Merge pull request #8637 from containers/dependabot/go_modules/github.com/containers/image/v5-5.9.0

Bump github.com/containers/image/v5 from 5.8.1 to 5.9.0

7 files changed, 170 insertions, 16 deletions

diff --git a/vendor/github.com/containers/image/v5/copy/copy.go b/vendor/github.com/containers/image/v5/copy/copy.go
index 4d5b07689..485db4d30 100644
--- a/vendor/github.com/containers/image/v5/copy/copy.go
+++ b/vendor/github.com/containers/image/v5/copy/copy.go
@@ -53,6 +53,14 @@ var (
 // compressionBufferSize is the buffer size used to compress a blob
 var compressionBufferSize = 1048576
 
+// expectedCompressionFormats is used to check if a blob with a specified media type is compressed
+// using the algorithm that the media type says it should be compressed with
+var expectedCompressionFormats = map[string]*compression.Algorithm{
+	imgspecv1.MediaTypeImageLayerGzip:      &compression.Gzip,
+	imgspecv1.MediaTypeImageLayerZstd:      &compression.Zstd,
+	manifest.DockerV2Schema2LayerMediaType: &compression.Gzip,
+}
+
 // newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
 // or set validationSucceeded/validationFailed to true if the source stream does/does not match expectedDigest.
 // (neither is set if EOF is never reached).
@@ -1234,6 +1242,10 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 	isCompressed := decompressor != nil
 	destStream = bar.ProxyReader(destStream)
 
+	if expectedCompressionFormat, known := expectedCompressionFormats[srcInfo.MediaType]; known && isCompressed && compressionFormat.Name() != expectedCompressionFormat.Name() {
+		logrus.Debugf("blob %s with type %s should be compressed with %s, but compressor appears to be %s", srcInfo.Digest.String(), srcInfo.MediaType, expectedCompressionFormat.Name(), compressionFormat.Name())
+	}
+
 	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
 	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
 	if getOriginalLayerCopyWriter != nil {
diff --git a/vendor/github.com/containers/image/v5/pkg/compression/compression.go b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
index 04d231c6d..d5cfd8d31 100644
--- a/vendor/github.com/containers/image/v5/pkg/compression/compression.go
+++ b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
@@ -91,7 +91,8 @@ func CompressStream(dest io.Writer, algo Algorithm, level *int) (io.WriteCloser,
 	return internal.AlgorithmCompressor(algo)(dest, level)
 }
 
-// DetectCompressionFormat returns a DecompressorFunc if the input is recognized as a compressed format, nil otherwise.
+// DetectCompressionFormat returns an Algorithm and DecompressorFunc if the input is recognized as a compressed format, an invalid
+// value and nil otherwise.
 // Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
 func DetectCompressionFormat(input io.Reader) (Algorithm, DecompressorFunc, io.Reader, error) {
 	buffer := [8]byte{}
diff --git a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
index e02703d77..198ac1cc6 100644
--- a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
+++ b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
@@ -225,9 +225,8 @@ func (c *PullCandidate) Record() error {
 // Note that tags and digests are stripped from the specified name before
 // looking up an alias. Stripped off tags and digests are later on appended to
 // all candidates.  If neither tag nor digest is specified, candidates are
-// normalized with the "latest" tag. PullCandidates in the returned value may
-// be empty if there is no matching alias and no unqualified-search registries
-// are configured.
+// normalized with the "latest" tag.  An error is returned if there is no
+// matching alias and no unqualified-search registries are configured.
 //
 // Note that callers *must* call `(PullCandidate).Record` after a returned
 // item has been pulled successfully; this callback will record a new
@@ -312,6 +311,10 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
 	if err != nil {
 		return nil, err
 	}
+	// Error out if there's no matching alias and no search registries.
+	if len(unqualifiedSearchRegistries) == 0 {
+		return nil, errors.Errorf("short-name %q did not resolve to an alias and no unqualified-search registries are defined in %q", name, usrConfig)
+	}
 	resolved.originDescription = usrConfig
 
 	for _, reg := range unqualifiedSearchRegistries {
@@ -331,10 +334,8 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
 		return resolved, nil
 	}
 
-	// If we have only one candidate, there's no ambiguity. In case of an
-	// empty candidate slices, callers can implement custom logic or raise
-	// an error.
-	if len(resolved.PullCandidates) <= 1 {
+	// If we have only one candidate, there's no ambiguity.
+	if len(resolved.PullCandidates) == 1 {
 		return resolved, nil
 	}
 
diff --git a/vendor/github.com/containers/image/v5/signature/policy_config.go b/vendor/github.com/containers/image/v5/signature/policy_config.go
index a4873e9fa..d8cc4a09b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_config.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_config.go
@@ -19,6 +19,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"regexp"
 
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports"
@@ -507,6 +508,8 @@ func newPolicyReferenceMatchFromJSON(data []byte) (PolicyReferenceMatch, error)
 		res = &prmExactReference{}
 	case prmTypeExactRepository:
 		res = &prmExactRepository{}
+	case prmTypeRemapIdentity:
+		res = &prmRemapIdentity{}
 	default:
 		return nil, InvalidPolicyFormatError(fmt.Sprintf("Unknown policy reference match type \"%s\"", typeField.Type))
 	}
@@ -693,3 +696,76 @@ func (prm *prmExactRepository) UnmarshalJSON(data []byte) error {
 	*prm = *res
 	return nil
 }
+
+// Private objects for validateIdentityRemappingPrefix
+var (
+	// remapIdentityDomainRegexp matches exactly a reference domain (name[:port])
+	remapIdentityDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$")
+	// remapIdentityDomainPrefixRegexp matches a reference that starts with a domain;
+	// we need this because reference.NameRegexp accepts short names with docker.io implied.
+	remapIdentityDomainPrefixRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "/")
+	// remapIdentityNameRegexp matches exactly a reference.Named name (possibly unnormalized)
+	remapIdentityNameRegexp = regexp.MustCompile("^" + reference.NameRegexp.String() + "$")
+)
+
+// validateIdentityRemappingPrefix returns an InvalidPolicyFormatError if s is detected to be invalid
+// for the Prefix or SignedPrefix values of prmRemapIdentity.
+// Note that it may not recognize _all_ invalid values.
+func validateIdentityRemappingPrefix(s string) error {
+	if remapIdentityDomainRegexp.MatchString(s) ||
+		(remapIdentityNameRegexp.MatchString(s) && remapIdentityDomainPrefixRegexp.MatchString(s)) {
+		// FIXME? This does not reject "shortname" nor "ns/shortname", because docker/reference
+		// does not provide an API for the short vs. long name logic.
+		// It will either not match, or fail in the ParseNamed call of
+		// prmRemapIdentity.remapReferencePrefix when trying to use such a prefix.
+		return nil
+	}
+	return InvalidPolicyFormatError(fmt.Sprintf("prefix %q is not valid", s))
+}
+
+// newPRMRemapIdentity is NewPRMRemapIdentity, except it returns the private type.
+func newPRMRemapIdentity(prefix, signedPrefix string) (*prmRemapIdentity, error) {
+	if err := validateIdentityRemappingPrefix(prefix); err != nil {
+		return nil, err
+	}
+	if err := validateIdentityRemappingPrefix(signedPrefix); err != nil {
+		return nil, err
+	}
+	return &prmRemapIdentity{
+		prmCommon:    prmCommon{Type: prmTypeRemapIdentity},
+		Prefix:       prefix,
+		SignedPrefix: signedPrefix,
+	}, nil
+}
+
+// NewPRMRemapIdentity returns a new "remapIdentity" PolicyRepositoryMatch.
+func NewPRMRemapIdentity(prefix, signedPrefix string) (PolicyReferenceMatch, error) {
+	return newPRMRemapIdentity(prefix, signedPrefix)
+}
+
+// Compile-time check that prmRemapIdentity implements json.Unmarshaler.
+var _ json.Unmarshaler = (*prmRemapIdentity)(nil)
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (prm *prmRemapIdentity) UnmarshalJSON(data []byte) error {
+	*prm = prmRemapIdentity{}
+	var tmp prmRemapIdentity
+	if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
+		"type":         &tmp.Type,
+		"prefix":       &tmp.Prefix,
+		"signedPrefix": &tmp.SignedPrefix,
+	}); err != nil {
+		return err
+	}
+
+	if tmp.Type != prmTypeRemapIdentity {
+		return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type))
+	}
+
+	res, err := newPRMRemapIdentity(tmp.Prefix, tmp.SignedPrefix)
+	if err != nil {
+		return err
+	}
+	*prm = *res
+	return nil
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
index e2a21f01d..064866cf6 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
@@ -4,6 +4,7 @@ package signature
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports"
@@ -36,12 +37,9 @@ func (prm *prmMatchExact) matchesDockerReference(image types.UnparsedImage, sign
 	return signature.String() == intended.String()
 }
 
-func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
-	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
-	if err != nil {
-		return false
-	}
-
+// matchRepoDigestOrExactReferenceValues implements prmMatchRepoDigestOrExact.matchesDockerReference
+// using reference.Named values.
+func matchRepoDigestOrExactReferenceValues(intended, signature reference.Named) bool {
 	// Do not add default tags: image.Reference().DockerReference() should contain it already, and signatureDockerReference should be exact; so, verify that now.
 	if reference.IsNameOnly(signature) {
 		return false
@@ -58,6 +56,13 @@ func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.Unparse
 		return false
 	}
 }
+func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+	if err != nil {
+		return false
+	}
+	return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
 
 func (prm *prmMatchRepository) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
 	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
@@ -99,3 +104,51 @@ func (prm *prmExactRepository) matchesDockerReference(image types.UnparsedImage,
 	}
 	return signature.Name() == intended.Name()
 }
+
+// refMatchesPrefix returns true if ref matches prm.Prefix.
+func (prm *prmRemapIdentity) refMatchesPrefix(ref reference.Named) bool {
+	name := ref.Name()
+	switch {
+	case len(name) < len(prm.Prefix):
+		return false
+	case len(name) == len(prm.Prefix):
+		return name == prm.Prefix
+	case len(name) > len(prm.Prefix):
+		// We are matching only ref.Name(), not ref.String(), so the only separator we are
+		// expecting is '/':
+		// - '@' is only valid to separate a digest, i.e. not a part of ref.Name()
+		// - similarly ':' to mark a tag would not be a part of ref.Name(); it can be a part of a
+		//   host:port domain syntax, but we don't treat that specially and require an exact match
+		//   of the domain.
+		return strings.HasPrefix(name, prm.Prefix) && name[len(prm.Prefix)] == '/'
+	default:
+		panic("Internal error: impossible comparison outcome")
+	}
+}
+
+// remapReferencePrefix returns the result of remapping ref, if it matches prm.Prefix
+// or the original ref if it does not.
+func (prm *prmRemapIdentity) remapReferencePrefix(ref reference.Named) (reference.Named, error) {
+	if !prm.refMatchesPrefix(ref) {
+		return ref, nil
+	}
+	refString := ref.String()
+	newNamedRef := strings.Replace(refString, prm.Prefix, prm.SignedPrefix, 1)
+	newParsedRef, err := reference.ParseNamed(newNamedRef)
+	if err != nil {
+		return nil, fmt.Errorf(`error rewriting reference from "%s" to "%s": %v`, refString, newNamedRef, err)
+	}
+	return newParsedRef, nil
+}
+
+func (prm *prmRemapIdentity) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+	if err != nil {
+		return false
+	}
+	intended, err = prm.remapReferencePrefix(intended)
+	if err != nil {
+		return false
+	}
+	return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_types.go b/vendor/github.com/containers/image/v5/signature/policy_types.go
index d3b33bb7a..c6819929b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_types.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_types.go
@@ -121,6 +121,7 @@ const (
 	prmTypeMatchRepository        prmTypeIdentifier = "matchRepository"
 	prmTypeExactReference         prmTypeIdentifier = "exactReference"
 	prmTypeExactRepository        prmTypeIdentifier = "exactRepository"
+	prmTypeRemapIdentity          prmTypeIdentifier = "remapIdentity"
 )
 
 // prmMatchExact is a PolicyReferenceMatch with type = prmMatchExact: the two references must match exactly.
@@ -150,3 +151,13 @@ type prmExactRepository struct {
 	prmCommon
 	DockerRepository string `json:"dockerRepository"`
 }
+
+// prmRemapIdentity is a PolicyReferenceMatch with type = prmRemapIdentity: like prmMatchRepoDigestOrExact,
+// except that a namespace (at least a host:port, at most a single repository) is substituted before matching the two references.
+type prmRemapIdentity struct {
+	prmCommon
+	Prefix       string `json:"prefix"`
+	SignedPrefix string `json:"signedPrefix"`
+	// Possibly let the users make a choice for tag/digest matching behavior
+	// similar to prmMatchExact/prmMatchRepository?
+}
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 14e553c9f..48ecf938c 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -6,9 +6,9 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 5
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 8
+	VersionMinor = 9
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 1
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""