Add ability for specific geographic regions to be blocked from pulling images within a namespace

endpoints/v2/blob.py

@@ -13,11 +13,11 @@ from data.registry_model.blobuploader import (create_blob_upload, retrieve_blob_
                                               BlobUploadException, BlobTooLargeException,
                                               BlobRangeMismatchException)
 from digest import digest_tools
-from endpoints.decorators import anon_protect, parse_repository_name
+from endpoints.decorators import anon_protect, parse_repository_name, check_region_blacklisted
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write, get_input_stream
 from endpoints.v2.errors import (
   BlobUnknown, BlobUploadInvalid, BlobUploadUnknown, Unsupported, NameUnknown, LayerTooLarge,
-  InvalidRequest)
+  InvalidRequest, BlobDownloadGeoBlocked)
 from util.cache import cache_control
 from util.names import parse_namespace_repository
 
@@ -65,6 +65,7 @@ def check_blob_exists(namespace_name, repo_name, digest):
 @process_registry_jwt_auth(scopes=['pull'])
 @require_repo_read
 @anon_protect
+@check_region_blacklisted(BlobDownloadGeoBlocked)
 @cache_control(max_age=31536000)
 def download_blob(namespace_name, repo_name, digest):
   # Find the blob.

endpoints/v2/errors.py

@@ -144,3 +144,10 @@ class NamespaceDisabled(V2RegistryException):
   def __init__(self, message=None):
     message = message or 'This namespace is disabled. Please contact your system administrator.'
     super(NamespaceDisabled, self).__init__('NAMESPACE_DISABLED', message, {}, 400)
+
+
+class BlobDownloadGeoBlocked(V2RegistryException):
+  def __init__(self, detail=None):
+    message = ('The region from which you are pulling has been geo-ip blocked. ' +
+               'Please contact the namespace owner.')
+    super(BlobDownloadGeoBlocked, self).__init__('BLOB_DOWNLOAD_GEO_BLOCKED', message, detail, 403)