From 99eeb981a725084f8d7b826c23b7aea6e8869779 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Date: Wed, 31 May 2017 17:22:31 -0700
Subject: [PATCH] trust: improve org checks to enable library official repo
 checks

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
---
 cmd/moby/build.go      | 18 +++++++++++++++++-
 cmd/moby/trust_test.go |  6 ++++++
 test/test.yml          |  3 +--
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index e88b1769a..8c278446d 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -149,7 +149,23 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 	}
 
 	for _, org := range config.Org {
-		if strings.HasPrefix(fullImageName, org+"/") {
+		var imgOrg string
+		splitName := strings.Split(fullImageName, "/")
+		switch len(splitName) {
+		case 0:
+			// if the image is empty, return false
+			return false
+		case 1:
+			// for single names like nginx, use library
+			imgOrg = "library"
+		case 2:
+			// for names that assume docker hub, like linxukit/alpine, take the first split
+			imgOrg = splitName[0]
+		default:
+			// for names that include the registry, the second piece is the org, ex: docker.io/library/alpine
+			imgOrg = splitName[1]
+		}
+		if imgOrg == org {
 			return true
 		}
 	}
diff --git a/cmd/moby/trust_test.go b/cmd/moby/trust_test.go
index 681e70f01..c175f8026 100644
--- a/cmd/moby/trust_test.go
+++ b/cmd/moby/trust_test.go
@@ -43,4 +43,10 @@ func TestEnforceContentTrust(t *testing.T) {
 	require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 	require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 	require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+
+	// Tests for Org with library organization
+	require.True(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.True(t, enforceContentTrust("nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.True(t, enforceContentTrust("library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.False(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}))
 }
diff --git a/test/test.yml b/test/test.yml
index b80acf476..41488d860 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -31,6 +31,5 @@ files:
     contents: '{"debug": true}'
 trust:
   org:
+    - library
     - linuxkit
-  image:
-    - nginx:alpine