fix: enable non-admins to cache images via pull-thru (PROJQUAY-3806) (#…

…1366) (#1379) introduces a check of the OrganizationMemberPermission for pulls against a proxy org. if the proxy cache feature is disabled, or the org is not a proxy org the check is not performed and Quay will behave normally. this check does not mean pulls will work transparently though - non-admin users need to be added to a team in the proxy org with the member role, and default read and write permissions need to be given to that team so that non-admin users can pull and update the cache for images they do not own (the user who first pulls an image ends up owning the repository since that is when the repo gets created).
quay · Jun 14, 2022 · 6090bd0 · 6090bd0
1 parent 5487b26
commit 6090bd0
Show file tree

Hide file tree

Showing 7 changed files with 1,329 additions and 1,266 deletions.
diff --git a/data/model/proxy_cache.py b/data/model/proxy_cache.py
@@ -1,8 +1,16 @@
 from data.database import ProxyCacheConfig, User, DEFAULT_PROXY_CACHE_EXPIRATION
-from data.model import InvalidProxyCacheConfigException, InvalidOrganizationException
+from data.model import InvalidProxyCacheConfigException
 from data.model.organization import get_organization
 
 
+def has_proxy_cache_config(org_name):
+    try:
+        get_proxy_cache_config_for_org(org_name)
+    except InvalidProxyCacheConfigException:
+        return False
+    return True
+
+
 def create_proxy_cache_config(
     org_name,
     upstream_registry,

diff --git a/data/model/test/test_proxy_cache_config.py b/data/model/test/test_proxy_cache_config.py
@@ -1,17 +1,45 @@
 from playhouse.test_utils import assert_query_count
-
-from data.model import InvalidOrganizationException
-from data.model.proxy_cache import *
+import pytest
+
+from data.model import InvalidOrganizationException, InvalidProxyCacheConfigException
+from data.model.proxy_cache import (
+    create_proxy_cache_config,
+    get_proxy_cache_config_for_org,
+    delete_proxy_cache_config,
+    has_proxy_cache_config,
+)
+from data.database import DEFAULT_PROXY_CACHE_EXPIRATION
 from data.model.organization import create_organization
-from data.database import ProxyCacheConfig, DEFAULT_PROXY_CACHE_EXPIRATION
-from test.fixtures import *
+from data.model.user import create_user_noverify
+from test.fixtures import *  # noqa: F401, F403
 
 
 def create_org(user_name, user_email, org_name, org_email):
     user_obj = create_user_noverify(user_name, user_email)
     return create_organization(org_name, org_email, user_obj)
 
 
+def test_has_proxy_cache_config_with_proxy_cache_org(initialized_db):
+    org = create_org(
+        user_name="test",
+        user_email="[email protected]",
+        org_name="foobar",
+        org_email="[email protected]",
+    )
+    create_proxy_cache_config(org.username, "quay.io")
+    assert has_proxy_cache_config(org.username)
+
+
+def test_has_proxy_cache_config_with_regular_org(initialized_db):
+    org = create_org(
+        user_name="test",
+        user_email="[email protected]",
+        org_name="foobar",
+        org_email="[email protected]",
+    )
+    assert not has_proxy_cache_config(org.username)
+
+
 def test_create_proxy_cache_config_with_defaults(initialized_db):
     upstream_registry = "quay.io"
     org = create_org(