project-zot · rchincha · Dec 13, 2023 · Dec 11, 2023 · eusebiu-constantin-petu-dbk · Dec 13, 2023
@@ -639,7 +639,7 @@ func TestAllowMethodsHeader(t *testing.T) {
 		// /v2/{name}/manifests/{reference}
 		resp, err = simpleUserClient.Options(baseURL + "/v2/reponame/manifests/" + digest.String())
 		So(err, ShouldBeNil)
-		So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "HEAD,GET,OPTIONS")
+		So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "HEAD,GET,DELETE,OPTIONS")
 
 		// /v2/{name}/referrers/{digest}
 		resp, err = simpleUserClient.Options(baseURL + "/v2/reponame/referrers/" + digest.String())

@@ -134,14 +134,14 @@ func (rh *RouteHandler) SetupRoutes() {
 			getUIHeadersHandler(rh.c.Config, http.MethodGet, http.MethodOptions)(
 				applyCORSHeaders(rh.ListTags))).Methods(http.MethodGet, http.MethodOptions)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
-			getUIHeadersHandler(rh.c.Config, http.MethodHead, http.MethodGet, http.MethodOptions)(
+			getUIHeadersHandler(rh.c.Config, http.MethodHead, http.MethodGet, http.MethodDelete, http.MethodOptions)(
 				applyCORSHeaders(rh.CheckManifest))).Methods(http.MethodHead, http.MethodOptions)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
 			applyCORSHeaders(rh.GetManifest)).Methods(http.MethodGet)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
 			rh.UpdateManifest).Methods(http.MethodPut)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
-			rh.DeleteManifest).Methods(http.MethodDelete)
+			applyCORSHeaders(rh.DeleteManifest)).Methods(http.MethodDelete)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/blobs/{digest}", zreg.NameRegexp.String()),
 			rh.CheckBlob).Methods(http.MethodHead)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/blobs/{digest}", zreg.NameRegexp.String()),

@@ -18,6 +18,7 @@ import (
 	"zotregistry.io/zot/pkg/log"
 	"zotregistry.io/zot/pkg/meta/boltdb"
 	mTypes "zotregistry.io/zot/pkg/meta/types"
+	reqCtx "zotregistry.io/zot/pkg/requestcontext"
 	. "zotregistry.io/zot/pkg/test/image-utils"
 	"zotregistry.io/zot/pkg/test/mocks"
 	ociutils "zotregistry.io/zot/pkg/test/oci-utils"
@@ -815,5 +816,35 @@ func TestConvertErrors(t *testing.T) {
 			)
 			So(len(imgSums), ShouldEqual, 0)
 		})
+
+		Convey("RepoMeta2ExpandedRepoInfo - bad ctx value", func() {
+			uacKey := reqCtx.GetContextKey()
+			ctx := context.WithValue(ctx, uacKey, "bad context")
+
+			_, imgSums := convert.RepoMeta2ExpandedRepoInfo(ctx,
+				mTypes.RepoMeta{},
+				map[string]mTypes.ImageMeta{
+					"digest": {},
+				},
+				convert.SkipQGLField{}, nil,
+				log,
+			)
+			So(len(imgSums), ShouldEqual, 0)
+		})
+
+		Convey("RepoMeta2ExpandedRepoInfo - nil ctx value", func() {
+			uacKey := reqCtx.GetContextKey()
+			ctx := context.WithValue(ctx, uacKey, nil)
+
+			_, imgSums := convert.RepoMeta2ExpandedRepoInfo(ctx,
+				mTypes.RepoMeta{},
+				map[string]mTypes.ImageMeta{
+					"digest": {},
+				},
+				convert.SkipQGLField{}, nil,
+				log,
+			)
+			So(len(imgSums), ShouldEqual, 0)
+		})
 	})
 }
@@ -17,6 +17,7 @@ import (
 	"zotregistry.io/zot/pkg/extensions/search/pagination"
 	"zotregistry.io/zot/pkg/log"
 	mTypes "zotregistry.io/zot/pkg/meta/types"
+	reqCtx "zotregistry.io/zot/pkg/requestcontext"
 )
 
 type SkipQGLField struct {
@@ -136,6 +137,8 @@ func RepoMeta2ExpandedRepoInfo(ctx context.Context, repoMeta mTypes.RepoMeta,
 	repoName := repoMeta.Name
 	imageSummaries := make([]*gql_generated.ImageSummary, 0, len(repoMeta.Tags))
 
+	userCanDeleteTag, _ := reqCtx.CanDelete(ctx, repoName)
+
 	for tag, descriptor := range repoMeta.Tags {
 		imageMeta := imageMetaMap[descriptor.Digest]
 
@@ -147,6 +150,8 @@ func RepoMeta2ExpandedRepoInfo(ctx context.Context, repoMeta mTypes.RepoMeta,
 			continue
 		}
 
+		imageSummary.IsDeletable = &userCanDeleteTag
+
 		updateImageSummaryVulnerabilities(ctx, imageSummary, skip, cveInfo)
 
 		imageSummaries = append(imageSummaries, imageSummary)

@@ -200,6 +200,10 @@ type ImageSummary {
     Information about objects that reference this image
     """
     Referrers: [Referrer]
+    """
+    True if current user has delete permission on this tag.
+    """
+    IsDeletable: Boolean
 }
 """
 Details about a specific version of an image for a certain operating system and architecture.

@@ -58,7 +58,7 @@
 }

 func (uac *UserAccessControl) SetUsername(username string) {
 	if uac.authnInfo == nil {
 		uac.authnInfo = &UserAuthnInfo{}
 	}

@@ -66,7 +66,7 @@
 }

 func (uac *UserAccessControl) GetUsername() string {
 	if uac.authnInfo == nil {
 		return ""
 	}

@@ -74,7 +74,7 @@
 }

 func (uac *UserAccessControl) AddGroups(groups []string) {
 	if uac.authnInfo == nil {
 		uac.authnInfo = &UserAuthnInfo{
 			groups: []string{},
 		}
@@ -84,7 +84,7 @@
 }

 func (uac *UserAccessControl) GetGroups() []string {
 	if uac.authnInfo == nil {
 		return []string{}
 	}

@@ -92,11 +92,11 @@
 }

 func (uac *UserAccessControl) IsAnonymous() bool {
 	if uac.authnInfo == nil {
 		return true
 	}

 	return uac.authnInfo.username == ""
 }

 func (uac *UserAccessControl) IsAdmin() bool {
@@ -246,10 +246,14 @@
 		return false, err
 	}
 
-	// no authn/authz enabled on server
-	if uac == nil {
-		return true, nil
+	return uac.Can(constants.ReadPermission, repoName), nil
+}
+
+func CanDelete(ctx context.Context, repoName string) (bool, error) {
+	uac, err := UserAcFromContext(ctx)
+	if err != nil {
+		return false, err
 	}
 
-	return uac.Can("read", repoName), nil
+	return uac.Can(constants.DeletePermission, repoName), nil
 }