ldap: Get federated login identifier and use that when checking user privileges in FederatedUserManager (PROJQUAY-8879) (PROJQUAY-5880)
Co-authored-by: Elliot Gustafsson <elliot.gustafsson@fortnox.se>
BREAKING CHANGE: LDAP lookup of robot accounts in the UI for granting permission has been dropped in the context of permissions granting. This impacts LDAP users who have not logged in to Quay already (pre-provisioning), as a federated user will only be available after logging in or being part of a team.
Co-authored-by: Michaela Lang <milang@redhat.com>
* proxycache: include hidden manifests when querying for child manifests on tag creation (PROJQUAY-8536)
* Fix mocked call
---------
Co-authored-by: Kenny Lee Sin Cheong <kenny.lee28@gmail.com>
Co-authored-by: Brandon Caton <bcaton@redhat.com>
* proxycache: fix queueitem payload for proxycacheblobworker (PROJQUAY-9018)
* Add feature flag for proxycacheblobworker
* PROXY_CACHE_BLOB_DOWNLOAD stub
---------
Co-authored-by: Kenny Lee Sin Cheong <kenny.lee28@gmail.com>
The previous global job timeout of 5 minutes was inadequate for big images. The timeout should now be configurable in much the same way as sync is. The minimum job length is 300 seconds (5 minutes); the maximum job length is 43200 seconds (12 hours). The option to change the skopeo timeout is added to the repo mirroring settings. Additionally, repository mirroring will now correctly react to the Cancel button being pressed in the UI or to the cancel mirror API request being invoked. When invoked, the sync will be terminated as soon as the current tag finishes uploading and will not be queued again until it is explicitly enqueued again. Previously, pressing the Cancel button would not stop the sync and the worker would continue to work as if nothing had happened.
Pushing very large images with very large layers (> 50 GiB) is currently impossible with the Ceph/RADOS driver. The S3 protocol allows up to 10 thousand chunks to be uploaded per file; with a 5 MiB chunk size, the maximum theoretical layer size is 50 GiB. This PR adds an additional optional argument to the RadosGWStorage and RHOCSStorage drivers called minimum_chunk_size_mb that allows the user to define the upload chunk size. If the parameter is not defined, the driver defaults to 5 MiB.
---------
Co-authored-by: Ivan Bazulic <ibazulic@redhat.com>
Co-authored-by: Ivan Bazulic <ibazulic@laptop.skynet>
* proxycache: Download blob not cached when pulling manifests with blob available locally (PROJQUAY-6708)
* Skip downloading blobs without placeholders
---------
Co-authored-by: Kenny Lee Sin Cheong <kenny.lee28@gmail.com>
Co-authored-by: Brandon Caton <bcaton@redhat.com>
fix: do not fail on splunk errors when flag set (PROJQUAY-8595)
Co-authored-by: Jonathan King <jonathankingfc@gmail.com>
Co-authored-by: Brandon Caton <bcaton@redhat.com>
Fixing CVE-2025-4374 by extending the create_repository method to understand if we are requesting a proxy_cache repository.
Added unit tests for create_repository when proxy_cache is in use.
* Revert "bug: Adding allow hidden flag while looking up for manifests (PROJQUAY-8536) (#3722)"
This reverts commit f0c153fab5.
* Revert "proxy: moving manifest check to after upstream manifest fetch (PROJQUAY-8536) (#3814)"
This reverts commit 944edd064b.
* db: use iterator chain for _get_user_repo_permissions (PROJQUAY-8839)
Unwrapping can cause an increase in CPU. Use an iterator chain to let the caller unwrap.
* db: optimize _get_user_repo_permissions to send to read replica (PROJQUAY-8839)
It uses a union query, which doesn't invoke the replica selection logic. Make this into 2 separate queries.
* fix unit tests
When an image is pulled by digest, a temp tag is created to prevent the manifest from being garbage collected. This is true when a manifest list is pulled by tag as well. However, if this temporary tag expires (default is 1 day for proxied organizations) and the same manifest is pulled again by digest, the system attempts to create the manifest again, leading to an integrity error because the manifest already exists in the database.
---------
Co-authored-by: shudeshp <shudeshp@redhat.com>
Adds an include_orgs param to the active users query used by the reconciler and sets it to true for reconciler runs
The reconciler is not including orgs as candidates for creating corresponding RH entitlements. As a result, it misses users with Stripe billing that are considered orgs.
* marketplace: splittable sku for MW02702 (PROJQUAY-8151)
* Alembic migration to drop unique constraint on the orgrhsubscriptions table
* Can split sub quantities of MW02702 across multiple orgs
* Can specify quantity for the MW02702 SKU across orgs on react UI
* Update angular UI to allow user to specify quantities for MW02702
* upgrade elasticsearch and elasticsearch-dsl to 8.13.0
* update tests and elasticsearch logs to handle new major version
* pinning elasticsearch-transport according to check requirements.txt test
* auth: Implement is_restricted_user for OIDC and allow super users to create content regardless of set restriction (PROJQUAY-8208)
Currently, if OIDC is set as the authentication mechanism and restricted users are configured, Quay will return a `501 Not Implemented` on invocation. Now, Quay will properly check the restricted user whitelist for federated users.
Additionally, if user restriction is in place and a super user's username was **not** explicitly whitelisted, super users would not be able to create new content inside the registry. Now, the username is explicitly checked in the UI to allow super users to create both organizations and repos regardless of the restricted users whitelist.
* Add tests
* Add tests for usermanager
* notifications: fetch autoprune tags with multiple policies for image expiry notification (PROJQUAY-8117)
* don't fetch notifications if tag expiry is greater than notification days + add tests
* logs: Audit export logs requests (PROJQUAY-7679)
We add the ability to audit export logs requests that were previously not tracked.
* Add UI elements to properly render new audit log
* Truncate date/time column on extreme zooms
* Add initdb.py entries
* Fix migration and add test db data
* Add test database and fix migration paths
* Changed logging mechanism to grab raised exceptions
* Fix improper import
* Add date/time timestamp to saved metadata
* Change message on export logs screen in UI
* Changed message in old UI as well
* Change log description in new UI too
* Simplify call logic and add additional information to logged errors