Merge pull request #59 from riyazdf/trust-parse-fixes-and-tests

trust: parsing fixes and tests
2025-07-19 09:16:29 +00:00 · 2017-06-01 22:35:59 +01:00 · 2017-06-01 22:35:59 +01:00 · edcf4d0362
commit edcf4d0362
parent dec7f8bb2b e0fc007b5a
3 changed files with 80 additions and 5 deletions
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@ -143,17 +143,35 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool {
 		}
 		// Also check for an image name only match
 		// by removing a possible tag (with possibly added digest):
-		if img == strings.TrimSuffix(fullImageName, ":") {
+		imgAndTag := strings.Split(fullImageName, ":")
+		if len(imgAndTag) >= 2 && img == imgAndTag[0] {
 			return true
 		}
 		// and by removing a possible digest:
-		if img == strings.TrimSuffix(fullImageName, "@sha256:") {
+		imgAndDigest := strings.Split(fullImageName, "@sha256:")
+		if len(imgAndDigest) >= 2 && img == imgAndDigest[0] {
 			return true
 		}
 	}

 	for _, org := range config.Org {
-		if strings.HasPrefix(fullImageName, org+"/") {
+		var imgOrg string
+		splitName := strings.Split(fullImageName, "/")
+		switch len(splitName) {
+		case 0:
+			// if the image is empty, return false
+			return false
+		case 1:
+			// for single names like nginx, use library
+			imgOrg = "library"
+		case 2:
+			// for names that assume docker hub, like linxukit/alpine, take the first split
+			imgOrg = splitName[0]
+		default:
+			// for names that include the registry, the second piece is the org, ex: docker.io/library/alpine
+			imgOrg = splitName[1]
+		}
+		if imgOrg == org {
 			return true
 		}
 	}
--- a/cmd/moby/trust_test.go
+++ b/cmd/moby/trust_test.go
@ -0,0 +1,58 @@
+package main
+
+import "testing"
+
+func TestEnforceContentTrust(t *testing.T) {
+	type enforceContentTrustCase struct {
+		result      bool
+		imageName   string
+		trustConfig *TrustConfig
+	}
+	testCases := []enforceContentTrustCase{
+		// Simple positive and negative cases for Image subkey
+		{true, "image", &TrustConfig{Image: []string{"image"}}},
+		{true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}}},
+		{true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}, Org: []string{"random", "orgs"}}},
+		{false, "image", &TrustConfig{}},
+		{false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}}},
+		{false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}, Org: []string{""}}},
+
+		// Tests for Image subkey with tags
+		{true, "image:tag", &TrustConfig{Image: []string{"image:tag"}}},
+		{true, "image:tag", &TrustConfig{Image: []string{"image"}}},
+		{false, "image:tag", &TrustConfig{Image: []string{"image:otherTag"}}},
+		{false, "image:tag", &TrustConfig{Image: []string{"image@sha256:abc123"}}},
+
+		// Tests for Image subkey with digests
+		{true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}},
+		{true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}},
+		{false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}},
+		{false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}},
+
+		// Tests for Image subkey with digests
+		{true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}},
+		{true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}},
+		{false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}},
+		{false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}},
+
+		// Tests for Org subkey
+		{true, "linuxkit/image", &TrustConfig{Image: []string{"notImage"}, Org: []string{"linuxkit"}}},
+		{true, "linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}},
+		{true, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}},
+		{true, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}},
+		{false, "linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}},
+		{false, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}},
+		{false, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}},
+
+		// Tests for Org with library organization
+		{true, "nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}},
+		{true, "nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}},
+		{true, "library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}},
+		{false, "nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}},
+	}
+	for _, testCase := range testCases {
+		if enforceContentTrust(testCase.imageName, testCase.trustConfig) != testCase.result {
+			t.Errorf("incorrect trust enforcement result for %s against configuration %v, expected: %v", testCase.imageName, testCase.trustConfig, testCase.result)
+		}
+	}
+}
--- a/test/test.yml
+++ b/test/test.yml
@ -31,6 +31,5 @@ files:
    contents: '{"debug": true}'
 trust:
  org:
+    - library
    - linuxkit
-  image:
-    - nginx:alpine