2023-05-31 20:26:23 +03:00
|
|
|
//go:build sync
|
|
|
|
// +build sync
|
|
|
|
|
|
|
|
package references
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
2023-09-05 19:48:56 +03:00
|
|
|
"context"
|
2023-05-31 20:26:23 +03:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
|
2023-06-16 20:27:33 +03:00
|
|
|
godigest "github.com/opencontainers/go-digest"
|
2023-05-31 20:26:23 +03:00
|
|
|
ispec "github.com/opencontainers/image-spec/specs-go/v1"
|
|
|
|
artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
|
|
|
|
"github.com/sigstore/cosign/v2/pkg/oci/static"
|
|
|
|
|
|
|
|
"zotregistry.io/zot/pkg/common"
|
|
|
|
client "zotregistry.io/zot/pkg/extensions/sync/httpclient"
|
|
|
|
"zotregistry.io/zot/pkg/log"
|
2023-07-18 20:27:26 +03:00
|
|
|
mTypes "zotregistry.io/zot/pkg/meta/types"
|
2023-05-31 20:26:23 +03:00
|
|
|
"zotregistry.io/zot/pkg/storage"
|
|
|
|
storageTypes "zotregistry.io/zot/pkg/storage/types"
|
|
|
|
)
|
|
|
|
|
|
|
|
type Reference interface {
|
2023-06-16 20:27:33 +03:00
|
|
|
// Returns name of reference (OCIReference/CosignReference/OrasReference)
|
2023-05-31 20:26:23 +03:00
|
|
|
Name() string
|
2023-06-16 20:27:33 +03:00
|
|
|
// Returns whether or not image is signed
|
2023-09-05 19:48:56 +03:00
|
|
|
IsSigned(ctx context.Context, upstreamRepo, subjectDigestStr string) bool
|
2023-06-16 20:27:33 +03:00
|
|
|
// Sync recursively all references for a subject digest (can be image/artifacts/signatures)
|
2023-09-05 19:48:56 +03:00
|
|
|
SyncReferences(ctx context.Context, localRepo, upstreamRepo, subjectDigestStr string) ([]godigest.Digest, error)
|
2023-05-31 20:26:23 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
type References struct {
|
2023-06-16 20:27:33 +03:00
|
|
|
referenceList []Reference
|
|
|
|
log log.Logger
|
2023-05-31 20:26:23 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewReferences(httpClient *client.Client, storeController storage.StoreController,
|
2023-07-18 20:27:26 +03:00
|
|
|
metaDB mTypes.MetaDB, log log.Logger,
|
2023-05-31 20:26:23 +03:00
|
|
|
) References {
|
|
|
|
refs := References{log: log}
|
|
|
|
|
2023-07-18 20:27:26 +03:00
|
|
|
refs.referenceList = append(refs.referenceList, NewCosignReference(httpClient, storeController, metaDB, log))
|
2023-10-13 04:45:20 +03:00
|
|
|
refs.referenceList = append(refs.referenceList, NewTagReferences(httpClient, storeController, metaDB, log))
|
2023-07-18 20:27:26 +03:00
|
|
|
refs.referenceList = append(refs.referenceList, NewOciReferences(httpClient, storeController, metaDB, log))
|
|
|
|
refs.referenceList = append(refs.referenceList, NewORASReferences(httpClient, storeController, metaDB, log))
|
2023-05-31 20:26:23 +03:00
|
|
|
|
|
|
|
return refs
|
|
|
|
}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
func (refs References) IsSigned(ctx context.Context, upstreamRepo, subjectDigestStr string) bool {
|
2023-06-16 20:27:33 +03:00
|
|
|
for _, ref := range refs.referenceList {
|
2023-09-05 19:48:56 +03:00
|
|
|
ok := ref.IsSigned(ctx, upstreamRepo, subjectDigestStr)
|
2023-05-31 20:26:23 +03:00
|
|
|
if ok {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
func (refs References) SyncAll(ctx context.Context, localRepo, upstreamRepo, subjectDigestStr string) error {
|
2023-06-16 20:27:33 +03:00
|
|
|
seen := &[]godigest.Digest{}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
return refs.syncAll(ctx, localRepo, upstreamRepo, subjectDigestStr, seen)
|
2023-06-16 20:27:33 +03:00
|
|
|
}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
func (refs References) syncAll(ctx context.Context, localRepo, upstreamRepo,
|
|
|
|
subjectDigestStr string, seen *[]godigest.Digest,
|
|
|
|
) error {
|
2023-05-31 20:26:23 +03:00
|
|
|
var err error
|
|
|
|
|
2023-06-16 20:27:33 +03:00
|
|
|
var syncedRefsDigests []godigest.Digest
|
|
|
|
|
|
|
|
// mark subject digest as seen as soon as it comes in
|
|
|
|
*seen = append(*seen, godigest.Digest(subjectDigestStr))
|
|
|
|
|
|
|
|
// for each reference type(cosign/oci/oras reference)
|
|
|
|
for _, ref := range refs.referenceList {
|
2023-09-05 19:48:56 +03:00
|
|
|
syncedRefsDigests, err = ref.SyncReferences(ctx, localRepo, upstreamRepo, subjectDigestStr)
|
2023-05-31 20:26:23 +03:00
|
|
|
if err != nil {
|
2023-09-13 20:00:51 +03:00
|
|
|
refs.log.Error().Err(err).
|
2023-05-31 20:26:23 +03:00
|
|
|
Str("reference type", ref.Name()).
|
|
|
|
Str("image", fmt.Sprintf("%s:%s", upstreamRepo, subjectDigestStr)).
|
|
|
|
Msg("couldn't sync image referrer")
|
|
|
|
}
|
2023-06-16 20:27:33 +03:00
|
|
|
|
|
|
|
// for each synced references
|
|
|
|
for _, refDigest := range syncedRefsDigests {
|
|
|
|
if !common.Contains(*seen, refDigest) {
|
|
|
|
// sync all references pointing to this one
|
2023-09-05 19:48:56 +03:00
|
|
|
err = refs.syncAll(ctx, localRepo, upstreamRepo, refDigest.String(), seen)
|
2023-06-16 20:27:33 +03:00
|
|
|
}
|
|
|
|
}
|
2023-05-31 20:26:23 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
func (refs References) SyncReference(ctx context.Context, localRepo, upstreamRepo,
|
|
|
|
subjectDigestStr, referenceType string,
|
|
|
|
) error {
|
2023-06-16 20:27:33 +03:00
|
|
|
var err error
|
|
|
|
|
|
|
|
var syncedRefsDigests []godigest.Digest
|
|
|
|
|
|
|
|
for _, ref := range refs.referenceList {
|
2023-05-31 20:26:23 +03:00
|
|
|
if ref.Name() == referenceType {
|
2023-09-05 19:48:56 +03:00
|
|
|
syncedRefsDigests, err = ref.SyncReferences(ctx, localRepo, upstreamRepo, subjectDigestStr)
|
2023-06-16 20:27:33 +03:00
|
|
|
if err != nil {
|
2023-05-31 20:26:23 +03:00
|
|
|
refs.log.Error().Err(err).
|
|
|
|
Str("reference type", ref.Name()).
|
|
|
|
Str("image", fmt.Sprintf("%s:%s", upstreamRepo, subjectDigestStr)).
|
|
|
|
Msg("couldn't sync image referrer")
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
2023-06-16 20:27:33 +03:00
|
|
|
|
|
|
|
for _, refDigest := range syncedRefsDigests {
|
2023-09-05 19:48:56 +03:00
|
|
|
err = refs.SyncAll(ctx, localRepo, upstreamRepo, refDigest.String())
|
2023-06-16 20:27:33 +03:00
|
|
|
}
|
2023-05-31 20:26:23 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-06-16 20:27:33 +03:00
|
|
|
return err
|
2023-05-31 20:26:23 +03:00
|
|
|
}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
func syncBlob(ctx context.Context, client *client.Client, imageStore storageTypes.ImageStore,
|
|
|
|
localRepo, remoteRepo string, digest godigest.Digest, log log.Logger,
|
2023-05-31 20:26:23 +03:00
|
|
|
) error {
|
|
|
|
var resultPtr interface{}
|
|
|
|
|
2023-09-05 19:48:56 +03:00
|
|
|
body, _, statusCode, err := client.MakeGetRequest(ctx, resultPtr, "", "v2", remoteRepo, "blobs", digest.String())
|
2023-05-31 20:26:23 +03:00
|
|
|
if err != nil {
|
|
|
|
if statusCode != http.StatusOK {
|
|
|
|
log.Info().Str("repo", remoteRepo).Str("digest", digest.String()).Msg("couldn't get remote blob")
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
_, _, err = imageStore.FullBlobUpload(localRepo, bytes.NewBuffer(body), digest)
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Str("errorType", common.TypeOf(err)).Str("digest", digest.String()).Str("repo", localRepo).
|
|
|
|
Err(err).Msg("couldn't upload blob")
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func manifestsEqual(manifest1, manifest2 ispec.Manifest) bool {
|
|
|
|
if manifest1.Config.Digest == manifest2.Config.Digest &&
|
|
|
|
manifest1.Config.MediaType == manifest2.Config.MediaType &&
|
|
|
|
manifest1.Config.Size == manifest2.Config.Size {
|
|
|
|
if descriptorsEqual(manifest1.Layers, manifest2.Layers) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func artifactDescriptorsEqual(desc1, desc2 []artifactspec.Descriptor) bool {
|
|
|
|
if len(desc1) != len(desc2) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
for id, desc := range desc1 {
|
|
|
|
if desc.Digest != desc2[id].Digest ||
|
|
|
|
desc.Size != desc2[id].Size ||
|
|
|
|
desc.MediaType != desc2[id].MediaType ||
|
|
|
|
desc.ArtifactType != desc2[id].ArtifactType {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func descriptorsEqual(desc1, desc2 []ispec.Descriptor) bool {
|
|
|
|
if len(desc1) != len(desc2) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
for id, desc := range desc1 {
|
|
|
|
if !descriptorEqual(desc, desc2[id]) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func descriptorEqual(desc1, desc2 ispec.Descriptor) bool {
|
|
|
|
if desc1.Size == desc2.Size &&
|
|
|
|
desc1.Digest == desc2.Digest &&
|
|
|
|
desc1.MediaType == desc2.MediaType &&
|
|
|
|
desc1.Annotations[static.SignatureAnnotationKey] == desc2.Annotations[static.SignatureAnnotationKey] {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func getNotationManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor {
|
|
|
|
notaryManifests := []ispec.Descriptor{}
|
|
|
|
|
|
|
|
for _, ref := range ociRefs.Manifests {
|
2023-09-06 19:58:00 +03:00
|
|
|
if ref.ArtifactType == common.ArtifactTypeNotation {
|
2023-05-31 20:26:23 +03:00
|
|
|
notaryManifests = append(notaryManifests, ref)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return notaryManifests
|
|
|
|
}
|
2023-10-13 04:45:20 +03:00
|
|
|
|
2023-11-07 00:09:39 +02:00
|
|
|
func getCosignManifestsFromOCIRefs(ociRefs ispec.Index) []ispec.Descriptor {
|
|
|
|
cosignManifests := []ispec.Descriptor{}
|
2023-10-13 04:45:20 +03:00
|
|
|
|
2023-11-07 00:09:39 +02:00
|
|
|
for _, ref := range ociRefs.Manifests {
|
|
|
|
if ref.ArtifactType == common.ArtifactTypeCosign {
|
|
|
|
cosignManifests = append(cosignManifests, ref)
|
|
|
|
}
|
2023-10-13 04:45:20 +03:00
|
|
|
}
|
|
|
|
|
2023-11-07 00:09:39 +02:00
|
|
|
return cosignManifests
|
2023-10-13 04:45:20 +03:00
|
|
|
}
|