Merge pull request #2474 from vikstrous/disable-v1-master

disable schema1 by default, add a config flag to enable it

registry/storage/catalog_test.go

@@ -26,7 +26,7 @@ type setupEnv struct {
 func setupFS(t *testing.T) *setupEnv {
 	d := inmemory.New()
 	ctx := context.Background()
-	registry, err := NewRegistry(ctx, d, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableRedirect)
+	registry, err := NewRegistry(ctx, d, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableRedirect, EnableSchema1)
 	if err != nil {
 		t.Fatalf("error creating registry: %v", err)
 	}
@@ -207,7 +207,7 @@ func testEq(a, b []string, size int) bool {
 func setupBadWalkEnv(t *testing.T) *setupEnv {
 	d := newBadListDriver()
 	ctx := context.Background()
-	registry, err := NewRegistry(ctx, d, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableRedirect)
+	registry, err := NewRegistry(ctx, d, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableRedirect, EnableSchema1)
 	if err != nil {
 		t.Fatalf("error creating registry: %v", err)
 	}

registry/storage/garbagecollect_test.go

@@ -27,7 +27,7 @@ func createRegistry(t *testing.T, driver driver.StorageDriver, options ...Regist
 	if err != nil {
 		t.Fatal(err)
 	}
-	options = append([]RegistryOption{EnableDelete, Schema1SigningKey(k)}, options...)
+	options = append([]RegistryOption{EnableDelete, Schema1SigningKey(k), EnableSchema1}, options...)
 	registry, err := NewRegistry(ctx, driver, options...)
 	if err != nil {
 		t.Fatalf("Failed to construct namespace")

registry/storage/manifeststore_test.go

@@ -59,10 +59,18 @@ func TestManifestStorage(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	testManifestStorage(t, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableDelete, EnableRedirect, Schema1SigningKey(k))
+	testManifestStorage(t, true, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableDelete, EnableRedirect, Schema1SigningKey(k), EnableSchema1)
 }
 
-func testManifestStorage(t *testing.T, options ...RegistryOption) {
+func TestManifestStorageV1Unsupported(t *testing.T) {
+	k, err := libtrust.GenerateECP256PrivateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testManifestStorage(t, false, BlobDescriptorCacheProvider(memory.NewInMemoryBlobDescriptorCacheProvider()), EnableDelete, EnableRedirect, Schema1SigningKey(k))
+}
+
+func testManifestStorage(t *testing.T, schema1Enabled bool, options ...RegistryOption) {
 	repoName, _ := reference.WithName("foo/bar")
 	env := newManifestStoreTestEnv(t, repoName, "thetag", options...)
 	ctx := context.Background()
@@ -114,6 +122,15 @@ func testManifestStorage(t *testing.T, options ...RegistryOption) {
 		t.Fatalf("expected errors putting manifest with full verification")
 	}
 
+	// If schema1 is not enabled, do a short version of this test, just checking
+	// if we get the right error when we Put
+	if !schema1Enabled {
+		if err != distribution.ErrSchemaV1Unsupported {
+			t.Fatalf("got the wrong error when schema1 is disabled: %s", err)
+		}
+		return
+	}
+
 	switch err := err.(type) {
 	case distribution.ErrManifestVerification:
 		if len(err) != 2 {

registry/storage/registry.go

@@ -19,6 +19,7 @@ type registry struct {
 	statter                      *blobStatter // global statter service.
 	blobDescriptorCacheProvider  cache.BlobDescriptorCacheProvider
 	deleteEnabled                bool
+	schema1Enabled               bool
 	resumableDigestEnabled       bool
 	schema1SigningKey            libtrust.PrivateKey
 	blobDescriptorServiceFactory distribution.BlobDescriptorServiceFactory
@@ -49,6 +50,13 @@ func EnableDelete(registry *registry) error {
 	return nil
 }
 
+// EnableSchema1 is a functional option for NewRegistry. It enables pushing of
+// schema1 manifests.
+func EnableSchema1(registry *registry) error {
+	registry.schema1Enabled = true
+	return nil
+}
+
 // DisableDigestResumption is a functional option for NewRegistry. It should be
 // used if the registry is acting as a caching proxy.
 func DisableDigestResumption(registry *registry) error {
@@ -239,16 +247,30 @@ func (repo *repository) Manifests(ctx context.Context, options ...distribution.M
 		linkDirectoryPathSpec: manifestDirectoryPathSpec,
 	}
 
-	ms := &manifestStore{
-		ctx:        ctx,
-		repository: repo,
-		blobStore:  blobStore,
-		schema1Handler: &signedManifestHandler{
+	var v1Handler ManifestHandler
+	if repo.schema1Enabled {
+		v1Handler = &signedManifestHandler{
 			ctx:               ctx,
 			schema1SigningKey: repo.schema1SigningKey,
 			repository:        repo,
 			blobStore:         blobStore,
-		},
+		}
+	} else {
+		v1Handler = &v1UnsupportedHandler{
+			innerHandler: &signedManifestHandler{
+				ctx:               ctx,
+				schema1SigningKey: repo.schema1SigningKey,
+				repository:        repo,
+				blobStore:         blobStore,
+			},
+		}
+	}
+
+	ms := &manifestStore{
+		ctx:            ctx,
+		repository:     repo,
+		blobStore:      blobStore,
+		schema1Handler: v1Handler,
 		schema2Handler: &schema2ManifestHandler{
 			ctx:          ctx,
 			repository:   repo,

registry/storage/v1unsupportedhandler.go

@@ -0,0 +1,23 @@
+package storage
+
+import (
+	"context"
+
+	"github.com/docker/distribution"
+	digest "github.com/opencontainers/go-digest"
+)
+
+// signedManifestHandler is a ManifestHandler that unmarshals v1 manifests but
+// refuses to Put v1 manifests
+type v1UnsupportedHandler struct {
+	innerHandler ManifestHandler
+}
+
+var _ ManifestHandler = &v1UnsupportedHandler{}
+
+func (v *v1UnsupportedHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
+	return v.innerHandler.Unmarshal(ctx, dgst, content)
+}
+func (v *v1UnsupportedHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {
+	return digest.Digest(""), distribution.ErrSchemaV1Unsupported
+}