all: remove Quay keyserver support

This support was never actually used and only tested locally.

Signed-off-by: Hank Donnay <hdonnay@redhat.com>

Documentation/concepts/authentication.md

@@ -9,39 +9,6 @@ present, but they will be used preferentially in the order laid out below.
 
 [jwtproxy]: https://github.com/quay/jwtproxy
 
-### Quay Integration
-
-Quay implements a keyserver protocol that allows for publishing and rotating
-keys in an automated fashion. Any process that has successfully enrolled in the
-keyserver that Clair is configured to talk to should be able to sign requests to
-Clair.
-
-#### Configuration
-
-The `auth` stanza of the configuration file requires one parameter, `api`, which
-is the API endpoint of keyserver protocol.
-
-```yaml
-auth:
-  keyserver:
-    api: 'https://quay.example.com/keys/'
-```
-
-##### Intraservice
-
-When Clair instances are configured with keyserver authentication and run in any
-other mode besides "combo", an additional `intraservice` key is
-required. This key is used for signing and verifying requests within the
-Clair service cluster.
-
-```yaml
-auth:
-  keyserver:
-    api: 'https://quay.example.com/keys/'
-    intraservice: >-
-      MDQ4ODBlNDAtNDc0ZC00MWUxLThhMzAtOTk0MzEwMGQwYTMxCg==
-```
-
 ### PSK
 
 Clair implements JWT-based authentication using a pre-shared key.
@@ -60,6 +27,3 @@ auth:
     iss: 'issuer'
 ```
 
-
-Desired updaters should be selected by the normal configuration mechanism.
-

Documentation/reference/config.md

@@ -117,6 +117,9 @@ more information.
 # `$.tls.root_ca`
 # `$.updaters.filter`
 # `$.notifier.webhook.signed`
+# `$.auth.keyserver`
+# `$.auth.keyserver.api`
+# `$.auth.keyserver.intraservice`
 -->
 
 ### `$.http_listen_addr`
@@ -554,7 +557,8 @@ The STOMP passcode to connect with.
 ### `$.auth`
 Defines ClairV4's external and intra-service JWT based authentication.
 
-If multiple auth mechanisms are defined, the Keyserver is preferred.
+If multiple auth mechanisms are defined, Clair will pick one. Currently, there
+are not multiple mechanisms.
 
 ### `$.auth.psk`
 Defines preshared key authentication.
@@ -571,19 +575,6 @@ a list of string value
 A list of JWT issuers to verify. An empty list will accept any issuer in a
 JWT claim.
 
-### `$.auth.keyserver`
-Defines Quay keyserver authentication.
-
-#### `$.auth.keyserver.api`
-a string value
-
-The API where Quay Keyserver can be reached.
-
-#### `$.auth.keyserver.intraservice`
-a string value
-
-A key shared between all Clair nodes for intra-service JWT authentication.
-
 ### `$.trace`
 Defines distributed tracing configuration based on OpenTelemetry.
 

config/auth.go

@@ -45,16 +45,10 @@ type Auth struct {
 
 // Any reports whether any sort of authentication is configured.
 func (a Auth) Any() bool {
-	return a.PSK != nil ||
-		a.Keyserver != nil
+	return a.PSK != nil
 }
 
 func (a *Auth) lint() ([]Warning, error) {
-	if a.PSK != nil && a.Keyserver != nil {
-		return []Warning{{
-			msg: `both "PSK" and "Keyserver" authentication methods are defined`,
-		}}, nil
-	}
 	return nil, nil
 }
 
@@ -63,15 +57,19 @@ func (a *Auth) lint() ([]Warning, error) {
 //
 // The "Intraservice" key is only needed when the overall config mode is not
 // "combo".
+//
+// Deprecated: This authentication method was never used. It was planned for
+// integration with Quay, but ultimately the Quay team decided to remove the
+// keyserver feature altogether.
 type AuthKeyserver struct {
 	API          string `yaml:"api" json:"api"`
 	Intraservice Base64 `yaml:"intraservice" json:"intraservice"`
 }
 
 func (a *AuthKeyserver) lint() ([]Warning, error) {
-	return []Warning{{
+	return nil, &Warning{
 		inner: fmt.Errorf(`authentication method deprecated: %w`, ErrDeprecated),
-	}}, nil
+	}
 }
 
 // AuthPSK is the configuration for doing pre-shared key based authentication.

config/lint_test.go

@@ -4,7 +4,6 @@ import "fmt"
 
 func ExampleLint() {
 	var c Config
-	c.Auth.Keyserver = &AuthKeyserver{}
 	c.Auth.PSK = &AuthPSK{}
 	ws, err := Lint(&c)
 	fmt.Println("error:", err)
@@ -22,6 +21,4 @@ func ExampleLint() {
 	// warning: connection string is empty and no relevant environment variables found (at $.notifier.connstring)
 	// warning: interval is very fast: may result in increased workload (at $.notifier.poll_interval)
 	// warning: interval is very fast: may result in increased workload (at $.notifier.delivery_interval)
-	// warning: both "PSK" and "Keyserver" authentication methods are defined (at $.auth)
-	// warning: authentication method deprecated: setting will be removed in a future release (at $.auth.keyserver)
 }

go.mod

@@ -7,7 +7,6 @@ require (
 	github.com/google/go-cmp v0.5.7
 	github.com/google/go-containerregistry v0.6.0
 	github.com/google/uuid v1.2.0
-	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
 	github.com/jackc/pgconn v1.10.0
 	github.com/jackc/pgx/v4 v4.13.0
 	github.com/klauspost/compress v1.13.6

go.sum

@@ -483,8 +483,6 @@ github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
-github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=

httptransport/auth.go

@@ -1,7 +1,7 @@
 package httptransport
 
 import (
-	"fmt"
+	"errors"
 	"net/http"
 
 	"github.com/quay/clair/config"
@@ -16,20 +16,6 @@ func authHandler(cfg *config.Config, next http.Handler) (http.Handler, error) {
 
 	// Keep this ordered "best" to "worst".
 	switch {
-	case cfg.Auth.Keyserver != nil:
-		cfg := cfg.Auth.Keyserver
-		ks, err := auth.NewQuayKeyserver(cfg.API)
-		if err != nil {
-			return nil, fmt.Errorf("failed to initialize quay keyserver: %v", err)
-		}
-		checks = append(checks, ks)
-		if cfg.Intraservice != nil {
-			psk, err := auth.NewPSK(cfg.Intraservice, []string{IntraserviceIssuer})
-			if err != nil {
-				return nil, fmt.Errorf("failed to initialize quay keyserver: %w", err)
-			}
-			checks = append(checks, psk)
-		}
 	case cfg.Auth.PSK != nil:
 		cfg := cfg.Auth.PSK
 		issuers := make([]string, 0, 1+len(cfg.Issuer))
@@ -41,6 +27,8 @@ func authHandler(cfg *config.Config, next http.Handler) (http.Handler, error) {
 			return nil, err
 		}
 		checks = append(checks, psk)
+	case cfg.Auth.Keyserver != nil:
+		return nil, errors.New("quay keyserver support has been removed")
 	default:
 		return next, nil
 	}

httptransport/auth_test.go

@@ -137,17 +137,6 @@ func TestAuth(t *testing.T) {
 			},
 			Claims: &jwt.Claims{Issuer: `geromy`},
 		},
-		{
-			Name: "FakeKeyserver",
-			Config: config.Config{
-				Auth: config.Auth{
-					Keyserver: &config.AuthKeyserver{
-						API:          "http://localhost",
-						Intraservice: fakeKey,
-					},
-				},
-			},
-		},
 		{
 			Name: "PSKBadKey",
 			Config: config.Config{
@@ -161,19 +150,6 @@ func TestAuth(t *testing.T) {
 			ShouldFail: true,
 			ConfigMod:  func(_ *testing.T, cfg *config.Config) { cfg.Auth.PSK.Key = []byte("badbeef") },
 		},
-		{
-			Name: "FakeKeyserverFail",
-			Config: config.Config{
-				Auth: config.Auth{
-					Keyserver: &config.AuthKeyserver{
-						API:          "http://localhost",
-						Intraservice: fakeKey,
-					},
-				},
-			},
-			ShouldFail: true,
-			ConfigMod:  func(_ *testing.T, cfg *config.Config) { cfg.Auth.Keyserver = nil },
-		},
 		{
 			Name: "PSKFail",
 			Config: config.Config{