feat(ui): let UI delete manifests if current user has permissions to …

…do so

- RepoMeta now contains a new bool field which tells UI if the user has delete permission
on that specific repo
- apply cors on DeleteManifest route

Signed-off-by: Petu Eusebiu <[email protected]>

pkg/api/controller_test.go

@@ -639,7 +639,7 @@ func TestAllowMethodsHeader(t *testing.T) {
 		// /v2/{name}/manifests/{reference}
 		resp, err = simpleUserClient.Options(baseURL + "/v2/reponame/manifests/" + digest.String())
 		So(err, ShouldBeNil)
-		So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "HEAD,GET,OPTIONS")
+		So(resp.Header().Get("Access-Control-Allow-Methods"), ShouldResemble, "HEAD,GET,DELETE,OPTIONS")
 
 		// /v2/{name}/referrers/{digest}
 		resp, err = simpleUserClient.Options(baseURL + "/v2/reponame/referrers/" + digest.String())

pkg/api/routes.go

@@ -134,14 +134,14 @@ func (rh *RouteHandler) SetupRoutes() {
 			getUIHeadersHandler(rh.c.Config, http.MethodGet, http.MethodOptions)(
 				applyCORSHeaders(rh.ListTags))).Methods(http.MethodGet, http.MethodOptions)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
-			getUIHeadersHandler(rh.c.Config, http.MethodHead, http.MethodGet, http.MethodOptions)(
+			getUIHeadersHandler(rh.c.Config, http.MethodHead, http.MethodGet, http.MethodDelete, http.MethodOptions)(
 				applyCORSHeaders(rh.CheckManifest))).Methods(http.MethodHead, http.MethodOptions)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
 			applyCORSHeaders(rh.GetManifest)).Methods(http.MethodGet)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
 			rh.UpdateManifest).Methods(http.MethodPut)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/manifests/{reference}", zreg.NameRegexp.String()),
-			rh.DeleteManifest).Methods(http.MethodDelete)
+			applyCORSHeaders(rh.DeleteManifest)).Methods(http.MethodDelete)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/blobs/{digest}", zreg.NameRegexp.String()),
 			rh.CheckBlob).Methods(http.MethodHead)
 		prefixedDistSpecRouter.HandleFunc(fmt.Sprintf("/{name:%s}/blobs/{digest}", zreg.NameRegexp.String()),

pkg/extensions/search/convert/convert_test.go

@@ -18,6 +18,7 @@ import (
 	"zotregistry.io/zot/pkg/log"
 	"zotregistry.io/zot/pkg/meta/boltdb"
 	mTypes "zotregistry.io/zot/pkg/meta/types"
+	reqCtx "zotregistry.io/zot/pkg/requestcontext"
 	. "zotregistry.io/zot/pkg/test/image-utils"
 	"zotregistry.io/zot/pkg/test/mocks"
 	ociutils "zotregistry.io/zot/pkg/test/oci-utils"
@@ -815,5 +816,35 @@ func TestConvertErrors(t *testing.T) {
 			)
 			So(len(imgSums), ShouldEqual, 0)
 		})
+
+		Convey("RepoMeta2ExpandedRepoInfo - bad ctx value", func() {
+			uacKey := reqCtx.GetContextKey()
+			ctx := context.WithValue(ctx, uacKey, "bad context")
+
+			_, imgSums := convert.RepoMeta2ExpandedRepoInfo(ctx,
+				mTypes.RepoMeta{},
+				map[string]mTypes.ImageMeta{
+					"digest": {},
+				},
+				convert.SkipQGLField{}, nil,
+				log,
+			)
+			So(len(imgSums), ShouldEqual, 0)
+		})
+
+		Convey("RepoMeta2ExpandedRepoInfo - nil ctx value", func() {
+			uacKey := reqCtx.GetContextKey()
+			ctx := context.WithValue(ctx, uacKey, nil)
+
+			_, imgSums := convert.RepoMeta2ExpandedRepoInfo(ctx,
+				mTypes.RepoMeta{},
+				map[string]mTypes.ImageMeta{
+					"digest": {},
+				},
+				convert.SkipQGLField{}, nil,
+				log,
+			)
+			So(len(imgSums), ShouldEqual, 0)
+		})
 	})
 }

pkg/extensions/search/convert/metadb.go

@@ -17,6 +17,7 @@ import (
 	"zotregistry.io/zot/pkg/extensions/search/pagination"
 	"zotregistry.io/zot/pkg/log"
 	mTypes "zotregistry.io/zot/pkg/meta/types"
+	reqCtx "zotregistry.io/zot/pkg/requestcontext"
 )
 
 type SkipQGLField struct {
@@ -136,6 +137,8 @@ func RepoMeta2ExpandedRepoInfo(ctx context.Context, repoMeta mTypes.RepoMeta,
 	repoName := repoMeta.Name
 	imageSummaries := make([]*gql_generated.ImageSummary, 0, len(repoMeta.Tags))
 
+	userCanDeleteTag, _ := reqCtx.CanDelete(ctx, repoName)
+
 	for tag, descriptor := range repoMeta.Tags {
 		imageMeta := imageMetaMap[descriptor.Digest]
 
@@ -147,6 +150,8 @@ func RepoMeta2ExpandedRepoInfo(ctx context.Context, repoMeta mTypes.RepoMeta,
 			continue
 		}
 
+		imageSummary.IsDeletable = &userCanDeleteTag
+
 		updateImageSummaryVulnerabilities(ctx, imageSummary, skip, cveInfo)
 
 		imageSummaries = append(imageSummaries, imageSummary)

pkg/extensions/search/schema.graphql

@@ -200,6 +200,10 @@ type ImageSummary {
     Information about objects that reference this image
     """
     Referrers: [Referrer]
+    """
+    True if current user has delete permission on this tag.
+    """
+    IsDeletable: Boolean
 }
 """
 Details about a specific version of an image for a certain operating system and architecture.

pkg/requestcontext/user_access_control.go

@@ -246,10 +246,14 @@ func RepoIsUserAvailable(ctx context.Context, repoName string) (bool, error) {
 		return false, err
 	}
 
-	// no authn/authz enabled on server
-	if uac == nil {
-		return true, nil
+	return uac.Can(constants.ReadPermission, repoName), nil
+}
+
+func CanDelete(ctx context.Context, repoName string) (bool, error) {
+	uac, err := UserAcFromContext(ctx)
+	if err != nil {
+		return false, err
 	}
 
-	return uac.Can("read", repoName), nil
+	return uac.Can(constants.DeletePermission, repoName), nil
 }