Disable certain APIs and build triggers when trust is enabled

Since trust will break if Quay makes changes, disable all Quay tag-change APIs and build APIs+webhooks when trust is enabled on a repository. Once we get Quay signing things itself, we can revisit this.
Joseph Schorr 2017-04-16 22:40:59 -04:00
parent 2661db7485
commit 6f722e4585
8 changed files with 102 additions and 10 deletions


@ -5,7 +5,7 @@ from flask import request, abort
from endpoints.api import (resource, nickname, require_repo_read, require_repo_write,
RepositoryParamResource, log_action, validate_json_request,
path_param, parse_args, query_param, truthy_bool,
disallow_for_app_repositories)
disallow_for_app_repositories, disallow_under_trust)
from endpoints.exception import NotFound
from endpoints.api.image import image_view
from data import model
@ -85,6 +85,7 @@ class RepositoryTag(RepositoryParamResource):
@require_repo_write
@disallow_for_app_repositories
@disallow_under_trust
@nickname('changeTagImage')
@validate_json_request('MoveTag')
def put(self, namespace, repository, tag):
@ -120,6 +121,7 @@ class RepositoryTag(RepositoryParamResource):
@require_repo_write
@disallow_for_app_repositories
@disallow_under_trust
@nickname('deleteFullTag')
def delete(self, namespace, repository, tag):
""" Delete the specified repository tag. """
@ -212,6 +214,7 @@ class RestoreTag(RepositoryParamResource):
@require_repo_write
@disallow_for_app_repositories
@disallow_under_trust
@nickname('restoreTag')
@validate_json_request('RestoreTag')
def post(self, namespace, repository, tag):
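Review bot: The trust guard is opt-in per handler (`put` and `delete` on `RepositoryTag`, `post` on `RestoreTag`), so a tag-mutating endpoint added later without `@disallow_under_trust` would silently change tags the signed metadata still vouches for. The decorator's implementation and the handler bodies are outside these hunks, so it is not visible here whether any other write path to tags is covered; a test that walks the tag resources and asserts every PUT/POST/DELETE handler carries the guard would pin this down. Placing it below `@require_repo_write` looks right, since the permission check should then run first and the trust state is not revealed to callers without write access. That ordering deserves a short comment such as `# keep below require_repo_write: permission is checked before trust state`.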