trust: improve org checks to enable library official repo checks

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>

cmd/moby/build.go

@@ -149,7 +149,23 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 	}
 
 	for _, org := range config.Org {
-		if strings.HasPrefix(fullImageName, org+"/") {
+		var imgOrg string
+		splitName := strings.Split(fullImageName, "/")
+		switch len(splitName) {
+		case 0:
+			// if the image is empty, return false
+			return false
+		case 1:
+			// for single names like nginx, use library
+			imgOrg = "library"
+		case 2:
+			// for names that assume docker hub, like linxukit/alpine, take the first split
+			imgOrg = splitName[0]
+		default:
+			// for names that include the registry, the second piece is the org, ex: docker.io/library/alpine
+			imgOrg = splitName[1]
+		}
+		if imgOrg == org {
 			return true
 		}
 	}

cmd/moby/trust_test.go

@@ -43,4 +43,10 @@ func TestEnforceContentTrust(t *testing.T) {
 	require.False(t, enforceContentTrust("linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 	require.False(t, enforceContentTrust("linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
 	require.False(t, enforceContentTrust("linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}))
+
+	// Tests for Org with library organization
+	require.True(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.True(t, enforceContentTrust("nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.True(t, enforceContentTrust("library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}))
+	require.False(t, enforceContentTrust("nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}))
 }

test/test.yml

@@ -31,6 +31,5 @@ files:
     contents: '{"debug": true}'
 trust:
   org:
+    - library
     - linuxkit
-  image:
-    - nginx:alpine