Make ACI generation consistent across calls
This will ensure that no matter which signature we write for the generated ACI, it is correct for that image.
This commit is contained in:
Joseph Schorr
parent
f02d295dd8
commit
4ec3a6c231
5 changed files with 60 additions and 16 deletions
|
|
@ -19,7 +19,7 @@ from cryptography.x509 import load_pem_x509_certificate
|
|||
from cryptography.hazmat.backends import default_backend
|
||||
|
||||
from app import app, storage
|
||||
from data.database import close_db_filter, configure
|
||||
from data.database import close_db_filter, configure, DerivedStorageForImage
|
||||
from data import model
|
||||
from endpoints.v1 import v1_bp
|
||||
from endpoints.v2 import v2_bp
|
||||
|
|
@ -83,6 +83,12 @@ def set_feature(feature_name):
|
|||
return jsonify({'old_value': old_value})
|
||||
|
||||
|
||||
@testbp.route('/clearderivedcache', methods=['POST'])
|
||||
def clearderivedcache():
|
||||
DerivedStorageForImage.delete().execute()
|
||||
return 'OK'
|
||||
|
||||
|
||||
@testbp.route('/removeuncompressed/<image_id>', methods=['POST'])
|
||||
def removeuncompressed(image_id):
|
||||
image = model.image.get_image_by_id('devtable', 'newrepo', image_id)
|
||||
|
|
@ -1449,7 +1455,7 @@ class ACIConversionTests(RegistryTestCaseMixin, V1RegistryPushMixin, LiveServerT
|
|||
|
||||
def get_converted_signature(self):
|
||||
# Give time for the signature to be written before continuing.
|
||||
time.sleep(1)
|
||||
time.sleep(2)
|
||||
response = self.conduct('GET', '/c1/aci/localhost:5000/devtable/newrepo/latest/aci.asc/linux/amd64/', auth='sig')
|
||||
return response.content
|
||||
|
||||
|
|
@ -1485,6 +1491,7 @@ class ACIConversionTests(RegistryTestCaseMixin, V1RegistryPushMixin, LiveServerT
|
|||
# Pull the squashed version of the tag.
|
||||
tar, converted = self.get_converted_image()
|
||||
signature = self.get_converted_signature()
|
||||
first_hash = hashlib.sha256(converted).hexdigest()
|
||||
|
||||
# Verify the manifest.
|
||||
self.assertEquals(['manifest', 'rootfs', 'rootfs/contents'], tar.getnames())
|
||||
|
|
@ -1523,6 +1530,24 @@ class ACIConversionTests(RegistryTestCaseMixin, V1RegistryPushMixin, LiveServerT
|
|||
# Verify the signature.
|
||||
self._verify_signature(signature, converted)
|
||||
|
||||
# Clear the cache and pull again, ensuring that the hash does not change even for a completely
|
||||
# new generation of the image.
|
||||
self.conduct('POST', '/__test/clearderivedcache')
|
||||
|
||||
_, converted_again = self.get_converted_image()
|
||||
second_hash = hashlib.sha256(converted_again).hexdigest()
|
||||
self.assertEquals(second_hash, first_hash)
|
||||
|
||||
# Ensure we have a different signature (and therefore the cache was broken).
|
||||
signature_again = self.get_converted_signature()
|
||||
self.assertNotEquals(signature_again, signature)
|
||||
|
||||
# Ensure *both* signatures work for both images.
|
||||
self._verify_signature(signature, converted_again)
|
||||
self._verify_signature(signature_again, converted)
|
||||
self._verify_signature(signature_again, converted_again)
|
||||
|
||||
|
||||
def test_multilayer_conversion(self):
|
||||
images = [
|
||||
{
|
||||
|
|
|
|||
Reference in a new issue