Disable certain APIs and build triggers when trust is enabled

Since trust will break if Quay makes changes, disable all Quay tag-change APIs and build APIs+webhooks when trust is enabled on a repository. Once we get Quay signing things itself, we can revisit this.
2017-04-16 22:40:59 -04:00 · 2017-04-16 22:40:59 -04:00 · 6f722e4585
commit 6f722e4585
parent 2661db7485
8 changed files with 102 additions and 10 deletions
--- a/endpoints/api/build.py
+++ b/endpoints/api/build.py
@ -19,7 +19,8 @@ from data.buildlogs import BuildStatusRetrievalError
 from endpoints.api import (RepositoryParamResource, parse_args, query_param, nickname, resource,
                           require_repo_read, require_repo_write, validate_json_request,
                           ApiResource, internal_only, format_date, api, path_param,
-                           require_repo_admin, abort, disallow_for_app_repositories)
+                           require_repo_admin, abort, disallow_for_app_repositories,
+                           disallow_under_trust)
 from endpoints.building import start_build, PreparedBuild, MaximumBuildsQueuedException
 from endpoints.exception import Unauthorized, NotFound, InvalidRequest
 from util.names import parse_robot_username
@ -225,6 +226,7 @@ class RepositoryBuildList(RepositoryParamResource):
  @require_repo_write
  @nickname('requestRepoBuild')
  @disallow_for_app_repositories
+  @disallow_under_trust
  @validate_json_request('RepositoryBuildRequest')
  def post(self, namespace, repository):
    """ Request that a repository be built and pushed from the specified input. """
@ -361,6 +363,7 @@ class RepositoryBuildResource(RepositoryParamResource):

  @require_repo_admin
  @nickname('cancelRepoBuild')
+  @disallow_under_trust
  @disallow_for_app_repositories
  def delete(self, namespace, repository, build_uuid):
    """ Cancels a repository build. """