Merge pull request #3231 from quay/hidden-tags-fix

Disallow access in the new registry model to hidden tags

data/model/tag.py

@@ -597,7 +597,8 @@ def get_active_tag_for_repo(repo, tag_name):
                       .join(Image)
                       .join(ImageStorage)
                       .where(RepositoryTag.name == tag_name,
-                             RepositoryTag.repository == repo)).get()
+                             RepositoryTag.repository == repo,
+                             RepositoryTag.hidden == False)).get()
   except RepositoryTag.DoesNotExist:
     return None
 
@@ -778,7 +779,7 @@ def get_most_recent_tag(repo_id):
   try:
     return (_tag_alive(RepositoryTag
                        .select()
-                       .where(RepositoryTag.repository == repo_id)
+                       .where(RepositoryTag.repository == repo_id, RepositoryTag.hidden == False)
                        .order_by(RepositoryTag.lifetime_start_ts.desc()))
             .get())
   except RepositoryTag.DoesNotExist:

data/model/test/test_tag.py

@@ -13,7 +13,8 @@ from data.database import (Image, RepositoryTag, ImageStorage, Repository, Manif
 from data.model.repository import create_repository
 from data.model.tag import (list_active_repo_tags, create_or_update_tag, delete_tag,
                             get_matching_tags, _tag_alive, get_matching_tags_for_images,
-                            change_tag_expiration, get_active_tag, store_tag_manifest_for_testing)
+                            change_tag_expiration, get_active_tag, store_tag_manifest_for_testing,
+                            get_most_recent_tag, get_active_tag_for_repo)
 from data.model.image import find_create_or_link_image
 from image.docker.schema1 import DockerSchema1ManifestBuilder
 from util.timedeltastring import convert_to_timedelta
@@ -264,3 +265,24 @@ def test_store_tag_manifest(get_storages, initialized_db):
   assert blob_rows == {s.id for s in storages}
 
   assert ManifestLegacyImage.get(manifest=mapping_row.manifest).image == tag_manifest.tag.image
+
+
+def test_get_most_recent_tag(initialized_db):
+  # Create a hidden tag that is the most recent.
+  repo = model.repository.get_repository('devtable', 'simple')
+  image = model.tag.get_tag_image('devtable', 'simple', 'latest')
+  model.tag.create_temporary_hidden_tag(repo, image, 10000000)
+
+  # Ensure we find a non-hidden tag.
+  found = model.tag.get_most_recent_tag(repo)
+  assert not found.hidden
+
+
+def test_get_active_tag_for_repo(initialized_db):
+  repo = model.repository.get_repository('devtable', 'simple')
+  image = model.tag.get_tag_image('devtable', 'simple', 'latest')
+  hidden_tag = model.tag.create_temporary_hidden_tag(repo, image, 10000000)
+
+  # Ensure get active tag for repo cannot find it.
+  assert model.tag.get_active_tag_for_repo(repo, hidden_tag) is None
+  assert model.tag.get_active_tag_for_repo(repo, 'latest') is not None

data/registry_model/registry_pre_oci_model.py

@@ -23,6 +23,7 @@ class PreOCIModel(RegistryDataInterface):
         or None if none.
     """
     found_tag = model.tag.find_matching_tag(repository_ref._db_id, tag_names)
+    assert found_tag is None or not found_tag.hidden
     return Tag.for_repository_tag(found_tag)
 
   def get_most_recent_tag(self, repository_ref):
@@ -30,6 +31,7 @@ class PreOCIModel(RegistryDataInterface):
         None.
     """
     found_tag = model.tag.get_most_recent_tag(repository_ref._db_id)
+    assert found_tag is None or not found_tag.hidden
     return Tag.for_repository_tag(found_tag)
 
   def lookup_repository(self, namespace_name, repo_name, kind_filter=None):
@@ -316,6 +318,8 @@ class PreOCIModel(RegistryDataInterface):
     except database.RepositoryTag.DoesNotExist:
       return None
 
+    assert not tag_obj.hidden
+
     repo = tag_obj.repository
     namespace_name = repo.namespace_user.username
     repo_name = repo.name