From e4913bd0b04767ea1efca1f9f0b3501347129b05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?=
Date: Mon, 16 May 2016 18:28:16 +0200
Subject: [PATCH] Add GetIntendedDockerReference to types.Image and types.ImageSource

This will be necessary for signature verification and related policy evaluation in the future.
---
 directory/directory.go | 7 +++++++
 docker/docker_image.go | 7 +++++++
 docker/docker_image_src.go | 7 +++++++
 openshift/openshift.go | 16 +++++++++++++++-
 types/types.go | 8 ++++++++
 5 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/directory/directory.go b/directory/directory.go
index e333c433..49bb5765 100644
--- a/directory/directory.go
+++ b/directory/directory.go
@@ -77,6 +77,13 @@ func NewDirImageSource(dir string) types.ImageSource {
 	return &dirImageSource{dir}
 }
 
+// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+// May be "" if unknown.
+func (s *dirImageSource) GetIntendedDockerReference() string {
+	return ""
+}
+
 func (s *dirImageSource) GetManifest() ([]byte, string, error) {
 	manifest, err := ioutil.ReadFile(manifestPath(s.dir))
 	if err != nil {
diff --git a/docker/docker_image.go b/docker/docker_image.go
index ef99c1cc..bd2bfe39 100644
--- a/docker/docker_image.go
+++ b/docker/docker_image.go
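Review bot: Returning "" from the directory source is the correct fail-closed choice — a manifest on disk can claim any name, and the method is explicitly about what the user asked for — but nothing in the hunk says so, and a later maintainer could "improve" it by reading a name out of the stored manifest. I would put that reasoning above the `return ""`: `// A directory has no user-specified origin; do not derive one from the stored manifest, which is untrusted. Callers must treat "" as "no identity", not as a match-anything value.` The GetManifest body that follows continues outside the hunk.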
@@ -35,6 +35,13 @@ func NewDockerImage(img, certPath string, tlsVerify bool) (types.Image, error) {
 	return &dockerImage{src: s}, nil
 }
 
+// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+// May be "" if unknown.
+func (i *dockerImage) GetIntendedDockerReference() string {
+	return i.src.GetIntendedDockerReference()
+}
+
 // GetManifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
 func (i *dockerImage) GetManifest() ([]byte, error) {
 	if err := i.retrieveRawManifest(); err != nil {
diff --git a/docker/docker_image_src.go b/docker/docker_image_src.go
index 4b68e4ff..53bbd425 100644
--- a/docker/docker_image_src.go
+++ b/docker/docker_image_src.go
@@ -48,6 +48,13 @@ func NewDockerImageSource(img, certPath string, tlsVerify bool) (types.ImageSour
 	return newDockerImageSource(img, certPath, tlsVerify)
 }
 
+// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+// May be "" if unknown.
+func (s *dockerImageSource) GetIntendedDockerReference() string {
+	return fmt.Sprintf("%s:%s", s.ref.Name(), s.tag)
+}
+
 func (s *dockerImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
 	url := fmt.Sprintf(manifestURL, s.ref.RemoteName(), s.tag)
 	// TODO(runcom) set manifest version header! schema1 for now - then schema2 etc etc and v1
diff --git a/openshift/openshift.go b/openshift/openshift.go
index d433207b..2e549c0d 100644
--- a/openshift/openshift.go
+++ b/openshift/openshift.go
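Review bot: In dockerImageSource.GetIntendedDockerReference, `fmt.Sprintf("%s:%s", s.ref.Name(), s.tag)` hard-codes the name:tag shape, so if `s.tag` can ever be empty (how it is populated is in newDockerImageSource, outside this hunk) the result is `name:` — not a valid reference, yet not the "" the contract promises for the unknown case, so a policy lookup keyed on it would silently match nothing. Because this string decides which public keys are trusted it must be the canonical, fully-qualified form; `s.ref.Name()` looks like the registry-prefixed name (the manifest URL below uses `s.ref.RemoteName()` for the path-only form), which is the right choice and worth a comment: `// Name() is the fully-qualified, registry-prefixed name; RemoteName() would be ambiguous across registries.` I would also guard the empty-tag case with `if s.tag == "" { return "" }`, or build the string through the vendored reference package's tagged-reference constructor if it has one, so the value is guaranteed to round-trip through the reference parser.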
@@ -133,6 +133,13 @@ func (c *openshiftClient) doRequest(method, path string, requestBody []byte) ([]
 	return body, nil
 }
 
+// canonicalDockerReference returns a canonical reference we use for signing OpenShift images.
+// FIXME: This is, strictly speaking, a namespace conflict with images placed in a Docker registry running on the same host.
+// Do we need to do something else, perhaps disambiguate (port number?) or namespace Docker and OpenShift separately?
+func (c *openshiftClient) canonicalDockerReference() string {
+	return fmt.Sprintf("%s/%s/%s:%s", c.baseURL.Host, c.namespace, c.stream, c.tag)
+}
+
 // convertDockerImageReference takes an image API DockerImageReference value and returns a reference we can actually use;
 // currently OpenShift stores the cluster-internal service IPs here, which are unusable from the outside.
 func (c *openshiftClient) convertDockerImageReference(ref string) (string, error) {
@@ -179,6 +186,13 @@ func NewOpenshiftImageSource(imageName, certPath string, tlsVerify bool) (types.
 	}, nil
 }
 
+// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+// May be "" if unknown.
+func (s *openshiftImageSource) GetIntendedDockerReference() string {
+	return s.client.canonicalDockerReference()
+}
+
 func (s *openshiftImageSource) GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error) {
 	if err := s.ensureImageIsResolved(); err != nil {
 		return nil, "", err
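Review bot: canonicalDockerReference interpolates `c.namespace`, `c.stream` and `c.tag` into a Docker reference string without checking that the result is one; an empty `c.tag` yields a trailing ':' and a namespace or stream name outside the reference grammar yields a string no policy entry can match, which matters because the commit says this value will select trusted keys. The FIXME already raises the host collision; one detail worth adding to it is that `c.baseURL.Host` (net/url) already carries an explicit port when the OpenShift URL has one, so the "port number?" idea only disambiguates when the registry and the OpenShift API listen on different ports. I would validate the built string with the Docker reference parser and return "" when it does not parse, e.g. `ref := fmt.Sprintf("%s/%s/%s:%s", c.baseURL.Host, c.namespace, c.stream, c.tag)` followed by `if _, err := reference.ParseNamed(ref); err != nil { return "" }`; whether that parser is importable here I cannot tell from the hunk, and the destination's CanonicalDockerReference (below) has an error return it could use instead of "". The GetIntendedDockerReference in the second hunk inherits whatever this helper returns, so it needs no separate change.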
@@ -270,7 +284,7 @@ func NewOpenshiftImageDestination(imageName, certPath string, tlsVerify bool) (t
 }
 
 func (d *openshiftImageDestination) CanonicalDockerReference() (string, error) {
-	return fmt.Sprintf("%s/%s/%s:%s", d.client.baseURL.Host, d.client.namespace, d.client.stream, d.client.tag), nil
+	return d.client.canonicalDockerReference(), nil
 }
 
 func (d *openshiftImageDestination) PutManifest(manifest []byte) error {
diff --git a/types/types.go b/types/types.go
index 97699743..3c579f93 100644
--- a/types/types.go
+++ b/types/types.go
@@ -30,6 +30,10 @@ type Repository interface {
 // ImageSource is a service, possibly remote (= slow), to download components of a single image.
 type ImageSource interface {
+	// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+	// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+	// May be "" if unknown.
+	GetIntendedDockerReference() string
 	GetManifest() (manifest []byte, unverifiedCanonicalDigest string, err error)
 	GetLayer(digest string) (io.ReadCloser, error)
 	GetSignatures() ([][]byte, error)
@@ -47,6 +51,10 @@ type ImageDestination interface {
 // Image is a Docker image in a repository.
 type Image interface {
 	// ref to repository?
+	// GetIntendedDockerReference returns the full, unambiguous, Docker reference for this image, _as specified by the user_
+	// (not as the image itself, or its underlying storage, claims). This can be used e.g. to determine which public keys are trusted for this image.
+	// May be "" if unknown.
+	GetIntendedDockerReference() string
 	// GetManifest is like ImageSource.GetManifest, but the result is cached; it is OK to call this however often you need.
 	GetManifest() ([]byte, error)
 	// GetSignatures is like ImageSource.GetSignatures, but the result is cached; it is OK to call this however often you need.
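Review bot: The new interface comment on ImageSource and Image says `May be "" if unknown` but not what a caller must do with "", and since the stated purpose is choosing which public keys are trusted, that is the security-critical half of the contract: an empty reference has to mean "no user-specified identity, fail closed", never "any identity". I would extend the last doc line on both interfaces to `// May be "" if unknown; policy code must treat "" as "no identity" (reject, or require an explicit override), never as a wildcard.` It would also help to pin the format — stating that a non-empty value is the normalized `host/path:tag` form lets policy lookups compare strings instead of re-parsing, and is what the docker implementation in this commit appears to produce. Both interface bodies continue outside the hunks, and any implementation of either interface elsewhere in the tree now has to add this method or the build breaks.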