Skip to content

Commit

Permalink
Check image digests in ImageStatus / ListImages
Browse files Browse the repository at this point in the history
  • Loading branch information
Ivan Shvedunov committed Sep 5, 2018
1 parent 2370579 commit f145b1a
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 6 deletions.
23 changes: 18 additions & 5 deletions pkg/image/image.go
Original file line number Diff line number Diff line change
Expand Up @@ -322,6 +322,8 @@ func (s *FileStore) imageInfo(fi os.FileInfo) (*Image, error) {
}

func (s *FileStore) listImagesUnlocked(filter string) ([]*Image, error) {
filter, digestSpec := SplitImageName(filter)

if linkDirExists, err := s.linkDirExists(); err != nil {
return nil, err
} else if !linkDirExists {
Expand All @@ -339,13 +341,16 @@ func (s *FileStore) listImagesUnlocked(filter string) ([]*Image, error) {
continue
}
image, err := s.imageInfo(fi)
if err != nil {
switch {
case err != nil:
glog.Warningf("listing images: skipping image link %q: %v", fi.Name(), err)
continue
case filter != "" && image.Name != filter:
continue
case digestSpec != "" && digest.Digest(image.Digest) != digestSpec:
continue
}
if filter == "" || image.Name == filter {
r = append(r, image)
}
r = append(r, image)
}

return r, nil
Expand All @@ -363,7 +368,15 @@ func (s *FileStore) imageStatusUnlocked(name string) (*Image, error) {
// get info about the link itself, not its target
switch fi, err := os.Lstat(linkFileName); {
case err == nil:
return s.imageInfo(fi)
info, err := s.imageInfo(fi)
if err != nil {
return nil, err
}
_, digestSpec := SplitImageName(name)
if digestSpec != "" && digest.Digest(info.Digest) != digestSpec {
return nil, fmt.Errorf("image digest mismatch: %s instead of %s", info.Digest, digestSpec)
}
return info, nil
case os.IsNotExist(err):
return nil, nil
default:
Expand Down
15 changes: 14 additions & 1 deletion pkg/image/image_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,8 @@ func TestPullListStatus(t *testing.T) {
tst.pullImage(tst.images[2].Name, tst.refs[2])
tst.verifyListImages("", tst.images[1], tst.images[0], tst.images[2]) // alphabetically sorted by name
tst.verifySubpathContents("links/foobar", "###baz")

tst.verifyListImages(tst.refs[1], tst.images[1])
}

func TestReplaceImage(t *testing.T) {
Expand Down Expand Up @@ -486,14 +488,25 @@ func TestVerifyImageChecksum(t *testing.T) {
tst.pullImage(tst.refs[0], tst.refs[0])
tst.verifyListImages("foobar")

refWithBadDigest := tst.images[0].Name + "@sha256:0000000000000000000000000000000000000000000000000000000000000000"
_, err := tst.store.PullImage(
context.Background(),
tst.images[0].Name+"@sha256:0000000000000000000000000000000000000000000000000000000000000000",
refWithBadDigest,
tst.translateImageName)
switch {
case err == nil:
tst.t.Errorf("PullImage() din't return any error for an image with mismatching digest")
case !strings.Contains(err.Error(), "image digest mismatch"):
t.Errorf("PullImage() is expected to return invalid checksum error but returned %q", err)
}

switch _, err := tst.store.ImageStatus(refWithBadDigest); {
case err == nil:
tst.t.Errorf("ImageStatus() din't return any error for an image with mismatching digest")
case !strings.Contains(err.Error(), "image digest mismatch"):
t.Errorf("ImageStatus() is expected to return invalid checksum error but returned %q", err)
}

// the bad digest should not match any images while listing
tst.verifyListImages(refWithBadDigest)
}

0 comments on commit f145b1a

Please sign in to comment.