Commit Graph

1495 Commits

Author SHA1 Message Date
Milos Gajdos
ca7d4de0ee fix(proxy): fix tag list endpoint in proxy mode (#4846) 2026-04-16 14:17:56 -07:00
chuanshanjida
0679fc13c5 refactor: use slices.Backward to simplify the code
Signed-off-by: chuanshanjida <chuanshanjida@outlook.com>
2026-04-12 16:01:45 +08:00
njucjc
60de6e3443 fix(proxy): fix tag list endpoint in proxy mode
Signed-off-by: njucjc <njucjc@alibaba-inc.com>
Signed-off-by: chenjinci.cjc <chenjinci.cjc@alibaba-inc.com>
2026-04-09 23:30:51 +08:00
Milos Gajdos
078b0783f2 Merge commit from fork
fix redis repo-scoped blob descriptor revocation
2026-04-05 17:08:50 -07:00
Milos Gajdos
cc5d5fa4ba Merge commit from fork
proxy: bind bearer realms to upstream trust boundary
2026-04-05 13:30:20 -07:00
Milos Gajdos
2f2ce9fb6c Opt: refactor tag list pagination support (#4353) 2026-04-04 13:49:23 -07:00
njucjc
6a02a0e81d Opt: refactor tag list pagination support
Signed-off-by: njucjc <njucjc@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-04 22:04:37 +02:00
HexMix
7ed654e0a7 feat(registry): enhance authentication checks in htpasswd implementation
- Added a dummy hash for nonexistent users to prevent timing attacks.
- Updated test cases to include a nonexistent user scenario for better coverage.
- Introduced a global dummy hash variable to streamline authentication for nonexistent users.
- Updated the authentication logic to utilize the new dummy hash for improved consistency.
- Added support for overriding the dummy hash in the access controller for testing purposes.
- Updated the authentication logic to utilize the provided dummy hash during user authentication.
- Updated test cases to use `t.TempDir()` for creating temporary htpasswd files, enhancing test isolation and cleanup.
- Simplified file reading and error handling in the `TestCreateHtpasswdFile` function.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: HexMix <32300164+mnixry@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-04 21:19:33 +02:00
Milos Gajdos
000567267f chore(app): warn when partial TLS config is used in Redis
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2026-04-03 12:04:53 -07:00
1seal
5cda72868f fix redis repo-scoped blob descriptor revocation 2026-04-01 18:38:38 +03:00
1seal
f215e513de proxy: bind bearer realms to upstream trust boundary
bind proxy-mode bearer realms to the upstream trust boundary before sending credentials, move challenge filtering behind the auth manager, and use golang.org/x/net/publicsuffix for registrable-domain handling.
2026-03-30 18:27:47 +03:00
ChandonPierre
e0bac48375 fix(registry/proxy): do not re-use http request context for background writes
Signed-off-by: Chandon Pierre <cpierre@coreweave.com>
2026-03-27 18:19:47 -04:00
Milos Gajdos
3e4f4a8bde Enable Redis TLS without client certificates (#4770) 2026-03-27 09:35:39 -07:00
Milos Gajdos
7a7c44d3f9 Opt: refector tag list pagination support (stage 1) (#4360) 2026-03-25 09:55:09 -07:00
Milos Gajdos
ee3ba929f6 Update vacuum.go (#4610) 2026-03-23 06:45:30 -07:00
Milos Gajdos
764d131502 fix: correct Ed25519 JWK thumbprint kty from "OTP" to "OKP" (#4801) 2026-03-23 06:45:15 -07:00
Milos Gajdos
83dd82021c fix: set MD5 on GCS writer before first Write call in putContent (#4803) 2026-03-17 11:04:56 -07:00
Joonas Bergius
332405077a chore: fix typo in comment
Co-authored-by: Kyle Squizzato <kyle@replicated.com>
Signed-off-by: Joonas Bergius <joonas@users.noreply.github.com>
2026-03-17 12:52:12 -05:00
Joonas Bergius
021b69d5a6 fix: nil-check scheduler in proxyingRegistry.Close()
When proxy TTL is set to 0, `NewRegistryPullThroughCache`
skips creating a `TTLExpirationScheduler`. When `Close()`
calls `pr.scheduler.Stop()`, it causes causing a nil pointer
dereference panic.

Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
2026-03-01 19:59:20 -06:00
Joonas Bergius
2957c891d4 fix: set MD5 on GCS writer before first Write call in putContent
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
2026-03-01 17:49:25 -06:00
Joonas Bergius
830758b5b2 fix: correct Ed25519 JWK thumbprint kty from "OTP" to "OKP"
Signed-off-by: Joonas Bergius <joonas@defenseunicorns.com>
2026-03-01 12:27:45 -06:00
Milos Gajdos
3cf5a08615 modernize code (#4784) 2026-02-12 10:06:32 -08:00
Sebastiaan van Stijn
f18b8d707e fix "prealloc" linting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:28:58 +01:00
Sebastiaan van Stijn
775d3734eb modernize code
Automated fixing, using Go's "modernize" tool;

    go install golang.org/x/tools/go/analysis/passes/modernize/cmd/modernize@latest
    modernize -fix ./...

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:28:58 +01:00
ningmingxiao
b4f2af3f60 fix: sync parent dir to ensure data is reliably stored
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-12 18:15:45 +01:00
ningmingxiao
5ddf7898fa use filepath instead of path
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2026-02-12 18:14:53 +01:00
Sebastiaan van Stijn
f5e1a8931a update golangci-lint to v2.9 and fix linting issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-02-11 10:10:07 +01:00
njucjc
b1ae1b211e Opt: refector tag list pagination support
Signed-off-by: njucjc <njucjc@gmail.com>
2026-01-28 11:39:06 +08:00
Omar Trigui
6780dbbba4 Enable Redis TLS without client certificates
Signed-off-by: Omar Trigui <omar.trigui.tn@gmail.com>
2026-01-24 00:16:52 +01:00
Raghav Mahajan
33dab3939e Expose useFIPSEndpoint for S3
Signed-off-by: Raghav Mahajan <rmahajan@palantir.com>
2026-01-07 21:01:26 +05:30
Milos Gajdos
f61aa941b3 Add boolean parsing util (#4763) 2026-01-07 07:23:28 -08:00
Raghav Mahajan
75a14d4d31 Add boolean parsing util
Signed-off-by: Raghav Mahajan <rmahajan@palantir.com>
2026-01-07 17:04:02 +05:30
Milos Gajdos
47c426cf2e fix: Logging regression for manifest HEAD requests (#4756) 2026-01-06 09:03:21 -08:00
Thomas Cuthbert
1ad03da687 fix: Logging regression for manifest HEAD requests
Since version 3.0.0, the response completed log line is no longer
present for HEAD requests to manifests that return 200.

The regression is caused by the implicit handling of manifest HEAD
responses that bypass the logging middleware when returning from
`GetManifest`.

This change ensures that the logging middleware handles responses for
manifest HEAD requests by explicitly writing `StatusOK` into the
response header before returning from `GetManifest`.

Closes: https://github.com/distribution/distribution/issues/4733
Signed-off-by: Thomas Cuthbert <tom.cuthbert@elastic.co>
2026-01-07 00:09:07 +08:00
tranthang2404
f1e4ae3de7 add return error when list object
Signed-off-by: tranthang2404 <tranthang.mda@gmail.com>
2025-12-19 08:24:50 +07:00
efcking
64f4511a27 refactor: remove redundant variable declarations in for loops
Signed-off-by: efcking <efcking@outlook.com>
2025-11-19 12:01:28 +08:00
Sumedh Vats
f1323c5bc7 fix(proxy): sanitize challenge URL logs using Redacted()
The log message "Challenge established with upstream" was using
an incorrect format specifier (%s) when logging the challenge structs,
causing garbled output. This commit updates the format specifier to %+v
and removes the unnecessary challenge manager log. URLs are now
Redacted() to prevent leaking credentials.

Fixes: #4697

Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
Signed-off-by: Sumedh Vats <sumedhvats2004@gmail.com>
2025-10-20 18:45:10 +05:30
Sumedh Vats
edde36cd9e feat(registry): Make graceful shutdown test robust
The `TestGracefulShutdown` test was failing intermittently, especially
with stricter HTTP handling in newer Go versions (e.g., 1.25). This was
caused by sending an incomplete HTTP request in two separate writes,
creating a race condition where the server could shut down before
receiving the full request.

This commit fixes the test's flakiness by sending a single, complete,
and valid HTTP/1.1 request before triggering the shutdown. This ensures
the test accurately verifies the intended behavior: that a valid,
in-flight request is fully processed while new connections are rejected.

Fixes:#4696
Signed-off-by: Sumedh Vats <sumedhvats2004@gmail.com>
2025-10-18 00:35:54 +05:30
Milos Gajdos
979a07472e fix(registry/handlers/app): redis CAs (#4668) 2025-09-03 07:06:09 -07:00
Wang Yan
8c60ad709b Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys (#4684) 2025-08-12 13:41:12 +08:00
João Pereira
7f2dad4420 Fixed data race in TestSchedule test (#4647) 2025-08-11 23:25:37 +01:00
Guillaume pelletier
6e59b82417 Fixes #4683 - uses X/Y instead of Gx/Gy for thumbprint of ecdsa keys
Signed-off-by: Guillaume Pelletier <guillaume.pelletier@genaiz.com>
2025-08-11 10:29:53 -04:00
Milos Gajdos
7d74ee7186 Fix S3 driver loglevel param (#4617) 2025-08-11 14:27:41 +01:00
Wang Yan
c54bcb3770 s3-aws: fix build for 386 (#4642) 2025-08-11 14:14:53 +08:00
Raj Siva-Rajah
b559f27a08 Switch to UUIDv7
Signed-off-by: Raj Siva-Rajah <raj@zapzap.cloud>
2025-07-31 06:54:27 +00:00
ChandonPierre
02b1f6e3af fix(registry/handlers/app): redis CAs
`configureRedis` currently sets `RequireAndVerifyClientCert` and `ClientCAs`, however these are server side mTLS configurations, and do not apply for the client initiating the handshake.

Since we never actually set client side `RootCAs`, connecting to Redis with a self-signed CA results in:

```
"error": "tls: failed to verify certificate: x509: certificate signed by unknown authority",
```
Fixed by switching Redis TLS config to use `RootCAs` instead, and updating configuration accordingly.

Signed-off-by: ChandonPierre <cpierre@coreweave.com>
2025-07-05 15:25:17 -04:00
Artem Khoroshev
bb278c2be6 fix: fixed data race in TestSchedule test
Signed-off-by: Artem Khoroshev <horoshev.artem@yandex.ru>
2025-06-06 20:12:59 +03:00
Chen Qi
6970080b10 s3-aws: fix build for 386
When building for 386, we got the following build error:

  registry/storage/driver/s3-aws/s3.go:312:99: cannot use
  maxChunkSize (untyped int constant 5368709120) as int value
  in argument to getParameterAsInteger (overflows)

This is because the s3_64bit.go is used. Adjust the build tag matching
in s3_32bit.go and s3_64bit.go to fix this issue.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
2025-05-29 11:35:59 +08:00
Milos Gajdos
97495e5397 Fix: resolve issue #4478 by using a temporary file for non-append writes (#4624) 2025-05-19 07:37:07 -07:00
Oded Porat
dde1e49f23 Changes:
Append a UUID to ensure uniqueness
Join delete error

Signed-off-by: Oded Porat <onporat@gmail.com>
2025-05-04 10:43:19 +03:00