Prevent registry operations against disabled namespaces

Allows admins to completely wall off a namespace by disabling it Fixes https://jira.coreos.com/browse/QUAY-869
2018-05-22 18:36:04 -04:00 · 2018-05-22 18:36:04 -04:00 · f86c087b3b
commit f86c087b3b
parent 6ffafe44d3
14 changed files with 102 additions and 1 deletions
--- a/endpoints/v1/registry.py
+++ b/endpoints/v1/registry.py
@ -15,6 +15,7 @@ from data import model, database
 from digest import checksums
 from endpoints.v1 import v1_bp
 from endpoints.v1.models_pre_oci import pre_oci_model as model
+from endpoints.v1.index import ensure_namespace_enabled
 from endpoints.decorators import anon_protect
 from util.http import abort, exact_abort
 from util.registry.filelike import SocketReader
@ -75,6 +76,7 @@ def set_cache_headers(f):
@v1_bp.route('/images/<image_id>/layer', methods=['HEAD'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -112,6 +114,7 @@ def head_image_layer(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/layer', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -151,6 +154,7 @@ def get_image_layer(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/layer', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_layer(namespace, repository, image_id):
  logger.debug('Checking repo permissions')
@ -259,6 +263,7 @@ def put_image_layer(namespace, repository, image_id):
@v1_bp.route('/images/<image_id>/checksum', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_checksum(namespace, repository, image_id):
  logger.debug('Checking repo permissions')
@ -331,6 +336,7 @@ def put_image_checksum(namespace, repository, image_id):
@v1_bp.route('/images/<image_id>/json', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -365,6 +371,7 @@ def get_image_json(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/ancestry', methods=['GET'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@require_completion
@set_cache_headers
@anon_protect
@ -392,6 +399,7 @@ def get_image_ancestry(namespace, repository, image_id, headers):
@v1_bp.route('/images/<image_id>/json', methods=['PUT'])
@process_auth
@extract_namespace_repo_from_session
+@ensure_namespace_enabled
@anon_protect
 def put_image_json(namespace, repository, image_id):
  logger.debug('Checking repo permissions')