Prevent registry operations against disabled namespaces

Allows admins to completely wall off a namespace by disabling it Fixes https://jira.coreos.com/browse/QUAY-869
2018-05-22 18:36:04 -04:00 · 2018-05-22 18:36:04 -04:00 · f86c087b3b
commit f86c087b3b
parent 6ffafe44d3
14 changed files with 102 additions and 1 deletions
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@ -30,6 +30,16 @@ class GrantType(object):
  WRITE_REPOSITORY = 'write'


+def ensure_namespace_enabled(f):
+  @wraps(f)
+  def wrapper(namespace_name, repo_name, *args, **kwargs):
+    if not model.is_namespace_enabled(namespace_name):
+      abort(400, message='Namespace is disabled. Please contact your system administrator.')
+
+    return f(namespace_name, repo_name, *args, **kwargs)
+  return wrapper
+
+
 def generate_headers(scope=GrantType.READ_REPOSITORY, add_grant_for_status=None):
  def decorator_method(f):
    @wraps(f)
@ -149,6 +159,7 @@ def update_user(username):
@v1_bp.route('/repositories/<repopath:repository>/', methods=['PUT'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY, add_grant_for_status=201)
@anon_allowed
 def create_repository(namespace_name, repo_name):
@ -205,6 +216,7 @@ def create_repository(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['PUT'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY)
@anon_allowed
 def update_images(namespace_name, repo_name):
@ -238,6 +250,7 @@ def update_images(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['GET'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.READ_REPOSITORY)
@anon_protect
 def get_repository_images(namespace_name, repo_name):
@ -268,6 +281,7 @@ def get_repository_images(namespace_name, repo_name):
@v1_bp.route('/repositories/<repopath:repository>/images', methods=['DELETE'])
@process_auth
@parse_repository_name()
+@ensure_namespace_enabled
@generate_headers(scope=GrantType.WRITE_REPOSITORY)
@anon_allowed
 def delete_repository_images(namespace_name, repo_name):
@ -276,6 +290,7 @@ def delete_repository_images(namespace_name, repo_name):

@v1_bp.route('/repositories/<repopath:repository>/auth', methods=['PUT'])
@parse_repository_name()
+@ensure_namespace_enabled
@anon_allowed
 def put_repository_auth(namespace_name, repo_name):
  abort(501, 'Not Implemented', issue='not-implemented')