Add ability for specific geographic regions to be blocked from pulling images within a namespace

2018-12-05 15:19:37 -05:00 · 2018-12-05 15:19:37 -05:00 · c3710a6a5e
commit c3710a6a5e
parent c71a43a06c
20 changed files with 257 additions and 37 deletions
--- a/test/registry/registry_tests.py
+++ b/test/registry/registry_tests.py
@ -1706,3 +1706,25 @@ def test_verify_schema2(v22_protocol, basic_images, liveserver_session, liveserv
                             credentials=credentials)
  manifest = result.manifests['latest']
  assert manifest.schema_version == 2
+
+
+def test_geo_blocking(pusher, puller, basic_images, liveserver_session,
+                      liveserver, registry_server_executor, app_reloader):
+  """ Test: Attempt to pull an image from a geoblocked IP address. """
+  credentials = ('devtable', 'password')
+  options = ProtocolOptions()
+  options.skip_blob_push_checks = True # Otherwise, cache gets established.
+
+  # Push a new repository.
+  pusher.push(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
+              credentials=credentials, options=options)
+
+  registry_server_executor.on(liveserver).set_geo_block_for_namespace('devtable', 'US')
+
+  # Attempt to pull the repository to verify. This should fail with a 403 due to
+  # the geoblocking of the IP being using.
+  options = ProtocolOptions()
+  options.request_addr = '6.0.0.0'
+  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
+              credentials=credentials, options=options,
+              expected_failure=Failures.GEO_BLOCKED)