Merge pull request #535 from lsm5/more-dir-digest

image/directory: store manifest and signature with digest algorithm prefix

Author: mtrmac

image/directory/directory_dest.go

@@ -227,6 +227,9 @@ func (d *dirImageDestination) TryReusingBlobWithOptions(ctx context.Context, inf
 // If the destination is in principle available, refuses this manifest type (e.g. it does not recognize the schema),
 // but may accept a different manifest type, the returned error must be an ManifestTypeRejectedError.
 func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil && instanceDigest.Algorithm() != digest.Canonical { // compare the special case in manifestPath
+		d.usesNonSHA256Digest = true
+	}
 	path, err := d.ref.manifestPath(instanceDigest)
 	if err != nil {
 		return err
@@ -239,6 +242,9 @@ func (d *dirImageDestination) PutManifest(ctx context.Context, manifest []byte,
 // (when the primary manifest is a manifest list); this should always be nil if the primary manifest is not a manifest list.
 // MUST be called after PutManifest (signatures may reference manifest contents).
 func (d *dirImageDestination) PutSignaturesWithFormat(ctx context.Context, signatures []signature.Signature, instanceDigest *digest.Digest) error {
+	if instanceDigest != nil && instanceDigest.Algorithm() != digest.Canonical { // compare the special case in signaturePath
+		d.usesNonSHA256Digest = true
+	}
 	for i, sig := range signatures {
 		blob, err := signature.Blob(sig)
 		if err != nil {

image/directory/directory_dest_test.go

@@ -15,53 +15,85 @@ import (
 )
 
 func TestVersionAssignment(t *testing.T) {
-	for _, c := range []struct {
-		name            string
-		algorithms      []digest.Algorithm
-		expectedVersion version
+	for _, contentType := range []struct {
+		name string
+		put  func(*testing.T, types.ImageDestination, digest.Algorithm, int, types.BlobInfoCache)
 	}{
 		{
-			name:            "SHA256 only gets version 1.1",
-			algorithms:      []digest.Algorithm{digest.SHA256},
-			expectedVersion: version1_1,
+			name: "blob",
+			put: func(t *testing.T, dest types.ImageDestination, algo digest.Algorithm, i int, cache types.BlobInfoCache) {
+				blobData := []byte("test-blob-" + algo.String() + "-" + string(rune(i)))
+				var blobDigest digest.Digest
+				if algo == digest.SHA256 {
+					blobDigest = ""
+				} else {
+					blobDigest = algo.FromBytes(blobData)
+				}
+				_, err := dest.PutBlob(context.Background(), bytes.NewReader(blobData), types.BlobInfo{Digest: blobDigest, Size: int64(len(blobData))}, cache, false)
+				require.NoError(t, err)
+			},
 		},
 		{
-			name:            "SHA512 only gets version 1.2",
-			algorithms:      []digest.Algorithm{digest.SHA512},
-			expectedVersion: version1_2,
+			name: "manifest",
+			put: func(t *testing.T, dest types.ImageDestination, algo digest.Algorithm, i int, cache types.BlobInfoCache) {
+				manifestData := []byte("test-manifest-" + algo.String() + "-" + string(rune(i)))
+				instanceDigest := algo.FromBytes(manifestData)
+				err := dest.PutManifest(context.Background(), manifestData, &instanceDigest)
+				require.NoError(t, err)
+			},
 		},
 		{
-			name:            "Mixed SHA256 and SHA512 gets version 1.2",
-			algorithms:      []digest.Algorithm{digest.SHA256, digest.SHA512},
-			expectedVersion: version1_2,
+			name: "signature",
+			put: func(t *testing.T, dest types.ImageDestination, algo digest.Algorithm, i int, cache types.BlobInfoCache) {
+				manifestData := []byte("test-manifest-" + algo.String() + "-" + string(rune(i)))
+				instanceDigest := algo.FromBytes(manifestData)
+				// These signatures are completely invalid; start with 0xA3 just to be minimally plausible to signature.FromBlob.
+				signatures := [][]byte{[]byte("\xA3sig" + algo.String() + "-" + string(rune(i)))}
+				err := dest.PutSignatures(context.Background(), signatures, &instanceDigest)
+				require.NoError(t, err)
+			},
 		},
 	} {
-		t.Run(c.name, func(t *testing.T) {
-			ref, tmpDir := refToTempDir(t)
-			cache := memory.New()
+		for _, c := range []struct {
+			name            string
+			algorithms      []digest.Algorithm
+			expectedVersion version
+		}{
+			{
+				name:            "SHA256 only gets version 1.1",
+				algorithms:      []digest.Algorithm{digest.SHA256},
+				expectedVersion: version1_1,
+			},
+			{
+				name:            "SHA512 only gets version 1.2",
+				algorithms:      []digest.Algorithm{digest.SHA512},
+				expectedVersion: version1_2,
+			},
+			{
+				name:            "Mixed SHA256 and SHA512 gets version 1.2",
+				algorithms:      []digest.Algorithm{digest.SHA256, digest.SHA512},
+				expectedVersion: version1_2,
+			},
+		} {
+			t.Run(contentType.name+": "+c.name, func(t *testing.T) {
+				ref, tmpDir := refToTempDir(t)
+				cache := memory.New()
 
-			dest, err := ref.NewImageDestination(context.Background(), nil)
-			require.NoError(t, err)
-			defer dest.Close()
+				dest, err := ref.NewImageDestination(context.Background(), nil)
+				require.NoError(t, err)
+				defer dest.Close()
 
-			for i, algo := range c.algorithms {
-				blobData := []byte("test-blob-" + algo.String() + "-" + string(rune(i)))
-				var blobDigest digest.Digest
-				if algo == digest.SHA256 {
-					blobDigest = ""
-				} else {
-					blobDigest = algo.FromBytes(blobData)
+				for i, algo := range c.algorithms {
+					contentType.put(t, dest, algo, i, cache)
 				}
-				_, err = dest.PutBlob(context.Background(), bytes.NewReader(blobData), types.BlobInfo{Digest: blobDigest, Size: int64(len(blobData))}, cache, false)
-				require.NoError(t, err)
-			}
 
-			err = dest.Commit(context.Background(), nil)
-			require.NoError(t, err)
+				err = dest.Commit(context.Background(), nil)
+				require.NoError(t, err)
 
-			versionBytes, err := os.ReadFile(filepath.Join(tmpDir, "version"))
-			require.NoError(t, err)
-			assert.Equal(t, c.expectedVersion.String(), string(versionBytes))
-		})
+				versionBytes, err := os.ReadFile(filepath.Join(tmpDir, "version"))
+				require.NoError(t, err)
+				assert.Equal(t, c.expectedVersion.String(), string(versionBytes))
+			})
+		}
 	}
 }

image/directory/directory_transport.go

@@ -166,7 +166,13 @@ func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, err
 		if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
 			return "", err
 		}
-		return filepath.Join(ref.path, instanceDigest.Encoded()+".manifest.json"), nil
+		var filename string
+		if instanceDigest.Algorithm() == digest.Canonical {
+			filename = instanceDigest.Encoded() + ".manifest.json"
+		} else {
+			filename = instanceDigest.Algorithm().String() + "-" + instanceDigest.Encoded() + ".manifest.json"
+		}
+		return filepath.Join(ref.path, filename), nil
 	}
 	return filepath.Join(ref.path, "manifest.json"), nil
 }
@@ -193,7 +199,13 @@ func (ref dirReference) signaturePath(index int, instanceDigest *digest.Digest)
 		if err := instanceDigest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
 			return "", err
 		}
-		return filepath.Join(ref.path, fmt.Sprintf(instanceDigest.Encoded()+".signature-%d", index+1)), nil
+		var prefix string
+		if instanceDigest.Algorithm() == digest.Canonical {
+			prefix = instanceDigest.Encoded()
+		} else {
+			prefix = instanceDigest.Algorithm().String() + "-" + instanceDigest.Encoded()
+		}
+		return filepath.Join(ref.path, fmt.Sprintf(prefix+".signature-%d", index+1)), nil
 	}
 	return filepath.Join(ref.path, fmt.Sprintf("signature-%d", index+1)), nil
 }

image/directory/directory_transport_test.go

@@ -194,17 +194,24 @@ func TestReferenceDeleteImage(t *testing.T) {
 }
 
 func TestReferenceManifestPath(t *testing.T) {
-	dhex := digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	dhex256 := digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	dhex512 := digest.Digest("sha512:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
 
 	ref, tmpDir := refToTempDir(t)
 	dirRef, ok := ref.(dirReference)
 	require.True(t, ok)
 	res, err := dirRef.manifestPath(nil)
 	require.NoError(t, err)
 	assert.Equal(t, tmpDir+"/manifest.json", res)
-	res, err = dirRef.manifestPath(&dhex)
+
+	res, err = dirRef.manifestPath(&dhex256)
+	require.NoError(t, err)
+	assert.Equal(t, tmpDir+"/"+dhex256.Encoded()+".manifest.json", res)
+
+	res, err = dirRef.manifestPath(&dhex512)
 	require.NoError(t, err)
-	assert.Equal(t, tmpDir+"/"+dhex.Encoded()+".manifest.json", res)
+	assert.Equal(t, tmpDir+"/sha512-"+dhex512.Encoded()+".manifest.json", res)
+
 	invalidDigest := digest.Digest("sha256:../hello")
 	_, err = dirRef.manifestPath(&invalidDigest)
 	assert.Error(t, err)
@@ -231,7 +238,8 @@ func TestReferenceLayerPath(t *testing.T) {
 }
 
 func TestReferenceSignaturePath(t *testing.T) {
-	dhex := digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	dhex256 := digest.Digest("sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
+	dhex512 := digest.Digest("sha512:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
 
 	ref, tmpDir := refToTempDir(t)
 	dirRef, ok := ref.(dirReference)
@@ -242,12 +250,21 @@ func TestReferenceSignaturePath(t *testing.T) {
 	res, err = dirRef.signaturePath(9, nil)
 	require.NoError(t, err)
 	assert.Equal(t, tmpDir+"/signature-10", res)
-	res, err = dirRef.signaturePath(0, &dhex)
+
+	res, err = dirRef.signaturePath(0, &dhex256)
 	require.NoError(t, err)
-	assert.Equal(t, tmpDir+"/"+dhex.Encoded()+".signature-1", res)
-	res, err = dirRef.signaturePath(9, &dhex)
+	assert.Equal(t, tmpDir+"/"+dhex256.Encoded()+".signature-1", res)
+	res, err = dirRef.signaturePath(9, &dhex256)
 	require.NoError(t, err)
-	assert.Equal(t, tmpDir+"/"+dhex.Encoded()+".signature-10", res)
+	assert.Equal(t, tmpDir+"/"+dhex256.Encoded()+".signature-10", res)
+
+	res, err = dirRef.signaturePath(0, &dhex512)
+	require.NoError(t, err)
+	assert.Equal(t, tmpDir+"/sha512-"+dhex512.Encoded()+".signature-1", res)
+	res, err = dirRef.signaturePath(9, &dhex512)
+	require.NoError(t, err)
+	assert.Equal(t, tmpDir+"/sha512-"+dhex512.Encoded()+".signature-10", res)
+
 	invalidDigest := digest.Digest("sha256:../hello")
 	_, err = dirRef.signaturePath(0, &invalidDigest)
 	assert.Error(t, err)