Skip to content

Commit

Permalink
Disallow anonymous users to pull from private pull-through distributions
Browse files Browse the repository at this point in the history
closes #1623
  • Loading branch information
lubosmj committed Jul 4, 2024
1 parent e7d1db4 commit 67809ea
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 11 deletions.
1 change: 1 addition & 0 deletions CHANGES/1623.bugfix
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Disallowed anonymous users to pull images from private pull-through distributions.
3 changes: 1 addition & 2 deletions pulp_container/app/registry_api.py
Original file line number Diff line number Diff line change
Expand Up @@ -339,13 +339,12 @@ def get_pull_through_drv(self, path):
**remote_data,
)

# TODO: Propagate the user's permissions and private flag from the pull-through
# distribution to this distribution
distribution, _ = models.ContainerDistribution.objects.get_or_create(
name=path,
base_path=path,
remote=remote,
repository=repository,
private=pull_through_cache_distribution.private,
)
except IntegrityError:
# some entities needed to be created, but their keys already exist in the database
Expand Down
37 changes: 33 additions & 4 deletions pulp_container/tests/functional/api/test_pull_through_cache.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
import subprocess
import pytest

from django.conf import settings

from subprocess import CalledProcessError
from uuid import uuid4

Expand Down Expand Up @@ -44,7 +46,6 @@ def pull_and_verify(
):
def _pull_and_verify(images, pull_through_distribution):
tags_to_verify = []
pull_through_distribution = pull_through_distribution()
for version, image_path in enumerate(images, start=1):
remote_image_path = f"{REGISTRY_V2}/{image_path}"
local_image_path = f"{pull_through_distribution.base_path}/{image_path}"
Expand Down Expand Up @@ -102,12 +103,12 @@ def _pull_and_verify(images, pull_through_distribution):

def test_manifest_list_pull(delete_orphans_pre, pull_through_distribution, pull_and_verify):
images = [f"{PULP_HELLO_WORLD_REPO}:latest", f"{PULP_HELLO_WORLD_REPO}:linux"]
pull_and_verify(images, pull_through_distribution)
pull_and_verify(images, pull_through_distribution())


def test_manifest_pull(delete_orphans_pre, pull_through_distribution, pull_and_verify):
images = [f"{PULP_FIXTURE_1}:manifest_a", f"{PULP_FIXTURE_1}:manifest_b"]
pull_and_verify(images, pull_through_distribution)
pull_and_verify(images, pull_through_distribution())


def test_anonymous_pull_by_digest(
Expand All @@ -118,7 +119,7 @@ def test_anonymous_pull_by_digest(
pull_through_distribution,
):
image = f"{PULP_HELLO_WORLD_REPO}@{PULP_HELLO_WORLD_LINUX_AMD64_DIGEST}"
local_image_path = f"{pull_through_distribution.base_path}/{image}"
local_image_path = f"{pull_through_distribution().base_path}/{image}"

with anonymous_user, pytest.raises(CalledProcessError):
local_registry.pull(local_image_path)
Expand All @@ -131,6 +132,34 @@ def test_anonymous_pull_by_digest(
local_registry.pull(local_image_path)


def test_pull_from_private_distribution(
delete_orphans_pre,
add_pull_through_entities_to_cleanup,
anonymous_user,
local_registry,
pull_through_distribution,
gen_user,
):
if settings.TOKEN_AUTH_DISABLED:
pytest.skip("RBAC cannot be tested when token authentication is disabled")

image = f"{PULP_HELLO_WORLD_REPO}:latest"
local_image_path = f"{pull_through_distribution(private=True).base_path}/{image}"

with anonymous_user, pytest.raises(CalledProcessError):
local_registry.pull(local_image_path)

local_registry.pull(local_image_path)

add_pull_through_entities_to_cleanup(local_image_path.split(":")[0])

with anonymous_user, pytest.raises(CalledProcessError):
local_registry.pull(local_image_path)

with gen_user(model_roles=["container.containernamespace_collaborator"]):
local_registry.pull(local_image_path)


def test_conflicting_names_and_paths(
container_remote_api,
container_remote_factory,
Expand Down
14 changes: 9 additions & 5 deletions pulp_container/tests/functional/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -440,7 +440,7 @@ def pull_through_distribution(
container_pull_through_remote_api,
container_pull_through_distribution_api,
):
def _pull_through_distribution(includes=None, excludes=None):
def _pull_through_distribution(includes=None, excludes=None, private=False):
remote = gen_object_with_cleanup(
container_pull_through_remote_api,
{
Expand All @@ -450,10 +450,14 @@ def _pull_through_distribution(includes=None, excludes=None):
"excludes": excludes,
},
)
distribution = gen_object_with_cleanup(
container_pull_through_distribution_api,
{"name": str(uuid4()), "base_path": str(uuid4()), "remote": remote.pulp_href},
)

data = {
"name": str(uuid4()),
"base_path": str(uuid4()),
"remote": remote.pulp_href,
"private": private,
}
distribution = gen_object_with_cleanup(container_pull_through_distribution_api, data)
return distribution

return _pull_through_distribution

0 comments on commit 67809ea

Please sign in to comment.