From 4c34b00b38848358ef24ef01667be9c2d46b6c1c Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Wed, 22 Mar 2017 23:46:05 -0400
Subject: [PATCH] Prevent CNR methods from auth-ing on non-app repos
---
 endpoints/appr/decorators.py | 7 +++++++
 endpoints/appr/test/test_decorators.py | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 endpoints/appr/test/test_decorators.py
diff --git a/endpoints/appr/decorators.py b/endpoints/appr/decorators.py
index 4d3efd783..857c3f18e 100644
--- a/endpoints/appr/decorators.py
+++ b/endpoints/appr/decorators.py
@@ -2,6 +2,8 @@ import logging
 from functools import wraps
+from flask import abort
+
 from data import model
@@ -24,6 +26,11 @@ def require_repo_permission(permission_class, scopes=None, allow_public=False,
 def wrapped(*args, **kwargs):
 namespace_name, repo_name = get_reponame_method(*args, **kwargs)
+ image_repo = model.repository.get_repository(namespace_name, repo_name, kind_filter='image')
+ if image_repo is not None:
+ logger.debug('Tried to invoked a CNR method on an image repository')
+ abort(501)
+
 logger.debug('Checking permission %s for repo: %s/%s', permission_class, namespace_name, repo_name)
 permission = permission_class(namespace_name, repo_name)
diff --git a/endpoints/appr/test/test_decorators.py b/endpoints/appr/test/test_decorators.py
new file mode 100644
index 000000000..0e5565da3
--- /dev/null
+++ b/endpoints/appr/test/test_decorators.py
@@ -0,0 +1,19 @@
+import pytest
+
+from werkzeug.exceptions import NotImplemented as NIE
+
+from data import model
+from endpoints.test.fixtures import app, appconfig, database_uri, init_db_path, sqlitedb_file
+from endpoints.appr import require_app_repo_read
+
+def test_require_app_repo_read(app):
+ called = [False]
+
+ # Ensure that trying to read an *image* repository fails.
+ @require_app_repo_read
+ def empty(**kwargs):
+ called[0] = True
+
+ with pytest.raises(NIE):
+ empty(namespace='devtable', package_name='simple')
+ assert not called[0]
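Review bot: The new guard in `wrapped` (second hunk of `endpoints/appr/decorators.py`) answers 501 before any permission check runs, so a caller with no access can learn that an image repository exists at `namespace_name/repo_name` by comparing that status with the response for a name that has no repository. Whether the two responses actually differ depends on the denial path further down in `wrapped`, which is outside the hunk. If private image repository names are meant to stay undisclosed, consider returning the same response the decorator gives for an unknown or unauthorized repository, or applying the kind check only once the caller is known to be allowed to see the repository. The debug line also omits the repository name and has a typo; `logger.debug('Tried to invoke a CNR method on image repository %s/%s', namespace_name, repo_name)` would make these rejections traceable in logs. `require_repo_permission` and `wrapped` both start and end outside the hunk.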
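Review bot: `test_require_app_repo_read` covers only the rejection path, so it would still pass if the guard rejected every repository. A second case that calls a decorated function against an application repository from the fixtures, and one against a name with no repository at all, each asserting that the call is not answered with 501, would pin the boundary the decorator is meant to draw. The test also depends on `devtable/simple` being an image repository in the seeded database, which the comment could state directly, e.g. `# 'devtable/simple' is an image repository in the test fixtures`. `from data import model` appears to be unused in this file.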