distribution/manifest/schema1/manifest_test.go

package schema1

import (
	"bytes"
	"encoding/json"
	"reflect"
	"testing"

	"github.com/docker/libtrust"
)

type testEnv struct {
	name, tag     string
	invalidSigned *SignedManifest
	signed        *SignedManifest
	pk            libtrust.PrivateKey
}

func TestManifestMarshaling(t *testing.T) {
	env := genEnv(t)

	// Check that the all field is the same as json.MarshalIndent with these
	// parameters.
	expected, err := json.MarshalIndent(env.signed, "", "   ")
	if err != nil {
		t.Fatalf("error marshaling manifest: %v", err)
	}

	if !bytes.Equal(expected, env.signed.all) {
		t.Fatalf("manifest bytes not equal:\nexpected:\n%s\nactual:\n%s\n", string(expected), string(env.signed.all))
	}
}

func TestManifestUnmarshaling(t *testing.T) {
	env := genEnv(t)

	var signed SignedManifest
	if err := json.Unmarshal(env.signed.all, &signed); err != nil {
		t.Fatalf("error unmarshaling signed manifest: %v", err)
	}

	if !reflect.DeepEqual(&signed, env.signed) {
		t.Fatalf("manifests are different after unmarshaling: %v != %v", signed, env.signed)
	}
}

func TestManifestVerification(t *testing.T) {
	env := genEnv(t)

	publicKeys, err := Verify(env.signed)
	if err != nil {
		t.Fatalf("error verifying manifest: %v", err)
	}

	if len(publicKeys) == 0 {
		t.Fatalf("no public keys found in signature")
	}

	var found bool
	publicKey := env.pk.PublicKey()
	// ensure that one of the extracted public keys matches the private key.
	for _, candidate := range publicKeys {
		if candidate.KeyID() == publicKey.KeyID() {
			found = true
			break
		}
	}

	if !found {
		t.Fatalf("expected public key, %v, not found in verified keys: %v", publicKey, publicKeys)
	}

	// Check that an invalid manifest fails verification
	_, err = Verify(env.invalidSigned)
	if err != nil {
		t.Fatalf("Invalid manifest should not pass Verify()")
	}
}

func genEnv(t *testing.T) *testEnv {
	pk, err := libtrust.GenerateECP256PrivateKey()
	if err != nil {
		t.Fatalf("error generating test key: %v", err)
	}

	name, tag := "foo/bar", "test"

	invalid := Manifest{
		Versioned: SchemaVersion,
		Name:      name,
		Tag:       tag,
		FSLayers: []FSLayer{
			{
				BlobSum: "asdf",
			},
			{
				BlobSum: "qwer",
			},
		},
	}

	valid := Manifest{
		Versioned: SchemaVersion,
		Name:      name,
		Tag:       tag,
		FSLayers: []FSLayer{
			{
				BlobSum: "asdf",
			},
		},
		History: []History{
			{
				V1Compatibility: "",
			},
		},
	}

	sm, err := Sign(&valid, pk)
	if err != nil {
		t.Fatalf("error signing manifest: %v", err)
	}

	invalidSigned, err := Sign(&invalid, pk)
	if err != nil {
		t.Fatalf("error signing manifest: %v", err)
	}

	return &testEnv{
		name:          name,
		tag:           tag,
		invalidSigned: invalidSigned,
		signed:        sm,
		pk:            pk,
	}
}
Move manifest package to schema1 As we begin our march towards multi-arch, we must prepare for the reality of multiple manifest schemas. This is the beginning of a set of changes to facilitate this. We are both moving this package into its target position where it may live peacefully next to other manfiest versions. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-08-21 04:24:30 +00:00			`package schema1`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00
			`import (`
			`"bytes"`
			`"encoding/json"`
			`"reflect"`
			`"testing"`

			`"github.com/docker/libtrust"`
			`)`

			`type testEnv struct {`
Before allowing a schema1 manifest to be stored in the registry, ensure that it contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> 2015-11-03 19:03:17 +00:00			`name, tag string`
			`invalidSigned *SignedManifest`
			`signed *SignedManifest`
			`pk libtrust.PrivateKey`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`}`

			`func TestManifestMarshaling(t *testing.T) {`
			`env := genEnv(t)`

Implementation of the Manifest Service API refactor. Add a generic Manifest interface to represent manifests in the registry and remove references to schema specific manifests. Add a ManifestBuilder to construct Manifest objects. Concrete manifest builders will exist for each manifest type and implementations will contain manifest specific data used to build a manifest. Remove Signatures() from Repository interface. Signatures are relevant only to schema1 manifests. Move access to the signature store inside the schema1 manifestStore. Add some API tests to verify signature roundtripping. schema1 ------- Change the way data is stored in schema1.Manifest to enable Payload() to be used to return complete Manifest JSON from the HTTP handler without knowledge of the schema1 protocol. tags ---- Move tag functionality to a seperate TagService and update ManifestService to use the new interfaces. Implement a driver based tagService to be backward compatible with the current tag service. Add a proxyTagService to enable the registry to get a digest for remote manifests from a tag. manifest store -------------- Remove revision store and move all signing functionality into the signed manifeststore. manifest registration --------------------- Add a mechanism to register manifest media types and to allow different manifest types to be Unmarshalled correctly. client ------ Add ManifestServiceOptions to client functions to allow tags to be passed into Put and Get for building correct registry URLs. Change functional arguments to be an interface type to allow passing data without mutating shared state. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2015-08-21 04:50:15 +00:00			`// Check that the all field is the same as json.MarshalIndent with these`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`// parameters.`
manifest: improve test output and use const Use consts to make clear these values are fixed, and improve the output to make it clearer which part is the expected output, and which part the actual. Before this: === RUN TestManifest manifest_test.go:87: manifest bytes not equal: "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n \"size\": 985,\n \"digest\": \"sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b\",\n \"annotations\": {\n \"apple\": \"orange\"\n }\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.oci.image.layer.v1.tar+gzip\",\n \"size\": 153263,\n \"digest\": \"sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b\",\n \"annotations\": {\n \"lettuce\": \"wrap\"\n }\n }\n ],\n \"annotations\": {\n \"hot\": \"potato\"\n }\n}" != "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n \"size\": 985,\n \"digest\": \"sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b\",\n \"annotations\": {\n \"apple\": \"orange\"\n }\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.oci.image.layer.v1.tar+gzip\",\n \"size\": 153263,\n \"digest\": \"sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b\",\n \"annotations\": {\n \"lettuce\": \"wrap\"\n }\n }\n ],\n \"annotations\": {\n \"hot\": \"potato\"\n }\n}" --- FAIL: TestManifest (0.00s) After this: === RUN TestManifest manifest_test.go:72: manifest bytes not equal: expected: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 985, "digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 153263, "digest": "sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b" } ] } actual: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 985, "digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 153263, "digest": "sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b" } ] } --- FAIL: TestManifest (0.00s) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-11-26 13:00:37 +00:00			`expected, err := json.MarshalIndent(env.signed, "", " ")`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`if err != nil {`
			`t.Fatalf("error marshaling manifest: %v", err)`
			`}`

manifest: improve test output and use const Use consts to make clear these values are fixed, and improve the output to make it clearer which part is the expected output, and which part the actual. Before this: === RUN TestManifest manifest_test.go:87: manifest bytes not equal: "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n \"size\": 985,\n \"digest\": \"sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b\",\n \"annotations\": {\n \"apple\": \"orange\"\n }\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.oci.image.layer.v1.tar+gzip\",\n \"size\": 153263,\n \"digest\": \"sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b\",\n \"annotations\": {\n \"lettuce\": \"wrap\"\n }\n }\n ],\n \"annotations\": {\n \"hot\": \"potato\"\n }\n}" != "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.oci.image.manifest.v1+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.oci.image.config.v1+json\",\n \"size\": 985,\n \"digest\": \"sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b\",\n \"annotations\": {\n \"apple\": \"orange\"\n }\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.oci.image.layer.v1.tar+gzip\",\n \"size\": 153263,\n \"digest\": \"sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b\",\n \"annotations\": {\n \"lettuce\": \"wrap\"\n }\n }\n ],\n \"annotations\": {\n \"hot\": \"potato\"\n }\n}" --- FAIL: TestManifest (0.00s) After this: === RUN TestManifest manifest_test.go:72: manifest bytes not equal: expected: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 985, "digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 153263, "digest": "sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b" } ] } actual: { "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "config": { "mediaType": "application/vnd.docker.container.image.v1+json", "size": 985, "digest": "sha256:1a9ec845ee94c202b2d5da74a24f0ed2058318bfa9879fa541efaecba272e86b" }, "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 153263, "digest": "sha256:62d8908bee94c202b2d35224a221aaa2058318bfa9879fa541efaecba272331b" } ] } --- FAIL: TestManifest (0.00s) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-11-26 13:00:37 +00:00			`if !bytes.Equal(expected, env.signed.all) {`
			`t.Fatalf("manifest bytes not equal:\nexpected:\n%s\nactual:\n%s\n", string(expected), string(env.signed.all))`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`}`
			`}`

			`func TestManifestUnmarshaling(t *testing.T) {`
			`env := genEnv(t)`

			`var signed SignedManifest`
Implementation of the Manifest Service API refactor. Add a generic Manifest interface to represent manifests in the registry and remove references to schema specific manifests. Add a ManifestBuilder to construct Manifest objects. Concrete manifest builders will exist for each manifest type and implementations will contain manifest specific data used to build a manifest. Remove Signatures() from Repository interface. Signatures are relevant only to schema1 manifests. Move access to the signature store inside the schema1 manifestStore. Add some API tests to verify signature roundtripping. schema1 ------- Change the way data is stored in schema1.Manifest to enable Payload() to be used to return complete Manifest JSON from the HTTP handler without knowledge of the schema1 protocol. tags ---- Move tag functionality to a seperate TagService and update ManifestService to use the new interfaces. Implement a driver based tagService to be backward compatible with the current tag service. Add a proxyTagService to enable the registry to get a digest for remote manifests from a tag. manifest store -------------- Remove revision store and move all signing functionality into the signed manifeststore. manifest registration --------------------- Add a mechanism to register manifest media types and to allow different manifest types to be Unmarshalled correctly. client ------ Add ManifestServiceOptions to client functions to allow tags to be passed into Put and Get for building correct registry URLs. Change functional arguments to be an interface type to allow passing data without mutating shared state. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> Signed-off-by: Richard Scothern <richard.scothern@docker.com> 2015-08-21 04:50:15 +00:00			`if err := json.Unmarshal(env.signed.all, &signed); err != nil {`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`t.Fatalf("error unmarshaling signed manifest: %v", err)`
			`}`

			`if !reflect.DeepEqual(&signed, env.signed) {`
			`t.Fatalf("manifests are different after unmarshaling: %v != %v", signed, env.signed)`
			`}`
			`}`

			`func TestManifestVerification(t *testing.T) {`
			`env := genEnv(t)`

Decouple manifest signing and verification It was probably ill-advised to couple manifest signing and verification to their respective types. This changeset simply changes them from methods to functions. These might not even be in this package in the future. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:46:47 +00:00			`publicKeys, err := Verify(env.signed)`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`if err != nil {`
			`t.Fatalf("error verifying manifest: %v", err)`
			`}`

			`if len(publicKeys) == 0 {`
			`t.Fatalf("no public keys found in signature")`
			`}`

			`var found bool`
			`publicKey := env.pk.PublicKey()`
			`// ensure that one of the extracted public keys matches the private key.`
			`for _, candidate := range publicKeys {`
			`if candidate.KeyID() == publicKey.KeyID() {`
			`found = true`
			`break`
			`}`
			`}`

			`if !found {`
			`t.Fatalf("expected public key, %v, not found in verified keys: %v", publicKey, publicKeys)`
			`}`
Before allowing a schema1 manifest to be stored in the registry, ensure that it contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> 2015-11-03 19:03:17 +00:00
			`// Check that an invalid manifest fails verification`
			`_, err = Verify(env.invalidSigned)`
			`if err != nil {`
			`t.Fatalf("Invalid manifest should not pass Verify()")`
			`}`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`}`

			`func genEnv(t testing.T) testEnv {`
			`pk, err := libtrust.GenerateECP256PrivateKey()`
			`if err != nil {`
			`t.Fatalf("error generating test key: %v", err)`
			`}`

			`name, tag := "foo/bar", "test"`

Before allowing a schema1 manifest to be stored in the registry, ensure that it contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> 2015-11-03 19:03:17 +00:00			`invalid := Manifest{`
Move manifest package to schema1 As we begin our march towards multi-arch, we must prepare for the reality of multiple manifest schemas. This is the beginning of a set of changes to facilitate this. We are both moving this package into its target position where it may live peacefully next to other manfiest versions. Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-08-21 04:24:30 +00:00			`Versioned: SchemaVersion,`
			`Name: name,`
			`Tag: tag,`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`FSLayers: []FSLayer{`
			`{`
			`BlobSum: "asdf",`
			`},`
			`{`
			`BlobSum: "qwer",`
			`},`
			`},`
			`}`

Before allowing a schema1 manifest to be stored in the registry, ensure that it contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> 2015-11-03 19:03:17 +00:00			`valid := Manifest{`
			`Versioned: SchemaVersion,`
			`Name: name,`
			`Tag: tag,`
			`FSLayers: []FSLayer{`
			`{`
			`BlobSum: "asdf",`
			`},`
			`},`
			`History: []History{`
			`{`
			`V1Compatibility: "",`
			`},`
			`},`
			`}`

			`sm, err := Sign(&valid, pk)`
			`if err != nil {`
			`t.Fatalf("error signing manifest: %v", err)`
			`}`

			`invalidSigned, err := Sign(&invalid, pk)`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`if err != nil {`
			`t.Fatalf("error signing manifest: %v", err)`
			`}`

			`return &testEnv{`
Before allowing a schema1 manifest to be stored in the registry, ensure that it contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com> 2015-11-03 19:03:17 +00:00			`name: name,`
			`tag: tag,`
			`invalidSigned: invalidSigned,`
			`signed: sm,`
			`pk: pk,`
Add unit tests for manifest package Signed-off-by: Stephen J Day <stephen.day@docker.com> 2015-01-02 23:24:10 +00:00			`}`
			`}`