forked from TrueCloudLab/distribution
Before allowing a schema1 manifest to be stored in the registry, ensure that it
contains equal length History and FSLayer arrays. This is required to prevent malformed manifests being put to the registry and failing external verification checks. Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
This commit is contained in:
parent
854fa0a4dd
commit
78b6d648fa
3 changed files with 34 additions and 1 deletions
|
@ -804,6 +804,14 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m
|
||||||
BlobSum: "qwer",
|
BlobSum: "qwer",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
History: []schema1.History{
|
||||||
|
{
|
||||||
|
V1Compatibility: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
V1Compatibility: "",
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
resp = putManifest(t, "putting unsigned manifest", manifestURL, unsignedManifest)
|
resp = putManifest(t, "putting unsigned manifest", manifestURL, unsignedManifest)
|
||||||
|
@ -999,6 +1007,19 @@ func testManifestAPI(t *testing.T, env *testEnv, args manifestArgs) (*testEnv, m
|
||||||
t.Fatalf("tag not as expected: %q != %q", tagsResponse.Tags[0], tag)
|
t.Fatalf("tag not as expected: %q != %q", tagsResponse.Tags[0], tag)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Attempt to put a manifest with mismatching FSLayer and History array cardinalities
|
||||||
|
|
||||||
|
unsignedManifest.History = append(unsignedManifest.History, schema1.History{
|
||||||
|
V1Compatibility: "",
|
||||||
|
})
|
||||||
|
invalidSigned, err := schema1.Sign(unsignedManifest, env.pk)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("error signing manifest")
|
||||||
|
}
|
||||||
|
|
||||||
|
resp = putManifest(t, "putting invalid signed manifest", manifestDigestURL, invalidSigned)
|
||||||
|
checkResponse(t, "putting invalid signed manifest", resp, http.StatusBadRequest)
|
||||||
|
|
||||||
return env, args
|
return env, args
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1432,8 +1453,10 @@ func createRepository(env *testEnv, t *testing.T, imageName string, tag string)
|
||||||
{
|
{
|
||||||
BlobSum: "asdf",
|
BlobSum: "asdf",
|
||||||
},
|
},
|
||||||
|
},
|
||||||
|
History: []schema1.History{
|
||||||
{
|
{
|
||||||
BlobSum: "qwer",
|
V1Compatibility: "",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -1499,6 +1522,7 @@ func TestRegistryAsCacheMutationAPIs(t *testing.T) {
|
||||||
Name: imageName,
|
Name: imageName,
|
||||||
Tag: tag,
|
Tag: tag,
|
||||||
FSLayers: []schema1.FSLayer{},
|
FSLayers: []schema1.FSLayer{},
|
||||||
|
History: []schema1.History{},
|
||||||
}
|
}
|
||||||
|
|
||||||
sm, err := schema1.Sign(m, env.pk)
|
sm, err := schema1.Sign(m, env.pk)
|
||||||
|
|
|
@ -110,6 +110,11 @@ func (ms *manifestStore) verifyManifest(ctx context.Context, mnfst *schema1.Sign
|
||||||
errs = append(errs, fmt.Errorf("repository name does not match manifest name"))
|
errs = append(errs, fmt.Errorf("repository name does not match manifest name"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(mnfst.History) != len(mnfst.FSLayers) {
|
||||||
|
errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",
|
||||||
|
len(mnfst.History), len(mnfst.FSLayers)))
|
||||||
|
}
|
||||||
|
|
||||||
if _, err := schema1.Verify(mnfst); err != nil {
|
if _, err := schema1.Verify(mnfst); err != nil {
|
||||||
switch err {
|
switch err {
|
||||||
case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
|
case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
|
||||||
|
|
|
@ -98,6 +98,10 @@ func TestManifestStorage(t *testing.T) {
|
||||||
m.FSLayers = append(m.FSLayers, schema1.FSLayer{
|
m.FSLayers = append(m.FSLayers, schema1.FSLayer{
|
||||||
BlobSum: dgst,
|
BlobSum: dgst,
|
||||||
})
|
})
|
||||||
|
m.History = append(m.History, schema1.History{
|
||||||
|
V1Compatibility: "",
|
||||||
|
})
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pk, err := libtrust.GenerateECP256PrivateKey()
|
pk, err := libtrust.GenerateECP256PrivateKey()
|
||||||
|
|
Loading…
Reference in a new issue