Docker digest validation is too strict #32627
|
@@ -158,7 +158,7 @@ func TestContainerNaming(t *testing.T) { | |
} | ||
|
||
func TestMatchImageTagOrSHA(t *testing.T) { | ||
for _, testCase := range []struct { | ||
for i, testCase := range []struct { | ||
Inspected dockertypes.ImageInspect | ||
Image string | ||
Output bool | ||
|
@@ -209,9 +209,109 @@ func TestMatchImageTagOrSHA(t *testing.T) { | |
Image: "myimage@sha256:2208", | ||
Output: false, | ||
}, | ||
{ | ||
// mismatched ID is ignored | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:2208f7a29005d226d1ee33a63e33af1f47af6156c740d7d23c7948e8d282d53d", | ||
}, | ||
Image: "myimage@sha256:0000f7a29005d226d1ee33a63e33af1f47af6156c740d7d23c7948e8d282d53d", | ||
Output: false, | ||
}, | ||
{ | ||
// invalid digest is ignored | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:unparseable", | ||
}, | ||
Image: "myimage@sha256:unparseable", | ||
Output: false, | ||
}, | ||
{ | ||
// v1 schema images can be pulled in one format and returned in another | ||
Make a copy of this test case, change the value in RepoDigests so it's not a match, and the test will pass with the "double digest" line, and fail once you change one
That test did fail. On Wed, Sep 14, 2016 at 1:32 PM, Andy Goldstein notifications@github.com
Actually did not. Fixing On Wed, Sep 14, 2016 at 2:05 PM, Clayton Coleman ccoleman@redhat.com
Added a hard fail |
||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{"centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: true, | ||
}, | ||
{ | ||
// RepoDigest match is is required | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:000084acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: false, | ||
}, | ||
{ | ||
// RepoDigest match is allowed | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: true, | ||
}, | ||
{ | ||
// RepoDigest and ID are checked | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: true, | ||
}, | ||
{ | ||
// unparseable RepoDigests are skipped | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{ | ||
"centos/ruby-23-centos7@sha256:unparseable", | ||
"docker.io/centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: true, | ||
}, | ||
{ | ||
// unparseable RepoDigest is ignored | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:unparseable"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf", | ||
Output: false, | ||
}, | ||
{ | ||
// unparseable image digest is ignored | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:unparseable"}, | ||
}, | ||
Image: "centos/ruby-23-centos7@sha256:unparseable", | ||
Output: false, | ||
}, | ||
{ | ||
// prefix match is rejected for ID and RepoDigest | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:unparseable", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:unparseable"}, | ||
}, | ||
Image: "sha256:unparseable", | ||
Output: false, | ||
}, | ||
{ | ||
// possible SHA prefix match is rejected for ID and RepoDigest because it is not in the named format | ||
Inspected: dockertypes.ImageInspect{ | ||
ID: "sha256:0000f247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227", | ||
RepoDigests: []string{"docker.io/centos/ruby-23-centos7@sha256:0000f247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227"}, | ||
}, | ||
Image: "sha256:0000", | ||
Output: false, | ||
}, | ||
} { | ||
match := matchImageTagOrSHA(testCase.Inspected, testCase.Image) | ||
assert.Equal(t, testCase.Output, match, testCase.Image+" is not a match") | ||
assert.Equal(t, testCase.Output, match, testCase.Image+fmt.Sprintf(" is not a match (%d)", i)) | ||
} | ||
} | ||
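Review bot: The new table never pins what happens when a `RepoDigests` entry carries the same digest as `Image` under a different repository name; the positive cases only vary the `docker.io/` prefix on `centos/ruby-23-centos7`, so a reader cannot tell whether the name takes part in the match or only the digest does. Since `matchImageTagOrSHA` appears to decide whether an inspected local image satisfies a digest-pinned reference, I would add one case with an unrelated repository name and the matching digest, commented with the intended outcome, e.g. `// digest match under a different repository name: <expected result>`. Separately, the case labelled `// prefix match is rejected for ID and RepoDigest` uses `Image: "sha256:unparseable"`, which equals the `ID` exactly, so it exercises an unnamed reference rather than a prefix and should be relabelled to say so. Part of the table lies between the two hunks and is not visible here, so such a case may already exist there.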
|
||
|
As a follow-up to my FYI above, I doubt this code will ever execute in real life
I agree but it's good to keep it here just in case, since we are so close to release