From 99eeb981a725084f8d7b826c23b7aea6e8869779 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Wed, 31 May 2017 17:22:31 -0700
Subject: [PATCH] trust: improve org checks to enable library official repo checks
Signed-off-by: Riyaz Faizullabhoy
---
 cmd/moby/build.go | 18 +++++++++++++++++-
 cmd/moby/trust_test.go | 6 ++++++
 test/test.yml | 3 +--
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index e88b1769a..8c278446d 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -149,7 +149,23 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 }
 for _, org := range config.Org {
- if strings.HasPrefix(fullImageName, org+"/") {
+ var imgOrg string
+ splitName := strings.Split(fullImageName, "/")
+ switch len(splitName) {
+ case 0:
+ // if the image is empty, return false
+ return false
+ case 1:
+ // for single names like nginx, use library
+ imgOrg = "library"
+ case 2:
+ // for names that assume docker hub, like linxukit/alpine, take the first split
+ imgOrg = splitName[0]
+ default:
+ // for names that include the registry, the second piece is the org, ex: docker.io/library/alpine
+ imgOrg = splitName[1]
+ }
+ if imgOrg == org {
 return true
 }
 }
diff --git a/cmd/moby/trust_test.go b/cmd/moby/trust_test.go
index 681e70f01..c175f8026 100644
--- a/cmd/moby/trust_test.go
+++ b/cmd/moby/trust_test.go
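Review bot: In the new `case 2` branch the first path component is taken as the org even when it is a registry host, so an official image referenced as `docker.io/nginx` (which Docker's reference normalization resolves to `docker.io/library/nginx`) yields `imgOrg == "docker.io"`, never matches an `org: library` entry, and is pulled with no content-trust enforcement — the very image class this commit sets out to cover. Docker's reference parser treats the leading component as a registry only when it contains a `.` or `:` or is `localhost`; stripping it on that condition, then applying the `library` default only for Docker Hub names, handles `nginx`, `docker.io/nginx` and `docker.io/library/nginx` uniformly and stops `localhost:5000/foo` from being mistaken for an official image. The `case 0` branch is unreachable because `strings.Split` always returns at least one element, so an empty name currently lands in `case 1` and is reported as org `library`; an explicit empty-name guard before the loop is what actually implements the comment's intent. Matching still ignores the registry entirely, so `quay.io/linuxkit/x` satisfies `org: linuxkit` as well — that errs toward enforcing trust rather than bypassing it, but deserves a comment if intentional. The enclosing function starts before this hunk.
```go
	if fullImageName == "" {
		return false
	}
	for _, org := range config.Org {
		parts := strings.Split(fullImageName, "/")
		// Treat the leading component as a registry host only when Docker
		// would: it contains "." or ":" or is "localhost".
		registry := ""
		if len(parts) > 1 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
			registry, parts = parts[0], parts[1:]
		}
		var imgOrg string
		switch {
		case len(parts) > 1:
			// linuxkit/alpine, docker.io/library/alpine
			imgOrg = parts[0]
		case registry == "" || registry == "docker.io" || registry == "index.docker.io":
			// bare Docker Hub names are official images: nginx, docker.io/nginx
			imgOrg = "library"
		default:
			// registry.example.com/foo carries no org; nothing to match
			continue
		}
		if imgOrg == org {
			return true
		}
	}
```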
@@ -43,4 +43,10 @@ func TestEnforceContentTrust(t *testing.T) {
 require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+
+ // Tests for Org with library organization
+ require.True(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+ require.True(t, enforceContentTrust("nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+ require.True(t, enforceContentTrust("library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+ require.False(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}))
 }
diff --git a/test/test.yml b/test/test.yml
index b80acf476..41488d860 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -31,6 +31,5 @@ files:
 contents: '{"debug": true}'
 trust:
 org:
+ - library
 - linuxkit
- image:
- - nginx:alpine
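Review bot: The new cases exercise only the one- and two-component name forms; the `default` branch build.go adds for registry-qualified names (`docker.io/library/alpine` per its own comment) has no test, and the form `docker.io/nginx` — an official image with an explicit registry — is not pinned either, although under the new parsing it splits into two components, yields org `docker.io`, and returns false against `Org: []string{"library"}`. Adding `require.True(t, enforceContentTrust("docker.io/library/nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))` and `require.True(t, enforceContentTrust("docker.io/nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))` would document the intended behaviour; the second fails with the parsing as committed and needs build.go to recognise the registry component. A one-line comment above them, `// registry-qualified official images must still resolve to the library org`, states why the expectation matters for trust enforcement. The test function continues past the end of the visible hunk only by its closing brace, which is in view.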