Add the ability to blacklist v2 for specific versions

2015-12-15 16:21:06 -05:00 · 2015-12-15 16:21:06 -05:00 · 766d60493f
commit 766d60493f
parent 4a84388f15
7 changed files with 97 additions and 2 deletions
--- a/config.py
+++ b/config.py
@ -193,6 +193,10 @@ class DefaultConfig(object):
  # Feature Flag: Whether the v2/ endpoint is visible
  FEATURE_ADVERTISE_V2 = True
  # Semver spec for which Docker versions we will blacklist
  # Documentation: http://pythonhosted.org/semantic_version/reference.html#semantic_version.Spec
  BLACKLIST_V2_SPEC = '<1.6.0'
  BUILD_MANAGER = ('enterprise', {})
  DISTRIBUTED_STORAGE_CONFIG = {
--- a/endpoints/v2/init.py
+++ b/endpoints/v2/init.py
@ -3,6 +3,7 @@ import logging
 from flask import Blueprint, make_response, url_for, request, jsonify
 from functools import wraps
 from urlparse import urlparse
 from semantic_version import Spec
 import features
@ -13,8 +14,10 @@ from auth.auth_context import get_grant_context
 from auth.permissions import (ReadRepositoryPermission, ModifyRepositoryPermission,
                              AdministerRepositoryPermission)
 from data import model
 from app import app
 from util.http import abort
 from util.saas.metricqueue import time_blueprint
 from util.registry.dockerver import docker_version
 from auth.registry_jwt_auth import process_registry_jwt_auth, get_auth_headers
 logger = logging.getLogger(__name__)
@ -75,6 +78,14 @@ def route_show_if(value):
@process_registry_jwt_auth
@anon_allowed
 def v2_support_enabled():
  docker_ver = docker_version(request.user_agent.string)
  # Check if our version is one of the blacklisted versions, if we can't
  # identify the version (None) we will fail open and assume that it is
  # newer and therefore should not be blacklisted.
  if Spec(app.config['BLACKLIST_V2_SPEC']).match(docker_ver) and docker_ver is not None:
    abort(404)
  response = make_response('true', 200)
  if get_grant_context() is None:
--- a/requirements-nover.txt
+++ b/requirements-nover.txt
@ -58,3 +58,4 @@ rfc3987
 jsonpath-rw
 bintrees
 redlock
 semantic-version
--- a/requirements.txt
+++ b/requirements.txt
@ -78,6 +78,7 @@ reportlab==2.7
 requests==2.7.0
 requests-oauthlib==0.5.0
 rfc3987==1.3.4
 semantic-version==2.4.2
 simplejson==3.7.3
 six==1.9.0
 SQLAlchemy==1.0.6
--- a/test/registry_tests.py
+++ b/test/registry_tests.py
@ -181,13 +181,18 @@ class RegistryTestCaseMixin(LiveServerTestCase):
 class BaseRegistryMixin(object):
  def conduct(self, method, url, headers=None, data=None, auth=None, params=None, expected_code=200,
-              json_data=None):
+              json_data=None, user_agent=None):
    params = params or {}
    params['_csrf_token'] = self.csrf_token
    headers = headers or {}
    auth_tuple = None
    if user_agent is not None:
      headers['User-Agent'] = user_agent
    else:
      headers['User-Agent'] = 'docker/1.9.1'
    if self.docker_token:
      headers['X-Docker-Token'] = self.docker_token
@ -1026,6 +1031,9 @@ class V2RegistryTests(V2RegistryPullMixin, V2RegistryPushMixin, RegistryTestsMix
    # Try to get tags before a repo exists.
    self.conduct('GET', '/v2/devtable/doesnotexist/tags/list', auth='jwt', expected_code=401)
  def test_one_five_blacklist(self):
    self.conduct('GET', '/v2/', expected_code=404, user_agent='Go 1.1 package http')
 class V1PushV2PullRegistryTests(V2RegistryPullMixin, V1RegistryPushMixin, RegistryTestsMixin,
                                RegistryTestCaseMixin, LiveServerTestCase):
--- a/test/test_util.py
+++ b/test/test_util.py
@ -1,9 +1,11 @@
 import unittest
 from itertools import islice
 from semantic_version import Version, Spec
 from util.validation import generate_valid_usernames
 from util.registry.generatorfile import GeneratorFile
 from util.registry.dockerver import docker_version
 class TestGeneratorFile(unittest.TestCase):
  def sample_generator(self):
@ -131,6 +133,47 @@ class TestUsernameGenerator(unittest.TestCase):
    self.assertEquals('a003', generated_output[3])
 class TestDockerVersionParsing(unittest.TestCase):
  def test_parsing(self):
    tests_cases = [
      ('docker/1.6.0 go/go1.4.2 git-commit/1234567 kernel/4.2.0-18-generic os/linux arch/amd64',
       Version('1.6.0')),
      ('docker/1.7.1 go/go1.4.2 kernel/4.1.7-15.23.amzn1.x86_64 os/linux arch/amd64',
       Version('1.7.1')),
      ('docker/1.6.2 go/go1.4.2 git-commit/7c8fca2-dirty kernel/4.0.5 os/linux arch/amd64',
       Version('1.6.2')),
      ('docker/1.9.0 go/go1.4.2 git-commit/76d6bc9 kernel/3.16.0-4-amd64 os/linux arch/amd64',
       Version('1.9.0')),
      ('docker/1.9.1 go/go1.4.2 git-commit/a34a1d5 kernel/3.10.0-229.20.1.el7.x86_64 os/linux arch/amd64',
       Version('1.9.1')),
      ('docker/1.8.2-circleci go/go1.4.2 git-commit/a8b52f5 kernel/3.13.0-71-generic os/linux arch/amd64',
       Version('1.8.2')),
      ('Go 1.1 package http', Version('1.5.0')),
      ('curl', None),
      ('docker/1.8 stuff', Version('1.8.0')),
    ]
    for ua_string, ver_info in tests_cases:
      parsed_ver = docker_version(ua_string)
      self.assertEquals(ver_info, parsed_ver)
  def test_specs(self):
    test_cases = [
      # (Spec, no_match_case_list, matching_case_list)
      (Spec('<1.6.0'), ['1.6.0', '1.6.1', '1.9.0', '100.5.2'], ['0.0.0', '1.5.99']),
      (Spec('<1.9.0'), ['1.9.0', '100.5.2'], ['0.0.0', '1.5.99', '1.6.0', '1.6.1']),
      (Spec('<1.6.0,>0.0.1'), ['1.6.0', '1.6.1', '1.9.0', '0.0.0'], ['1.5.99']),
    ]
    for spec, no_match_cases, match_cases in test_cases:
      for no_match_case in no_match_cases:
        self.assertFalse(spec.match(Version(no_match_case)),
                         'Spec: %s Case: %s' % (spec, no_match_case))
      for match_case in match_cases:
        self.assertTrue(spec.match(Version(match_case)),
                        'Spec: %s Case: %s' % (spec, match_case))
 if __name__ == '__main__':
  unittest.main()
--- a/util/registry/dockerver.py
+++ b/util/registry/dockerver.py
@ -0,0 +1,27 @@
 import re
 from semantic_version import Version
 _USER_AGENT_SEARCH_REGEX = re.compile(r'docker\/([0-9]+(?:\.[0-9]+){1,2})')
 _EXACT_1_5_USER_AGENT = re.compile(r'^Go 1\.1 package http$')
 _ONE_FIVE_ZERO = '1.5.0'
 def docker_version(user_agent_string):
  """ Extract the Docker version from the user agent, taking special care to
      handle the case of a 1.5 client requesting an auth token, which sends
      a broken user agent. If we can not positively identify a version, return
      None.
      """
  # First search for a well defined semver portion in the UA header.
  found_semver = _USER_AGENT_SEARCH_REGEX.search(user_agent_string)
  if found_semver:
    return Version(found_semver.group(1), partial=True)
  # Check if we received the very specific header which represents a 1.5 request
  # to the auth endpoints.
  elif _EXACT_1_5_USER_AGENT.match(user_agent_string):
    return Version(_ONE_FIVE_ZERO)
  else:
    return None