update url policy support; testing for annoations in index

Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown 2017-08-01 17:27:52 -05:00
parent f186e1da1c
commit 7b47fb13cf
4 changed files with 66 additions and 16 deletions

View file

@ -89,9 +89,6 @@ type ManifestList struct {
// Config references the image configuration as a blob. // Config references the image configuration as a blob.
Manifests []ManifestDescriptor `json:"manifests"` Manifests []ManifestDescriptor `json:"manifests"`
// Annotations contains arbitrary metadata for the image index.
Annotations map[string]string `json:"annotations,omitempty"`
} }
// References returns the distribution descriptors for the referenced image // References returns the distribution descriptors for the referenced image

View file

@ -111,7 +111,12 @@ func TestManifestList(t *testing.T) {
} }
} }
// TODO (mikebrow): add annotations on the index and individual manifests // TODO (mikebrow): add annotations on the manifest list (index) and support for
// empty platform structs (move to Platform *Platform `json:"platform,omitempty"`
// from current Platform PlatformSpec `json:"platform"`) in the manifest descriptor.
// Requires changes to docker/distribution/manifest/manifestlist.ManifestList and .ManifestDescriptor
// and associated serialization APIs in manifestlist.go. Or split the OCI index and
// docker manifest list implementations, which would require a lot of refactoring.
var expectedOCIImageIndexSerialization = []byte(`{ var expectedOCIImageIndexSerialization = []byte(`{
"schemaVersion": 2, "schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json", "mediaType": "application/vnd.oci.image.index.v1+json",
@ -128,10 +133,25 @@ var expectedOCIImageIndexSerialization = []byte(`{
] ]
} }
}, },
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 985,
"digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b",
"annotations": {
"platform": "none"
},
"platform": {
"architecture": "",
"os": ""
}
},
{ {
"mediaType": "application/vnd.oci.image.manifest.v1+json", "mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 2392, "size": 2392,
"digest": "sha256:6346340964309634683409684360934680934608934608934608934068934608", "digest": "sha256:6346340964309634683409684360934680934608934608934608934068934608",
"annotations": {
"what": "for"
},
"platform": { "platform": {
"architecture": "sun4m", "architecture": "sun4m",
"os": "sunos" "os": "sunos"
@ -154,11 +174,20 @@ func TestOCIImageIndex(t *testing.T) {
Features: []string{"sse4"}, Features: []string{"sse4"},
}, },
}, },
{
Descriptor: distribution.Descriptor{
Digest: "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b",
Size: 985,
MediaType: "application/vnd.oci.image.manifest.v1+json",
Annotations: map[string]string{"platform": "none"},
},
},
{ {
Descriptor: distribution.Descriptor{ Descriptor: distribution.Descriptor{
Digest: "sha256:6346340964309634683409684360934680934608934608934608934068934608", Digest: "sha256:6346340964309634683409684360934680934608934608934608934068934608",
Size: 2392, Size: 2392,
MediaType: "application/vnd.oci.image.manifest.v1+json", MediaType: "application/vnd.oci.image.manifest.v1+json",
Annotations: map[string]string{"what": "for"},
}, },
Platform: PlatformSpec{ Platform: PlatformSpec{
Architecture: "sun4m", Architecture: "sun4m",
@ -190,7 +219,7 @@ func TestOCIImageIndex(t *testing.T) {
// Check that the canonical field has the expected value. // Check that the canonical field has the expected value.
if !bytes.Equal(expectedOCIImageIndexSerialization, canonical) { if !bytes.Equal(expectedOCIImageIndexSerialization, canonical) {
t.Fatalf("manifest bytes not equal: %q != %q", string(canonical), string(expectedOCIImageIndexSerialization)) t.Fatalf("manifest bytes not equal to expected: %q != %q", string(canonical), string(expectedOCIImageIndexSerialization))
} }
var unmarshalled DeserializedManifestList var unmarshalled DeserializedManifestList
@ -203,7 +232,7 @@ func TestOCIImageIndex(t *testing.T) {
} }
references := deserialized.References() references := deserialized.References()
if len(references) != 2 { if len(references) != 3 {
t.Fatalf("unexpected number of references: %d", len(references)) t.Fatalf("unexpected number of references: %d", len(references))
} }
for i := range references { for i := range references {

View file

@ -3,6 +3,7 @@ package storage
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"net/url"
"github.com/docker/distribution" "github.com/docker/distribution"
"github.com/docker/distribution/context" "github.com/docker/distribution/context"
@ -79,6 +80,22 @@ func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst oc
var err error var err error
switch descriptor.MediaType { switch descriptor.MediaType {
case v1.MediaTypeImageLayer, v1.MediaTypeImageLayerGzip, v1.MediaTypeImageLayerNonDistributable, v1.MediaTypeImageLayerNonDistributableGzip:
allow := ms.manifestURLs.allow
deny := ms.manifestURLs.deny
for _, u := range descriptor.URLs {
var pu *url.URL
pu, err = url.Parse(u)
if err != nil || (pu.Scheme != "http" && pu.Scheme != "https") || pu.Fragment != "" || (allow != nil && !allow.MatchString(u)) || (deny != nil && deny.MatchString(u)) {
err = errInvalidURL
break
}
}
if err == nil && len(descriptor.URLs) == 0 {
// If no URLs, require that the blob exists
_, err = blobsService.Stat(ctx, descriptor.Digest)
}
case v1.MediaTypeImageManifest: case v1.MediaTypeImageManifest:
var exists bool var exists bool
exists, err = manifestService.Exists(ctx, descriptor.Digest) exists, err = manifestService.Exists(ctx, descriptor.Digest)

View file

@ -52,6 +52,11 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
} }
cases := []testcase{ cases := []testcase{
{
nonDistributableLayer,
nil,
distribution.ErrManifestBlobUnknown{Digest: nonDistributableLayer.Digest},
},
{ {
layer, layer,
[]string{"http://foo/bar"}, []string{"http://foo/bar"},
@ -60,37 +65,37 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"file:///local/file"}, []string{"file:///local/file"},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"http://foo/bar#baz"}, []string{"http://foo/bar#baz"},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{""}, []string{""},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"https://foo/bar", ""}, []string{"https://foo/bar", ""},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"", "https://foo/bar"}, []string{"", "https://foo/bar"},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"http://nope/bar"}, []string{"http://nope/bar"},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
[]string{"http://foo/nope"}, []string{"http://foo/nope"},
nil, errInvalidURL,
}, },
{ {
nonDistributableLayer, nonDistributableLayer,
@ -122,6 +127,8 @@ func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok { if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {
err = verr[0] err = verr[0]
} }
} else if len(verr) == 1 {
err = verr[0]
} }
} }
if err != c.Err { if err != c.Err {