Prevent registry operations against disabled namespaces

Allows admins to completely wall off a namespace by disabling it

Fixes https://jira.coreos.com/browse/QUAY-869

test/registry/registry_tests.py

@@ -644,6 +644,36 @@ def test_chunked_uploading_mismatched_chunks(manifest_protocol, random_layer_dat
                          images, credentials=credentials, options=options)
 
 
+def test_pull_disabled_namespace(pusher, puller, basic_images, liveserver_session,
+                                 app_reloader, liveserver, registry_server_executor):
+  """ Test: Attempt to pull a repository from a disabled namespace results in an error. """
+  credentials = ('devtable', 'password')
+
+  # Push a new repository.
+  pusher.push(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
+              credentials=credentials)
+
+  # Disable the namespace.
+  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
+
+  # Attempt to pull, which should fail.
+  puller.pull(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
+              credentials=credentials, expected_failure=Failures.NAMESPACE_DISABLED)
+
+
+def test_push_disabled_namespace(pusher, basic_images, liveserver_session,
+                                 app_reloader, liveserver, registry_server_executor):
+  """ Test: Attempt to push a repository from a disabled namespace results in an error. """
+  credentials = ('devtable', 'password')
+
+  # Disable the namespace.
+  registry_server_executor.on(liveserver).disable_namespace('buynlarge')
+
+  # Attempt to push, which should fail.
+  pusher.push(liveserver_session, 'buynlarge', 'someneworgrepo', 'latest', basic_images,
+              credentials=credentials, expected_failure=Failures.NAMESPACE_DISABLED)
+
+
 @pytest.mark.parametrize('public_catalog, credentials, expected_repos', [
   # No public access and no credentials => No results.
   (False, None, None),