distribution/registry/storage/ocimanifesthandler_test.go

package storage

import (
	"context"
	"regexp"
	"strings"
	"testing"

	"github.com/distribution/distribution/v3"
	"github.com/distribution/distribution/v3/manifest"
	"github.com/distribution/distribution/v3/manifest/ocischema"
	"github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
	"github.com/opencontainers/go-digest"
	v1 "github.com/opencontainers/image-spec/specs-go/v1"
)

func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {
	ctx := context.Background()
	inmemoryDriver := inmemory.New()
	registry := createRegistry(t, inmemoryDriver,
		ManifestURLsAllowRegexp(regexp.MustCompile("^https?://foo")),
		ManifestURLsDenyRegexp(regexp.MustCompile("^https?://foo/nope")))
	repo := makeRepository(t, registry, "test")
	manifestService := makeManifestService(t, repo)

	config, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageConfig, nil)
	if err != nil {
		t.Fatal(err)
	}

	layer, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageLayerGzip, nil)
	if err != nil {
		t.Fatal(err)
	}

	nonDistributableLayer := distribution.Descriptor{
		Digest:    "sha256:463435349086340864309863409683460843608348608934092322395278926a",
		Size:      6323,
		MediaType: v1.MediaTypeImageLayerNonDistributableGzip, //nolint:staticcheck // ignore A1019: v1.MediaTypeImageLayerNonDistributableGzip is deprecated: Non-distributable layers are deprecated, and not recommended for future use
	}

	emptyLayer := distribution.Descriptor{
		Digest: "",
	}

	emptyGzipLayer := distribution.Descriptor{
		Digest:    "",
		MediaType: v1.MediaTypeImageLayerGzip,
	}

	template := ocischema.Manifest{
		Versioned: manifest.Versioned{
			SchemaVersion: 2,
			MediaType:     v1.MediaTypeImageManifest,
		},
		Config: config,
	}

	type testcase struct {
		BaseLayer distribution.Descriptor
		URLs      []string
		Err       error
	}

	cases := []testcase{
		{
			nonDistributableLayer,
			nil,
			distribution.ErrManifestBlobUnknown{Digest: nonDistributableLayer.Digest},
		},
		{
			layer,
			[]string{"http://foo/bar"},
			nil,
		},
		{
			nonDistributableLayer,
			[]string{"file:///local/file"},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"http://foo/bar#baz"},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{""},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"https://foo/bar", ""},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"", "https://foo/bar"},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"http://nope/bar"},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"http://foo/nope"},
			errInvalidURL,
		},
		{
			nonDistributableLayer,
			[]string{"http://foo/bar"},
			nil,
		},
		{
			nonDistributableLayer,
			[]string{"https://foo/bar"},
			nil,
		},
		{
			emptyLayer,
			[]string{"https://foo/empty"},
			digest.ErrDigestInvalidFormat,
		},
		{
			emptyLayer,
			[]string{},
			digest.ErrDigestInvalidFormat,
		},
		{
			emptyGzipLayer,
			[]string{"https://foo/empty"},
			digest.ErrDigestInvalidFormat,
		},
		{
			emptyGzipLayer,
			[]string{},
			digest.ErrDigestInvalidFormat,
		},
	}

	for _, c := range cases {
		m := template
		l := c.BaseLayer
		l.URLs = c.URLs
		m.Layers = []distribution.Descriptor{l}
		dm, err := ocischema.FromStruct(m)
		if err != nil {
			t.Error(err)
			continue
		}

		_, err = manifestService.Put(ctx, dm)
		if verr, ok := err.(distribution.ErrManifestVerification); ok {
			// Extract the first error
			if len(verr) == 2 {
				if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {
					err = verr[0]
				}
			} else if len(verr) == 1 {
				err = verr[0]
			}
		}
		if err != c.Err {
			t.Errorf("%#v: expected %v, got %v", l, c.Err, err)
		}
	}
}

func TestVerifyOCIManifestBlobLayerAndConfig(t *testing.T) {
	ctx := context.Background()
	inmemoryDriver := inmemory.New()
	registry := createRegistry(t, inmemoryDriver,
		ManifestURLsAllowRegexp(regexp.MustCompile("^https?://foo")),
		ManifestURLsDenyRegexp(regexp.MustCompile("^https?://foo/nope")))

	repo := makeRepository(t, registry, strings.ToLower(t.Name()))
	manifestService := makeManifestService(t, repo)

	config, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageConfig, nil)
	if err != nil {
		t.Fatal(err)
	}

	layer, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageLayerGzip, nil)
	if err != nil {
		t.Fatal(err)
	}

	template := ocischema.Manifest{
		Versioned: manifest.Versioned{
			SchemaVersion: 2,
			MediaType:     v1.MediaTypeImageManifest,
		},
	}

	checkFn := func(m ocischema.Manifest, rerr error) {
		dm, err := ocischema.FromStruct(m)
		if err != nil {
			t.Error(err)
			return
		}

		_, err = manifestService.Put(ctx, dm)
		if verr, ok := err.(distribution.ErrManifestVerification); ok {
			// Extract the first error
			if len(verr) == 2 {
				if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {
					err = verr[0]
				}
			} else if len(verr) == 1 {
				err = verr[0]
			}
		}
		if err != rerr {
			t.Errorf("%#v: expected %v, got %v", m, rerr, err)
		}
	}

	type testcase struct {
		Desc distribution.Descriptor
		URLs []string
		Err  error
	}

	layercases := []testcase{
		// empty media type
		{
			distribution.Descriptor{},
			[]string{"http://foo/bar"},
			digest.ErrDigestInvalidFormat,
		},
		{
			distribution.Descriptor{},
			nil,
			digest.ErrDigestInvalidFormat,
		},
		// unknown media type, but blob is present
		{
			distribution.Descriptor{
				Digest: layer.Digest,
			},
			nil,
			nil,
		},
		{
			distribution.Descriptor{
				Digest: layer.Digest,
			},
			[]string{"http://foo/bar"},
			nil,
		},
		// gzip layer, but invalid digest
		{
			distribution.Descriptor{
				MediaType: v1.MediaTypeImageLayerGzip,
			},
			nil,
			digest.ErrDigestInvalidFormat,
		},
		{
			distribution.Descriptor{
				MediaType: v1.MediaTypeImageLayerGzip,
			},
			[]string{"https://foo/bar"},
			digest.ErrDigestInvalidFormat,
		},
		{
			distribution.Descriptor{
				MediaType: v1.MediaTypeImageLayerGzip,
				Digest:    digest.Digest("invalid"),
			},
			nil,
			digest.ErrDigestInvalidFormat,
		},
		// normal uploaded gzip layer
		{
			layer,
			nil,
			nil,
		},
		{
			layer,
			[]string{"https://foo/bar"},
			nil,
		},
	}

	for _, c := range layercases {
		m := template
		m.Config = config

		l := c.Desc
		l.URLs = c.URLs

		m.Layers = []distribution.Descriptor{l}

		checkFn(m, c.Err)
	}

	configcases := []testcase{
		// valid config
		{
			config,
			nil,
			nil,
		},
		// invalid digest
		{
			distribution.Descriptor{
				MediaType: v1.MediaTypeImageConfig,
			},
			[]string{"https://foo/bar"},
			digest.ErrDigestInvalidFormat,
		},
		{
			distribution.Descriptor{
				MediaType: v1.MediaTypeImageConfig,
				Digest:    digest.Digest("invalid"),
			},
			nil,
			digest.ErrDigestInvalidFormat,
		},
	}

	for _, c := range configcases {
		m := template
		m.Config = c.Desc
		m.Config.URLs = c.URLs

		checkFn(m, c.Err)
	}
}
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`package storage`

			`import (`
folow commit 9c88801a12a97de49abf26e9604975eececa654c Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-09-01 02:14:40 +00:00			`"context"`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`"regexp"`
registry: verify digest and check blob presence when put manifest According to OCI image spec, the descriptor's digest field is required. For the normal config/layer blobs, the valivation should check the presence of the blob when put manifest. REF: https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Wei Fu <fuweid89@gmail.com> 2021-04-15 06:44:04 +00:00			`"strings"`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`"testing"`

go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 11:18:39 +00:00			`"github.com/distribution/distribution/v3"`
			`"github.com/distribution/distribution/v3/manifest"`
			`"github.com/distribution/distribution/v3/manifest/ocischema"`
			`"github.com/distribution/distribution/v3/registry/storage/driver/inmemory"`
registry: verify digest and check blob presence when put manifest According to OCI image spec, the descriptor's digest field is required. For the normal config/layer blobs, the valivation should check the presence of the blob when put manifest. REF: https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Wei Fu <fuweid89@gmail.com> 2021-04-15 06:44:04 +00:00			`"github.com/opencontainers/go-digest"`
Migrate to golangci-lint Signed-off-by: Tam Mach <sayboras@yahoo.com> 2019-10-09 12:02:21 +00:00			`v1 "github.com/opencontainers/image-spec/specs-go/v1"`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`)`

OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`func TestVerifyOCIManifestNonDistributableLayer(t *testing.T) {`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`ctx := context.Background()`
			`inmemoryDriver := inmemory.New()`
			`registry := createRegistry(t, inmemoryDriver,`
			`ManifestURLsAllowRegexp(regexp.MustCompile("^https?://foo")),`
			`ManifestURLsDenyRegexp(regexp.MustCompile("^https?://foo/nope")))`
			`repo := makeRepository(t, registry, "test")`
			`manifestService := makeManifestService(t, repo)`

OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`config, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageConfig, nil)`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`layer, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageLayerGzip, nil)`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer := distribution.Descriptor{`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`Digest: "sha256:463435349086340864309863409683460843608348608934092322395278926a",`
			`Size: 6323,`
vendor: github.com/opencontainers/image-spec v1.1.0 full diff: https://github.com/opencontainers/image-spec/compare/v1.0.2...v1.1.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2023-04-30 17:01:20 +00:00			`MediaType: v1.MediaTypeImageLayerNonDistributableGzip, //nolint:staticcheck // ignore A1019: v1.MediaTypeImageLayerNonDistributableGzip is deprecated: Non-distributable layers are deprecated, and not recommended for future use`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`}`

registry: verify digest and check blob presence when put manifest According to OCI image spec, the descriptor's digest field is required. For the normal config/layer blobs, the valivation should check the presence of the blob when put manifest. REF: https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Wei Fu <fuweid89@gmail.com> 2021-04-15 06:44:04 +00:00			`emptyLayer := distribution.Descriptor{`
			`Digest: "",`
			`}`

			`emptyGzipLayer := distribution.Descriptor{`
			`Digest: "",`
			`MediaType: v1.MediaTypeImageLayerGzip,`
			`}`

add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`template := ocischema.Manifest{`
			`Versioned: manifest.Versioned{`
			`SchemaVersion: 2,`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`MediaType: v1.MediaTypeImageManifest,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`Config: config,`
			`}`

			`type testcase struct {`
			`BaseLayer distribution.Descriptor`
			`URLs []string`
			`Err error`
			`}`

			`cases := []testcase{`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`{`
			`nonDistributableLayer,`
			`nil,`
			`distribution.ErrManifestBlobUnknown{Digest: nonDistributableLayer.Digest},`
			`},`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`{`
			`layer,`
			`[]string{"http://foo/bar"},`
			`nil,`
			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"file:///local/file"},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"http://foo/bar#baz"},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{""},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"https://foo/bar", ""},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"", "https://foo/bar"},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"http://nope/bar"},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"http://foo/nope"},`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`errInvalidURL,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"http://foo/bar"},`
			`nil,`
			`},`
			`{`
OCI media types; annotation support; oci index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-11 19:19:47 +00:00			`nonDistributableLayer,`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`[]string{"https://foo/bar"},`
			`nil,`
			`},`
registry: verify digest and check blob presence when put manifest According to OCI image spec, the descriptor's digest field is required. For the normal config/layer blobs, the valivation should check the presence of the blob when put manifest. REF: https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Wei Fu <fuweid89@gmail.com> 2021-04-15 06:44:04 +00:00			`{`
			`emptyLayer,`
			`[]string{"https://foo/empty"},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`emptyLayer,`
			`[]string{},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`emptyGzipLayer,`
			`[]string{"https://foo/empty"},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`emptyGzipLayer,`
			`[]string{},`
			`digest.ErrDigestInvalidFormat,`
			`},`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`}`

			`for _, c := range cases {`
			`m := template`
			`l := c.BaseLayer`
			`l.URLs = c.URLs`
			`m.Layers = []distribution.Descriptor{l}`
			`dm, err := ocischema.FromStruct(m)`
			`if err != nil {`
			`t.Error(err)`
			`continue`
			`}`

			`_, err = manifestService.Put(ctx, dm)`
			`if verr, ok := err.(distribution.ErrManifestVerification); ok {`
			`// Extract the first error`
			`if len(verr) == 2 {`
			`if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {`
			`err = verr[0]`
			`}`
update url policy support; testing for annoations in index Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-08-01 22:27:52 +00:00			`} else if len(verr) == 1 {`
			`err = verr[0]`
add an ocischema manifest handler for the registry Signed-off-by: Mike Brown <brownwm@us.ibm.com> 2017-07-10 23:09:10 +00:00			`}`
			`}`
			`if err != c.Err {`
			`t.Errorf("%#v: expected %v, got %v", l, c.Err, err)`
			`}`
			`}`
			`}`
registry: verify digest and check blob presence when put manifest According to OCI image spec, the descriptor's digest field is required. For the normal config/layer blobs, the valivation should check the presence of the blob when put manifest. REF: https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com> Signed-off-by: Wei Fu <fuweid89@gmail.com> 2021-04-15 06:44:04 +00:00
			`func TestVerifyOCIManifestBlobLayerAndConfig(t *testing.T) {`
			`ctx := context.Background()`
			`inmemoryDriver := inmemory.New()`
			`registry := createRegistry(t, inmemoryDriver,`
			`ManifestURLsAllowRegexp(regexp.MustCompile("^https?://foo")),`
			`ManifestURLsDenyRegexp(regexp.MustCompile("^https?://foo/nope")))`

			`repo := makeRepository(t, registry, strings.ToLower(t.Name()))`
			`manifestService := makeManifestService(t, repo)`

			`config, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageConfig, nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`layer, err := repo.Blobs(ctx).Put(ctx, v1.MediaTypeImageLayerGzip, nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`template := ocischema.Manifest{`
			`Versioned: manifest.Versioned{`
			`SchemaVersion: 2,`
			`MediaType: v1.MediaTypeImageManifest,`
			`},`
			`}`

			`checkFn := func(m ocischema.Manifest, rerr error) {`
			`dm, err := ocischema.FromStruct(m)`
			`if err != nil {`
			`t.Error(err)`
			`return`
			`}`

			`_, err = manifestService.Put(ctx, dm)`
			`if verr, ok := err.(distribution.ErrManifestVerification); ok {`
			`// Extract the first error`
			`if len(verr) == 2 {`
			`if _, ok = verr[1].(distribution.ErrManifestBlobUnknown); ok {`
			`err = verr[0]`
			`}`
			`} else if len(verr) == 1 {`
			`err = verr[0]`
			`}`
			`}`
			`if err != rerr {`
			`t.Errorf("%#v: expected %v, got %v", m, rerr, err)`
			`}`
			`}`

			`type testcase struct {`
			`Desc distribution.Descriptor`
			`URLs []string`
			`Err error`
			`}`

			`layercases := []testcase{`
			`// empty media type`
			`{`
			`distribution.Descriptor{},`
			`[]string{"http://foo/bar"},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`distribution.Descriptor{},`
			`nil,`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`// unknown media type, but blob is present`
			`{`
			`distribution.Descriptor{`
			`Digest: layer.Digest,`
			`},`
			`nil,`
			`nil,`
			`},`
			`{`
			`distribution.Descriptor{`
			`Digest: layer.Digest,`
			`},`
			`[]string{"http://foo/bar"},`
			`nil,`
			`},`
			`// gzip layer, but invalid digest`
			`{`
			`distribution.Descriptor{`
			`MediaType: v1.MediaTypeImageLayerGzip,`
			`},`
			`nil,`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`distribution.Descriptor{`
			`MediaType: v1.MediaTypeImageLayerGzip,`
			`},`
			`[]string{"https://foo/bar"},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`distribution.Descriptor{`
			`MediaType: v1.MediaTypeImageLayerGzip,`
			`Digest: digest.Digest("invalid"),`
			`},`
			`nil,`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`// normal uploaded gzip layer`
			`{`
			`layer,`
			`nil,`
			`nil,`
			`},`
			`{`
			`layer,`
			`[]string{"https://foo/bar"},`
			`nil,`
			`},`
			`}`

			`for _, c := range layercases {`
			`m := template`
			`m.Config = config`

			`l := c.Desc`
			`l.URLs = c.URLs`

			`m.Layers = []distribution.Descriptor{l}`

			`checkFn(m, c.Err)`
			`}`

			`configcases := []testcase{`
			`// valid config`
			`{`
			`config,`
			`nil,`
			`nil,`
			`},`
			`// invalid digest`
			`{`
			`distribution.Descriptor{`
			`MediaType: v1.MediaTypeImageConfig,`
			`},`
			`[]string{"https://foo/bar"},`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`{`
			`distribution.Descriptor{`
			`MediaType: v1.MediaTypeImageConfig,`
			`Digest: digest.Digest("invalid"),`
			`},`
			`nil,`
			`digest.ErrDigestInvalidFormat,`
			`},`
			`}`

			`for _, c := range configcases {`
			`m := template`
			`m.Config = c.Desc`
			`m.Config.URLs = c.URLs`

			`checkFn(m, c.Err)`
			`}`
			`}`