Merge pull request #2257 from coreos-inc/clair-gc-take2

feat(gc): Garbage collection for security scanning

test/test_secscan.py

@@ -726,5 +726,34 @@ class TestSecurityScanner(unittest.TestCase):
       self.assertIsNone(notification_queue.get())
 
 
+  def test_layer_gc(self):
+    layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest', include_storage=True)
+
+    # Delete the prod tag so that only the `latest` tag remains.
+    model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, 'prod')
+
+    with fake_security_scanner() as security_scanner:
+      # Analyze the layer.
+      analyzer = LayerAnalyzer(app.config, self.api)
+      analyzer.analyze_recursively(layer)
+
+      layer = model.tag.get_tag_image(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
+      self.assertAnalyzed(layer, security_scanner, True, 1)
+      self.assertTrue(security_scanner.has_layer(security_scanner.layer_id(layer)))
+
+      namespace_user = model.user.get_user(ADMIN_ACCESS_USER)
+      model.user.change_user_tag_expiration(namespace_user, 0)
+
+      # Delete the tag in the repository and GC.
+      model.tag.delete_tag(ADMIN_ACCESS_USER, SIMPLE_REPO, 'latest')
+      time.sleep(1)
+
+      repo = model.repository.get_repository(ADMIN_ACCESS_USER, SIMPLE_REPO)
+      model.repository.garbage_collect_repo(repo)
+
+      # Ensure that the security scanner no longer has the image.
+      self.assertFalse(security_scanner.has_layer(security_scanner.layer_id(layer)))
+
+
 if __name__ == '__main__':
   unittest.main()