Merge pull request #1156 from RichardScothern/manifest-verification
Manifest Verification
commit
057284b593
3 changed files with 34 additions and 1 deletions
|
@ -804,6 +804,14 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m
|
|||
BlobSum: "qwer",
|
||||
},
|
||||
},
|
||||
History: []schema1.History{
|
||||
{
|
||||
V1Compatibility: "",
|
||||
},
|
||||
{
|
||||
V1Compatibility: "",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
resp = putManifest(t, "putting unsigned manifest", manifestURL, unsignedManifest)
|
||||
|
@ -999,6 +1007,19 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m
|
|||
t.Fatalf("tag not as expected: %q != %q", tagsResponse.Tags[0], tag)
|
||||
}
|
||||
|
||||
// Attempt to put a manifest with mismatching FSLayer and History array cardinalities
|
||||
|
||||
unsignedManifest.History = append(unsignedManifest.History, schema1.History{
|
||||
V1Compatibility: "",
|
||||
})
|
||||
invalidSigned, err := schema1.Sign(unsignedManifest, env.pk)
|
||||
if err != nil {
|
||||
t.Fatalf("error signing manifest")
|
||||
}
|
||||
|
||||
resp = putManifest(t, "putting invalid signed manifest", manifestDigestURL, invalidSigned)
|
||||
checkResponse(t, "putting invalid signed manifest", resp, http.StatusBadRequest)
|
||||
|
||||
return env, args
|
||||
}
|
||||
|
||||
|
@ -1432,8 +1453,10 @@ func createRepository(env *testEnv, t *testing.T, imageName string, tag string)
|
|||
{
|
||||
BlobSum: "asdf",
|
||||
},
|
||||
},
|
||||
History: []schema1.History{
|
||||
{
|
||||
BlobSum: "qwer",
|
||||
V1Compatibility: "",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -1499,6 +1522,7 @@ func TestRegistryAsCacheMutationAPIs(t *testing.T) {
|
|||
Name: imageName,
|
||||
Tag: tag,
|
||||
FSLayers: []schema1.FSLayer{},
|
||||
History: []schema1.History{},
|
||||
}
|
||||
|
||||
sm, err := schema1.Sign(m, env.pk)
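Review bot: The negative test added at the end of testManifestAPI asserts only `http.StatusBadRequest`, so it does not show that the rejection came from the History/FSLayers length check. The manifest it signs is the same `unsignedManifest` whose layers use placeholder blob sums such as `"qwer"` (visible at the top of the first hunk), which presumably fail verification on their own, so the test may still pass with the new check removed. Asserting on the error detail in the response body, or building the manifest from layers that were actually uploaded, would pin the behaviour the commit is meant to guarantee. Separately, `t.Fatalf("error signing manifest")` drops the cause; `t.Fatalf("error signing manifest: %v", err)` keeps it. testManifestAPI starts outside the hunks shown here.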
|
||||
|
|
|
@ -110,6 +110,11 @@ func (ms *manifestStore) verifyManifest(ctx context.Context, mnfst *schema1.Sign
|
|||
errs = append(errs, fmt.Errorf("repository name does not match manifest name"))
|
||||
}
|
||||
|
||||
if len(mnfst.History) != len(mnfst.FSLayers) {
|
||||
errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",
|
||||
len(mnfst.History), len(mnfst.FSLayers)))
|
||||
}
|
||||
|
||||
if _, err := schema1.Verify(mnfst); err != nil {
|
||||
switch err {
|
||||
case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
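Review bot: The `case` list on the `schema1.Verify` error switch names `libtrust.ErrMissingSignatureKey` twice, so one entry is dead; if a different libtrust sentinel was intended there, that signature failure would not take this branch, which is worth confirming while the function is being touched. The added cardinality check would also benefit from a one-line comment giving the reason for it, for example `// schema1 pairs History[i] with FSLayers[i]; reject manifests whose two lists differ in length`. The check compares lengths only and does not look at the `V1Compatibility` contents, which the tests in this commit leave empty; if that is deliberate, the comment should say so. verifyManifest begins and ends outside this hunk.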
|
||||
|
|
|
@ -98,6 +98,10 @@ func TestManifestStorage(t *testing.T) {
|
|||
m.FSLayers = append(m.FSLayers, schema1.FSLayer{
|
||||
BlobSum: dgst,
|
||||
})
|
||||
m.History = append(m.History, schema1.History{
|
||||
V1Compatibility: "",
|
||||
})
|
||||
|
||||
}
|
||||
|
||||
pk, err := libtrust.GenerateECP256PrivateKey()
|
||||
|
|