func (r *REST) Delete(ctx kapi.Context, name string) (runtime.Object, error) { imageName, _, err := imageapi.SplitImageSignatureName(name) if err != nil { return nil, kapierrors.NewBadRequest("ImageSignatures must be accessed with <imageName>@<signatureName>") } image, err := r.imageClient.Get(imageName) if err != nil { return nil, err } index := imageapi.IndexOfImageSignatureByName(image.Signatures, name) if index < 0 { return nil, kapierrors.NewNotFound(imageapi.Resource("imageSignatures"), name) } size := len(image.Signatures) copy(image.Signatures[index:size-1], image.Signatures[index+1:size]) image.Signatures = image.Signatures[0 : size-1] if _, err := r.imageClient.Update(image); err != nil { return nil, err } return &unversioned.Status{Status: unversioned.StatusSuccess}, nil }
func validateImageSignature(signature *api.ImageSignature, fldPath *field.Path) field.ErrorList { allErrs := validation.ValidateObjectMeta(&signature.ObjectMeta, false, oapi.MinimalNameRequirements, fldPath.Child("metadata")) if len(signature.Labels) > 0 { allErrs = append(allErrs, field.Forbidden(fldPath.Child("metadata").Child("labels"), "signature labels cannot be set")) } if len(signature.Annotations) > 0 { allErrs = append(allErrs, field.Forbidden(fldPath.Child("metadata").Child("annotations"), "signature annotations cannot be set")) } if _, _, err := api.SplitImageSignatureName(signature.Name); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("metadata").Child("name"), signature.Name, "name must be of format <imageName>@<signatureName>")) } if len(signature.Type) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("type"), "")) } if len(signature.Content) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("content"), "")) } var trustedCondition, forImageCondition *api.SignatureCondition for i := range signature.Conditions { cond := &signature.Conditions[i] if cond.Type == api.SignatureTrusted && (trustedCondition == nil || !cond.LastProbeTime.Before(trustedCondition.LastProbeTime)) { trustedCondition = cond } else if cond.Type == api.SignatureForImage && forImageCondition == nil || !cond.LastProbeTime.Before(forImageCondition.LastProbeTime) { forImageCondition = cond } } if trustedCondition != nil && forImageCondition == nil { msg := fmt.Sprintf("missing %q condition type", api.SignatureForImage) allErrs = append(allErrs, field.Invalid(fldPath.Child("conditions"), signature.Conditions, msg)) } else if forImageCondition != nil && trustedCondition == nil { msg := fmt.Sprintf("missing %q condition type", api.SignatureTrusted) allErrs = append(allErrs, field.Invalid(fldPath.Child("conditions"), signature.Conditions, msg)) } if trustedCondition == nil || trustedCondition.Status == kapi.ConditionUnknown { if len(signature.ImageIdentity) != 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("imageIdentity"), signature.ImageIdentity, "must be unset for unknown signature state")) } if len(signature.SignedClaims) != 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("signedClaims"), signature.SignedClaims, "must be unset for unknown signature state")) } if signature.IssuedBy != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("issuedBy"), signature.IssuedBy, "must be unset for unknown signature state")) } if signature.IssuedTo != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("issuedTo"), signature.IssuedTo, "must be unset for unknown signature state")) } } return allErrs }
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) { signature := obj.(*imageapi.ImageSignature) if err := rest.BeforeCreate(Strategy, ctx, obj); err != nil { return nil, err } imageName, _, err := imageapi.SplitImageSignatureName(signature.Name) if err != nil { return nil, kapierrors.NewBadRequest(err.Error()) } image, err := r.imageClient.Get(imageName) if err != nil { return nil, err } // ensure that given signature already doesn't exist - either by its name or type:content if byName, byContent := imageapi.IndexOfImageSignatureByName(image.Signatures, signature.Name), imageapi.IndexOfImageSignature(image.Signatures, signature.Type, signature.Content); byName >= 0 || byContent >= 0 { return nil, kapierrors.NewAlreadyExists(imageapi.Resource("imageSignatures"), signature.Name) } image.Signatures = append(image.Signatures, *signature) image, err = r.imageClient.Update(image) if err != nil { return nil, err } byName := imageapi.IndexOfImageSignatureByName(image.Signatures, signature.Name) if byName < 0 { return nil, kapierrors.NewInternalError(errors.New("failed to store given signature")) } return &image.Signatures[byName], nil }