distribution/registry/storage/signedmanifesthandler.go

package storage

import (
	"context"
	"encoding/json"
	"fmt"

	"github.com/distribution/distribution/v3"
	dcontext "github.com/distribution/distribution/v3/context"
	"github.com/distribution/distribution/v3/manifest/schema1" //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
	"github.com/distribution/distribution/v3/reference"
	"github.com/docker/libtrust"
	"github.com/opencontainers/go-digest"
)

// signedManifestHandler is a ManifestHandler that covers schema1 manifests. It
// can unmarshal and put schema1 manifests that have been signed by libtrust.
type signedManifestHandler struct {
	repository        distribution.Repository
	schema1SigningKey libtrust.PrivateKey
	blobStore         distribution.BlobStore
	ctx               context.Context
}

var _ ManifestHandler = &signedManifestHandler{}

func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Unmarshal")

	var (
		signatures [][]byte
		err        error
	)

	jsig, err := libtrust.NewJSONSignature(content, signatures...)
	if err != nil {
		return nil, err
	}

	if ms.schema1SigningKey != nil {
		if err := jsig.Sign(ms.schema1SigningKey); err != nil {
			return nil, err
		}
	}

	// Extract the pretty JWS
	raw, err := jsig.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	var sm schema1.SignedManifest //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
	if err := json.Unmarshal(raw, &sm); err != nil {
		return nil, err
	}
	return &sm, nil
}

func (ms *signedManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Put")

	sm, ok := manifest.(*schema1.SignedManifest) //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
	if !ok {
		return "", fmt.Errorf("non-schema1 manifest put to signedManifestHandler: %T", manifest)
	}

	if err := ms.verifyManifest(ms.ctx, *sm, skipDependencyVerification); err != nil {
		return "", err
	}

	mt := schema1.MediaTypeManifest //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
	payload := sm.Canonical

	revision, err := ms.blobStore.Put(ctx, mt, payload)
	if err != nil {
		dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)
		return "", err
	}

	return revision.Digest, nil
}

// verifyManifest ensures that the manifest content is valid from the
// perspective of the registry. It ensures that the signature is valid for the
// enclosed payload. As a policy, the registry only tries to store valid
// content, leaving trust policies of that content up to consumers.
func (ms *signedManifestHandler) verifyManifest(ctx context.Context, mnfst schema1.SignedManifest, skipDependencyVerification bool) error { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
	var errs distribution.ErrManifestVerification

	if len(mnfst.Name) > reference.NameTotalLengthMax {
		errs = append(errs,
			distribution.ErrManifestNameInvalid{
				Name:   mnfst.Name,
				Reason: fmt.Errorf("manifest name must not be more than %v characters", reference.NameTotalLengthMax),
			})
	}

	if !reference.NameRegexp.MatchString(mnfst.Name) {
		errs = append(errs,
			distribution.ErrManifestNameInvalid{
				Name:   mnfst.Name,
				Reason: fmt.Errorf("invalid manifest name format"),
			})
	}

	if len(mnfst.History) != len(mnfst.FSLayers) {
		errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",
			len(mnfst.History), len(mnfst.FSLayers)))
	}

	if _, err := schema1.Verify(&mnfst); err != nil { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
		switch err {
		case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
			errs = append(errs, distribution.ErrManifestUnverified{})
		default:
			if err.Error() == "invalid signature" { // TODO(stevvooe): This should be exported by libtrust
				errs = append(errs, distribution.ErrManifestUnverified{})
			} else {
				errs = append(errs, err)
			}
		}
	}

	if !skipDependencyVerification {
		for _, fsLayer := range mnfst.References() { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.
			_, err := ms.repository.Blobs(ctx).Stat(ctx, fsLayer.Digest)
			if err != nil {
				if err != distribution.ErrBlobUnknown {
					errs = append(errs, err)
				}

				// On error here, we always append unknown blob errors.
				errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})
			}
		}
	}
	if len(errs) != 0 {
		return errs
	}

	return nil
}
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`package storage`

			`import (`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`"context"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`"encoding/json"`
			`"fmt"`

go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 11:18:39 +00:00			`"github.com/distribution/distribution/v3"`
			`dcontext "github.com/distribution/distribution/v3/context"`
Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`"github.com/distribution/distribution/v3/manifest/schema1" //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 11:18:39 +00:00			`"github.com/distribution/distribution/v3/reference"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`"github.com/docker/libtrust"`
digest: migrate to opencontainers/go-digest Signed-off-by: Stephen J Day <stephen.day@docker.com> 2016-12-17 00:28:34 +00:00			`"github.com/opencontainers/go-digest"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`)`

			`// signedManifestHandler is a ManifestHandler that covers schema1 manifests. It`
			`// can unmarshal and put schema1 manifests that have been signed by libtrust.`
			`type signedManifestHandler struct {`
Decouple storage components by redefining dependencies as interfaces instead of concrete types Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2016-07-20 22:09:11 +00:00			`repository distribution.Repository`
			`schema1SigningKey libtrust.PrivateKey`
			`blobStore distribution.BlobStore`
			`ctx context.Context`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`}`

			`var _ ManifestHandler = &signedManifestHandler{}`

			`func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Unmarshal")`
Add option to disable signatures Add option for specifying trust key for signing schema1 manifests. Since schema1 signature key identifiers are not verified anywhere and deprecated, storing signatures is no longer a requirement. Furthermore in schema2 there is no signature, requiring the registry to already add signatures to generated schema1 manifests. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-10 23:20:39 +00:00
			`var (`
			`signatures [][]byte`
			`err error`
			`)`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00
			`jsig, err := libtrust.NewJSONSignature(content, signatures...)`
			`if err != nil {`
			`return nil, err`
			`}`

Decouple storage components by redefining dependencies as interfaces instead of concrete types Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2016-07-20 22:09:11 +00:00			`if ms.schema1SigningKey != nil {`
			`if err := jsig.Sign(ms.schema1SigningKey); err != nil {`
Add option to disable signatures Add option for specifying trust key for signing schema1 manifests. Since schema1 signature key identifiers are not verified anywhere and deprecated, storing signatures is no longer a requirement. Furthermore in schema2 there is no signature, requiring the registry to already add signatures to generated schema1 manifests. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-10 23:20:39 +00:00			`return nil, err`
			`}`
			`}`

Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`// Extract the pretty JWS`
			`raw, err := jsig.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`var sm schema1.SignedManifest //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`if err := json.Unmarshal(raw, &sm); err != nil {`
			`return nil, err`
			`}`
			`return &sm, nil`
			`}`

			`func (ms *signedManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Put")`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00
Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`sm, ok := manifest.(*schema1.SignedManifest) //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`if !ok {`
			`return "", fmt.Errorf("non-schema1 manifest put to signedManifestHandler: %T", manifest)`
			`}`

			`if err := ms.verifyManifest(ms.ctx, *sm, skipDependencyVerification); err != nil {`
			`return "", err`
			`}`

Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`mt := schema1.MediaTypeManifest //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`payload := sm.Canonical`

			`revision, err := ms.blobStore.Put(ctx, mt, payload)`
			`if err != nil {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`return "", err`
			`}`

			`return revision.Digest, nil`
			`}`

			`// verifyManifest ensures that the manifest content is valid from the`
			`// perspective of the registry. It ensures that the signature is valid for the`
			`// enclosed payload. As a policy, the registry only tries to store valid`
Add support for manifest list ("fat manifest") Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-17 01:26:13 +00:00			`// content, leaving trust policies of that content up to consumers.`
Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`func (ms *signedManifestHandler) verifyManifest(ctx context.Context, mnfst schema1.SignedManifest, skipDependencyVerification bool) error { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`var errs distribution.ErrManifestVerification`

			`if len(mnfst.Name) > reference.NameTotalLengthMax {`
			`errs = append(errs,`
			`distribution.ErrManifestNameInvalid{`
			`Name: mnfst.Name,`
			`Reason: fmt.Errorf("manifest name must not be more than %v characters", reference.NameTotalLengthMax),`
			`})`
			`}`

			`if !reference.NameRegexp.MatchString(mnfst.Name) {`
			`errs = append(errs,`
			`distribution.ErrManifestNameInvalid{`
			`Name: mnfst.Name,`
			`Reason: fmt.Errorf("invalid manifest name format"),`
			`})`
			`}`

			`if len(mnfst.History) != len(mnfst.FSLayers) {`
			`errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",`
			`len(mnfst.History), len(mnfst.FSLayers)))`
			`}`

Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`if _, err := schema1.Verify(&mnfst); err != nil { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`switch err {`
			`case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:`
			`errs = append(errs, distribution.ErrManifestUnverified{})`
			`default:`
			`if err.Error() == "invalid signature" { // TODO(stevvooe): This should be exported by libtrust`
			`errs = append(errs, distribution.ErrManifestUnverified{})`
			`} else {`
			`errs = append(errs, err)`
			`}`
			`}`
			`}`

			`if !skipDependencyVerification {`
Ignore SA1019: "schema1 is deprecated" linting errors We need to use this for backward compatibility. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-05-09 11:18:47 +00:00			`for _, fsLayer := range mnfst.References() { //nolint:staticcheck // Ignore SA1019: "github.com/distribution/distribution/v3/manifest/schema1" is deprecated, as it's used for backward compatibility.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`_, err := ms.repository.Blobs(ctx).Stat(ctx, fsLayer.Digest)`
			`if err != nil {`
			`if err != distribution.ErrBlobUnknown {`
			`errs = append(errs, err)`
			`}`

			`// On error here, we always append unknown blob errors.`
			`errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})`
			`}`
			`}`
			`}`
			`if len(errs) != 0 {`
			`return errs`
			`}`

			`return nil`
			`}`