update url policy support; testing for annoations in index
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
parent
f186e1da1c
commit
7b47fb13cf
@ -89,9 +89,6 @@ type ManifestList struct {
|
|||||||
|
|
||||||
// Config references the image configuration as a blob.
|
// Config references the image configuration as a blob.
|
||||||
Manifests []ManifestDescriptor `json:"manifests"`
|
Manifests []ManifestDescriptor `json:"manifests"`
|
||||||
|
|
||||||
// Annotations contains arbitrary metadata for the image index.
|
|
||||||
Annotations map[string]string `json:"annotations,omitempty"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// References returns the distribution descriptors for the referenced image
|
// References returns the distribution descriptors for the referenced image
|
||||||
|
@ -111,7 +111,12 @@ func TestManifestList(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO (mikebrow): add annotations on the index and individual manifests
|
// TODO (mikebrow): add annotations on the manifest list (index) and support for
|
||||||
|
// empty platform structs (move to Platform *Platform `json:"platform,omitempty"`
|
||||||
|
// from current Platform PlatformSpec `json:"platform"`) in the manifest descriptor.
|
||||||
|
// Requires changes to docker/distribution/manifest/manifestlist.ManifestList and .ManifestDescriptor
|
||||||
|
// and associated serialization APIs in manifestlist.go. Or split the OCI index and
|
||||||
|
// docker manifest list implementations, which would require a lot of refactoring.
|
||||||
var expectedOCIImageIndexSerialization = []byte(`{
|
var expectedOCIImageIndexSerialization = []byte(`{
|
||||||
"schemaVersion": 2,
|
"schemaVersion": 2,
|
||||||
"mediaType": "application/vnd.oci.image.index.v1+json",
|
"mediaType": "application/vnd.oci.image.index.v1+json",
|
||||||
@ -128,10 +133,25 @@ var expectedOCIImageIndexSerialization = []byte(`{
|
|||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||||
|
"size": 985,
|
||||||
|
"digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b",
|
||||||
|
"annotations": {
|
||||||
|
"platform": "none"
|
||||||
|
},
|
||||||
|
"platform": {
|
||||||
|
"architecture": "",
|
||||||
|
"os": ""
|
||||||
|
}
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
"mediaType": "application/vnd.oci.image.manifest.v1+json",
|
||||||
"size": 2392,
|
"size": 2392,
|
||||||
"digest": "sha256:6346340964309634683409684360934680934608934608934608934068934608",
|
"digest": "sha256:6346340964309634683409684360934680934608934608934608934068934608",
|
||||||
|
"annotations": {
|
||||||
|
"what": "for"
|
||||||
|
},
|
||||||
"platform": {
|
"platform": {
|
||||||
"architecture": "sun4m",
|
"architecture": "sun4m",
|
||||||
"os": "sunos"
|
"os": "sunos"
|
||||||
@ -154,11 +174,20 @@ func TestOCIImageIndex(t *testing.T) {
|
|||||||
Features: []string{"sse4"},
|
Features: []string{"sse4"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Descriptor: distribution.Descriptor{
|
||||||
|
Digest: "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b",
|
||||||
|
Size: 985,
|
||||||
|
MediaType: "application/vnd.oci.image.manifest.v1+json",
|
||||||
|
Annotations: map[string]string{"platform": "none"},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
Descriptor: distribution.Descriptor{
|
Descriptor: distribution.Descriptor{
|
||||||
Digest: "sha256:6346340964309634683409684360934680934608934608934608934068934608",
|
Digest: "sha256:6346340964309634683409684360934680934608934608934608934068934608",
|
||||||
Size: 2392,
|
Size: 2392,
|
||||||
MediaType: "application/vnd.oci.image.manifest.v1+json",
|
MediaType: "application/vnd.oci.image.manifest.v1+json",
|
||||||
|
Annotations: map[string]string{"what": "for"},
|
||||||
},
|
},
|
||||||
Platform: PlatformSpec{
|
Platform: PlatformSpec{
|
||||||
Architecture: "sun4m",
|
Architecture: "sun4m",
|
||||||
@ -190,7 +219,7 @@ func TestOCIImageIndex(t *testing.T) {
|
|||||||
|
|
||||||
// Check that the canonical field has the expected value.
|
// Check that the canonical field has the expected value.
|
||||||
if !bytes.Equal(expectedOCIImageIndexSerialization, canonical) {
|
if !bytes.Equal(expectedOCIImageIndexSerialization, canonical) {
|
||||||
t.Fatalf("manifest bytes not equal: %q != %q", string(canonical), string(expectedOCIImageIndexSerialization))
|
t.Fatalf("manifest bytes not equal to expected: %q != %q", string(canonical), string(expectedOCIImageIndexSerialization))
|
||||||
}
|
}
|
||||||
|
|
||||||
var unmarshalled DeserializedManifestList
|
var unmarshalled DeserializedManifestList
|
||||||
@ -203,7 +232,7 @@ func TestOCIImageIndex(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
references := deserialized.References()
|
references := deserialized.References()
|
||||||
if len(references) != 2 {
|
if len(references) != 3 {
|
||||||
t.Fatalf("unexpected number of references: %d", len(references))
|
t.Fatalf("unexpected number of references: %d", len(references))
|
||||||
}
|
}
|
||||||
for i := range references {
|
for i := range references {
|
||||||
|
@ -3,6 +3,7 @@ package storage
|
|||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"net/url"
|
||||||
|
|
||||||
"github.com/docker/distribution"
|
"github.com/docker/distribution"
|
||||||
"github.com/docker/distribution/context"
|
"github.com/docker/distribution/context"
|
||||||
@ -79,6 +80,22 @@ func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst oc
|
|||||||
var err error
|
var err error
|
||||||
|
|
||||||
switch descriptor.MediaType {
|
switch descriptor.MediaType {
|
||||||
|
case v1.MediaTypeImageLayer, v1.MediaTypeImageLayerGzip, v1.MediaTypeImageLayerNonDistributable, v1.MediaTypeImageLayerNonDistributableGzip:
|
||||||
|
allow := ms.manifestURLs.allow
|
||||||
|
deny := ms.manifestURLs.deny
|
||||||
|
for _, u := range descriptor.URLs {
|
||||||
|
var pu *url.URL
|
||||||
|
pu, err = url.Parse(u)
|
||||||
|
if err != nil || (pu.Scheme != "http" && pu.Scheme != "https") || pu.Fragment != "" || (allow != nil && !allow.MatchString(u)) || (deny != nil && deny.MatchString(u)) {
|
||||||
|
err = errInvalidURL
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if err == nil && len(descriptor.URLs) == 0 {
|
||||||
|
// If no URLs, require that the blob exists
|
||||||
|
_, err = blobsService.Stat(ctx, descriptor.Digest)
|
||||||
|
}
|
||||||
|
|
||||||
case v1.MediaTypeImageManifest:
|
case v1.MediaTypeImageManifest:
|
||||||
var exists bool
|
var exists bool
|
||||||
exists, err = manifestService.Exists(ctx, descriptor.Digest)
|
exists, err = manifestService.Exists(ctx, descriptor.Digest)
|
||||||
|
@ -52,6 +52,11 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cases := []testcase{
|
cases := []testcase{
|
||||||
|
{
|
||||||
|
nonDistributableLayer,
|
||||||
|
nil,
|
||||||
|
distribution.ErrManifestBlobUnknown{Digest: nonDistributableLayer.Digest},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
layer,
|
layer,
|
||||||
[]string{"http://foo/bar"},
|
[]string{"http://foo/bar"},
|
||||||
@ -60,37 +65,37 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
|
|||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"file:///local/file"},
|
[]string{"file:///local/file"},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"http://foo/bar#baz"},
|
[]string{"http://foo/bar#baz"},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{""},
|
[]string{""},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"https://foo/bar", ""},
|
[]string{"https://foo/bar", ""},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"", "https://foo/bar"},
|
[]string{"", "https://foo/bar"},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"http://nope/bar"},
|
[]string{"http://nope/bar"},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
[]string{"http://foo/nope"},
|
[]string{"http://foo/nope"},
|
||||||
nil,
|
errInvalidURL,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
nonDistributableLayer,
|
nonDistributableLayer,
|
||||||
@ -122,6 +127,8 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
|
|||||||
if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {
|
if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {
|
||||||
err = verr[0]
|
err = verr[0]
|
||||||
}
|
}
|
||||||
|
} else if len(verr) == 1 {
|
||||||
|
err = verr[0]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err != c.Err {
|
if err != c.Err {
|
||||||
|
Loading…
Reference in New Issue
Block a user