diff --git a/cmd/moby/build.go b/cmd/moby/build.go index 8970499c4..9f485c6f5 100644 --- a/cmd/moby/build.go +++ b/cmd/moby/build.go @@ -143,17 +143,35 @@ func enforceContentTrust(fullImageName string, config *TrustConfig) bool { } // Also check for an image name only match // by removing a possible tag (with possibly added digest): - if img == strings.TrimSuffix(fullImageName, ":") { + imgAndTag := strings.Split(fullImageName, ":") + if len(imgAndTag) >= 2 && img == imgAndTag[0] { return true } // and by removing a possible digest: - if img == strings.TrimSuffix(fullImageName, "@sha256:") { + imgAndDigest := strings.Split(fullImageName, "@sha256:") + if len(imgAndDigest) >= 2 && img == imgAndDigest[0] { return true } } for _, org := range config.Org { - if strings.HasPrefix(fullImageName, org+"/") { + var imgOrg string + splitName := strings.Split(fullImageName, "/") + switch len(splitName) { + case 0: + // if the image is empty, return false + return false + case 1: + // for single names like nginx, use library + imgOrg = "library" + case 2: + // for names that assume docker hub, like linxukit/alpine, take the first split + imgOrg = splitName[0] + default: + // for names that include the registry, the second piece is the org, ex: docker.io/library/alpine + imgOrg = splitName[1] + } + if imgOrg == org { return true } } diff --git a/cmd/moby/trust_test.go b/cmd/moby/trust_test.go new file mode 100644 index 000000000..36d1f2da8 --- /dev/null +++ b/cmd/moby/trust_test.go @@ -0,0 +1,58 @@ +package main + +import "testing" + +func TestEnforceContentTrust(t *testing.T) { + type enforceContentTrustCase struct { + result bool + imageName string + trustConfig *TrustConfig + } + testCases := []enforceContentTrustCase{ + // Simple positive and negative cases for Image subkey + {true, "image", &TrustConfig{Image: []string{"image"}}}, + {true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}}}, + {true, "image", &TrustConfig{Image: []string{"more", "than", "one", "image"}, Org: []string{"random", "orgs"}}}, + {false, "image", &TrustConfig{}}, + {false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}}}, + {false, "image", &TrustConfig{Image: []string{"not", "in", "here!"}, Org: []string{""}}}, + + // Tests for Image subkey with tags + {true, "image:tag", &TrustConfig{Image: []string{"image:tag"}}}, + {true, "image:tag", &TrustConfig{Image: []string{"image"}}}, + {false, "image:tag", &TrustConfig{Image: []string{"image:otherTag"}}}, + {false, "image:tag", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + + // Tests for Image subkey with digests + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}}, + + // Tests for Image subkey with digests + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:abc123"}}}, + {true, "image@sha256:abc123", &TrustConfig{Image: []string{"image"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image:Tag"}}}, + {false, "image@sha256:abc123", &TrustConfig{Image: []string{"image@sha256:def456"}}}, + + // Tests for Org subkey + {true, "linuxkit/image", &TrustConfig{Image: []string{"notImage"}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}}, + {true, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"linuxkit"}}}, + {false, "linuxkit/differentImage", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + {false, "linuxkit/differentImage:tag", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + {false, "linuxkit/differentImage@sha256:abc123", &TrustConfig{Image: []string{}, Org: []string{"notlinuxkit"}}}, + + // Tests for Org with library organization + {true, "nginx", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {true, "nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {true, "library/nginx:alpine", &TrustConfig{Image: []string{}, Org: []string{"library"}}}, + {false, "nginx", &TrustConfig{Image: []string{}, Org: []string{"notLibrary"}}}, + } + for _, testCase := range testCases { + if enforceContentTrust(testCase.imageName, testCase.trustConfig) != testCase.result { + t.Errorf("incorrect trust enforcement result for %s against configuration %v, expected: %v", testCase.imageName, testCase.trustConfig, testCase.result) + } + } +} diff --git a/test/test.yml b/test/test.yml index b80acf476..41488d860 100644 --- a/test/test.yml +++ b/test/test.yml @@ -31,6 +31,5 @@ files: contents: '{"debug": true}' trust: org: + - library - linuxkit - image: - - nginx:alpine