Add GetIntendedDockerReference to types.Image and types.ImageSource

This will be necessary for signature verification and related policy
evaluation in the future.
This commit is contained in:
Miloslav Trmač
2016-05-16 18:28:16 +02:00
parent feb9de4845
commit e4913bd0b0
5 changed files with 44 additions and 1 deletions


@@ -77,6 +77,13 @@ func NewDirImageSource(dir string) types.ImageSource {
return &dirImageSource{dir}
}
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
func (s *dirImageSource) GetIntendedDockerReference() string {
return ""
}
func (s *dirImageSource) GetManifest() ([]byte, string, error) {
manifest, err := ioutil.ReadFile(manifestPath(s.dir))
if err != nil {
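Review bot: The dir source's GetIntendedDockerReference (L20-22) returns "" unconditionally, and the commit message says this value will feed signature verification and policy evaluation, so every future consumer has to know whether "" means "no identity to bind a signature to" or "anything goes" — the contract on L19 only says "unknown". I'd make the fail-closed reading explicit at the implementation: `// A directory carries no user-specified Docker reference; consumers must treat "" as "no verifiable identity" (no signature can be accepted for it), never as a wildcard.` GetManifest at the end of the hunk continues past it.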


@@ -35,6 +35,13 @@ func NewDockerImage(img, certPath string, tlsVerify bool) (types.Image, error) {
return &dockerImage{src: s}, nil
}
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
func (i *dockerImage) GetIntendedDockerReference() string {
return i.src.GetIntendedDockerReference()
}
// GetManifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
func (i *dockerImage) GetManifest() ([]byte, error) {
if err := i.retrieveRawManifest(); err != nil {


@@ -48,6 +48,13 @@ func NewDockerImageSource(img, certPath string, tlsVerify bool) (types.ImageSour
return newDockerImageSource(img, certPath, tlsVerify)
}
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
func (s *dockerImageSource) GetIntendedDockerReference() string {
return fmt.Sprintf("%s:%s", s.ref.Name(), s.tag)
}
func (s *dockerImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
url := fmt.Sprintf(manifestURL, s.ref.RemoteName(), s.tag)
// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
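Review bot: `fmt.Sprintf("%s:%s", s.ref.Name(), s.tag)` on L51 is documented as the full, unambiguous reference, but whether it is depends on the type behind s.ref, which this hunk does not show: in docker's reference package `Name()` is the short normalized form (e.g. `ubuntu`) and only `FullName()` carries the registry host (`docker.io/library/ubuntu`), while the manifest URL on L54 is built from `RemoteName()`. If that is the package in use, two registries hosting the same repository path would yield the same identity for trusted-key lookup, so the host should be part of the string. Separately, if s.tag can be empty (or the user gave a digest), the result is `name:`; I'd either guard that or document that the constructor guarantees a tag. Worth confirming against NewDockerImageSource, which is outside this hunk.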


@@ -133,6 +133,13 @@ func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]
return body, nil
}
// canonicalDockerReference returns a canonical reference we use for signing OpenShift images.
// FIXME: This is, strictly speaking, a namespace conflict with images placed in a Docker registry running on the same host.
// Do we need to do something else, perhaps disambiguate (port number?) or namespace Docker and OpenShift separately?
func (c *openshiftClient) canonicalDockerReference() string {
return fmt.Sprintf("%s/%s/%s:%s", c.baseURL.Host, c.namespace, c.stream, c.tag)
}
// convertDockerImageReference takes an image API DockerImageReference value and returns a reference we can actually use;
// currently OpenShift stores the cluster-internal service IPs here, which are unusable from the outside.
func (c *openshiftClient) convertDockerImageReference(ref string) (string, error) {
@@ -179,6 +186,13 @@ func NewOpenshiftImageSource(imageName, certPath string, tlsVerify bool) (types.
}, nil
}
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
func (s *openshiftImageSource) GetIntendedDockerReference() string {
return s.client.canonicalDockerReference()
}
func (s *openshiftImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
if err := s.ensureImageIsResolved(); err != nil {
return nil, "", err
@@ -270,7 +284,7 @@ func NewOpenshiftImageDestination(imageName, certPath string, tlsVerify bool) (t
}
func (d *openshiftImageDestination) CanonicalDockerReference() (string, error) {
return fmt.Sprintf("%s/%s/%s:%s", d.client.baseURL.Host, d.client.namespace, d.client.stream, d.client.tag), nil
return d.client.canonicalDockerReference(), nil
}
func (d *openshiftImageDestination) PutManifest(manifest []byte) error {
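Review bot: canonicalDockerReference (L65-67) is now also the identity returned by GetIntendedDockerReference (L77-79), but its comment on L62 still describes it only as the reference "we use for signing"; the FIXME on L63-64 about colliding with a Docker registry on the same host turns into a trust question once this string selects which keys are trusted. I'd say so in the comment: `// canonicalDockerReference returns the canonical reference used both when signing OpenShift images and as the intended reference when verifying them; any change here changes which signatures are accepted.` The string also concatenates c.baseURL.Host, namespace, stream and tag without checking that any is non-empty; whether the constructor guarantees that is not visible here. PutManifest at the end of the section continues outside the hunk.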


@@ -30,6 +30,10 @@ type Repository interface {
// ImageSource is a service, possibly remote (= slow), to download components of a single image.
type ImageSource interface {
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
GetIntendedDockerReference() string
GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error)
GetLayer(digest string) (io.ReadCloser, error)
GetSignatures() ([][]byte, error)
@@ -47,6 +51,10 @@ type ImageDestination interface {
// Image is a Docker image in a repository.
type Image interface {
// ref to repository?
// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
// May be "" if unknown.
GetIntendedDockerReference() string
// GetManifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
GetManifest() ([]byte, error)
// GetSignatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
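Review bot: The interface contract on L96-98 (and L107-109) says "full, unambiguous" but pins no normalization, and the implementations in this commit already disagree: the dir source returns "", the Docker source returns `Name():tag`, and the OpenShift source returns `host/namespace/stream:tag`. Since the value is meant to pick trusted keys, policy code will compare or prefix-match this string, so the interface is the place to state the canonical form and the meaning of "". I'd extend the comment with: `// When non-empty, the value includes the registry host and a tag or digest so that identities from different sources compare consistently; "" means no identity is known and must not match any policy entry.` The Image interface starting on L105 continues past this hunk.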