e4168b7ee4
chore: add workspace clippy lints, release profiles, COMPAT.md, diff-registry.sh ( #119 )
...
- Workspace clippy lints: or_fun_call, redundant_clone, collection_is_never_read,
naive_bytecount, stable_sort_primitive, large_types_passed_by_value, assigning_clones
- Fix or_fun_call in cargo_registry.rs (unwrap_or -> unwrap_or_else)
- Release profiles: release (thin LTO) + release-official (full LTO, codegen-units=1)
- COMPAT.md: protocol compatibility matrix for all 7 registries (40 endpoints)
- scripts/diff-registry.sh: differential smoke tests (Docker/npm/Cargo/PyPI/Go/Raw)
2026-04-09 12:38:59 +03:00
dependabot[bot]
25ba9f6cb5
chore(deps): bump criterion from 0.5.1 to 0.8.2 ( #112 )
...
Bumps [criterion](https://github.com/criterion-rs/criterion.rs ) from 0.5.1 to 0.8.2.
- [Release notes](https://github.com/criterion-rs/criterion.rs/releases )
- [Changelog](https://github.com/criterion-rs/criterion.rs/blob/master/CHANGELOG.md )
- [Commits](https://github.com/criterion-rs/criterion.rs/compare/0.5.1...criterion-v0.8.2 )
---
updated-dependencies:
- dependency-name: criterion
dependency-version: 0.8.2
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com >
2026-04-07 17:02:28 +03:00
dependabot[bot]
347e3016d3
chore(deps): bump toml from 1.0.6+spec-1.1.0 to 1.1.2+spec-1.1.0 ( #111 )
...
Bumps [toml](https://github.com/toml-rs/toml ) from 1.0.6+spec-1.1.0 to 1.1.2+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v1.0.6...toml-v1.1.2 )
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.1.2+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: DevITWay | Pavel Volkov <devitway@gmail.com >
2026-04-07 16:59:42 +03:00
ac3a8a7c43
quality: MSRV, tarpaulin config, proptest for parsers ( #84 )
...
* fix: proxy dedup, multi-registry GC, TOCTOU and credential hygiene
- Deduplicate proxy_fetch/proxy_fetch_text into generic proxy_fetch_core
with response extractor closure (removes ~50 lines of copy-paste)
- GC now scans all registry prefixes, not just docker/
- Add tracing::warn to fire-and-forget cache writes in docker proxy
- Mark S3 credentials as skip_serializing to prevent accidental leaks
- Remove TOCTOU race in LocalStorage get/delete (redundant exists check)
* chore: clean up root directory structure
- Move Dockerfile.astra and Dockerfile.redos to deploy/ (niche builds
should not clutter the project root)
- Harden .gitignore to exclude session files, working notes, and
internal review scripts
* refactor(metrics): replace 13 atomic fields with CounterMap
Per-registry download/upload counters were 13 individual AtomicU64
fields, each duplicated across new(), with_persistence(), save(),
record_download(), record_upload(), and get_registry_* (6 touch points
per counter). Adding a new registry required changes in 6+ places.
Now uses CounterMap (HashMap<String, AtomicU64>) for per-registry
counters. Adding a new registry = one entry in REGISTRIES const.
Added Go registry to REGISTRIES, gaining go metrics for free.
* quality: add MSRV, tarpaulin config, proptest for parsers
- Set rust-version = 1.75 in workspace Cargo.toml (MSRV policy)
- Add tarpaulin.toml: llvm engine, fail-under=25, json+html output
- Add coverage/ to .gitignore
- Update CI to use tarpaulin.toml instead of inline flags
- Add proptest dev-dependency and property tests:
- validation.rs: 16 tests (never-panics + invariants for all 4 validators)
- pypi.rs: 5 tests (extract_filename never-panics + format assertions)
* test: add unit tests for 14 modules, coverage 21% → 30%
Add 149 new tests across auth, backup, gc, metrics, mirror parsers,
docker (manifest detection, session cleanup, metadata serde),
docker_auth (token cache), maven, npm, pypi (normalize, rewrite, extract),
raw (content-type guessing), request_id, and s3 (URI encoding).
Update tarpaulin.toml: raise fail-under to 30, exclude UI/main from
coverage reporting as they require integration tests.
* bench: add criterion benchmarks for validation and manifest parsing
Add parsing benchmark suite with 14 benchmarks covering:
- Storage key, Docker name, digest, and reference validation
- Docker manifest media type detection (v2, OCI index, minimal, invalid)
Run with: cargo bench --package nora-registry --bench parsing
* test: add 48 integration tests via tower oneshot
Add integration tests for all HTTP handlers:
- health (3), raw (7), cargo (4), maven (4), request_id (2)
- pypi (5), npm (5), docker (12), auth (6)
Create test_helpers.rs with TestContext pattern.
Add tower and http-body-util dev-dependencies.
Update tarpaulin fail-under 30 to 40.
Coverage: 29.5% to 43.3% (2089/4825 lines)
* fix: clean clippy warnings in tests, fix flaky audit test
Add #[allow(clippy::unwrap_used)] to 18 test modules.
Fix 3 additional clippy lints: writeln_empty_string, needless_update,
unnecessary_get_then_check.
Fix flaky audit test: replace single sleep(50ms) with retry loop (max 1s).
Prefix unused token variable with underscore.
cargo clippy --all-targets = 0 warnings (was 245 errors)
2026-04-05 10:01:50 +03:00
c8dc141b2f
feat: add Go module proxy (GOPROXY protocol) ( #59 )
...
* feat: add Go module proxy (GOPROXY protocol) (#47 )
Implements caching proxy for Go modules with 5 standard endpoints:
- GET /go/{module}/@v/list — list versions
- GET /go/{module}/@v/{version}.info — version metadata
- GET /go/{module}/@v/{version}.mod — go.mod file
- GET /go/{module}/@v/{version}.zip — module zip
- GET /go/{module}/@latest — latest version info
Features:
- Module path encoding/decoding per Go spec (!x → X)
- Immutable caching (.info/.mod/.zip never overwritten)
- Mutable endpoints (@v/list, @latest) refreshed from upstream
- Configurable upstream (default: proxy.golang.org)
- Separate timeout for .zip downloads (default: 120s)
- Size limit for zips (default: 100MB)
- Path traversal protection
- Dashboard integration (stats, mount points, index)
- 25 unit tests (encoding, path splitting, safety, content-type)
Closes #47
* style: cargo fmt
* feat(ui): add Go pages, compact cards, fix icons
- Go in sidebar + list/detail pages with go get command
- Dashboard: fix fallback icon (was Docker whale for Go)
- Compact registry cards: lg:grid-cols-6, all 6 in one row
- Cargo icon: crate boxes instead of truck
- Go icon: stylized Go text (sidebar + dashboard)
* fix(go): URL-decode path + send encoded paths to upstream
Go client sends %21 for ! in module paths. Axum wildcard does not
auto-decode, so we percent-decode manually. Upstream proxy.golang.org
expects encoded paths (with !), not decoded uppercase.
Tested: full Pusk build (22 modules, 135MB cached) including
SherClockHolmes/webpush-go with triple uppercase encoding.
* style: cargo fmt
2026-03-27 21:16:00 +03:00
432e8d35af
security: migrate token hashing from SHA256 to Argon2id ( #55 )
...
* docs: add DCO, governance model, roles, vulnerability credit policy
* security: migrate token hashing from SHA256 to Argon2id
- Replace unsalted SHA256 with Argon2id (salted) for API token hashing
- Fix TOCTOU race: replace exists()+read() with read()+match on error
- Set chmod 600 on token files and 700 on token storage directory
- Auto-migrate legacy SHA256 tokens to Argon2id on first verification
- Add regression tests: argon2 format, legacy migration, file permissions
2026-03-24 22:56:43 +00:00
fa2cd45ed3
security: harden Docker registry and container runtime
...
- Verify blob digest (SHA256) on upload, reject mismatches (DIGEST_INVALID)
- Reject sha512 digests (only sha256 supported)
- Add upload session limits: max 100 concurrent, 2GB per session, 30min TTL
- Bind upload sessions to repository name (prevent session fixation)
- Filter .meta.json from Docker tag list (fix ArgoCD Image Updater recursion)
- Fix catalog to show namespaced images (library/alpine instead of library)
- Add security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Run containers as non-root user (USER nora) in all 3 Dockerfiles
- Add configurable NORA_MAX_UPLOAD_SESSIONS and NORA_MAX_UPLOAD_SESSION_SIZE_MB
2026-03-19 08:29:28 +00:00
cb37813f11
security: add cargo-fuzz targets and ClusterFuzzLite config
...
Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection
Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)
2026-03-17 11:20:17 +00:00
dependabot[bot]
95c6e403a8
chore(deps): bump bcrypt from 0.18.0 to 0.19.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt ) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.18.0...v0.19.0 )
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.19.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-10 04:25:38 +00:00
45c3e276dc
Merge pull request #8 from getnora-io/dependabot/cargo/indicatif-0.18.4
...
chore(deps): bump indicatif from 0.17.11 to 0.18.4
2026-03-03 12:13:33 +03:00
dependabot[bot]
f4e53b85dd
chore(deps): bump indicatif from 0.17.11 to 0.18.4
...
Bumps [indicatif](https://github.com/console-rs/indicatif ) from 0.17.11 to 0.18.4.
- [Release notes](https://github.com/console-rs/indicatif/releases )
- [Commits](https://github.com/console-rs/indicatif/compare/0.17.11...0.18.4 )
---
updated-dependencies:
- dependency-name: indicatif
dependency-version: 0.18.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 09:13:21 +00:00
dependabot[bot]
7454ff2e03
chore(deps): bump bcrypt from 0.17.1 to 0.18.0
...
Bumps [bcrypt](https://github.com/Keats/rust-bcrypt ) from 0.17.1 to 0.18.0.
- [Commits](https://github.com/Keats/rust-bcrypt/compare/v0.17.1...v0.18.0 )
---
updated-dependencies:
- dependency-name: bcrypt
dependency-version: 0.18.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-03 04:26:29 +00:00
4ad802ce2f
fix: bump prometheus 0.13->0.14 and bytes 1.11.0->1.11.1 (CVE-2025-53605, CVE-2026-25541)
2026-02-24 11:36:07 +00:00
dependabot[bot]
bcd172f23f
chore(deps): bump toml from 0.8.23 to 1.0.3+spec-1.1.0 ( #7 )
...
Bumps [toml](https://github.com/toml-rs/toml ) from 0.8.23 to 1.0.3+spec-1.1.0.
- [Commits](https://github.com/toml-rs/toml/compare/toml-v0.8.23...toml-v1.0.3 )
---
updated-dependencies:
- dependency-name: toml
dependency-version: 1.0.3+spec-1.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:52 +01:00
dependabot[bot]
a5a7c4f8be
chore(deps): bump flate2 from 1.1.8 to 1.1.9 ( #6 )
...
Bumps [flate2](https://github.com/rust-lang/flate2-rs ) from 1.1.8 to 1.1.9.
- [Release notes](https://github.com/rust-lang/flate2-rs/releases )
- [Commits](https://github.com/rust-lang/flate2-rs/compare/1.1.8...1.1.9 )
---
updated-dependencies:
- dependency-name: flate2
dependency-version: 1.1.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-24 12:22:46 +01:00
b29a0309d4
feat: add S3 authentication and fix Docker multi-segment routes
...
S3 Storage:
- Implement AWS Signature v4 for S3-compatible storage (MinIO, AWS)
- Add s3_access_key, s3_secret_key, s3_region config options
- Support both authenticated and anonymous S3 access
- Add proper URI encoding for S3 canonical requests
Docker Registry:
- Fix routing for multi-segment image names (e.g., library/alpine)
- Add namespace routes for two-segment paths (/v2/{ns}/{name}/...)
- Add debug tracing for upstream proxy operations
Config:
- Add NORA_STORAGE_S3_ACCESS_KEY env var
- Add NORA_STORAGE_S3_SECRET_KEY env var
- Add NORA_STORAGE_S3_REGION env var (default: us-east-1)
2026-01-30 23:22:22 +00:00
ee4e01467a
feat: add secrets provider architecture
...
Trait-based secrets management for secure credential handling:
- SecretsProvider trait for pluggable backends
- EnvProvider as default (12-Factor App pattern)
- ProtectedString with zeroize (memory zeroed on drop)
- Redacted Debug impl prevents secret leakage in logs
- S3Credentials struct for future AWS S3 integration
- Config: [secrets] section with provider and clear_env options
Foundation for AWS Secrets Manager, Vault, K8s (v0.4.0+)
2026-01-30 10:02:58 +00:00
f1cda800a2
Fix Docker push/pull: add PATCH endpoint for chunked uploads
...
- Add PATCH handler for /v2/{name}/blobs/uploads/{uuid} to support
chunked blob uploads (Docker sends data chunks via PATCH)
- Include Range header in PATCH response to indicate bytes received
- Add Docker-Content-Digest header to GET manifest responses
- Store manifests by both tag and digest for proper pull support
- Add parking_lot dependency for upload session state management
2026-01-26 12:01:05 +00:00
7ed3444d86
test: add comprehensive unit tests for storage and auth
...
- LocalStorage tests: put/get, list, stat, health_check, nested dirs
- S3Storage tests with wiremock HTTP mocking
- Auth/htpasswd tests: loading, validation, public paths
- Token lifecycle tests: create, verify, expire, revoke
Total: 75 tests passing
2026-01-26 00:02:09 +00:00
586420a476
feat: initialize NORA artifact registry
...
Cloud-native multi-protocol artifact registry in Rust.
- Docker Registry v2
- Maven (+ proxy)
- npm (+ proxy)
- Cargo, PyPI
- Web UI, Swagger, Prometheus
- Local & S3 storage
- 32MB Docker image
Created by DevITWay
https://getnora.io
2026-01-25 17:33:15 +00:00
