Merge pull request #1829 from nwt/foreign-layer-host-whitelist

Add a foreign layer URL host whitelist

registry/storage/registry.go

@@ -1,6 +1,8 @@
 package storage
 
 import (
+	"regexp"
+
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/reference"
@@ -20,6 +22,10 @@ type registry struct {
 	resumableDigestEnabled       bool
 	schema1SigningKey            libtrust.PrivateKey
 	blobDescriptorServiceFactory distribution.BlobDescriptorServiceFactory
+	manifestURLs                 struct {
+		allow *regexp.Regexp
+		deny  *regexp.Regexp
+	}
 }
 
 // RegistryOption is the type used for functional options for NewRegistry.
@@ -46,6 +52,22 @@ func DisableDigestResumption(registry *registry) error {
 	return nil
 }
 
+// ManifestURLsAllowRegexp is a functional option for NewRegistry.
+func ManifestURLsAllowRegexp(r *regexp.Regexp) RegistryOption {
+	return func(registry *registry) error {
+		registry.manifestURLs.allow = r
+		return nil
+	}
+}
+
+// ManifestURLsDenyRegexp is a functional option for NewRegistry.
+func ManifestURLsDenyRegexp(r *regexp.Regexp) RegistryOption {
+	return func(registry *registry) error {
+		registry.manifestURLs.deny = r
+		return nil
+	}
+}
+
 // Schema1SigningKey returns a functional option for NewRegistry. It sets the
 // key for signing  all schema1 manifests.
 func Schema1SigningKey(key libtrust.PrivateKey) RegistryOption {