feat: Vulnerability Scanning #524

Open
wants to merge 25 commits into
base: main
25 commits
8864448
chore: Vuln Scanning
jay-dee7 Dec 14, 2023
06a1296
refactor: JWT signing key operations
jay-dee7 Dec 21, 2023
660c56e
fix: Create build project options
jay-dee7 Dec 21, 2023
92d07a0
feat: Add multiple users to org in a single request
jay-dee7 Dec 21, 2023
f14a3c5
feat: Vulnerability Scanning via Clair
jay-dee7 Dec 21, 2023
d5964b5
fix: Skip Mock DFS config parsing if not set
jay-dee7 Dec 21, 2023
ba9721d
fix: User catalog list and search queries
jay-dee7 Dec 21, 2023
6a83b7d
refactor: Internal UUID package references
jay-dee7 Dec 21, 2023
2bb28ee
fix: Search repositories query
jay-dee7 Dec 23, 2023
2734cc4
fix: Storing parsed value in ctx for AddUsersToOrgRequest
jay-dee7 Dec 23, 2023
7db8f96
fix: Remove repositories from fav list API
jay-dee7 Dec 23, 2023
7c5536b
feat: Honeycomb configuration via yaml
jay-dee7 Dec 23, 2023
c2faba2
fix: Concurrent map-write bug in mock DFS
jay-dee7 Dec 24, 2023
ea04584
fix: Clear webauthn session data at EOL
jay-dee7 Dec 24, 2023
c7eadb7
feat: CORS for ConnectRPC APIs
jay-dee7 Dec 25, 2023
8efb411
feat: Auth tokens for client-side usage
jay-dee7 Dec 26, 2023
a88203f
fix: Database model definitions
jay-dee7 Dec 27, 2023
0a3a905
feat: List favorite repositories
jay-dee7 Dec 30, 2023
2b364bf
fix: Create project query
jay-dee7 Jan 7, 2024
d2dc3a4
fix: Filebase PreSignedURL generation
jay-dee7 Jan 9, 2024
e13c85e
add: Logs for failed clair requests
jay-dee7 Jan 9, 2024
09d76e8
remove: Makefile
jay-dee7 Feb 5, 2024
81b6789
Merge branch 'main' into feat/vuln-scanning
jay-dee7 Oct 12, 2024
7b5b7a8
Merge branch 'main' into feat/vuln-scanning
jay-dee7 Oct 13, 2024
5a2ee4f
chore: Sync & bump Buf Connect RPC packages & implementation
jay-dee7 Oct 13, 2024
1 change: 0 additions & 1 deletion .dockerignore
@@ -1 +0,0 @@
.go-skynet/
17 changes: 6 additions & 11 deletions .github/workflows/oci-dist-spec-content-discovery.yml
@@ -1,28 +1,23 @@
name: OCI Distribution Spec - Content Discovery

on:
pull_request:
push:
branches:
- main
branches: [main]
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
required: false
default: false

concurrency:
group: content-discovery-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

env:
PGUSER: postgres
POSTGRES_DB: open_registry
POSTGRES_PASSWORD: Qwerty@123
POSTGRES_USER: postgres

jobs:
conformance:
runs-on: ubuntu-latest
Expand All @@ -39,9 +34,9 @@ jobs:
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
ports: [5432:5432]
steps:
- run: sudo snap install --edge --classic just
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
Expand All @@ -58,7 +53,7 @@ jobs:
yq e -i '.dfs.mock.type = "FS"' config.yaml
go mod download
go build
make certs
just certs
./OpenRegistry migrations init \
--admin-db="postgres" \
--admin-db-username="postgres" \
Expand Down Expand Up @@ -93,7 +88,7 @@ jobs:
OCI_DEBUG: 0
- name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
uses: mxschmitt/action-tmate@v3
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
- name: Set output report name
id: vars
run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
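Review bot: The new step `- run: sudo snap install --edge --classic just` installs `just` from the snap edge channel, which is an unpinned development build, so every conformance run can pick up a different, unreviewed binary. Pinning the channel, e.g. `- run: sudo snap install --stable --classic just`, or installing a fixed release, keeps the CI toolchain reproducible and narrows the supply-chain surface of a job whose environment also carries the database credentials. The same line is added in oci-dist-spec-content-management.yml, oci-dist-spec-pull.yml and oci-dist-spec-push.yml.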
17 changes: 6 additions & 11 deletions .github/workflows/oci-dist-spec-content-management.yml
@@ -1,28 +1,23 @@
name: OCI Distribution Spec - Content Management

on:
pull_request:
push:
branches:
- main
branches: [main]
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
required: false
default: false

concurrency:
group: content-management-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

env:
PGUSER: postgres
POSTGRES_DB: open_registry
POSTGRES_PASSWORD: Qwerty@123
POSTGRES_USER: postgres

jobs:
conformance:
runs-on: ubuntu-latest
Expand All @@ -39,9 +34,9 @@ jobs:
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
ports: [5432:5432]
steps:
- run: sudo snap install --edge --classic just
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
Expand All @@ -58,7 +53,7 @@ jobs:
yq e -i '.dfs.mock.type = "FS"' config.yaml
go mod download
go build
make certs
just certs
./OpenRegistry migrations init \
--admin-db="postgres" \
--admin-db-username="postgres" \
Expand Down Expand Up @@ -92,7 +87,7 @@ jobs:
OCI_DEBUG: 0
- name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
uses: mxschmitt/action-tmate@v3
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
- name: Set output report name
id: vars
run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
3 changes: 2 additions & 1 deletion .github/workflows/oci-dist-spec-pull.yml
Expand Up @@ -42,6 +42,7 @@ jobs:
ports:
- 5432:5432
steps:
- run: sudo snap install --edge --classic just
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
Expand All @@ -58,7 +59,7 @@ jobs:
yq e -i '.dfs.mock.type = "FS"' config.yaml
go mod download
go build
make certs
just certs
./OpenRegistry migrations init \
--admin-db="postgres" \
--admin-db-username="postgres" \
18 changes: 7 additions & 11 deletions .github/workflows/oci-dist-spec-push.yml
@@ -1,28 +1,24 @@
---
name: OCI Distribution Spec - Push Image

on:
pull_request:
push:
branches:
- main
branches: [main]
workflow_dispatch:
inputs:
debug_enabled:
type: boolean
description: 'Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)'
description: Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)
required: false
default: false

concurrency:
group: push-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

env:
PGUSER: postgres
POSTGRES_DB: open_registry
POSTGRES_PASSWORD: Qwerty@123
POSTGRES_USER: postgres

jobs:
conformance:
runs-on: ubuntu-latest
Expand All @@ -39,9 +35,9 @@ jobs:
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
ports: [5432:5432]
steps:
- run: sudo snap install --edge --classic just
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
Expand All @@ -58,7 +54,7 @@ jobs:
yq e -i '.dfs.mock.type = "FS"' config.yaml
go mod download
go build
make certs
just certs
./OpenRegistry migrations init \
--admin-db="postgres" \
--admin-db-username="postgres" \
Expand Down Expand Up @@ -93,7 +89,7 @@ jobs:
OCI_DEBUG: 0
- name: Setup tmate session if mode is debug and OpenRegistry or OCI Tests Fail
uses: mxschmitt/action-tmate@v3
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
if: ${{ always() && (github.event_name == 'workflow_dispatch') && inputs.debug_enabled }}
- name: Set output report name
id: vars
run: echo "short_commit_hash=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
16 changes: 0 additions & 16 deletions Makefile

This file was deleted.

118 changes: 118 additions & 0 deletions api/users/users.go
@@ -1,8 +1,11 @@
package users

import (
"fmt"
"net/http"
"time"

"github.com/containerish/OpenRegistry/auth"
"github.com/containerish/OpenRegistry/store/v1/types"
"github.com/containerish/OpenRegistry/store/v1/users"
"github.com/containerish/OpenRegistry/telemetry"
Expand All @@ -12,6 +15,8 @@ import (
type (
UserApi interface {
SearchUsers(echo.Context) error
CreateUserToken(ctx echo.Context) error
ListUserToken(ctx echo.Context) error
}

api struct {
Expand Down Expand Up @@ -47,3 +52,116 @@ func (a *api) SearchUsers(ctx echo.Context) error {
a.logger.Log(ctx, nil).Send()
return echoErr
}

func (a *api) CreateUserToken(ctx echo.Context) error {
ctx.Set(types.HandlerStartTime, time.Now())

user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
if !ok {
err := fmt.Errorf("missing authentication credentials")
echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

var body types.CreateAuthTokenRequest
if err := ctx.Bind(&body); err != nil {
echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

if body.Name == "" {
err := fmt.Errorf("token name is a required field")
echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

token, err := types.CreateNewAuthToken()
if err != nil {
echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

hashedToken, err := auth.GenerateSafeHash([]byte(token.RawString()))
if err != nil {
echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

authToken := &types.AuthTokens{
CreatedAt: time.Now(),
ExpiresAt: body.ExpiresAt,
Name: body.Name,
AuthToken: hashedToken,
OwnerID: user.ID,
}

if err = a.userStore.AddAuthToken(ctx.Request().Context(), authToken); err != nil {
echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

echoErr := ctx.JSON(http.StatusOK, echo.Map{
"token": token.String(),
})

a.logger.Log(ctx, nil).Str("client_token", token.String()).Str("stored_token", hashedToken).Send()
return echoErr
}

func (a *api) ListUserToken(ctx echo.Context) error {
ctx.Set(types.HandlerStartTime, time.Now())

user, ok := ctx.Get(string(types.UserContextKey)).(*types.User)
if !ok {
err := fmt.Errorf("missing authentication credentials")
echoErr := ctx.JSON(http.StatusUnauthorized, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

tokens, err := a.userStore.ListAuthTokens(ctx.Request().Context(), user.ID)
if err != nil {
echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
"error": err.Error(),
})

a.logger.Log(ctx, err).Send()
return echoErr
}

if len(tokens) == 0 {
tokens = make([]*types.AuthTokens, 0)
}

echoErr := ctx.JSON(http.StatusOK, tokens)

a.logger.Log(ctx, nil).Send()
return echoErr
}
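Review bot: On the success path of CreateUserToken, `a.logger.Log(ctx, nil).Str("client_token", token.String()).Str("stored_token", hashedToken).Send()` writes the freshly minted auth token and its stored hash into the request log, so a secret that is meant to reach the caller exactly once ends up in every sink the logger feeds. The line should be reduced to `a.logger.Log(ctx, nil).Send()`, matching ListUserToken and SearchUsers; the token name or owner ID are safe to log if the entry needs context. `body.ExpiresAt` is also copied into the stored record without validation, so a zero or past value (presumably a time.Time, given CreatedAt) is accepted silently; a check such as `if body.ExpiresAt.Before(time.Now()) { /* 400 */ }` before the hash is computed would reject it, and an upper bound on token lifetime is worth considering. In ListUserToken the response serializes the `*types.AuthTokens` records as-is; unless that struct's JSON tags omit `AuthToken`, the stored hashes are returned to the client — worth confirming against the type definition, which is outside this diff.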