Merge pull request #2255 from lcarva/EC-1038

Allow unpinned refs in descriptor/image_manifest
enterprise-contract · Jan 13, 2025 · 07a1fc2 · 07a1fc2
2 parents 7f35564 + a398353
commit 07a1fc2
Show file tree

Hide file tree

Showing 3 changed files with 416 additions and 26 deletions.
diff --git a/internal/rego/oci/__snapshots__/oci_test.snap b/internal/rego/oci/__snapshots__/oci_test.snap
@@ -1220,3 +1220,286 @@
  ]
 }
 ---
+
+[TestOCIImageManifest/missing_digest - 1]
+{
+ "type": "object",
+ "value": [
+  [
+   {
+    "type": "string",
+    "value": "annotations"
+   },
+   {
+    "type": "object",
+    "value": []
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "config"
+   },
+   {
+    "type": "object",
+    "value": [
+     [
+      {
+       "type": "string",
+       "value": "annotations"
+      },
+      {
+       "type": "object",
+       "value": []
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "artifactType"
+      },
+      {
+       "type": "string",
+       "value": ""
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "data"
+      },
+      {
+       "type": "string",
+       "value": ""
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "digest"
+      },
+      {
+       "type": "string",
+       "value": "sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "mediaType"
+      },
+      {
+       "type": "string",
+       "value": "application/vnd.oci.image.config.v1+json"
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "size"
+      },
+      {
+       "type": "number",
+       "value": 123
+      }
+     ],
+     [
+      {
+       "type": "string",
+       "value": "urls"
+      },
+      {
+       "type": "array",
+       "value": []
+      }
+     ]
+    ]
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "layers"
+   },
+   {
+    "type": "array",
+    "value": [
+     {
+      "type": "object",
+      "value": [
+       [
+        {
+         "type": "string",
+         "value": "annotations"
+        },
+        {
+         "type": "object",
+         "value": []
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "artifactType"
+        },
+        {
+         "type": "string",
+         "value": ""
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "data"
+        },
+        {
+         "type": "string",
+         "value": ""
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "digest"
+        },
+        {
+         "type": "string",
+         "value": "sha256:325392e8dd2826a53a9a35b7a7f8d71683cd27ebc2c73fee85dab673bc909b67"
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "mediaType"
+        },
+        {
+         "type": "string",
+         "value": "application/vnd.oci.image.layer.v1.tar+gzip"
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "size"
+        },
+        {
+         "type": "number",
+         "value": 9999
+        }
+       ],
+       [
+        {
+         "type": "string",
+         "value": "urls"
+        },
+        {
+         "type": "array",
+         "value": []
+        }
+       ]
+      ]
+     }
+    ]
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "mediaType"
+   },
+   {
+    "type": "string",
+    "value": "application/vnd.oci.image.manifest.v1+json"
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "schemaVersion"
+   },
+   {
+    "type": "number",
+    "value": 2
+   }
+  ]
+ ]
+}
+---
+
+[TestOCIDescriptorManifest/missing_digest - 1]
+{
+ "type": "object",
+ "value": [
+  [
+   {
+    "type": "string",
+    "value": "annotations"
+   },
+   {
+    "type": "object",
+    "value": []
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "artifactType"
+   },
+   {
+    "type": "string",
+    "value": ""
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "data"
+   },
+   {
+    "type": "string",
+    "value": ""
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "digest"
+   },
+   {
+    "type": "string",
+    "value": "sha256:4e388ab32b10dc8dbc7e28144f552830adc74787c1e2c0824032078a79f227fb"
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "mediaType"
+   },
+   {
+    "type": "string",
+    "value": "application/vnd.oci.image.manifest.v1+json"
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "size"
+   },
+   {
+    "type": "number",
+    "value": 123
+   }
+  ],
+  [
+   {
+    "type": "string",
+    "value": "urls"
+   },
+   {
+    "type": "array",
+    "value": []
+   }
+  ]
+ ]
+}
+---
diff --git a/internal/rego/oci/oci.go b/internal/rego/oci/oci.go
@@ -26,6 +26,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -36,6 +37,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/enterprise-contract/ec-cli/internal/fetchers/oci/files"
+	"github.com/enterprise-contract/ec-cli/internal/image"
 	"github.com/enterprise-contract/ec-cli/internal/utils/oci"
 )
 
@@ -288,18 +290,28 @@ func ociBlob(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
 
 func ociDescriptor(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
 	log := log.WithField("rego", ociDescriptor)
-	uri, ok := a.Value.(ast.String)
+
+	uriValue, ok := a.Value.(ast.String)
 	if !ok {
 		return nil, nil
 	}
 
-	ref, err := name.NewDigest(string(uri))
+	client := oci.NewClient(bctx.Context)
+
+	uri, err := resolveIfNeeded(client, string(uriValue))
+	if err != nil {
+		log.Error(err)
+		return nil, nil
+	}
+	log = log.WithField("ref", uri)
+
+	ref, err := name.NewDigest(uri)
 	if err != nil {
 		log.Errorf("new digest: %s", err)
 		return nil, nil
 	}
 
-	descriptor, err := oci.NewClient(bctx.Context).Head(ref)
+	descriptor, err := client.Head(ref)
 	if err != nil {
 		log.Errorf("fetch image: %s", err)
 		return nil, nil
@@ -310,18 +322,27 @@ func ociDescriptor(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
 
 func ociImageManifest(bctx rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
 	log := log.WithField("rego", ociImageManifestName)
-	uri, ok := a.Value.(ast.String)
+	uriValue, ok := a.Value.(ast.String)
 	if !ok {
 		return nil, nil
 	}
 
-	ref, err := name.NewDigest(string(uri))
+	client := oci.NewClient(bctx.Context)
+
+	uri, err := resolveIfNeeded(client, string(uriValue))
+	if err != nil {
+		log.Error(err)
+		return nil, nil
+	}
+	log = log.WithField("ref", uri)
+
+	ref, err := name.NewDigest(uri)
 	if err != nil {
 		log.Errorf("new digest: %s", err)
 		return nil, nil
 	}
 
-	image, err := oci.NewClient(bctx.Context).Image(ref)
+	image, err := client.Image(ref)
 	if err != nil {
 		log.Errorf("fetch image: %s", err)
 		return nil, nil
@@ -459,6 +480,25 @@ func newAnnotationsTerm(annotations map[string]string) *ast.Term {
 	return ast.ObjectTerm(annotationTerms...)
 }
 
+func resolveIfNeeded(client oci.Client, uri string) (string, error) {
+	if !strings.Contains(uri, "@") {
+		original := uri
+		ref, err := image.NewImageReference(uri)
+		if err != nil {
+			return "", fmt.Errorf("unable to parse reference: %w", err)
+		}
+
+		digest, err := client.ResolveDigest(ref.Ref())
+		if err != nil {
+			return "", fmt.Errorf("unable to resolve digest: %w", err)
+		}
+		uri = fmt.Sprintf("%s@%s", uri, digest)
+
+		log.Debugf("resolved image reference %q to %q", original, uri)
+	}
+	return uri, nil
+}
+
 func init() {
 	registerOCIBlob()
 	registerOCIDescriptor()