func schema1ToImage(manifest *schema1.SignedManifest, d digest.Digest) (*api.Image, error) {
if len(manifest.History) == 0 {
return nil, fmt.Errorf("image has no v1Compatibility history and cannot be used")
}
dockerImage, err := unmarshalDockerImage([]byte(manifest.History[0].V1Compatibility))
if err != nil {
return nil, err
}
mediatype, payload, err := manifest.Payload()
if err != nil {
return nil, err
}
if len(d) > 0 {
dockerImage.ID = d.String()
} else {
dockerImage.ID = digest.FromBytes(manifest.Canonical).String()
}
image := &api.Image{
ObjectMeta: kapi.ObjectMeta{
Name: dockerImage.ID,
},
DockerImageMetadata: *dockerImage,
DockerImageManifest: string(payload),
DockerImageManifestMediaType: mediatype,
DockerImageMetadataVersion: "1.0",
}
return image, nil
}
// put stores the manifest in the repository, if not already present. Any
// updated signatures will be stored, as well.
func (rs *revisionStore) put(ctx context.Context, sm *schema1.SignedManifest) (distribution.Descriptor, error) {
// Resolve the payload in the manifest.
payload, err := sm.Payload()
if err != nil {
return distribution.Descriptor{}, err
}
// Digest and store the manifest payload in the blob store.
revision, err := rs.blobStore.Put(ctx, schema1.ManifestMediaType, payload)
if err != nil {
context.GetLogger(ctx).Errorf("error putting payload into blobstore: %v", err)
return distribution.Descriptor{}, err
}
// Link the revision into the repository.
if err := rs.blobStore.linkBlob(ctx, revision); err != nil {
return distribution.Descriptor{}, err
}
// Grab each json signature and store them.
signatures, err := sm.Signatures()
if err != nil {
return distribution.Descriptor{}, err
}
if err := rs.repository.Signatures().Put(revision.Digest, signatures...); err != nil {
return distribution.Descriptor{}, err
}
return revision, nil
}
func digestFromManifest(m *schema1.SignedManifest) (digest.Digest, error) {
payload, err := m.Payload()
if err != nil {
return "", err
}
manifestDigest, err := digest.FromBytes(payload)
return manifestDigest, nil
}
func digestFromManifest(m *schema1.SignedManifest, localName string) (digest.Digest, int, error) {
payload, err := m.Payload()
if err != nil {
// If this failed, the signatures section was corrupted
// or missing. Treat the entire manifest as the payload.
payload = m.Raw
}
manifestDigest, err := digest.FromBytes(payload)
if err != nil {
logrus.Infof("Could not compute manifest digest for %s:%s : %v", localName, m.Tag, err)
}
return manifestDigest, len(payload), nil
}
func manifestDigest(sm *schema1.SignedManifest) (digest.Digest, error) {
payload, err := sm.Payload()
if err != nil {
return "", err
}
dgst, err := digest.FromBytes(payload)
if err != nil {
return "", err
}
return dgst, nil
}
func verifyManifest(signedManifest *schema1.SignedManifest, tag string) (m *schema1.Manifest, err error) {
// If pull by digest, then verify the manifest digest. NOTE: It is
// important to do this first, before any other content validation. If the
// digest cannot be verified, don't even bother with those other things.
if manifestDigest, err := digest.ParseDigest(tag); err == nil {
verifier, err := digest.NewDigestVerifier(manifestDigest)
if err != nil {
return nil, err
}
payload, err := signedManifest.Payload()
if err != nil {
// If this failed, the signatures section was corrupted
// or missing. Treat the entire manifest as the payload.
payload = signedManifest.Raw
}
if _, err := verifier.Write(payload); err != nil {
return nil, err
}
if !verifier.Verified() {
err := fmt.Errorf("image verification failed for digest %s", manifestDigest)
logrus.Error(err)
return nil, err
}
var verifiedManifest schema1.Manifest
if err = json.Unmarshal(payload, &verifiedManifest); err != nil {
return nil, err
}
m = &verifiedManifest
} else {
m = &signedManifest.Manifest
}
if m.SchemaVersion != 1 {
return nil, fmt.Errorf("unsupported schema version %d for tag %q", m.SchemaVersion, tag)
}
if len(m.FSLayers) != len(m.History) {
return nil, fmt.Errorf("length of history not equal to number of layers for tag %q", tag)
}
if len(m.FSLayers) == 0 {
return nil, fmt.Errorf("no FSLayers in manifest for tag %q", tag)
}
return m, nil
}
// ManifestMatchesImage returns true if the provided manifest matches the name of the image.
func ManifestMatchesImage(image *Image, newManifest []byte) (bool, error) {
dgst, err := digest.ParseDigest(image.Name)
if err != nil {
return false, err
}
v, err := digest.NewDigestVerifier(dgst)
if err != nil {
return false, err
}
sm := schema1.SignedManifest{Raw: newManifest}
raw, err := sm.Payload()
if err != nil {
return false, err
}
if _, err := v.Write(raw); err != nil {
return false, err
}
return v.Verified(), nil
}
// digestManifest takes a digest of the given manifest. This belongs somewhere
// better but we'll wait for a refactoring cycle to find that real somewhere.
func digestManifest(ctx context.Context, sm *schema1.SignedManifest) (digest.Digest, error) {
p, err := sm.Payload()
if err != nil {
if !strings.Contains(err.Error(), "missing signature key") {
ctxu.GetLogger(ctx).Errorf("error getting manifest payload: %v", err)
return "", err
}
// NOTE(stevvooe): There are no signatures but we still have a
// payload. The request will fail later but this is not the
// responsibility of this part of the code.
p = sm.Raw
}
dgst, err := digest.FromBytes(p)
if err != nil {
ctxu.GetLogger(ctx).Errorf("error digesting manifest: %v", err)
return "", err
}
return dgst, err
}
func schema1ToImage(manifest *schema1.SignedManifest, d digest.Digest) (*api.Image, error) {
if len(manifest.History) == 0 {
return nil, fmt.Errorf("image has no v1Compatibility history and cannot be used")
}
dockerImage, err := unmarshalDockerImage([]byte(manifest.History[0].V1Compatibility))
if err != nil {
return nil, err
}
if len(d) > 0 {
dockerImage.ID = d.String()
} else {
if p, err := manifest.Payload(); err == nil {
d, err := digest.FromBytes(p)
if err != nil {
return nil, fmt.Errorf("unable to create digest from image payload: %v", err)
}
dockerImage.ID = d.String()
} else {
d, err := digest.FromBytes(manifest.Raw)
if err != nil {
return nil, fmt.Errorf("unable to create digest from image bytes: %v", err)
}
dockerImage.ID = d.String()
}
}
image := &api.Image{
ObjectMeta: kapi.ObjectMeta{
Name: dockerImage.ID,
},
DockerImageMetadata: *dockerImage,
DockerImageManifest: string(manifest.Raw),
DockerImageMetadataVersion: "1.0",
}
return image, nil
}
func (b *bridge) createManifestEvent(action string, repo string, sm *schema1.SignedManifest) (*Event, error) {
event := b.createEvent(action)
event.Target.MediaType = schema1.ManifestMediaType
event.Target.Repository = repo
p, err := sm.Payload()
if err != nil {
return nil, err
}
event.Target.Length = int64(len(p))
event.Target.Size = int64(len(p))
event.Target.Digest, err = digest.FromBytes(p)
if err != nil {
return nil, err
}
event.Target.URL, err = b.ub.BuildManifestURL(sm.Name, event.Target.Digest.String())
if err != nil {
return nil, err
}
return event, nil
}
// Put creates or updates the named manifest.
func (r *repository) Put(manifest *schema1.SignedManifest) error {
// Resolve the payload in the manifest.
payload, err := manifest.Payload()
if err != nil {
return err
}
// Calculate digest
dgst, err := digest.FromBytes(payload)
if err != nil {
return err
}
// Upload to openshift
ism := imageapi.ImageStreamMapping{
ObjectMeta: kapi.ObjectMeta{
Namespace: r.namespace,
Name: r.name,
},
Tag: manifest.Tag,
Image: imageapi.Image{
ObjectMeta: kapi.ObjectMeta{
Name: dgst.String(),
Annotations: map[string]string{
imageapi.ManagedByOpenShiftAnnotation: "true",
},
},
DockerImageReference: fmt.Sprintf("%s/%s/%s@%s", r.registryAddr, r.namespace, r.name, dgst.String()),
DockerImageManifest: string(payload),
},
}
if err := r.registryClient.ImageStreamMappings(r.namespace).Create(&ism); err != nil {
// if the error was that the image stream wasn't found, try to auto provision it
statusErr, ok := err.(*kerrors.StatusError)
if !ok {
context.GetLogger(r.ctx).Errorf("Error creating ImageStreamMapping: %s", err)
return err
}
status := statusErr.ErrStatus
if status.Code != http.StatusNotFound || status.Details.Kind != "imageStream" || status.Details.Name != r.name {
context.GetLogger(r.ctx).Errorf("Error creating ImageStreamMapping: %s", err)
return err
}
stream := imageapi.ImageStream{
ObjectMeta: kapi.ObjectMeta{
Name: r.name,
},
}
client, ok := UserClientFrom(r.ctx)
if !ok {
context.GetLogger(r.ctx).Errorf("Error creating user client to auto provision image stream: Origin user client unavailable")
return statusErr
}
if _, err := client.ImageStreams(r.namespace).Create(&stream); err != nil {
context.GetLogger(r.ctx).Errorf("Error auto provisioning image stream: %s", err)
return statusErr
}
// try to create the ISM again
if err := r.registryClient.ImageStreamMappings(r.namespace).Create(&ism); err != nil {
context.GetLogger(r.ctx).Errorf("Error creating image stream mapping: %s", err)
return err
}
}
// Grab each json signature and store them.
signatures, err := manifest.Signatures()
if err != nil {
return err
}
for _, signature := range signatures {
if err := r.Signatures().Put(dgst, signature); err != nil {
context.GetLogger(r.ctx).Errorf("Error storing signature: %s", err)
return err
}
}
return nil
}