Merge pull request #3231 from quay/hidden-tags-fix
Disallow access in the new registry model to hidden tags
commit
cd513f7482
3 changed files with 30 additions and 3 deletions
|
@ -597,7 +597,8 @@ def get_active_tag_for_repo(repo, tag_name):
|
||||||
.join(Image)
|
.join(Image)
|
||||||
.join(ImageStorage)
|
.join(ImageStorage)
|
||||||
.where(RepositoryTag.name == tag_name,
|
.where(RepositoryTag.name == tag_name,
|
||||||
RepositoryTag.repository == repo)).get()
|
RepositoryTag.repository == repo,
|
||||||
|
RepositoryTag.hidden == False)).get()
|
||||||
except RepositoryTag.DoesNotExist:
|
except RepositoryTag.DoesNotExist:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
@ -778,7 +779,7 @@ def get_most_recent_tag(repo_id):
|
||||||
try:
|
try:
|
||||||
return (_tag_alive(RepositoryTag
|
return (_tag_alive(RepositoryTag
|
||||||
.select()
|
.select()
|
||||||
.where(RepositoryTag.repository == repo_id)
|
.where(RepositoryTag.repository == repo_id, RepositoryTag.hidden == False)
|
||||||
.order_by(RepositoryTag.lifetime_start_ts.desc()))
|
.order_by(RepositoryTag.lifetime_start_ts.desc()))
|
||||||
.get())
|
.get())
|
||||||
except RepositoryTag.DoesNotExist:
|
except RepositoryTag.DoesNotExist:
|
||||||
|
|
|
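Review bot: `RepositoryTag.hidden == False` in the where clauses of get_active_tag_for_repo and get_most_recent_tag builds the SQL predicate, but it looks like the pattern linters flag as E712. A cleanup to `is False` or `not RepositoryTag.hidden` would be evaluated in Python and would stop filtering on the column. A short comment on each line, e.g. `# ORM expression, must stay '== False'  # noqa: E712`, would protect the hidden-tag filter from that kind of edit. This comparison also excludes rows where `hidden` is NULL; presumably the column is non-nullable, but that is not visible here. Both function bodies extend beyond the hunks shown.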
@ -13,7 +13,8 @@ from data.database import (Image, RepositoryTag, ImageStorage, Repository, Manif
|
||||||
from data.model.repository import create_repository
|
from data.model.repository import create_repository
|
||||||
from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag,
|
from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag,
|
||||||
get_matching_tags, _tag_alive, get_matching_tags_for_images,
|
get_matching_tags, _tag_alive, get_matching_tags_for_images,
|
||||||
change_tag_expiration, get_active_tag, store_tag_manifest_for_testing)
|
change_tag_expiration, get_active_tag, store_tag_manifest_for_testing,
|
||||||
|
get_most_recent_tag, get_active_tag_for_repo)
|
||||||
from data.model.image import find_create_or_link_image
|
from data.model.image import find_create_or_link_image
|
||||||
from image.docker.schema1 import DockerSchema1ManifestBuilder
|
from image.docker.schema1 import DockerSchema1ManifestBuilder
|
||||||
from util.timedeltastring import convert_to_timedelta
|
from util.timedeltastring import convert_to_timedelta
|
||||||
|
@ -264,3 +265,24 @@ def test_store_tag_manifest(get_storages, initialized_db):
|
||||||
assert blob_rows == {s.id for s in storages}
|
assert blob_rows == {s.id for s in storages}
|
||||||
|
|
||||||
assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image
|
assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_most_recent_tag(initialized_db):
|
||||||
|
# Create a hidden tag that is the most recent.
|
||||||
|
repo = model.repository.get_repository('devtable', 'simple')
|
||||||
|
image = model.tag.get_tag_image('devtable', 'simple', 'latest')
|
||||||
|
model.tag.create_temporary_hidden_tag(repo, image, 10000000)
|
||||||
|
|
||||||
|
# Ensure we find a non-hidden tag.
|
||||||
|
found = model.tag.get_most_recent_tag(repo)
|
||||||
|
assert not found.hidden
|
||||||
|
|
||||||
|
|
||||||
|
def test_get_active_tag_for_repo(initialized_db):
|
||||||
|
repo = model.repository.get_repository('devtable', 'simple')
|
||||||
|
image = model.tag.get_tag_image('devtable', 'simple', 'latest')
|
||||||
|
hidden_tag = model.tag.create_temporary_hidden_tag(repo, image, 10000000)
|
||||||
|
|
||||||
|
# Ensure get active tag for repo cannot find it.
|
||||||
|
assert model.tag.get_active_tag_for_repo(repo, hidden_tag) is None
|
||||||
|
assert model.tag.get_active_tag_for_repo(repo, 'latest') is not None
|
||||||
|
|
|
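Review bot: test_get_most_recent_tag dereferences `found` without checking it, so a regression that returns no tag would surface as an AttributeError rather than a clear failure; add `assert found is not None` before `assert not found.hidden`. The test also never confirms that the hidden tag it creates would win the `lifetime_start_ts` ordering without the filter, so it may pass even if the filter is removed. In test_get_active_tag_for_repo the value named `hidden_tag` is passed as the `tag_name` argument. If create_temporary_hidden_tag returns something other than the name, the `is None` assertion would pass for the wrong reason, so it is worth confirming and renaming the variable to `hidden_tag_name`.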
@ -23,6 +23,7 @@ class PreOCIModel(RegistryDataInterface):
|
||||||
or None if none.
|
or None if none.
|
||||||
"""
|
"""
|
||||||
found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
|
found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
|
||||||
|
assert found_tag is None or not found_tag.hidden
|
||||||
return Tag.for_repository_tag(found_tag)
|
return Tag.for_repository_tag(found_tag)
|
||||||
|
|
||||||
def get_most_recent_tag(self, repository_ref):
|
def get_most_recent_tag(self, repository_ref):
|
||||||
|
@ -30,6 +31,7 @@ class PreOCIModel(RegistryDataInterface):
|
||||||
None.
|
None.
|
||||||
"""
|
"""
|
||||||
found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
|
found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
|
||||||
|
assert found_tag is None or not found_tag.hidden
|
||||||
return Tag.for_repository_tag(found_tag)
|
return Tag.for_repository_tag(found_tag)
|
||||||
|
|
||||||
def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
|
def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
|
||||||
|
@ -316,6 +318,8 @@ class PreOCIModel(RegistryDataInterface):
|
||||||
except database.RepositoryTag.DoesNotExist:
|
except database.RepositoryTag.DoesNotExist:
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
assert not tag_obj.hidden
|
||||||
|
|
||||||
repo = tag_obj.repository
|
repo = tag_obj.repository
|
||||||
namespace_name = repo.namespace_user.username
|
namespace_name = repo.namespace_user.username
|
||||||
repo_name = repo.name
|
repo_name = repo.name
|
||||||
|
|
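Review bot: The three added `assert` statements in PreOCIModel act as the hidden-tag access check at this layer, but asserts are stripped when Python runs with `-O`, so they should not be the only guard. They are `assert found_tag is None or not found_tag.hidden` after find_matching_tag and after get_most_recent_tag, and `assert not tag_obj.hidden` in the third hunk. When they do fire, the caller gets an AssertionError rather than the `None` these methods already return for a missing tag. No query-level hidden filter for find_matching_tag is visible in this commit, so that path may rely on the assert alone. An explicit check such as `if found_tag is not None and found_tag.hidden: return None` (and `if tag_obj.hidden: return None` in the third hunk) behaves the same under any interpreter flags. All three method bodies start or end outside the hunks shown.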