Merge pull request #3231 from quay/hidden-tags-fix

Disallow access in the new registry model to hidden tags
This commit is contained in:
Joseph Schorr 2018-08-28 15:53:11 -04:00 committed by GitHub
commit cd513f7482
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 3 deletions

View file

@ -597,7 +597,8 @@ def get_active_tag_for_repo(repo, tag_name):
.join(Image) .join(Image)
.join(ImageStorage) .join(ImageStorage)
.where(RepositoryTag.name == tag_name, .where(RepositoryTag.name == tag_name,
RepositoryTag.repository == repo)).get() RepositoryTag.repository == repo,
RepositoryTag.hidden == False)).get()
except RepositoryTag.DoesNotExist: except RepositoryTag.DoesNotExist:
return None return None
@ -778,7 +779,7 @@ def get_most_recent_tag(repo_id):
try: try:
return (_tag_alive(RepositoryTag return (_tag_alive(RepositoryTag
.select() .select()
.where(RepositoryTag.repository == repo_id) .where(RepositoryTag.repository == repo_id, RepositoryTag.hidden == False)
.order_by(RepositoryTag.lifetime_start_ts.desc())) .order_by(RepositoryTag.lifetime_start_ts.desc()))
.get()) .get())
except RepositoryTag.DoesNotExist: except RepositoryTag.DoesNotExist:

View file

@ -13,7 +13,8 @@ from data.database import (Image, RepositoryTag, ImageStorage, Repository, Manif
from data.model.repository import create_repository from data.model.repository import create_repository
from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag, from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag,
get_matching_tags, _tag_alive, get_matching_tags_for_images, get_matching_tags, _tag_alive, get_matching_tags_for_images,
change_tag_expiration, get_active_tag, store_tag_manifest_for_testing) change_tag_expiration, get_active_tag, store_tag_manifest_for_testing,
get_most_recent_tag, get_active_tag_for_repo)
from data.model.image import find_create_or_link_image from data.model.image import find_create_or_link_image
from image.docker.schema1 import DockerSchema1ManifestBuilder from image.docker.schema1 import DockerSchema1ManifestBuilder
from util.timedeltastring import convert_to_timedelta from util.timedeltastring import convert_to_timedelta
@ -264,3 +265,24 @@ def test_store_tag_manifest(get_storages, initialized_db):
assert blob_rows == {s.id for s in storages} assert blob_rows == {s.id for s in storages}
assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image
def test_get_most_recent_tag(initialized_db):
# Create a hidden tag that is the most recent.
repo = model.repository.get_repository('devtable', 'simple')
image = model.tag.get_tag_image('devtable', 'simple', 'latest')
model.tag.create_temporary_hidden_tag(repo, image, 10000000)
# Ensure we find a non-hidden tag.
found = model.tag.get_most_recent_tag(repo)
assert not found.hidden
def test_get_active_tag_for_repo(initialized_db):
repo = model.repository.get_repository('devtable', 'simple')
image = model.tag.get_tag_image('devtable', 'simple', 'latest')
hidden_tag = model.tag.create_temporary_hidden_tag(repo, image, 10000000)
# Ensure get active tag for repo cannot find it.
assert model.tag.get_active_tag_for_repo(repo, hidden_tag) is None
assert model.tag.get_active_tag_for_repo(repo, 'latest') is not None

View file

@ -23,6 +23,7 @@ class PreOCIModel(RegistryDataInterface):
or None if none. or None if none.
""" """
found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names) found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
assert found_tag is None or not found_tag.hidden
return Tag.for_repository_tag(found_tag) return Tag.for_repository_tag(found_tag)
def get_most_recent_tag(self, repository_ref): def get_most_recent_tag(self, repository_ref):
@ -30,6 +31,7 @@ class PreOCIModel(RegistryDataInterface):
None. None.
""" """
found_tag = model.tag.get_most_recent_tag(repository_ref._db_id) found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
assert found_tag is None or not found_tag.hidden
return Tag.for_repository_tag(found_tag) return Tag.for_repository_tag(found_tag)
def lookup_repository(self, namespace_name, repo_name, kind_filter=None): def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
@ -316,6 +318,8 @@ class PreOCIModel(RegistryDataInterface):
except database.RepositoryTag.DoesNotExist: except database.RepositoryTag.DoesNotExist:
return None return None
assert not tag_obj.hidden
repo = tag_obj.repository repo = tag_obj.repository
namespace_name = repo.namespace_user.username namespace_name = repo.namespace_user.username
repo_name = repo.name repo_name = repo.name