Prevent registry operations against disabled namespaces

Allows admins to completely wall off a namespace by disabling it Fixes https://jira.coreos.com/browse/QUAY-869
2018-05-22 18:36:04 -04:00 · 2018-05-22 18:36:04 -04:00 · f86c087b3b
commit f86c087b3b
parent 6ffafe44d3
14 changed files with 102 additions and 1 deletions
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@ -30,6 +30,16 @@ class GrantType(object):
  WRITE_REPOSITORY = 'write'


+def ensure_namespace_enabled(f):
+  @wraps(f)
+  def wrapper(namespace_name, repo_name, *args, **kwargs):
+    if not model.is_namespace_enabled(namespace_name):
+      abort(400, message='Namespace is disabled. Please contact your system administrator.')
+
+    return f(namespace_name, repo_name, *args, **kwargs)
+  return wrapper
+
+
 def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
  def decorator_method(f):
    @wraps(f)
@ -149,6 +159,7 @@ def update_user(username):
@v1_bp.route('/repositories/<repopath:repository>/', methods=['PUT'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201)
@anon_allowed
 def create_repository(namespace_name, repo_name):
@ -205,6 +216,7 @@ def create_repository(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['PUT'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY)
@anon_allowed
 def update_images(namespace_name, repo_name):
@ -238,6 +250,7 @@ def update_images(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['GET'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.READ_REPOSITORY)
@anon_protect
 def get_repository_images(namespace_name, repo_name):
@ -268,6 +281,7 @@ def get_repository_images(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['DELETE'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY)
@anon_allowed
 def delete_repository_images(namespace_name, repo_name):
@ -276,6 +290,7 @@ def delete_repository_images(namespace_name, repo_name):

@v1_bp.route('/repositories/<repopath:repository>/auth', methods=['PUT'])
@parse_repository_name()
+@ensure_namespace_enabled
@anon_allowed
 def put_repository_auth(namespace_name, repo_name):
  abort(501, 'Not Implemented', issue='not-implemented')
--- a/endpoints/v1/models_interface.py
+++ b/endpoints/v1/models_interface.py
@ -203,3 +203,8 @@ class DockerRegistryV1DataInterface(object):
    Returns a sorted list of repositories matching the given search term.
    """
    pass
+
+  @abstractmethod
+  def is_namespace_enabled(self, namespace_name):
+    """ Returns whether the given namespace exists and is enabled. """
+    pass
--- a/endpoints/v1/models_pre_oci.py
+++ b/endpoints/v1/models_pre_oci.py
@ -163,6 +163,10 @@ class PreOCIModel(DockerRegistryV1DataInterface):
      search_term, filter_username=filter_username, offset=offset, limit=limit)
    return [_repository_for_repo(repo) for repo in repos]

+  def is_namespace_enabled(self, namespace_name):
+    namespace = model.user.get_namespace_user(namespace_name)
+    return namespace is not None and namespace.enabled
+

 def _repository_for_repo(repo):
  """ Returns a Repository object representing the Pre-OCI data model instance of a repository. """
--- a/endpoints/v1/registry.py
+++ b/endpoints/v1/registry.py
@ -15,6 +15,7 @@ from data import model, database
 from digest import checksums
 from endpoints.v1 import v1_bp
 from endpoints.v1.models_pre_oci import pre_oci_model as model
+from endpoints.v1.index import ensure_namespace_enabled
 from endpoints.decorators import anon_protect
 from util.http import abort, exact_abort
 from util.registry.filelike import SocketReader
@ -75,6 +76,7 @@ def set_cache_headers(f):
@v1_bp.route('/images/<image_id>/layer', methods=['HEAD'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -112,6 +114,7 @@ def head_image_layer(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/layer', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -151,6 +154,7 @@ def get_image_layer(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/layer', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_layer(namespace, repository, image_id):
  logger.debug('Checking repo permissions')
@ -259,6 +263,7 @@ def put_image_layer(namespace, repository, image_id):
@v1_bp.route('/images/<image_id>/checksum', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_checksum(namespace, repository, image_id):
  logger.debug('Checking repo permissions')
@ -331,6 +336,7 @@ def put_image_checksum(namespace, repository, image_id):
@v1_bp.route('/images/<image_id>/json', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -365,6 +371,7 @@ def get_image_json(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/ancestry', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -392,6 +399,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/json', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_json(namespace, repository, image_id):
  logger.debug('Checking repo permissions')
--- a/endpoints/v2/errors.py
+++ b/endpoints/v2/errors.py
@ -138,3 +138,9 @@ class InvalidLogin(V2RegistryException):
 class InvalidRequest(V2RegistryException):
  def __init__(self, message=None):
    super(InvalidRequest, self).__init__('INVALID_REQUEST', message or 'Invalid request', {}, 400)
+
+
+class NamespaceDisabled(V2RegistryException):
+  def __init__(self, message=None):
+    message = message or 'This namespace is disabled. Please contact your system administrator.'
+    super(NamespaceDisabled, self).__init__('NAMESPACE_DISABLED', message, {}, 400)
--- a/endpoints/v2/models_interface.py
+++ b/endpoints/v2/models_interface.py
@ -270,3 +270,9 @@ class DockerRegistryV2DataInterface(object):
    Looks up all blobs with the matching digests under the given repository.
    """
    pass
+
+  @abstractmethod
+  def is_namespace_enabled(self, namespace_name):
+    """ Returns whether the given namespace is enabled. If the namespace doesn't exist,
+        returns True. """
+    pass
--- a/endpoints/v2/models_pre_oci.py
+++ b/endpoints/v2/models_pre_oci.py
@ -258,6 +258,10 @@ class PreOCIModel(DockerRegistryV2DataInterface):
    except model.InvalidManifestException:
      return

+  def is_namespace_enabled(self, namespace_name):
+    namespace = model.user.get_namespace_user(namespace_name)
+    return namespace is None or namespace.enabled
+

 def _docker_v1_metadata(namespace_name, repo_name, repo_image):
  """
--- a/endpoints/v2/test/test_v2auth.py
+++ b/endpoints/v2/test/test_v2auth.py
@ -54,6 +54,11 @@ from test.fixtures import *
  ('repository:somenamespace/unknownrepo:pull,push', 'devtable', 'password', 200,
   ['somenamespace/unknownrepo:']),

+  # Disabled namespace.
+  (['repository:devtable/simple:pull,push', 'repository:disabled/complex:pull'],
+    'devtable', 'password', 400,
+   []),
+
  # Multiple scopes.
  (['repository:devtable/simple:pull,push', 'repository:devtable/complex:pull'],
    'devtable', 'password', 200,
--- a/endpoints/v2/v2auth.py
+++ b/endpoints/v2/v2auth.py
@ -13,7 +13,8 @@ from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermissi
                              CreateRepositoryPermission, AdministerRepositoryPermission)
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp
-from endpoints.v2.errors import InvalidLogin, NameInvalid, InvalidRequest, Unsupported, Unauthorized
+from endpoints.v2.errors import (InvalidLogin, NameInvalid, InvalidRequest, Unsupported,
+                                 Unauthorized, NamespaceDisabled)
 from endpoints.v2.models_pre_oci import data_model as model
 from util.cache import no_cache
 from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
@ -160,6 +161,11 @@ def _authorize_or_downscope_request(scope_param, has_valid_auth_context):

    raise NameInvalid(message='Invalid repository name: %s' % namespace_and_repo)

+  # Ensure the namespace is enabled.
+  if not model.is_namespace_enabled(namespace):
+    msg = 'Namespace %s has been disabled. Please contact a system administrator.' % namespace
+    raise NamespaceDisabled(message=msg)
+
  final_actions = []

  repo = model.get_repository(namespace, reponame)