Commit graph

130 commits

Author SHA1 Message Date
Milos Gajdos
5316d3bda2
Bump Go and golang linter
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-06-30 16:50:09 +01:00
dependabot[bot]
050e1a3ee7
build(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity
Bumps [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) from 1.3.0 to 1.6.0.
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.3.0...sdk/azcore/v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-11 20:09:16 +00:00
Milos Gajdos
52d68216c0
feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00
Liang Zheng
a5882d6646 vendor: update manifest dependencies
Signed-off-by: Liang Zheng <zhengliang0901@gmail.com>
2024-04-26 22:22:49 +08:00
dependabot[bot]
2db0a598cc
build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.20.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.20.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-19 12:59:08 +00:00
Milos Gajdos
167d7996be
chore: bump distriution/reference dependency
We've made a new release https://github.com/distribution/reference

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-03-26 20:19:28 +00:00
Milos Gajdos
7c7517493c
build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#4297) 2024-03-17 10:38:34 +00:00
dependabot[bot]
cb2b51cac9
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-13 23:16:02 +00:00
dependabot[bot]
1c5fe22dec
build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.1 to 3.0.3.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3.0.3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.1...v3.0.3)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-07 23:01:05 +00:00
erezrokah
11f50c034e
feat: Add HTTP2 for unencrypted HTTP
Signed-off-by: erezrokah <erezrokah@users.noreply.github.com>
2024-01-17 20:59:02 +00:00
Milos Gajdos
6926aea0ee
vendor: github.com/gorilla/handlers v1.5.2 (#4211) 2024-01-16 17:06:16 +07:00
Sebastiaan van Stijn
bdfa8324a0
vendor: github.com/mitchellh/mapstructure v1.5.0
note that this repository will be sunset, and the "endorsed" fork will be
maintened by "go-viper". Updating the dependency to the latest version in
preparation.

full diff: https://github.com/mitchellh/mapstructure/compare/v1.1.2...v1.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 12:28:10 +01:00
Sebastiaan van Stijn
4f9fe183c3
vendor: github.com/gorilla/handlers v1.5.2
full diff: https://github.com/gorilla/handlers/compare/v1.5.1...v1.5.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-22 10:23:09 +01:00
dependabot[bot]
dcee8e93a3
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.15.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-19 00:02:47 +00:00
Eng Zer Jun
bcbf0431d1
testing: replace legacy gopkg.in/check.v1
This commit replaces the legacy `gopkg.in/check.v1` testing dependency
with `github.com/stretchr/testify`.

Closes https://github.com/distribution/distribution/issues/3884.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-12-13 09:22:43 +00:00
gotgelf
0e3018f2cf Otel tracing MVP: vendor changes
Signed-off-by: gotgelf <gotgelf@gmail.com>
2023-12-11 21:18:42 +01:00
Milos Gajdos
60e7e87889
vendor: github.com/spf13/cobra v1.8.0 (#4182) 2023-12-01 12:09:15 +00:00
Milos Gajdos
6f84e87803
update: AWS Go SDK bump to the latest release
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-12-01 11:24:44 +00:00
Sebastiaan van Stijn
1f6afab6e0
vendor: github.com/spf13/cobra v1.8.0
updating to current version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 12:05:31 +01:00
Milos Gajdos
a2613975a1
vendor: github.com/sirupsen/logrus v1.9.3 (#4179) 2023-12-01 10:51:38 +00:00
Milos Gajdos
3b58737bb6
vendor: github.com/gorilla/mux v1.8.1 (#4180) 2023-12-01 10:51:20 +00:00
Sebastiaan van Stijn
79976446f7
vendor: github.com/klauspost/compress v1.17.4
newer versions continue to include performance improvements, so it's good
to stay up-to-date.

full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:33:39 +01:00
Sebastiaan van Stijn
db187ae55c
vendor: github.com/gorilla/mux v1.8.1
full diff: https://github.com/gorilla/mux/compare/v1.8.0...v1.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:26:51 +01:00
Sebastiaan van Stijn
d6dd652f5a
vendor: github.com/sirupsen/logrus v1.9.3
full diff: https://github.com/sirupsen/logrus/compare/v1.8.1...v1.9.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 10:21:44 +01:00
dependabot[bot]
b8b390f4cd
build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/v3/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.0...v3.0.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-21 22:25:08 +00:00
dependabot[bot]
32316367c8
Bump google.golang.org/grpc from 1.53.0 to 1.56.3
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.53.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.53.0...v1.56.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-25 22:26:53 +00:00
Milos Gajdos
fe21f43911
feat: replace docker/libtrust with go-jose/go-jose
docker/libtrust repository has been archived for several years now.
This commit replaces all the libtrust JWT machinery with go-jose/go-jose module.
Some of the code has been adopted from libtrust and adjusted for some of
the use cases covered by the token authorization flow especially in the
tests.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-10-19 15:32:59 +01:00
dependabot[bot]
758c0f9d77
Bump golang.org/x/net from 0.8.0 to 0.17.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.8.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-11 23:39:45 +00:00
Geoffrey Hausheer
2435def474 Support systemd socket-activation
Signed-off-by: Geoffrey Hausheer <rc2012@pblue.org>
2023-09-20 09:37:22 -07:00
dependabot[bot]
e4dd28b886
Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.3 to 0.2.4.
- [Release notes](https://github.com/cyphar/filepath-securejoin/releases)
- [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4)

---
updated-dependencies:
- dependency-name: github.com/cyphar/filepath-securejoin
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-07 13:06:27 +00:00
Sebastiaan van Stijn
152af63ec5
deprecate reference package, migrate to github.com/distribution/reference
This integrates the new module, which was extracted from this repository
at commit b9b19409cf458dcb9e1253ff44ba75bd0620faa6;

    # install filter-repo (https://github.com/newren/git-filter-repo/blob/main/INSTALL.md)
    brew install git-filter-repo

    # create a temporary clone of docker
    cd ~/Projects
    git clone https://github.com/distribution/distribution.git reference
    cd reference

    # commit taken from
    git rev-parse --verify HEAD
    b9b19409cf

    # remove all code, except for general files, 'reference/', and rename to /
    git filter-repo \
      --path .github/workflows/codeql-analysis.yml \
      --path .github/workflows/fossa.yml \
      --path .golangci.yml \
      --path distribution-logo.svg \
      --path CODE-OF-CONDUCT.md \
      --path CONTRIBUTING.md \
      --path GOVERNANCE.md \
      --path README.md \
      --path LICENSE \
      --path MAINTAINERS \
      --path-glob 'reference/*.*' \
      --path-rename reference/:

    # initialize go.mod
    go mod init github.com/distribution/reference
    go mod tidy -go=1.20

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-31 15:47:06 +02:00
Milos Gajdos
fcbc25e789
Replace redigo with redis-go
We are replacing the very outdated redigo Go module with the official
redis Go module, go-redis.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-26 07:44:02 +01:00
David van der Spek
3e4c4ead4c
Remove bugsnag
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-21 10:24:36 +02:00
David van der Spek
77c33cd243
remove NewRelic
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-18 12:16:18 +02:00
Milos Gajdos
ac32466188
Merge pull request #3993 from DavidSpek/update-golang-lru
Update github.com/hashicorp/golang-lru to v2
2023-08-18 08:09:11 +01:00
David van der Spek
0f006548a1
update golang-lru to v2
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-17 13:41:54 +02:00
David van der Spek
9d862f0982
fix(deps): update module github.com/aws/aws-sdk-go to v1.44.325
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
2023-08-17 12:02:28 +02:00
Milos Gajdos
3f1859af26
Remove oss storage driver and alicdn storage driver middleware
This commit removes `oss` storage driver from distribution as well as
`alicdn` storage middleware which only works with the `oss` driver.

There are several reasons for it:
* no real-life expertise among the maintainers
* oss is compatible with S3 API operations required by S3 storage driver

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-16 08:39:20 +01:00
Milos Gajdos
c6b9944ab1
Remove SWIFT storage driver
This commit removes swift storage driver from distribution.
There are several reasons for it:
* no real life expertise among the maintainers
* swift is compatible with S3 API operations required by S3 storage driver

This will also remove depedencies that are also hard to keep up with.

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2023-08-15 09:14:11 +01:00
Laura Brehm
afe5a2a9b7 Support ztsd compression as Content-Encoding
Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-06-01 14:06:25 +01:00
Flavian Missi
817dd286c1 vendor: update gcs driver dependencies files
Signed-off-by: Flavian Missi <fmissi@redhat.com>
2023-05-31 09:28:43 +02:00
Flavian Missi
7caf058a65
bump azure sdk
v1.3.0 of azidentity introduces support to workload identity.

Signed-off-by: Flavian Missi <fmissi@redhat.com>
2023-05-22 09:05:35 +02:00
AdamKorcz
e2a43ec8d3
Fuzzing: Move over two fuzzers from cncf-fuzzing
Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-02 23:03:57 +02:00
Kirat Singh
ba4a6bbe02 Update Azure SDK and support additional authentication schemes
Microsoft has updated the golang Azure SDK significantly.  Update the
azure storage driver to use the new SDK.  Add support for client
secret and MSI authentication schemes in addition to shared key
authentication.

Implement rootDirectory support for the azure storage driver to mirror
the S3 driver.

Signed-off-by: Kirat Singh <kirat.singh@beacon.io>

Co-authored-by: Cory Snider <corhere@gmail.com>
2023-04-25 17:23:20 +00:00
dependabot[bot]
9594fbcfeb
build(deps): bump golang.org/x/net from 0.4.0 to 0.7.0
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-17 22:42:11 +00:00
Sebastiaan van Stijn
345be95498
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to (circular) dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/3c1f35247d10...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.3.7...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 10:39:04 +01:00
Wang Yan
9d38ed78d2
Merge pull request #3764 from thaJeztah/bump_cobra
go.mod: github.com/spf13/cobra v1.6.1
2022-11-09 11:19:22 +08:00
Sebastiaan van Stijn
7b651a9692
digestset: deprecate package in favor of go-digest/digestset
This package was only used for the deprecated "shortid" syntax. Now that
support for this syntax was removed, we can also remove this package.

This patch deprecates and removes the package, adding temporary aliases pointing
to the new location to ease migration from docker/distribution to the new
distribution/distribution/v3. We should remove those aliases in a future update.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-08 23:17:10 +01:00
Sebastiaan van Stijn
b1285c33a8
go.mod: github.com/spf13/cobra v1.6.1
We were using v1.0.0 of Cobra as newer versions added spf13/viper as dependency,
which came with many indirect dependencies. Cobra v1.6.0 and up no longer depend
on viper, so we can now safely upgrade to the latest version.

full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-02 19:48:45 +01:00
Milos Gajdos
c47a966fde
Merge pull request #3727 from thaJeztah/bump_x_net
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
2022-10-21 10:26:57 +01:00