mirror of
https://github.com/linuxkit/linuxkit.git
synced 2025-07-25 03:34:58 +00:00
trust: improve org checks to enable library official repo checks
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
parent
32f167bd9e
commit
99eeb981a7
@ -149,7 +149,23 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, org := range config.Org {
|
for _, org := range config.Org {
|
||||||
if strings.HasPrefix(fullImageName, org+"/") {
|
var imgOrg string
|
||||||
|
splitName := strings.Split(fullImageName, "/")
|
||||||
|
switch len(splitName) {
|
||||||
|
case 0:
|
||||||
|
// if the image is empty, return false
|
||||||
|
return false
|
||||||
|
case 1:
|
||||||
|
// for single names like nginx, use library
|
||||||
|
imgOrg = "library"
|
||||||
|
case 2:
|
||||||
|
// for names that assume docker hub, like linxukit/alpine, take the first split
|
||||||
|
imgOrg = splitName[0]
|
||||||
|
default:
|
||||||
|
// for names that include the registry, the second piece is the org, ex: docker.io/library/alpine
|
||||||
|
imgOrg = splitName[1]
|
||||||
|
}
|
||||||
|
if imgOrg == org {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
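Review bot: The two-piece branch (`case 2`) treats the first piece as the org, so a registry-qualified official image such as `docker.io/nginx` yields `imgOrg == "docker.io"` and never matches a configured `library` org; if a false return means the pull skips content-trust verification, that reference form slips past the policy. Consider telling a registry host from an org before assigning, e.g. `if strings.ContainsAny(splitName[0], ".:") || splitName[0] == "localhost" { imgOrg = "library" } else { imgOrg = splitName[0] }`, or normalising the name with a reference parser before splitting. Separately, `case 0` is unreachable because `strings.Split` with a non-empty separator always returns at least one element, so an empty `fullImageName` lands in `case 1` and is treated as `library`; an explicit `if fullImageName == "" { return false }` ahead of the loop would match what the comment promises. The function starts and ends outside this hunk, so any later fallback is not visible here.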
|
@ -43,4 +43,10 @@ func TestEnforceContentTrust(t *testing.T) {
|
|||||||
require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
||||||
require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
||||||
require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
|
||||||
|
|
||||||
|
// Tests for Org with library organization
|
||||||
|
require.True(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
|
||||||
|
require.True(t, enforceContentTrust("nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
|
||||||
|
require.True(t, enforceContentTrust("library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
|
||||||
|
require.False(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}))
|
||||||
}
|
}
|
||||||
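Review bot: None of the added cases reaches the `default` branch of the new switch, so the registry-qualified path (`splitName[1]`) is untested. Add `require.True(t, enforceContentTrust("docker.io/library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))` and a negative such as `require.False(t, enforceContentTrust("notlibrary/library", &TrustConfig{Image: []string{}, Org: []string{"library"}}))` to pin that the org is matched by position rather than by substring. A digest-form case for a single name (`nginx@sha256:abc123`) would mirror the existing linuxkit cases above it. TestEnforceContentTrust starts outside the hunk.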
|
@ -31,6 +31,5 @@ files:
|
|||||||
contents: '{"debug": true}'
|
contents: '{"debug": true}'
|
||||||
trust:
|
trust:
|
||||||
org:
|
org:
|
||||||
|
- library
|
||||||
- linuxkit
|
- linuxkit
|
||||||
image:
|
|
||||||
- nginx:alpine
|
|
||||||
|