Add ability for specific geographic regions to be blocked from pulling images within a namespace

2018-12-05 15:19:37 -05:00 · 2018-12-05 15:19:37 -05:00 · c3710a6a5e
commit c3710a6a5e
parent c71a43a06c
20 changed files with 257 additions and 37 deletions
--- a/endpoints/decorators.py
+++ b/endpoints/decorators.py
@ -1,5 +1,6 @@
 """ Various decorators for endpoint and API handlers. """

+import os
 import logging

 from functools import wraps
@ -7,8 +8,9 @@ from flask import abort, request, make_response

 import features

-from app import app
+from app import app, ip_resolver, model_cache
 from auth.auth_context import get_authenticated_context
+from data.registry_model import registry_model
 from util.names import parse_namespace_repository, ImplicitLibraryNamespaceNotAllowed
 from util.http import abort

@ -122,3 +124,40 @@ def require_xhr_from_browser(func):

    return func(*args, **kwargs)
  return wrapper
+
+
+def check_region_blacklisted(error_class=None, namespace_name_kwarg=None):
+  """ Decorator which checks if the incoming request is from a region geo IP blocked
+      for the current namespace. The first argument to the wrapped function must be
+      the namespace name.
+  """
+  def wrapper(wrapped):
+    @wraps(wrapped)
+    def decorated(*args, **kwargs):
+      if namespace_name_kwarg:
+        namespace_name = kwargs[namespace_name_kwarg]
+      else:
+        namespace_name = args[0]
+ 
+      region_blacklist = registry_model.get_cached_namespace_region_blacklist(model_cache,
+                                                                              namespace_name)
+      if region_blacklist:
+        # Resolve the IP information and block if on the namespace's blacklist.
+        remote_addr = request.remote_addr
+        if os.getenv('TEST', 'false').lower() == 'true':
+          remote_addr = request.headers.get('X-Override-Remote-Addr-For-Testing', remote_addr)
+
+        resolved_ip_info = ip_resolver.resolve_ip(remote_addr)
+        logger.debug('Resolved IP information for IP %s: %s', remote_addr, resolved_ip_info)
+
+        if (resolved_ip_info and
+            resolved_ip_info.country_iso_code and
+            resolved_ip_info.country_iso_code in region_blacklist):
+          if error_class:
+            raise error_class()
+
+          abort(403, 'Pulls of this data have been restricted geographically')
+
+      return wrapped(*args, **kwargs)
+    return decorated
+  return wrapper