From 1b339f800054ce5c00ebd036d1fceee664e2d372 Mon Sep 17 00:00:00 2001 From: Andreea-Lupu Date: Thu, 26 Oct 2023 12:50:36 +0300 Subject: [PATCH] fix: duplicates entries for cosign signatures in metadb Signed-off-by: Andreea-Lupu --- pkg/extensions/sync/references/references.go | 1 + pkg/meta/boltdb/boltdb.go | 35 +++++++++++++++++--- pkg/meta/boltdb/boltdb_test.go | 20 +++++++---- pkg/meta/common/common.go | 7 ++++ pkg/meta/dynamodb/dynamodb.go | 35 +++++++++++++++++--- pkg/meta/hooks.go | 1 + pkg/meta/meta_test.go | 12 +++++++ pkg/meta/parse.go | 1 + pkg/meta/types/types.go | 1 + 9 files changed, 98 insertions(+), 15 deletions(-) diff --git a/pkg/extensions/sync/references/references.go b/pkg/extensions/sync/references/references.go index c41d49a972..d27623f9a9 100644 --- a/pkg/extensions/sync/references/references.go +++ b/pkg/extensions/sync/references/references.go @@ -244,6 +244,7 @@ func addSigToMeta( return metaDB.AddManifestSignature(repo, signedManifestDig, mTypes.SignatureMetadata{ SignatureType: sigType, SignatureDigest: referenceDigest.String(), + SignatureTag: tag, LayersInfo: layersInfo, }) } diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go index 9ab34f3243..d4b3f21104 100644 --- a/pkg/meta/boltdb/boltdb.go +++ b/pkg/meta/boltdb/boltdb.go @@ -952,10 +952,37 @@ func (bdw *BoltDB) AddManifestSignature(repo string, signedManifestDigest godige signatureSlice := manifestSignatures[sygMeta.SignatureType] if !common.SignatureAlreadyExists(signatureSlice, sygMeta) { - signatureSlice = append(signatureSlice, mTypes.SignatureInfo{ - SignatureManifestDigest: sygMeta.SignatureDigest, - LayersInfo: sygMeta.LayersInfo, - }) + if sygMeta.SignatureType == zcommon.NotationSignature { + signatureSlice = append(signatureSlice, mTypes.SignatureInfo{ + SignatureManifestDigest: sygMeta.SignatureDigest, + LayersInfo: sygMeta.LayersInfo, + }) + } else if sygMeta.SignatureType == zcommon.CosignSignature { + newCosignSig := mTypes.SignatureInfo{ + SignatureManifestDigest: sygMeta.SignatureDigest, + LayersInfo: sygMeta.LayersInfo, + } + + if common.IsCosignTag(sygMeta.SignatureTag) { + // the entry for "sha256-{digest}.sig" signatures should be overwritten if + // it exists or added on the first position if it doesn't exists + if len(signatureSlice) == 0 { + signatureSlice = []mTypes.SignatureInfo{newCosignSig} + } else { + signatureSlice[0] = newCosignSig + } + } else { + // the first position should be reserved for "sha256-{digest}.sig" signatures + if len(signatureSlice) == 0 { + signatureSlice = []mTypes.SignatureInfo{{ + SignatureManifestDigest: "undefined", + LayersInfo: []mTypes.LayerInfo{}, + }} + } + + signatureSlice = append(signatureSlice, newCosignSig) + } + } } manifestSignatures[sygMeta.SignatureType] = signatureSlice diff --git a/pkg/meta/boltdb/boltdb_test.go b/pkg/meta/boltdb/boltdb_test.go index da01350b2d..f433ba1504 100644 --- a/pkg/meta/boltdb/boltdb_test.go +++ b/pkg/meta/boltdb/boltdb_test.go @@ -5,6 +5,7 @@ import ( "crypto/rand" "encoding/base64" "encoding/json" + "fmt" "math" "testing" "time" @@ -506,28 +507,33 @@ func TestWrapperErrors(t *testing.T) { }) So(err, ShouldBeNil) - err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"), + signedManifestDigest := digest.FromString("dig") + signatureTag := fmt.Sprintf("sha256-%s.sig", signedManifestDigest.Encoded()) + + err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest, mTypes.SignatureMetadata{ SignatureType: "cosign", + SignatureTag: signatureTag, SignatureDigest: "digest1", }) So(err, ShouldBeNil) - err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"), + err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest, mTypes.SignatureMetadata{ SignatureType: "cosign", + SignatureTag: signatureTag, SignatureDigest: "digest2", }) So(err, ShouldBeNil) repoData, err := boltdbWrapper.GetRepoMeta("repo1") So(err, ShouldBeNil) - So(len(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature]), - ShouldEqual, 2) - So(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature][0].SignatureManifestDigest, - ShouldEqual, "digest1") + So(len(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature]), + ShouldEqual, 1) + So(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature][0].SignatureManifestDigest, + ShouldEqual, "digest2") - err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"), + err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest, mTypes.SignatureMetadata{ SignatureType: "notation", SignatureDigest: "digest2", diff --git a/pkg/meta/common/common.go b/pkg/meta/common/common.go index f97dfa010f..8a4238fdf2 100644 --- a/pkg/meta/common/common.go +++ b/pkg/meta/common/common.go @@ -3,6 +3,7 @@ package common import ( "encoding/json" "fmt" + "regexp" "strings" "time" @@ -344,3 +345,9 @@ func InitializeImageConfig(blob []byte) ispec.Image { return configContent } + +func IsCosignTag(tag string) bool { + cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`) + + return cosignTagRule.MatchString(tag) +} diff --git a/pkg/meta/dynamodb/dynamodb.go b/pkg/meta/dynamodb/dynamodb.go index 4bf76b2d81..37409653fa 100644 --- a/pkg/meta/dynamodb/dynamodb.go +++ b/pkg/meta/dynamodb/dynamodb.go @@ -818,10 +818,37 @@ func (dwr *DynamoDB) AddManifestSignature(repo string, signedManifestDigest godi signatureSlice := manifestSignatures[sygMeta.SignatureType] if !common.SignatureAlreadyExists(signatureSlice, sygMeta) { - signatureSlice = append(signatureSlice, mTypes.SignatureInfo{ - SignatureManifestDigest: sygMeta.SignatureDigest, - LayersInfo: sygMeta.LayersInfo, - }) + if sygMeta.SignatureType == zcommon.NotationSignature { + signatureSlice = append(signatureSlice, mTypes.SignatureInfo{ + SignatureManifestDigest: sygMeta.SignatureDigest, + LayersInfo: sygMeta.LayersInfo, + }) + } else if sygMeta.SignatureType == zcommon.CosignSignature { + newCosignSig := mTypes.SignatureInfo{ + SignatureManifestDigest: sygMeta.SignatureDigest, + LayersInfo: sygMeta.LayersInfo, + } + + if common.IsCosignTag(sygMeta.SignatureTag) { + // the entry for "sha256-{digest}.sig" signatures should be overwritten if + // it exists or added on the first position if it doesn't exists + if len(signatureSlice) == 0 { + signatureSlice = []mTypes.SignatureInfo{newCosignSig} + } else { + signatureSlice[0] = newCosignSig + } + } else { + // the first position should be reserved for "sha256-{digest}.sig" signatures + if len(signatureSlice) == 0 { + signatureSlice = []mTypes.SignatureInfo{{ + SignatureManifestDigest: "undefined", + LayersInfo: []mTypes.LayerInfo{}, + }} + } + + signatureSlice = append(signatureSlice, newCosignSig) + } + } } manifestSignatures[sygMeta.SignatureType] = signatureSlice diff --git a/pkg/meta/hooks.go b/pkg/meta/hooks.go index 3817f2c95a..9f234c34a7 100644 --- a/pkg/meta/hooks.go +++ b/pkg/meta/hooks.go @@ -48,6 +48,7 @@ func OnUpdateManifest(repo, reference, mediaType string, digest godigest.Digest, err = metaDB.AddManifestSignature(repo, signedManifestDigest, mTypes.SignatureMetadata{ SignatureType: signatureType, SignatureDigest: digest.String(), + SignatureTag: reference, LayersInfo: layersInfo, }) if err != nil { diff --git a/pkg/meta/meta_test.go b/pkg/meta/meta_test.go index 7e9996df49..942c7eaab3 100644 --- a/pkg/meta/meta_test.go +++ b/pkg/meta/meta_test.go @@ -1334,9 +1334,18 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func }) So(err, ShouldBeNil) + err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{ + SignatureType: "cosign", + SignatureTag: fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()), + SignatureDigest: "digesttag", + }) + So(err, ShouldBeNil) + repoMeta, err := metaDB.GetRepoMeta(repo1) So(err, ShouldBeNil) So(repoMeta.Signatures[manifestDigest1.String()]["cosign"][0].SignatureManifestDigest, + ShouldResemble, "digesttag") + So(repoMeta.Signatures[manifestDigest1.String()]["cosign"][1].SignatureManifestDigest, ShouldResemble, "digest") _, err = metaDB.GetManifestMeta(repo1, "badDigest") @@ -1365,6 +1374,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{ SignatureType: "cosign", SignatureDigest: string(manifestDigest1), + SignatureTag: fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()), LayersInfo: []mTypes.LayerInfo{layerInfo}, }) So(err, ShouldBeNil) @@ -1493,6 +1503,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func err := metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{ SignatureType: "cosign", + SignatureTag: fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()), SignatureDigest: "digest", }) So(err, ShouldBeNil) @@ -1527,6 +1538,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{ SignatureType: "cosign", + SignatureTag: fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()), SignatureDigest: "digest", }) So(err, ShouldBeNil) diff --git a/pkg/meta/parse.go b/pkg/meta/parse.go index 6613d29b2b..d156734fa0 100644 --- a/pkg/meta/parse.go +++ b/pkg/meta/parse.go @@ -111,6 +111,7 @@ func ParseRepo(repo string, metaDB mTypes.MetaDB, storeController storage.StoreC mTypes.SignatureMetadata{ SignatureType: signatureType, SignatureDigest: descriptor.Digest.String(), + SignatureTag: tag, LayersInfo: layers, }) if err != nil { diff --git a/pkg/meta/types/types.go b/pkg/meta/types/types.go index 6e64280bef..d8011a7a50 100644 --- a/pkg/meta/types/types.go +++ b/pkg/meta/types/types.go @@ -248,6 +248,7 @@ type SignatureInfo struct { type SignatureMetadata struct { SignatureType string SignatureDigest string + SignatureTag string LayersInfo []LayerInfo }