-4845)
Previously, on installations where LDAP is used, we were telling users whether the username or password was failing when login attempts were made. This might pose a security risk, a malicious user could, via the returned message, identify which users have access to Quay and which don't.
With this change, we return a general message saying the user used wrong credentials instead of providing any details.
* Fixed tests.
* Fix some more tests.
* Readd accidental removal of one assertion.
Prevent creating namespaces/orgs on pushes (CREATE_NAMESPACE_ON_PUSH)
if user is restricted.
Also updates RESTRICTED_USERS_WHITELIST to defaults to all if not set,
given that FEATURE_RESTRICTED_USERS is set.
- Similar to LDAP_SUPERUSER_FILTER, add a specific filter to define
restricted users, based on the LDAP_USER_FILTER
- restrict writes on restricted users' own namespace. Normal
permissions applies on organization membership
- add global readonly superuser GLOBAL_READONLY_SUPER_USERS (PROJQUAY-2604)
- Removes RESTRICTED_USER_INCLUDE_ROBOTS, FEATURE_RESTRICTED_READ_ONLY_USERS
Currently Quay is displaying the Clair response with no
interpretation meaning when Clair reports on vulns per repo
they appear to be duplicated (RHEL based images with multiple
repos and packages existing in more than one). The correct way
to fix this is via an interpretation layer in Quay, this change
is a stop-gap to improve readability for the user.
Signed-off-by: crozzy <joseph.crosland@gmail.com>
Signed-off-by: crozzy <joseph.crosland@gmail.com>
* api: feature to limit org creation to superusers
Introduces the following configuration flags:
FEATURE_SUPERUSERS_ORG_CREATION_ONLY:
Limit org creation to superusers only
FEATURE_SUPERUSERS_FULL_ACCESS:
Grant superusers read/write access to registry content in all namespaces
FEATURE_RESTRICTED_USERS:
Users considered as restricted are not anle to create organization
RESTRICTED_USERS_WHITELIST:
Whitelist for FEATURE_RESTRICTED_USERS
RESTRICTED_USER_INCLUDE_ROBOTS:
Whether or not to include the user namespace's robots
RESTRICTED_USER_READ_ONLY:
Only allow read-only operations for restricted users
* Revert superuser repositorylist endpoint
