vendor: update containers/image

Depends-On: https://github.com/containers/image/pull/631
Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>

vendor.conf

@@ -2,7 +2,7 @@
 github.com/urfave/cli v1.20.0
 github.com/kr/pretty v0.1.0
 github.com/kr/text v0.1.0
-github.com/containers/image ff926d3c79684793a2135666a2cb738f44ba33dc
+github.com/containers/image 2c0349c99af7d90694b3faa0e9bde404d407b145
 github.com/containers/buildah 810efa340ab43753034e2ed08ec290e4abab7e72
 github.com/vbauerster/mpb v3.3.4
 github.com/mattn/go-isatty v0.0.4

vendor/github.com/containers/image/docker/docker_client.go

@@ -23,7 +23,7 @@ import (
 	"github.com/containers/image/types"
 	"github.com/docker/distribution/registry/client"
 	"github.com/docker/go-connections/tlsconfig"
-	"github.com/opencontainers/go-digest"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -84,27 +84,27 @@ type dockerClient struct {
 	sys      *types.SystemContext
 	registry string
 
+	// tlsClientConfig is setup by newDockerClient and will be used and updated
+	// by detectProperties(). Callers can edit tlsClientConfig.InsecureSkipVerify in the meantime.
+	tlsClientConfig *tls.Config
 	// The following members are not set by newDockerClient and must be set by callers if needed.
 	username      string
 	password      string
 	signatureBase signatureStorageBase
 	scope         authScope
+
 	// The following members are detected registry properties:
 	// They are set after a successful detectProperties(), and never change afterwards.
-	scheme             string // Empty value also used to indicate detectProperties() has not yet succeeded.
+	client             *http.Client
+	scheme             string
 	challenges         []challenge
 	supportsSignatures bool
-	// The tlsClientConfig is setup during the creation of the dockerClient and
-	// will be updated by detectPropertiesHelper(). Any HTTP request the
-	// dockerClient does will be done by this TLS client configuration.
-	tlsClientConfig *tls.Config
 
 	// Private state for setupRequestAuth (key: string, value: bearerToken)
 	tokenCache sync.Map
-	// detectPropertiesError caches the initial error.
+	// Private state for detectProperties:
-	detectPropertiesError error
+	detectPropertiesOnce  sync.Once // detectPropertiesOnce is used to execute detectProperties() at most once.
-	// detectPropertiesOnce is used to execuute detectProperties() at most once in in makeRequest().
+	detectPropertiesError error     // detectPropertiesError caches the initial error.
-	detectPropertiesOnce sync.Once
 }
 
 type authScope struct {
@@ -439,18 +439,11 @@ func (c *dockerClient) makeRequestToResolvedURL(ctx context.Context, method, url
 		}
 	}
 	logrus.Debugf("%s %s", method, url)
-
+	res, err := c.client.Do(req)
-	// Build the transport and do the request by using the clients tlsclientconfig
+	if err != nil {
-	return c.doHTTP(req)
+		return nil, err
-}
+	}
-
+	return res, nil
-// doHttp uses the clients internal TLS configuration for doing the
-// provided HTTP request.  It returns the response and an error on failure.
-func (c *dockerClient) doHTTP(req *http.Request) (*http.Response, error) {
-	tr := tlsclientconfig.NewTransport()
-	tr.TLSClientConfig = c.tlsClientConfig
-	httpClient := &http.Client{Transport: tr}
-	return httpClient.Do(req)
 }
 
 // we're using the challenges from the /v2/ ping response and not the one from the destination
@@ -558,15 +551,14 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
 // detectPropertiesHelper performs the work of detectProperties which executes
 // it at most once.
 func (c *dockerClient) detectPropertiesHelper(ctx context.Context) error {
-	if c.scheme != "" {
-		return nil
-	}
-
 	// We overwrite the TLS clients `InsecureSkipVerify` only if explicitly
 	// specified by the system context
 	if c.sys != nil && c.sys.DockerInsecureSkipTLSVerify != types.OptionalBoolUndefined {
 		c.tlsClientConfig.InsecureSkipVerify = c.sys.DockerInsecureSkipTLSVerify == types.OptionalBoolTrue
 	}
+	tr := tlsclientconfig.NewTransport()
+	tr.TLSClientConfig = c.tlsClientConfig
+	c.client = &http.Client{Transport: tr}
 
 	ping := func(scheme string) error {
 		url := fmt.Sprintf(resolvedPingV2URL, scheme, c.registry)

vendor/github.com/containers/image/docker/docker_image_src.go

@@ -16,7 +16,7 @@ import (
 	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/types"
 	"github.com/docker/distribution/registry/client"
-	"github.com/opencontainers/go-digest"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -71,16 +71,15 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
 			Endpoint: sysregistriesv2.Endpoint{
 				Location: ref.ref.String(),
 			},
+			Prefix: ref.ref.String(),
 		}
 	}
 
+	primaryDomain := reference.Domain(ref.ref)
 	// Found the registry within the sysregistriesv2 configuration. Now we test
 	// all endpoints for the manifest availability. If a working image source
 	// was found, it will be used for all future pull actions.
-	var (
+	manifestLoadErr := errors.New("Internal error: newImageSource returned without trying any endpoint")
-		imageSource     *dockerImageSource
-		manifestLoadErr error
-	)
 	for _, endpoint := range append(registry.Mirrors, registry.Endpoint) {
 		logrus.Debugf("Trying to pull %q from endpoint %q", ref.ref, endpoint.Location)
 
@@ -93,7 +92,15 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
 			return nil, err
 		}
 
-		client, err := newDockerClientFromRef(sys, dockerRef, false, "pull")
+		endpointSys := sys
+		// sys.DockerAuthConfig does not explicitly specify a registry; we must not blindly send the credentials intended for the primary endpoint to mirrors.
+		if endpointSys != nil && endpointSys.DockerAuthConfig != nil && reference.Domain(dockerRef.ref) != primaryDomain {
+			copy := *endpointSys
+			copy.DockerAuthConfig = nil
+			endpointSys = &copy
+		}
+
+		client, err := newDockerClientFromRef(endpointSys, dockerRef, false, "pull")
 		if err != nil {
 			return nil, err
 		}
@@ -106,12 +113,10 @@ func newImageSource(ctx context.Context, sys *types.SystemContext, ref dockerRef
 
 		manifestLoadErr = testImageSource.ensureManifestIsLoaded(ctx)
 		if manifestLoadErr == nil {
-			imageSource = testImageSource
+			return testImageSource, nil
-			break
 		}
 	}
-
+	return nil, manifestLoadErr
-	return imageSource, manifestLoadErr
 }
 
 // Reference returns the reference used to set up this source, _as specified by the user_
@@ -347,7 +352,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
 			return nil, false, err
 		}
 		req = req.WithContext(ctx)
-		res, err := s.c.doHTTP(req)
+		res, err := s.c.client.Do(req)
 		if err != nil {
 			return nil, false, err
 		}

vendor/github.com/containers/image/docs/containers-signature.5.md

@@ -1,10 +1,10 @@
-% atomic-signature(5) Atomic signature format
+% container-signature(5) Container signature format
 % Miloslav Trmač
 % March 2017
 
-# Atomic signature format
+# Container signature format
 
-This document describes the format of “atomic” container signatures,
+This document describes the format of container signatures,
 as implemented by the `github.com/containers/image/signature` package.
 
 Most users should be able to consume these signatures by using the `github.com/containers/image/signature` package
@@ -21,7 +21,7 @@ an automated build system as a result of an automated build,
 a company IT department approving the image for production) under a specified _identity_
 (e.g. an OS base image / specific application, with a specific version).
 
-An atomic container signature consists of a cryptographic signature which identifies
+A container signature consists of a cryptographic signature which identifies
 and authenticates who signed the image, and carries as a signed payload a JSON document.
 The JSON document identifies the image being signed, claims a specific identity of the
 image and if applicable, contains other information about the image.
@@ -34,7 +34,7 @@ associating more than one signature with an image.
 
 ## The cryptographic signature
 
-As distributed, the atomic container signature is a blob which contains a cryptographic signature
+As distributed, the container signature is a blob which contains a cryptographic signature
 in an industry-standard format, carrying a signed JSON payload (i.e. the blob contains both the
 JSON document and a signature of the JSON document; it is not a “detached signature” with
 independent blobs containing the JSON document and a cryptographic signature).
@@ -46,7 +46,7 @@ that this is not necessary and the configured expected public key provides anoth
 of the expected cryptographic signature format. Such metadata may be added in the future for
 newly added cryptographic signature formats, if necessary.)
 
-Consumers of atomic container signatures SHOULD verify the cryptographic signature
+Consumers of container signatures SHOULD verify the cryptographic signature
 against one or more trusted public keys
 (e.g. defined in a [policy.json signature verification policy file](policy.json.md))
 before parsing or processing the JSON payload in _any_ way,
@@ -89,7 +89,7 @@ and if the semantics of the invalid document, as created by such an implementati
 The top-level value of the JSON document MUST be a JSON object with exactly two members, `critical` and `optional`,
 each a JSON object.
 
-The `critical` object MUST contain a `type` member identifying the document as an atomic container signature
+The `critical` object MUST contain a `type` member identifying the document as a container signature
 (as defined [below](#criticaltype))
 and signature consumers MUST reject signatures which do not have this member or in which this member does not have the expected value.
 
@@ -210,7 +210,7 @@ Consumers still SHOULD reject any signature where a member of an `optional` obje
 
 If present, this MUST be a JSON string, identifying the name and version of the software which has created the signature.
 
-The contents of this string is not defined in detail; however each implementation creating atomic container signatures:
+The contents of this string is not defined in detail; however each implementation creating container signatures:
 
 - SHOULD define the contents to unambiguously define the software in practice (e.g. it SHOULD contain the name of the software, not only the version number)
 - SHOULD use a build and versioning process which ensures that the contents of this string (e.g. an included version number)
@@ -221,7 +221,7 @@ The contents of this string is not defined in detail; however each implementatio
   (e.g. the version of the implementation SHOULD NOT be only a git hash, because they don’t have an easily defined ordering;
   the string should contain a version number, or at least a date of the commit).
 
-Consumers of atomic container signatures MAY recognize specific values or sets of values of `optional.creator`
+Consumers of container signatures MAY recognize specific values or sets of values of `optional.creator`
 (perhaps augmented with `optional.timestamp`),
 and MAY change their processing of the signature based on these values
 (usually to acommodate violations of this specification in past versions of the signing software which cannot be fixed retroactively),

vendor/github.com/containers/image/pkg/sysregistriesv2/system_registries_v2.go

@@ -39,26 +39,18 @@ type Endpoint struct {
 // endpoints `location` from the `ref` and creates a new named reference from it.
 // The function errors if the newly created reference is not parsable.
 func (e *Endpoint) RewriteReference(ref reference.Named, prefix string) (reference.Named, error) {
-	if ref == nil {
-		return nil, fmt.Errorf("provided reference is nil")
-	}
-	if prefix == "" {
-		return ref, nil
-	}
 	refString := ref.String()
-	if refMatchesPrefix(refString, prefix) {
+	if !refMatchesPrefix(refString, prefix) {
-		newNamedRef := strings.Replace(refString, prefix, e.Location, 1)
+		return nil, fmt.Errorf("invalid prefix '%v' for reference '%v'", prefix, refString)
-		newParsedRef, err := reference.ParseNamed(newNamedRef)
-		if newParsedRef != nil {
-			logrus.Debugf("reference rewritten from '%v' to '%v'", refString, newParsedRef.String())
-		}
-		if err != nil {
-			return nil, errors.Wrapf(err, "error rewriting reference")
-		}
-		return newParsedRef, nil
 	}
 
-	return nil, fmt.Errorf("invalid prefix '%v' for reference '%v'", prefix, refString)
+	newNamedRef := strings.Replace(refString, prefix, e.Location, 1)
+	newParsedRef, err := reference.ParseNamed(newNamedRef)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error rewriting reference")
+	}
+	logrus.Debugf("reference rewritten from '%v' to '%v'", refString, newParsedRef.String())
+	return newParsedRef, nil
 }
 
 // Registry represents a registry.

vendor/github.com/containers/image/transports/alltransports/alltransports.go

@@ -22,6 +22,7 @@ import (
 
 // ParseImageName converts a URL-like image name to a types.ImageReference.
 func ParseImageName(imgName string) (types.ImageReference, error) {
+	// Keep this in sync with TransportFromImageName!
 	parts := strings.SplitN(imgName, ":", 2)
 	if len(parts) != 2 {
 		return nil, errors.Errorf(`Invalid image name "%s", expected colon-separated transport:reference`, imgName)
@@ -32,3 +33,14 @@ func ParseImageName(imgName string) (types.ImageReference, error) {
 	}
 	return transport.ParseReference(parts[1])
 }
+
+// TransportFromImageName converts an URL-like name to a types.ImageTransport or nil when
+// the transport is unknown or when the input is invalid.
+func TransportFromImageName(imageName string) types.ImageTransport {
+	// Keep this in sync with ParseImageName!
+	parts := strings.SplitN(imageName, ":", 2)
+	if len(parts) == 2 {
+		return transports.Get(parts[0])
+	}
+	return nil
+}

vendor/github.com/containers/image/types/types.go

@@ -401,6 +401,7 @@ type ImageInspectInfo struct {
 }
 
 // DockerAuthConfig contains authorization information for connecting to a registry.
+// the value of Username and Password can be empty for accessing the registry anonymously
 type DockerAuthConfig struct {
 	Username string
 	Password string