summaryrefslogtreecommitdiff
path: root/vendor
diff options
context:
space:
mode:
Diffstat (limited to 'vendor')
-rw-r--r--vendor/github.com/containers/image/v5/copy/copy.go12
-rw-r--r--vendor/github.com/containers/image/v5/pkg/compression/compression.go3
-rw-r--r--vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go15
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_config.go76
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_reference_match.go65
-rw-r--r--vendor/github.com/containers/image/v5/signature/policy_types.go11
-rw-r--r--vendor/github.com/containers/image/v5/version/version.go4
-rw-r--r--vendor/modules.txt2
8 files changed, 171 insertions, 17 deletions
diff --git a/vendor/github.com/containers/image/v5/copy/copy.go b/vendor/github.com/containers/image/v5/copy/copy.go
index 4d5b07689..485db4d30 100644
--- a/vendor/github.com/containers/image/v5/copy/copy.go
+++ b/vendor/github.com/containers/image/v5/copy/copy.go
@@ -53,6 +53,14 @@ var (
// compressionBufferSize is the buffer size used to compress a blob
var compressionBufferSize = 1048576
+// expectedCompressionFormats is used to check if a blob with a specified media type is compressed
+// using the algorithm that the media type says it should be compressed with
+var expectedCompressionFormats = map[string]*compression.Algorithm{
+ imgspecv1.MediaTypeImageLayerGzip: &compression.Gzip,
+ imgspecv1.MediaTypeImageLayerZstd: &compression.Zstd,
+ manifest.DockerV2Schema2LayerMediaType: &compression.Gzip,
+}
+
// newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
// or set validationSucceeded/validationFailed to true if the source stream does/does not match expectedDigest.
// (neither is set if EOF is never reached).
@@ -1234,6 +1242,10 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
isCompressed := decompressor != nil
destStream = bar.ProxyReader(destStream)
+ if expectedCompressionFormat, known := expectedCompressionFormats[srcInfo.MediaType]; known && isCompressed && compressionFormat.Name() != expectedCompressionFormat.Name() {
+ logrus.Debugf("blob %s with type %s should be compressed with %s, but compressor appears to be %s", srcInfo.Digest.String(), srcInfo.MediaType, expectedCompressionFormat.Name(), compressionFormat.Name())
+ }
+
// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
if getOriginalLayerCopyWriter != nil {
diff --git a/vendor/github.com/containers/image/v5/pkg/compression/compression.go b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
index 04d231c6d..d5cfd8d31 100644
--- a/vendor/github.com/containers/image/v5/pkg/compression/compression.go
+++ b/vendor/github.com/containers/image/v5/pkg/compression/compression.go
@@ -91,7 +91,8 @@ func CompressStream(dest io.Writer, algo Algorithm, level *int) (io.WriteCloser,
return internal.AlgorithmCompressor(algo)(dest, level)
}
-// DetectCompressionFormat returns a DecompressorFunc if the input is recognized as a compressed format, nil otherwise.
+// DetectCompressionFormat returns an Algorithm and DecompressorFunc if the input is recognized as a compressed format, an invalid
+// value and nil otherwise.
// Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
func DetectCompressionFormat(input io.Reader) (Algorithm, DecompressorFunc, io.Reader, error) {
buffer := [8]byte{}
diff --git a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
index e02703d77..198ac1cc6 100644
--- a/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
+++ b/vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go
@@ -225,9 +225,8 @@ func (c *PullCandidate) Record() error {
// Note that tags and digests are stripped from the specified name before
// looking up an alias. Stripped off tags and digests are later on appended to
// all candidates. If neither tag nor digest is specified, candidates are
-// normalized with the "latest" tag. PullCandidates in the returned value may
-// be empty if there is no matching alias and no unqualified-search registries
-// are configured.
+// normalized with the "latest" tag. An error is returned if there is no
+// matching alias and no unqualified-search registries are configured.
//
// Note that callers *must* call `(PullCandidate).Record` after a returned
// item has been pulled successfully; this callback will record a new
@@ -312,6 +311,10 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
if err != nil {
return nil, err
}
+ // Error out if there's no matching alias and no search registries.
+ if len(unqualifiedSearchRegistries) == 0 {
+ return nil, errors.Errorf("short-name %q did not resolve to an alias and no unqualified-search registries are defined in %q", name, usrConfig)
+ }
resolved.originDescription = usrConfig
for _, reg := range unqualifiedSearchRegistries {
@@ -331,10 +334,8 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
return resolved, nil
}
- // If we have only one candidate, there's no ambiguity. In case of an
- // empty candidate slices, callers can implement custom logic or raise
- // an error.
- if len(resolved.PullCandidates) <= 1 {
+ // If we have only one candidate, there's no ambiguity.
+ if len(resolved.PullCandidates) == 1 {
return resolved, nil
}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_config.go b/vendor/github.com/containers/image/v5/signature/policy_config.go
index a4873e9fa..d8cc4a09b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_config.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_config.go
@@ -19,6 +19,7 @@ import (
"io/ioutil"
"os"
"path/filepath"
+ "regexp"
"github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/transports"
@@ -507,6 +508,8 @@ func newPolicyReferenceMatchFromJSON(data []byte) (PolicyReferenceMatch, error)
res = &prmExactReference{}
case prmTypeExactRepository:
res = &prmExactRepository{}
+ case prmTypeRemapIdentity:
+ res = &prmRemapIdentity{}
default:
return nil, InvalidPolicyFormatError(fmt.Sprintf("Unknown policy reference match type \"%s\"", typeField.Type))
}
@@ -693,3 +696,76 @@ func (prm *prmExactRepository) UnmarshalJSON(data []byte) error {
*prm = *res
return nil
}
+
+// Private objects for validateIdentityRemappingPrefix
+var (
+ // remapIdentityDomainRegexp matches exactly a reference domain (name[:port])
+ remapIdentityDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$")
+ // remapIdentityDomainPrefixRegexp matches a reference that starts with a domain;
+ // we need this because reference.NameRegexp accepts short names with docker.io implied.
+ remapIdentityDomainPrefixRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "/")
+ // remapIdentityNameRegexp matches exactly a reference.Named name (possibly unnormalized)
+ remapIdentityNameRegexp = regexp.MustCompile("^" + reference.NameRegexp.String() + "$")
+)
+
+// validateIdentityRemappingPrefix returns an InvalidPolicyFormatError if s is detected to be invalid
+// for the Prefix or SignedPrefix values of prmRemapIdentity.
+// Note that it may not recognize _all_ invalid values.
+func validateIdentityRemappingPrefix(s string) error {
+ if remapIdentityDomainRegexp.MatchString(s) ||
+ (remapIdentityNameRegexp.MatchString(s) && remapIdentityDomainPrefixRegexp.MatchString(s)) {
+ // FIXME? This does not reject "shortname" nor "ns/shortname", because docker/reference
+ // does not provide an API for the short vs. long name logic.
+ // It will either not match, or fail in the ParseNamed call of
+ // prmRemapIdentity.remapReferencePrefix when trying to use such a prefix.
+ return nil
+ }
+ return InvalidPolicyFormatError(fmt.Sprintf("prefix %q is not valid", s))
+}
+
+// newPRMRemapIdentity is NewPRMRemapIdentity, except it returns the private type.
+func newPRMRemapIdentity(prefix, signedPrefix string) (*prmRemapIdentity, error) {
+ if err := validateIdentityRemappingPrefix(prefix); err != nil {
+ return nil, err
+ }
+ if err := validateIdentityRemappingPrefix(signedPrefix); err != nil {
+ return nil, err
+ }
+ return &prmRemapIdentity{
+ prmCommon: prmCommon{Type: prmTypeRemapIdentity},
+ Prefix: prefix,
+ SignedPrefix: signedPrefix,
+ }, nil
+}
+
+// NewPRMRemapIdentity returns a new "remapIdentity" PolicyRepositoryMatch.
+func NewPRMRemapIdentity(prefix, signedPrefix string) (PolicyReferenceMatch, error) {
+ return newPRMRemapIdentity(prefix, signedPrefix)
+}
+
+// Compile-time check that prmRemapIdentity implements json.Unmarshaler.
+var _ json.Unmarshaler = (*prmRemapIdentity)(nil)
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (prm *prmRemapIdentity) UnmarshalJSON(data []byte) error {
+ *prm = prmRemapIdentity{}
+ var tmp prmRemapIdentity
+ if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
+ "type": &tmp.Type,
+ "prefix": &tmp.Prefix,
+ "signedPrefix": &tmp.SignedPrefix,
+ }); err != nil {
+ return err
+ }
+
+ if tmp.Type != prmTypeRemapIdentity {
+ return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type))
+ }
+
+ res, err := newPRMRemapIdentity(tmp.Prefix, tmp.SignedPrefix)
+ if err != nil {
+ return err
+ }
+ *prm = *res
+ return nil
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
index e2a21f01d..064866cf6 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_reference_match.go
@@ -4,6 +4,7 @@ package signature
import (
"fmt"
+ "strings"
"github.com/containers/image/v5/docker/reference"
"github.com/containers/image/v5/transports"
@@ -36,12 +37,9 @@ func (prm *prmMatchExact) matchesDockerReference(image types.UnparsedImage, sign
return signature.String() == intended.String()
}
-func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
- intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
- if err != nil {
- return false
- }
-
+// matchRepoDigestOrExactReferenceValues implements prmMatchRepoDigestOrExact.matchesDockerReference
+// using reference.Named values.
+func matchRepoDigestOrExactReferenceValues(intended, signature reference.Named) bool {
// Do not add default tags: image.Reference().DockerReference() should contain it already, and signatureDockerReference should be exact; so, verify that now.
if reference.IsNameOnly(signature) {
return false
@@ -58,6 +56,13 @@ func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.Unparse
return false
}
}
+func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+ intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+ if err != nil {
+ return false
+ }
+ return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
func (prm *prmMatchRepository) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
@@ -99,3 +104,51 @@ func (prm *prmExactRepository) matchesDockerReference(image types.UnparsedImage,
}
return signature.Name() == intended.Name()
}
+
+// refMatchesPrefix returns true if ref matches prm.Prefix.
+func (prm *prmRemapIdentity) refMatchesPrefix(ref reference.Named) bool {
+ name := ref.Name()
+ switch {
+ case len(name) < len(prm.Prefix):
+ return false
+ case len(name) == len(prm.Prefix):
+ return name == prm.Prefix
+ case len(name) > len(prm.Prefix):
+ // We are matching only ref.Name(), not ref.String(), so the only separator we are
+ // expecting is '/':
+ // - '@' is only valid to separate a digest, i.e. not a part of ref.Name()
+ // - similarly ':' to mark a tag would not be a part of ref.Name(); it can be a part of a
+ // host:port domain syntax, but we don't treat that specially and require an exact match
+ // of the domain.
+ return strings.HasPrefix(name, prm.Prefix) && name[len(prm.Prefix)] == '/'
+ default:
+ panic("Internal error: impossible comparison outcome")
+ }
+}
+
+// remapReferencePrefix returns the result of remapping ref, if it matches prm.Prefix
+// or the original ref if it does not.
+func (prm *prmRemapIdentity) remapReferencePrefix(ref reference.Named) (reference.Named, error) {
+ if !prm.refMatchesPrefix(ref) {
+ return ref, nil
+ }
+ refString := ref.String()
+ newNamedRef := strings.Replace(refString, prm.Prefix, prm.SignedPrefix, 1)
+ newParsedRef, err := reference.ParseNamed(newNamedRef)
+ if err != nil {
+ return nil, fmt.Errorf(`error rewriting reference from "%s" to "%s": %v`, refString, newNamedRef, err)
+ }
+ return newParsedRef, nil
+}
+
+func (prm *prmRemapIdentity) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+ intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+ if err != nil {
+ return false
+ }
+ intended, err = prm.remapReferencePrefix(intended)
+ if err != nil {
+ return false
+ }
+ return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
diff --git a/vendor/github.com/containers/image/v5/signature/policy_types.go b/vendor/github.com/containers/image/v5/signature/policy_types.go
index d3b33bb7a..c6819929b 100644
--- a/vendor/github.com/containers/image/v5/signature/policy_types.go
+++ b/vendor/github.com/containers/image/v5/signature/policy_types.go
@@ -121,6 +121,7 @@ const (
prmTypeMatchRepository prmTypeIdentifier = "matchRepository"
prmTypeExactReference prmTypeIdentifier = "exactReference"
prmTypeExactRepository prmTypeIdentifier = "exactRepository"
+ prmTypeRemapIdentity prmTypeIdentifier = "remapIdentity"
)
// prmMatchExact is a PolicyReferenceMatch with type = prmMatchExact: the two references must match exactly.
@@ -150,3 +151,13 @@ type prmExactRepository struct {
prmCommon
DockerRepository string `json:"dockerRepository"`
}
+
+// prmRemapIdentity is a PolicyReferenceMatch with type = prmRemapIdentity: like prmMatchRepoDigestOrExact,
+// except that a namespace (at least a host:port, at most a single repository) is substituted before matching the two references.
+type prmRemapIdentity struct {
+ prmCommon
+ Prefix string `json:"prefix"`
+ SignedPrefix string `json:"signedPrefix"`
+ // Possibly let the users make a choice for tag/digest matching behavior
+ // similar to prmMatchExact/prmMatchRepository?
+}
diff --git a/vendor/github.com/containers/image/v5/version/version.go b/vendor/github.com/containers/image/v5/version/version.go
index 14e553c9f..48ecf938c 100644
--- a/vendor/github.com/containers/image/v5/version/version.go
+++ b/vendor/github.com/containers/image/v5/version/version.go
@@ -6,9 +6,9 @@ const (
// VersionMajor is for an API incompatible changes
VersionMajor = 5
// VersionMinor is for functionality in a backwards-compatible manner
- VersionMinor = 8
+ VersionMinor = 9
// VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 0
// VersionDev indicates development branch. Releases will be empty string.
VersionDev = ""
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3ad53c73c..518000970 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -104,7 +104,7 @@ github.com/containers/common/pkg/umask
github.com/containers/common/version
# github.com/containers/conmon v2.0.20+incompatible
github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.8.1
+# github.com/containers/image/v5 v5.9.0
github.com/containers/image/v5/copy
github.com/containers/image/v5/directory
github.com/containers/image/v5/directory/explicitfilepath