// parseDockerReferences converts two reference strings into parsed entities, failing on any error
func parseDockerReferences(s1, s2 string) (reference.Named, reference.Named, error) {
	r1, err := reference.ParseNamed(s1)
	if err != nil {
		return nil, nil, err
	r2, err := reference.ParseNamed(s2)
	if err != nil {
		return nil, nil, err
	return r1, r2, nil
// newPRMExactRepository is NewPRMExactRepository, except it resturns the private type.
func newPRMExactRepository(dockerRepository string) (*prmExactRepository, error) {
	if _, err := reference.ParseNamed(dockerRepository); err != nil {
		return nil, InvalidPolicyFormatError(fmt.Sprintf("Invalid format of dockerRepository %s: %s", dockerRepository, err.Error()))
	return &prmExactRepository{
		prmCommon:        prmCommon{Type: prmTypeExactRepository},
		DockerRepository: dockerRepository,
	}, nil
// newPRMExactReference is NewPRMExactReference, except it resturns the private type.
func newPRMExactReference(dockerReference string) (*prmExactReference, error) {
	ref, err := reference.ParseNamed(dockerReference)
	if err != nil {
		return nil, InvalidPolicyFormatError(fmt.Sprintf("Invalid format of dockerReference %s: %s", dockerReference, err.Error()))
	if reference.IsNameOnly(ref) {
		return nil, InvalidPolicyFormatError(fmt.Sprintf("dockerReference %s contains neither a tag nor digest", dockerReference))
	return &prmExactReference{
		prmCommon:       prmCommon{Type: prmTypeExactReference},
		DockerReference: dockerReference,
	}, nil
func TestFullyExpandedDockerReference(t *testing.T) {
	sha256Digest := "@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	// Test both that fullyExpandedDockerReference returns the expected value (fullName+suffix),
	// and that .FullName returns the expected value (fullName), i.e. that the two functions are
	// consistent.
	for inputName, fullName := range map[string]string{
		"example.com/ns/repo": "example.com/ns/repo",
		"example.com/repo":    "example.com/repo",
		"localhost/ns/repo":   "localhost/ns/repo",
		// Note that "localhost" is special here: notlocalhost/repo is be parsed as docker.io/notlocalhost.repo:
		"localhost/repo":         "localhost/repo",
		"notlocalhost/repo":      "docker.io/notlocalhost/repo",
		"docker.io/ns/repo":      "docker.io/ns/repo",
		"docker.io/library/repo": "docker.io/library/repo",
		"docker.io/repo":         "docker.io/library/repo",
		"ns/repo":                "docker.io/ns/repo",
		"library/repo":           "docker.io/library/repo",
		"repo":                   "docker.io/library/repo",
	} {
		for inputSuffix, mappedSuffix := range map[string]string{
			":tag":       ":tag",
			sha256Digest: sha256Digest,
			"":           "",
			// A github.com/distribution/reference value can have a tag and a digest at the same time!
			// github.com/skopeo/reference handles that by dropping the tag. That is not obviously the
			// right thing to do, but it is at least reasonable, so test that we keep behaving reasonably.
			// This test case should not be construed to make this an API promise.
			":tag" + sha256Digest: sha256Digest,
		} {
			fullInput := inputName + inputSuffix
			ref, err := reference.ParseNamed(fullInput)
			require.NoError(t, err)
			assert.Equal(t, fullName, ref.FullName(), fullInput)
			expanded, err := fullyExpandedDockerReference(ref)
			require.NoError(t, err)
			assert.Equal(t, fullName+mappedSuffix, expanded, fullInput)