Disallow anonymous users to pull new data via pull-through distributions

closes pulp#1657
lubosmj · Jun 11, 2024 · 275c623 · 275c623
1 parent da8a70f
commit 275c623
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 4 deletions.
diff --git a/CHANGES/1657.bugfix b/CHANGES/1657.bugfix
@@ -0,0 +1 @@
+Disallowed anonymous users to pull new content via a pull-through caching distribution.
diff --git a/pulp_container/app/registry_api.py b/pulp_container/app/registry_api.py
@@ -306,7 +306,7 @@ def get_pull_through_drv(self, path):
             .order_by("-base_path")
             .first()
         )
-        if not pull_through_cache_distribution:
+        if not pull_through_cache_distribution or not self.request.user.is_authenticated:
             raise RepositoryNotFound(name=path)
 
         try:

diff --git a/pulp_container/app/token_verification.py b/pulp_container/app/token_verification.py
@@ -75,7 +75,7 @@ def authenticate(self, request):
         If basic authentication could not success, remote webserver authentication is considered.
         """
         if request.headers.get("Authorization") == "Basic Og==":
-            return (AnonymousUser, None)
+            return (AnonymousUser(), None)
 
         try:
             user = super().authenticate(request)

diff --git a/pulp_container/tests/functional/api/test_pull_through_cache.py b/pulp_container/tests/functional/api/test_pull_through_cache.py
@@ -2,6 +2,7 @@
 import subprocess
 import pytest
 
+from subprocess import CalledProcessError
 from uuid import uuid4
 
 from pulp_container.tests.functional.constants import (
@@ -32,6 +33,7 @@ def pull_through_distribution(
 @pytest.fixture
 def pull_and_verify(
     add_to_cleanup,
+    anonymous_user,
     container_pull_through_distribution_api,
     container_distribution_api,
     container_repository_api,
@@ -46,6 +48,10 @@ def _pull_and_verify(images, pull_through_distribution):
             remote_image_path = f"{REGISTRY_V2}/{image_path}"
             local_image_path = f"{pull_through_distribution.base_path}/{image_path}"
 
+            # 0. test if an anonymous user cannot pull new content through the pull-through cache
+            with anonymous_user, pytest.raises(CalledProcessError):
+                local_registry.pull(local_image_path)
+
             # 1. pull remote content through the pull-through distribution
             local_registry.pull(local_image_path)
             local_image = local_registry.inspect(local_image_path)
@@ -89,6 +95,10 @@ def _pull_and_verify(images, pull_through_distribution):
             tags = container_tag_api.list(repository_version=repository.latest_version_href).results
             assert sorted(tags_to_verify) == sorted([tag.name for tag in tags])
 
+            # 6. test if the anonymous user can pull existing content via the pull-through cache
+            with anonymous_user:
+                local_registry.pull(local_image_path)
+
     return _pull_and_verify
 
 

diff --git a/pulp_container/tests/functional/conftest.py b/pulp_container/tests/functional/conftest.py
@@ -5,7 +5,7 @@
 import requests
 import subprocess
 
-from contextlib import contextmanager
+from contextlib import contextmanager, suppress
 from urllib.parse import urljoin, urlparse
 from uuid import uuid4
 
@@ -197,7 +197,8 @@ def pull(image_path):
                     "-u", bindings_cfg.username, "-p", bindings_cfg.password, registry_name
                 )
             else:
-                registry_client.logout(registry_name)
+                with suppress(subprocess.CalledProcessError):
+                    registry_client.logout(registry_name)
             try:
                 registry_client.pull("/".join([registry_name, image_path]))
             finally:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Disallowed anonymous users to pull new content via a pull-through caching distribution.