distribution/registry/storage/signedmanifesthandler.go

package storage

import (
	"context"
	"encoding/json"
	"fmt"

	"github.com/distribution/reference"
	"github.com/docker/distribution"
	dcontext "github.com/docker/distribution/context"
	"github.com/docker/distribution/manifest/schema1"
	"github.com/docker/libtrust"
	"github.com/opencontainers/go-digest"
)

// signedManifestHandler is a ManifestHandler that covers schema1 manifests. It
// can unmarshal and put schema1 manifests that have been signed by libtrust.
type signedManifestHandler struct {
	repository        distribution.Repository
	schema1SigningKey libtrust.PrivateKey
	blobStore         distribution.BlobStore
	ctx               context.Context
}

var _ ManifestHandler = &signedManifestHandler{}

func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Unmarshal")

	var (
		signatures [][]byte
		err        error
	)

	jsig, err := libtrust.NewJSONSignature(content, signatures...)
	if err != nil {
		return nil, err
	}

	if ms.schema1SigningKey != nil {
		if err := jsig.Sign(ms.schema1SigningKey); err != nil {
			return nil, err
		}
	}

	// Extract the pretty JWS
	raw, err := jsig.PrettySignature("signatures")
	if err != nil {
		return nil, err
	}

	var sm schema1.SignedManifest
	if err := json.Unmarshal(raw, &sm); err != nil {
		return nil, err
	}
	return &sm, nil
}

func (ms *signedManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Put")

	sm, ok := manifest.(*schema1.SignedManifest)
	if !ok {
		return "", fmt.Errorf("non-schema1 manifest put to signedManifestHandler: %T", manifest)
	}

	if err := ms.verifyManifest(ms.ctx, *sm, skipDependencyVerification); err != nil {
		return "", err
	}

	mt := schema1.MediaTypeManifest
	payload := sm.Canonical

	revision, err := ms.blobStore.Put(ctx, mt, payload)
	if err != nil {
		dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)
		return "", err
	}

	return revision.Digest, nil
}

// verifyManifest ensures that the manifest content is valid from the
// perspective of the registry. It ensures that the signature is valid for the
// enclosed payload. As a policy, the registry only tries to store valid
// content, leaving trust policies of that content up to consumers.
func (ms *signedManifestHandler) verifyManifest(ctx context.Context, mnfst schema1.SignedManifest, skipDependencyVerification bool) error {
	var errs distribution.ErrManifestVerification

	if len(mnfst.Name) > reference.NameTotalLengthMax {
		errs = append(errs,
			distribution.ErrManifestNameInvalid{
				Name:   mnfst.Name,
				Reason: fmt.Errorf("manifest name must not be more than %v characters", reference.NameTotalLengthMax),
			})
	}

	if !reference.NameRegexp.MatchString(mnfst.Name) {
		errs = append(errs,
			distribution.ErrManifestNameInvalid{
				Name:   mnfst.Name,
				Reason: fmt.Errorf("invalid manifest name format"),
			})
	}

	if len(mnfst.History) != len(mnfst.FSLayers) {
		errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",
			len(mnfst.History), len(mnfst.FSLayers)))
	}

	if _, err := schema1.Verify(&mnfst); err != nil {
		switch err {
		case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
			errs = append(errs, distribution.ErrManifestUnverified{})
		default:
			if err.Error() == "invalid signature" { // TODO(stevvooe): This should be exported by libtrust
				errs = append(errs, distribution.ErrManifestUnverified{})
			} else {
				errs = append(errs, err)
			}
		}
	}

	if !skipDependencyVerification {
		for _, fsLayer := range mnfst.References() {
			_, err := ms.repository.Blobs(ctx).Stat(ctx, fsLayer.Digest)
			if err != nil {
				if err != distribution.ErrBlobUnknown {
					errs = append(errs, err)
				}

				// On error here, we always append unknown blob errors.
				errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})
			}
		}
	}
	if len(errs) != 0 {
		return errs
	}

	return nil
}
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`package storage`

			`import (`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`"context"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`"encoding/json"`
			`"fmt"`

deprecate reference package, migrate to github.com/distribution/reference This integrates the new module, which was extracted from this repository at commit b9b19409cf458dcb9e1253ff44ba75bd0620faa6; # install filter-repo (https://github.com/newren/git-filter-repo/blob/main/INSTALL.md) brew install git-filter-repo # create a temporary clone of docker cd ~/Projects git clone https://github.com/distribution/distribution.git reference cd reference # commit taken from git rev-parse --verify HEAD b9b19409cf458dcb9e1253ff44ba75bd0620faa6 # remove all code, except for general files, 'reference/', and rename to / git filter-repo \ --path .github/workflows/codeql-analysis.yml \ --path .github/workflows/fossa.yml \ --path .golangci.yml \ --path distribution-logo.svg \ --path CODE-OF-CONDUCT.md \ --path CONTRIBUTING.md \ --path GOVERNANCE.md \ --path README.md \ --path LICENSE \ --path MAINTAINERS \ --path-glob 'reference/.' \ --path-rename reference/: # initialize go.mod go mod init github.com/distribution/reference go mod tidy -go=1.20 This commit is based on 152af63ec5c569f074e9cf5d0e409d6928e034d8 in the main branch, but adjusted for the 2.8 branch, with some differences: - the Sort functions have not been kept, as they were not part of the v2 package, and introduced in 1052518d9f962372694e004dba46d2036fb23101 - the ParseAnyReferenceWithSet and ShortIdentifierRegexp were kept (but deprecated) as removing happened in 6d4f62d7fdfa25bd4bb42a18995c50aeededc0d6, which is not in the 2.8 branch. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-08-30 15:50:56 +00:00			`"github.com/distribution/reference"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`"github.com/docker/distribution"`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext "github.com/docker/distribution/context"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`"github.com/docker/distribution/manifest/schema1"`
			`"github.com/docker/libtrust"`
digest: migrate to opencontainers/go-digest Signed-off-by: Stephen J Day <stephen.day@docker.com> 2016-12-17 00:28:34 +00:00			`"github.com/opencontainers/go-digest"`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`)`

			`// signedManifestHandler is a ManifestHandler that covers schema1 manifests. It`
			`// can unmarshal and put schema1 manifests that have been signed by libtrust.`
			`type signedManifestHandler struct {`
Decouple storage components by redefining dependencies as interfaces instead of concrete types Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2016-07-20 22:09:11 +00:00			`repository distribution.Repository`
			`schema1SigningKey libtrust.PrivateKey`
			`blobStore distribution.BlobStore`
			`ctx context.Context`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`}`

			`var _ ManifestHandler = &signedManifestHandler{}`

			`func (ms *signedManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Unmarshal")`
Add option to disable signatures Add option for specifying trust key for signing schema1 manifests. Since schema1 signature key identifiers are not verified anywhere and deprecated, storing signatures is no longer a requirement. Furthermore in schema2 there is no signature, requiring the registry to already add signatures to generated schema1 manifests. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-10 23:20:39 +00:00
			`var (`
			`signatures [][]byte`
			`err error`
			`)`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00
			`jsig, err := libtrust.NewJSONSignature(content, signatures...)`
			`if err != nil {`
			`return nil, err`
			`}`

Decouple storage components by redefining dependencies as interfaces instead of concrete types Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2016-07-20 22:09:11 +00:00			`if ms.schema1SigningKey != nil {`
			`if err := jsig.Sign(ms.schema1SigningKey); err != nil {`
Add option to disable signatures Add option for specifying trust key for signing schema1 manifests. Since schema1 signature key identifiers are not verified anywhere and deprecated, storing signatures is no longer a requirement. Furthermore in schema2 there is no signature, requiring the registry to already add signatures to generated schema1 manifests. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2016-02-10 23:20:39 +00:00			`return nil, err`
			`}`
			`}`

Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`// Extract the pretty JWS`
			`raw, err := jsig.PrettySignature("signatures")`
			`if err != nil {`
			`return nil, err`
			`}`

			`var sm schema1.SignedManifest`
			`if err := json.Unmarshal(raw, &sm); err != nil {`
			`return nil, err`
			`}`
			`return &sm, nil`
			`}`

			`func (ms *signedManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ms.ctx).Debug("(*signedManifestHandler).Put")`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00
			`sm, ok := manifest.(*schema1.SignedManifest)`
			`if !ok {`
			`return "", fmt.Errorf("non-schema1 manifest put to signedManifestHandler: %T", manifest)`
			`}`

			`if err := ms.verifyManifest(ms.ctx, *sm, skipDependencyVerification); err != nil {`
			`return "", err`
			`}`

			`mt := schema1.MediaTypeManifest`
			`payload := sm.Canonical`

			`revision, err := ms.blobStore.Put(ctx, mt, payload)`
			`if err != nil {`
context: remove definition of Context Back in the before time, the best practices surrounding usage of Context weren't quite worked out. We defined our own type to make usage easier. As this packaged was used elsewhere, it make it more and more challenging to integrate with the forked `Context` type. Now that it is available in the standard library, we can just use that one directly. To make usage more consistent, we now use `dcontext` when referring to the distribution context package. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2017-08-11 22:31:16 +00:00			`dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`return "", err`
			`}`

			`return revision.Digest, nil`
			`}`

			`// verifyManifest ensures that the manifest content is valid from the`
			`// perspective of the registry. It ensures that the signature is valid for the`
			`// enclosed payload. As a policy, the registry only tries to store valid`
Add support for manifest list ("fat manifest") Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-17 01:26:13 +00:00			`// content, leaving trust policies of that content up to consumers.`
Factor out schema-specific portions of manifestStore Create signedManifestHandler and schema2ManifestHandler. Use these to unmarshal and put the respective types of manifests from manifestStore. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com> 2015-12-15 02:19:34 +00:00			`func (ms *signedManifestHandler) verifyManifest(ctx context.Context, mnfst schema1.SignedManifest, skipDependencyVerification bool) error {`
			`var errs distribution.ErrManifestVerification`

			`if len(mnfst.Name) > reference.NameTotalLengthMax {`
			`errs = append(errs,`
			`distribution.ErrManifestNameInvalid{`
			`Name: mnfst.Name,`
			`Reason: fmt.Errorf("manifest name must not be more than %v characters", reference.NameTotalLengthMax),`
			`})`
			`}`

			`if !reference.NameRegexp.MatchString(mnfst.Name) {`
			`errs = append(errs,`
			`distribution.ErrManifestNameInvalid{`
			`Name: mnfst.Name,`
			`Reason: fmt.Errorf("invalid manifest name format"),`
			`})`
			`}`

			`if len(mnfst.History) != len(mnfst.FSLayers) {`
			`errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",`
			`len(mnfst.History), len(mnfst.FSLayers)))`
			`}`

			`if _, err := schema1.Verify(&mnfst); err != nil {`
			`switch err {`
			`case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:`
			`errs = append(errs, distribution.ErrManifestUnverified{})`
			`default:`
			`if err.Error() == "invalid signature" { // TODO(stevvooe): This should be exported by libtrust`
			`errs = append(errs, distribution.ErrManifestUnverified{})`
			`} else {`
			`errs = append(errs, err)`
			`}`
			`}`
			`}`

			`if !skipDependencyVerification {`
			`for _, fsLayer := range mnfst.References() {`
			`_, err := ms.repository.Blobs(ctx).Stat(ctx, fsLayer.Digest)`
			`if err != nil {`
			`if err != distribution.ErrBlobUnknown {`
			`errs = append(errs, err)`
			`}`

			`// On error here, we always append unknown blob errors.`
			`errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})`
			`}`
			`}`
			`}`
			`if len(errs) != 0 {`
			`return errs`
			`}`

			`return nil`
			`}`