From 32f167bd9ef051c4dd7d173e82626f5e99df9033 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Date: Wed, 31 May 2017 16:42:42 -0700
Subject: [PATCH] trust: fix splitting on tags and digests and add tests

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
---
 cmd/moby/build.go      |  6 ++++--
 cmd/moby/trust_test.go | 46 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 cmd/moby/trust_test.go

diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index 3237ef94e..e88b1769a 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -137,11 +137,13 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 		}
 		// Also check for an image name only match
 		// by removing a possible tag (with possibly added digest):
-		if img == strings.TrimSuffix(fullImageName, ":") {
+		imgAndTag := strings.Split(fullImageName, ":")
+		if len(imgAndTag) >= 2 && img == imgAndTag[0] {
 			return true
 		}
 		// and by removing a possible digest:
-		if img == strings.TrimSuffix(fullImageName, "@sha256:") {
+		imgAndDigest := strings.Split(fullImageName, "@sha256:")
+		if len(imgAndDigest) >= 2 && img == imgAndDigest[0] {
 			return true
 		}
 	}
diff --git a/cmd/moby/trust_test.go b/cmd/moby/trust_test.go
new file mode 100644
index 000000000..681e70f01
--- /dev/null
+++ b/cmd/moby/trust_test.go
@@ -0,0 +1,46 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestEnforceContentTrust(t *testing.T) {
+	// Simple positive and negative cases for Image subkey
+	require.True(t, enforceContentTrust("image", &TrustConfig{Image: []string{"image"}}))
+	require.True(t, enforceContentTrust("image", &TrustConfig{Image: []string{"more", "than", "one", "image"}}))
+	require.True(t, enforceContentTrust("image", &TrustConfig{Image: []string{"more", "than", "one", "image"}, Org: []string{"random", "orgs"}}))
+
+	require.False(t, enforceContentTrust("image", &TrustConfig{}))
+	require.False(t, enforceContentTrust("image", &TrustConfig{Image: []string{"not", "in", "here!"}}))
+	require.False(t, enforceContentTrust("image", &TrustConfig{Image: []string{"not", "in", "here!"}, Org: []string{""}}))
+
+	// Tests for Image subkey with tags
+	require.True(t, enforceContentTrust("image:tag", &TrustConfig{Image: []string{"image:tag"}}))
+	require.True(t, enforceContentTrust("image:tag", &TrustConfig{Image: []string{"image"}}))
+	require.False(t, enforceContentTrust("image:tag", &TrustConfig{Image: []string{"image:otherTag"}}))
+	require.False(t, enforceContentTrust("image:tag", &TrustConfig{Image: []string{"image@sha256:abc123"}}))
+
+	// Tests for Image subkey with digests
+	require.True(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}))
+	require.True(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image"}}))
+	require.False(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}))
+	require.False(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}))
+
+	// Tests for Image subkey with digests
+	require.True(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}))
+	require.True(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image"}}))
+	require.False(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}))
+	require.False(t, enforceContentTrust("image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}))
+
+	// Tests for Org subkey
+	require.True(t, enforceContentTrust("linuxkit/image", &TrustConfig{Image: []string{"notImage"}, Org: []string{"linuxkit"}}))
+	require.True(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}))
+	require.True(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}))
+	require.True(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}))
+
+	require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+	require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+	require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+}