Enforce "blocked" for registries for the "docker" transport

Check if reading and writing from the registry named by an image is allowed when the transport is "docker". Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #1056 Approved by: rhatdan
2025-07-31 15:24:26 +03:00 · 2018-10-02 14:48:11 -04:00
parent 62c01da3e4
commit 318fc8940f
5 changed files with 77 additions and 0 deletions
--- a/commit.go
+++ b/commit.go
@ -92,6 +92,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 	var imgID string

 	systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
+
+	blocked, err := isReferenceBlocked(dest, systemContext)
+	if err != nil {
+		return "", errors.Wrapf(err, "error checking if committing to registry for %q is blocked", transports.ImageName(dest))
+	}
+	if blocked {
+		return "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
+	}
+
 	policy, err := signature.DefaultPolicy(systemContext)
 	if err != nil {
 		return imgID, errors.Wrapf(err, "error obtaining default signature policy")
@ -162,6 +171,15 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 // Push copies the contents of the image to a new location.
 func Push(ctx context.Context, image string, dest types.ImageReference, options PushOptions) error {
 	systemContext := getSystemContext(options.SystemContext, options.SignaturePolicyPath)
+
+	blocked, err := isReferenceBlocked(dest, systemContext)
+	if err != nil {
+		return errors.Wrapf(err, "error checking if pushing to registry for %q is blocked", transports.ImageName(dest))
+	}
+	if blocked {
+		return errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
+	}
+
 	policy, err := signature.DefaultPolicy(systemContext)
 	if err != nil {
 		return errors.Wrapf(err, "error obtaining default signature policy")