Add architecture validation to manifest lists that contain schema 1 manifests

Fixes https://jira.coreos.com/browse/QUAY-1266
2018-12-19 13:42:07 -05:00 · 2018-12-19 13:42:07 -05:00 · f0f2d9cdf4
commit f0f2d9cdf4
parent b5a5ce7c43
9 changed files with 110 additions and 6 deletions
--- a/test/registry/protocol_v2.py
+++ b/test/registry/protocol_v2.py
@ -292,8 +292,8 @@ class V2Protocol(RegistryProtocol):
    blobs[schema2_config.digest] = schema2_config.bytes.as_encoded_str()
    return builder.build(ensure_ascii=options.ensure_ascii)

-  def build_schema1(self, namespace, repo_name, tag_name, images, blobs, options):
-    builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name)
+  def build_schema1(self, namespace, repo_name, tag_name, images, blobs, options, arch='amd64'):
+    builder = DockerSchema1ManifestBuilder(namespace, repo_name, tag_name, arch)

    for image in reversed(images):
      assert image.urls is None
--- a/test/registry/registry_tests.py
+++ b/test/registry/registry_tests.py
@ -1441,7 +1441,8 @@ def test_push_pull_manifest_list_back_compat(v22_protocol, legacy_puller, basic_
  # Build the manifests that will go in the list.
  blobs = {}

-  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options)
+  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options,
+                                      arch='amd64' if is_amd else 'something')
  first_manifest = signed.unsigned()
  if schema_version == 2:
    first_manifest = v22_protocol.build_schema2(basic_images, blobs, options)
@ -1904,3 +1905,30 @@ def test_push_pull_older_mimetype(pusher, puller, basic_images, liveserver_sessi
  # Pull the repository to verify.
  puller.pull(liveserver_session, 'devtable', 'newrepo', 'latest', basic_images,
              credentials=credentials, options=options)
+
+def test_attempt_push_mismatched_manifest(v22_protocol, basic_images, liveserver_session,
+                                          app_reloader, data_model):
+  """ Test: Attempt to push a manifest list refering to a schema 1 manifest with a different
+      architecture than that specified in the manifest list.
+  """
+  if data_model != 'oci_model':
+    return
+
+  credentials = ('devtable', 'password')
+  options = ProtocolOptions()
+
+  # Build the manifest that will go in the list. This will be amd64.
+  blobs = {}
+  signed = v22_protocol.build_schema1('devtable', 'newrepo', 'latest', basic_images, blobs, options)
+  manifest = signed.unsigned()
+
+  # Create the manifest list, but refer to the manifest as arm.
+  builder = DockerSchema2ManifestListBuilder()
+  builder.add_manifest(manifest, 'arm', 'linux')
+  manifestlist = builder.build()
+
+  # Attempt to push the manifest, which should fail.
+  v22_protocol.push_list(liveserver_session, 'devtable', 'newrepo', 'latest', manifestlist,
+                         [manifest], blobs,
+                         credentials=credentials, options=options,
+                         expected_failure=Failures.INVALID_MANIFEST)