vendor/github.com/docker/distribution/registry/storage/ocimanifesthandler.go - cloudstack-kubernetes-provider - Git at Google

 package storage

 import (
 	"context"
 	"fmt"
 	"net/url"

 	"github.com/docker/distribution"
 	dcontext "github.com/docker/distribution/context"
 	"github.com/docker/distribution/manifest/ocischema"
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go/v1"
 )

 //ocischemaManifestHandler is a ManifestHandler that covers ocischema manifests.
 type ocischemaManifestHandler struct {
 	repository   distribution.Repository
 	blobStore    distribution.BlobStore
 	ctx          context.Context
 	manifestURLs manifestURLs
 }

 var _ ManifestHandler = &ocischemaManifestHandler{}

 func (ms *ocischemaManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
 	dcontext.GetLogger(ms.ctx).Debug("(*ocischemaManifestHandler).Unmarshal")

 	m := &ocischema.DeserializedManifest{}
 	if err := m.UnmarshalJSON(content); err != nil {
 		return nil, err
 	}

 	return m, nil
 }

 func (ms *ocischemaManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {
 	dcontext.GetLogger(ms.ctx).Debug("(*ocischemaManifestHandler).Put")

 	m, ok := manifest.(*ocischema.DeserializedManifest)
 	if !ok {
 		return "", fmt.Errorf("non-ocischema manifest put to ocischemaManifestHandler: %T", manifest)
 	}

 	if err := ms.verifyManifest(ms.ctx, *m, skipDependencyVerification); err != nil {
 		return "", err
 	}

 	mt, payload, err := m.Payload()
 	if err != nil {
 		return "", err
 	}

 	revision, err := ms.blobStore.Put(ctx, mt, payload)
 	if err != nil {
 		dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)
 		return "", err
 	}

 	return revision.Digest, nil
 }

 // verifyManifest ensures that the manifest content is valid from the
 // perspective of the registry. As a policy, the registry only tries to store
 // valid content, leaving trust policies of that content up to consumers.
 func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst ocischema.DeserializedManifest, skipDependencyVerification bool) error {
 	var errs distribution.ErrManifestVerification

 	if mnfst.Manifest.SchemaVersion != 2 {
 		return fmt.Errorf("unrecognized manifest schema version %d", mnfst.Manifest.SchemaVersion)
 	}

 	if skipDependencyVerification {
 		return nil
 	}

 	manifestService, err := ms.repository.Manifests(ctx)
 	if err != nil {
 		return err
 	}

 	blobsService := ms.repository.Blobs(ctx)

 	for _, descriptor := range mnfst.References() {
 		var err error

 		switch descriptor.MediaType {
 		case v1.MediaTypeImageLayer, v1.MediaTypeImageLayerGzip, v1.MediaTypeImageLayerNonDistributable, v1.MediaTypeImageLayerNonDistributableGzip:
 			allow := ms.manifestURLs.allow
 			deny := ms.manifestURLs.deny
 			for _, u := range descriptor.URLs {
 				var pu *url.URL
 				pu, err = url.Parse(u)
 				if err != nil || (pu.Scheme != "http" && pu.Scheme != "https") || pu.Fragment != "" || (allow != nil && !allow.MatchString(u)) || (deny != nil && deny.MatchString(u)) {
 					err = errInvalidURL
 					break
 				}
 			}
 			if err == nil && len(descriptor.URLs) == 0 {
 				// If no URLs, require that the blob exists
 				_, err = blobsService.Stat(ctx, descriptor.Digest)
 			}

 		case v1.MediaTypeImageManifest:
 			var exists bool
 			exists, err = manifestService.Exists(ctx, descriptor.Digest)
 			if err != nil || !exists {
 				err = distribution.ErrBlobUnknown // just coerce to unknown.
 			}

 			fallthrough // double check the blob store.
 		default:
 			// forward all else to blob storage
 			if len(descriptor.URLs) == 0 {
 				_, err = blobsService.Stat(ctx, descriptor.Digest)
 			}
 		}

 		if err != nil {
 			if err != distribution.ErrBlobUnknown {
 				errs = append(errs, err)
 			}

 			// On error here, we always append unknown blob errors.
 			errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: descriptor.Digest})
 		}
 	}

 	if len(errs) != 0 {
 		return errs
 	}

 	return nil
 }
	package storage

	import (
	"context"
	"fmt"
	"net/url"

	"github.com/docker/distribution"
	dcontext "github.com/docker/distribution/context"
	"github.com/docker/distribution/manifest/ocischema"
	"github.com/opencontainers/go-digest"
	"github.com/opencontainers/image-spec/specs-go/v1"
	)

	//ocischemaManifestHandler is a ManifestHandler that covers ocischema manifests.
	type ocischemaManifestHandler struct {
	repository distribution.Repository
	blobStore distribution.BlobStore
	ctx context.Context
	manifestURLs manifestURLs
	}

	var _ ManifestHandler = &ocischemaManifestHandler{}

	func (ms *ocischemaManifestHandler) Unmarshal(ctx context.Context, dgst digest.Digest, content []byte) (distribution.Manifest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*ocischemaManifestHandler).Unmarshal")

	m := &ocischema.DeserializedManifest{}
	if err := m.UnmarshalJSON(content); err != nil {
	return nil, err
	}

	return m, nil
	}

	func (ms *ocischemaManifestHandler) Put(ctx context.Context, manifest distribution.Manifest, skipDependencyVerification bool) (digest.Digest, error) {
	dcontext.GetLogger(ms.ctx).Debug("(*ocischemaManifestHandler).Put")

	m, ok := manifest.(*ocischema.DeserializedManifest)
	if !ok {
	return "", fmt.Errorf("non-ocischema manifest put to ocischemaManifestHandler: %T", manifest)
	}

	if err := ms.verifyManifest(ms.ctx, *m, skipDependencyVerification); err != nil {
	return "", err
	}

	mt, payload, err := m.Payload()
	if err != nil {
	return "", err
	}

	revision, err := ms.blobStore.Put(ctx, mt, payload)
	if err != nil {
	dcontext.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)
	return "", err
	}

	return revision.Digest, nil
	}

	// verifyManifest ensures that the manifest content is valid from the
	// perspective of the registry. As a policy, the registry only tries to store
	// valid content, leaving trust policies of that content up to consumers.
	func (ms *ocischemaManifestHandler) verifyManifest(ctx context.Context, mnfst ocischema.DeserializedManifest, skipDependencyVerification bool) error {
	var errs distribution.ErrManifestVerification

	if mnfst.Manifest.SchemaVersion != 2 {
	return fmt.Errorf("unrecognized manifest schema version %d", mnfst.Manifest.SchemaVersion)
	}

	if skipDependencyVerification {
	return nil
	}

	manifestService, err := ms.repository.Manifests(ctx)
	if err != nil {
	return err
	}

	blobsService := ms.repository.Blobs(ctx)

	for _, descriptor := range mnfst.References() {
	var err error

	switch descriptor.MediaType {
	case v1.MediaTypeImageLayer, v1.MediaTypeImageLayerGzip, v1.MediaTypeImageLayerNonDistributable, v1.MediaTypeImageLayerNonDistributableGzip:
	allow := ms.manifestURLs.allow
	deny := ms.manifestURLs.deny
	for _, u := range descriptor.URLs {
	var pu *url.URL
	pu, err = url.Parse(u)
	if err != nil \|\| (pu.Scheme != "http" && pu.Scheme != "https") \|\| pu.Fragment != "" \|\| (allow != nil && !allow.MatchString(u)) \|\| (deny != nil && deny.MatchString(u)) {
	err = errInvalidURL
	break
	}
	}
	if err == nil && len(descriptor.URLs) == 0 {
	// If no URLs, require that the blob exists
	_, err = blobsService.Stat(ctx, descriptor.Digest)
	}

	case v1.MediaTypeImageManifest:
	var exists bool
	exists, err = manifestService.Exists(ctx, descriptor.Digest)
	if err != nil \|\| !exists {
	err = distribution.ErrBlobUnknown // just coerce to unknown.
	}

	fallthrough // double check the blob store.
	default:
	// forward all else to blob storage
	if len(descriptor.URLs) == 0 {
	_, err = blobsService.Stat(ctx, descriptor.Digest)
	}
	}

	if err != nil {
	if err != distribution.ErrBlobUnknown {
	errs = append(errs, err)
	}

	// On error here, we always append unknown blob errors.
	errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: descriptor.Digest})
	}
	}

	if len(errs) != 0 {
	return errs
	}

	return nil
	}