Added manifest verification

Michal Minář · Michal Minář · commit 57f9cf6f010c · 2016-12-19T22:16:19.000+01:00
Mostly copied from docker/distribution repo.

Signed-off-by: Michal Minář &lt;miminar@redhat.com&gt;
diff --git a/pkg/dockerregistry/server/blobdescriptorservice_test.go b/pkg/dockerregistry/server/blobdescriptorservice_test.go
@@ -90,7 +90,7 @@ func TestBlobDescriptorServiceIsApplied(t *testing.T) {
 	}
 	os.Setenv("DOCKER_REGISTRY_URL", serverURL.Host)
 
-	desc, _, err := registrytest.UploadTestBlob(serverURL, "user/app")
+	desc, _, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/pkg/dockerregistry/server/manifesthandler.go b/pkg/dockerregistry/server/manifesthandler.go
@@ -25,6 +25,9 @@ type ManifestHandler interface {
 	// Payload returns manifest's media type, complete payload with signatures and canonical payload without
 	// signatures or an error if the information could not be fetched.
 	Payload() (mediaType string, payload []byte, canonical []byte, err error)
+
+	// Verify returns an error if the contained manifest is not valid or has missing dependencies.
+	Verify(ctx context.Context, skipDependencyVerification bool) error
 }
 
 // NewManifestHandler creates a manifest handler for the given manifest.
diff --git a/pkg/dockerregistry/server/manifestschema1handler.go b/pkg/dockerregistry/server/manifestschema1handler.go
@@ -2,10 +2,13 @@ package server
 
 import (
 	"encoding/json"
+	"fmt"
+	"path"
 
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/context"
 	"github.com/docker/distribution/manifest/schema1"
+	"github.com/docker/distribution/reference"
 	"github.com/docker/libtrust"
 
 	"k8s.io/kubernetes/pkg/util/sets"
@@ -103,3 +106,69 @@ func (h *manifestSchema1Handler) Payload() (mediaType string, payload []byte, ca
 	mt, payload, err := h.manifest.Payload()
 	return mt, payload, h.manifest.Canonical, err
 }
+
+func (h *manifestSchema1Handler) Verify(ctx context.Context, skipDependencyVerification bool) error {
+	var errs distribution.ErrManifestVerification
+
+	// we want to verify that referenced blobs exist locally - thus using upstream repository object directly
+	repo := h.repo.Repository
+
+	if len(path.Join(h.repo.registryAddr, h.manifest.Name)) > reference.NameTotalLengthMax {
+		errs = append(errs,
+			distribution.ErrManifestNameInvalid{
+				Name:   h.manifest.Name,
+				Reason: fmt.Errorf("<registry-host>/<manifest-name> must not be more than %d characters", reference.NameTotalLengthMax),
+			})
+	}
+
+	if !reference.NameRegexp.MatchString(h.manifest.Name) {
+		errs = append(errs,
+			distribution.ErrManifestNameInvalid{
+				Name:   h.manifest.Name,
+				Reason: fmt.Errorf("invalid manifest name format"),
+			})
+	}
+
+	if len(h.manifest.History) != len(h.manifest.FSLayers) {
+		errs = append(errs, fmt.Errorf("mismatched history and fslayer cardinality %d != %d",
+			len(h.manifest.History), len(h.manifest.FSLayers)))
+	}
+
+	if _, err := schema1.Verify(h.manifest); err != nil {
+		switch err {
+		case libtrust.ErrMissingSignatureKey, libtrust.ErrInvalidJSONContent, libtrust.ErrMissingSignatureKey:
+			errs = append(errs, distribution.ErrManifestUnverified{})
+		default:
+			if err.Error() == "invalid signature" {
+				errs = append(errs, distribution.ErrManifestUnverified{})
+			} else {
+				errs = append(errs, err)
+			}
+		}
+	}
+
+	if skipDependencyVerification {
+		if len(errs) > 0 {
+			return errs
+		}
+		return nil
+	}
+
+	for _, fsLayer := range h.manifest.References() {
+		_, err := repo.Blobs(ctx).Stat(ctx, fsLayer.Digest)
+		if err != nil {
+			if err != distribution.ErrBlobUnknown {
+				errs = append(errs, err)
+				continue
+			}
+
+			// On error here, we always append unknown blob errors.
+			errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})
+		}
+	}
+
+	if len(errs) > 0 {
+		return errs
+	}
+	return nil
+}
diff --git a/pkg/dockerregistry/server/manifestschema2handler.go b/pkg/dockerregistry/server/manifestschema2handler.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"encoding/json"
+	"errors"
 
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/context"
@@ -10,6 +11,11 @@ import (
 	imageapi "github.com/openshift/origin/pkg/image/api"
 )
 
+var (
+	errMissingURL    = errors.New("missing URL on layer")
+	errUnexpectedURL = errors.New("unexpected URL on layer")
+)
+
 func unmarshalManifestSchema2(content []byte) (distribution.Manifest, error) {
 	var deserializedManifest schema2.DeserializedManifest
 	if err := json.Unmarshal(content, &deserializedManifest); err != nil {
@@ -51,3 +57,56 @@ func (h *manifestSchema2Handler) Payload() (mediaType string, payload []byte, ca
 	mt, p, err := h.manifest.Payload()
 	return mt, p, p, err
 }
+
+func (h *manifestSchema2Handler) Verify(ctx context.Context, skipDependencyVerification bool) error {
+	var errs distribution.ErrManifestVerification
+
+	if skipDependencyVerification {
+		return nil
+	}
+
+	// we want to verify that referenced blobs exist locally - thus using upstream repository object directly
+	repo := h.repo.Repository
+
+	target := h.manifest.Target()
+	_, err := repo.Blobs(ctx).Stat(ctx, target.Digest)
+	if err != nil {
+		if err != distribution.ErrBlobUnknown {
+			errs = append(errs, err)
+		}
+
+		// On error here, we always append unknown blob errors.
+		errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: target.Digest})
+	}
+
+	for _, fsLayer := range h.manifest.References() {
+		var err error
+		if fsLayer.MediaType != schema2.MediaTypeForeignLayer {
+			if len(fsLayer.URLs) == 0 {
+				_, err = repo.Blobs(ctx).Stat(ctx, fsLayer.Digest)
+			} else {
+				err = errUnexpectedURL
+			}
+		} else {
+			// Clients download this layer from an external URL, so do not check for
+			// its presense.
+			if len(fsLayer.URLs) == 0 {
+				err = errMissingURL
+			}
+		}
+		if err != nil {
+			if err != distribution.ErrBlobUnknown {
+				errs = append(errs, err)
+				continue
+			}
+
+			// On error here, we always append unknown blob errors.
+			errs = append(errs, distribution.ErrManifestBlobUnknown{Digest: fsLayer.Digest})
+		}
+	}
+
+	if len(errs) > 0 {
+		return errs
+	}
+	return nil
+}
diff --git a/pkg/dockerregistry/server/pullthroughblobstore_test.go b/pkg/dockerregistry/server/pullthroughblobstore_test.go
@@ -88,11 +88,11 @@ func TestPullthroughServeBlob(t *testing.T) {
 
 	client.AddReactor("get", "imagestreams", imagetest.GetFakeImageStreamGetHandler(t, *testImageStream))
 
-	blob1Desc, blob1Content, err := registrytest.UploadTestBlob(serverURL, "user/app")
+	blob1Desc, blob1Content, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")
 	if err != nil {
 		t.Fatal(err)
 	}
-	blob2Desc, blob2Content, err := registrytest.UploadTestBlob(serverURL, "user/app")
+	blob2Desc, blob2Content, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/pkg/dockerregistry/server/repositorymiddleware.go b/pkg/dockerregistry/server/repositorymiddleware.go
@@ -326,11 +326,18 @@ func (r *repository) Put(ctx context.Context, manifest distribution.Manifest, op
 		return "", regapi.ErrorCodeManifestInvalid.WithDetail(err)
 	}
 
+	// this is fast to check, let's do it before verification
 	if !r.acceptschema2 && mediaType == schema2.MediaTypeManifest {
 		err = fmt.Errorf("manifest V2 schema 2 not allowed")
 		return "", regapi.ErrorCodeManifestInvalid.WithDetail(err)
 	}
 
+	// in order to stat the referenced blobs, repository need to be set on the context
+	ctx = WithRepository(ctx, r)
+	if err := mh.Verify(ctx, false); err != nil {
+		return "", err
+	}
+
 	// Calculate digest
 	dgst := digest.FromBytes(canonical)
 
diff --git a/pkg/dockerregistry/testutil/util.go b/pkg/dockerregistry/testutil/util.go
@@ -9,6 +9,7 @@ import (
 	"io"
 	"io/ioutil"
 	mrand "math/rand"
+	"net/http"
 	"net/url"
 	"testing"
 	"time"
@@ -19,6 +20,8 @@ import (
 	"github.com/docker/distribution/manifest"
 	"github.com/docker/distribution/reference"
 	distclient "github.com/docker/distribution/registry/client"
+	"github.com/docker/distribution/registry/client/auth"
+	"github.com/docker/distribution/registry/client/transport"
 
 	kapi "k8s.io/kubernetes/pkg/api"
 	kerrors "k8s.io/kubernetes/pkg/api/errors"
@@ -61,7 +64,7 @@ func NewImageForManifest(repoName string, rawManifest string, managedByOpenShift
 }
 
 // UploadTestBlob generates a random tar file and uploads it to the given repository.
-func UploadTestBlob(serverURL *url.URL, repoName string) (distribution.Descriptor, []byte, error) {
+func UploadTestBlob(serverURL *url.URL, creds auth.CredentialStore, repoName string) (distribution.Descriptor, []byte, error) {
 	rs, ds, err := CreateRandomTarFile()
 	if err != nil {
 		return distribution.Descriptor{}, nil, fmt.Errorf("unexpected error generating test layer file: %v", err)
@@ -73,7 +76,22 @@ func UploadTestBlob(serverURL *url.URL, repoName string) (distribution.Descripto
 	if err != nil {
 		return distribution.Descriptor{}, nil, err
 	}
-	repo, err := distclient.NewRepository(ctx, ref, serverURL.String(), nil)
+
+	var rt http.RoundTripper
+	if creds != nil {
+		challengeManager := auth.NewSimpleChallengeManager()
+		_, err := ping(challengeManager, serverURL.String()+"/v2/", "")
+		if err != nil {
+			return distribution.Descriptor{}, nil, err
+		}
+		rt = transport.NewTransport(
+			nil,
+			auth.NewAuthorizer(
+				challengeManager,
+				auth.NewTokenHandler(nil, creds, repoName, "pull", "push"),
+				auth.NewBasicHandler(creds)))
+	}
+	repo, err := distclient.NewRepository(ctx, ref, serverURL.String(), rt)
 	if err != nil {
 		return distribution.Descriptor{}, nil, fmt.Errorf("failed to get repository %q: %v", repoName, err)
 	}
@@ -247,3 +265,50 @@ func TestNewImageStreamObject(namespace, name, tag, imageName, dockerImageRefere
 		},
 	}
 }
+
+type testCredentialStore struct {
+	username      string
+	password      string
+	refreshTokens map[string]string
+}
+
+var _ auth.CredentialStore = &testCredentialStore{}
+
+// NewBasicCredentialStore returns a test credential store for use with registry token handler and/or basic
+// handler.
+func NewBasicCredentialStore(username, password string) auth.CredentialStore {
+	return &testCredentialStore{
+		username: username,
+		password: password,
+	}
+}
+
+func (tcs *testCredentialStore) Basic(*url.URL) (string, string) {
+	return tcs.username, tcs.password
+}
+
+func (tcs *testCredentialStore) RefreshToken(u *url.URL, service string) string {
+	return tcs.refreshTokens[service]
+}
+
+func (tcs *testCredentialStore) SetRefreshToken(u *url.URL, service string, token string) {
+	if tcs.refreshTokens != nil {
+		tcs.refreshTokens[service] = token
+	}
+}
+
+// ping pings the provided endpoint to determine its required authorization challenges.
+// If a version header is provided, the versions will be returned.
+func ping(manager auth.ChallengeManager, endpoint, versionHeader string) ([]auth.APIVersion, error) {
+	resp, err := http.Get(endpoint)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if err := manager.AddResponse(resp); err != nil {
+		return nil, err
+	}
+
+	return auth.APIVersions(resp, versionHeader), err
+}
diff --git a/test/end-to-end/core.sh b/test/end-to-end/core.sh
@@ -139,10 +139,10 @@ os::log::info "Pushed ruby-22-centos7"
 
 # get image's digest
 rubyimagedigest="$(oc get -o jsonpath='{.status.tags[?(@.tag=="latest")].items[0].image}' is/ruby-22-centos7)"
-os::log::info "Ruby image digest: $rubyimagedigest"
+os::log::info "Ruby image digest: ${rubyimagedigest}"
 # get a random, non-empty blob
 rubyimageblob="$(oc get isimage -o go-template='{{range .image.dockerImageLayers}}{{if gt .size 1024.}}{{.name}},{{end}}{{end}}' "ruby-22-centos7@${rubyimagedigest}" | cut -d , -f 1)"
-os::log::info "Ruby's testing blob digest: $rubyimageblob"
+os::log::info "Ruby's testing blob digest: ${rubyimageblob}"
 
 # verify remote images can be pulled directly from the local registry
 os::log::info "Docker pullthrough"
@@ -154,6 +154,24 @@ os::cmd::expect_success "curl -H 'Authorization: bearer $(oc whoami -t)' 'http:/
 # verify the blob exists on disk in the registry due to mirroring under .../blobs/sha256/<2 char prefix>/<sha value>
 os::cmd::try_until_success "oc exec --context='${CLUSTER_ADMIN_CONTEXT}' -n default -p '${registry_pod}' du /registry | tee '${LOG_DIR}/registry-images.txt' | grep '${mysqlblob:7:100}' | grep blobs"
 
+os::log::info "Docker registry refuses manifest with missing dependencies"
+os::cmd::expect_success 'oc new-project verify-manifest'
+os::cmd::expect_success "oc get -o jsonpath=$'{.dockerImageManifest}\n' 'image/${rubyimagedigest}' --context="${CLUSTER_ADMIN_CONTEXT}" >'${ARTIFACT_DIR}/rubyimagemanifest.json'"
+os::cmd::expect_success "curl --head                                                \
+    --silent                                                                        \
+    --request PUT                                                                   \
+    --header 'Content-Type: application/vnd.docker.distribution.manifest.v1+json'   \
+    --user 'e2e_user:${e2e_user_token}'                                             \
+    --upload-file '${ARTIFACT_DIR}/rubyimagemanifest.json'                          \
+    'http://${DOCKER_REGISTRY}/v2/verify-manifest/ruby-22-centos7/manifests/latest' \
+    >'${ARTIFACT_DIR}/curl-ruby-manifest-put.txt'"
+os::cmd::expect_success_and_text "cat '${ARTIFACT_DIR}/curl-ruby-manifest-put.txt'" '400 Bad Request'
+os::cmd::expect_success_and_text "cat '${ARTIFACT_DIR}/curl-ruby-manifest-put.txt'" '"errors":.*MANIFEST_BLOB_UNKNOWN'
+os::cmd::expect_success_and_text "cat '${ARTIFACT_DIR}/curl-ruby-manifest-put.txt'" '"errors":.*blob unknown to registry'
+os::log::info "Docker registry successfuly refused manifest with missing dependencies"
+
+os::cmd::expect_success 'oc project cache'
+
 os::log::info "Docker registry start with GCS"
 os::cmd::expect_failure_and_text "docker run -e REGISTRY_STORAGE=\"gcs: {}\" openshift/origin-docker-registry:${TAG}" "No bucket parameter provided"
 
diff --git a/test/integration/v2_docker_registry_test.go b/test/integration/v2_docker_registry_test.go

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func TestBlobDescriptorServiceIsApplied(t *testing.T) {`
`90`	`90`	`}`
`91`	`91`	`os.Setenv("DOCKER_REGISTRY_URL", serverURL.Host)`
`92`	`92`
`93`		`- desc, _, err := registrytest.UploadTestBlob(serverURL, "user/app")`
	`93`	`+ desc, _, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")`
`94`	`94`	`if err != nil {`
`95`	`95`	`t.Fatal(err)`
`96`	`96`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,9 @@ type ManifestHandler interface {`
`25`	`25`	`// Payload returns manifest's media type, complete payload with signatures and canonical payload without`
`26`	`26`	`// signatures or an error if the information could not be fetched.`
`27`	`27`	`Payload() (mediaType string, payload []byte, canonical []byte, err error)`
	`28`	`+`
	`29`	`+ // Verify returns an error if the contained manifest is not valid or has missing dependencies.`
	`30`	`+ Verify(ctx context.Context, skipDependencyVerification bool) error`
`28`	`31`	`}`
`29`	`32`
`30`	`33`	`// NewManifestHandler creates a manifest handler for the given manifest.`
Original file line number	Diff line number	Diff line change
`@@ -88,11 +88,11 @@ func TestPullthroughServeBlob(t *testing.T) {`
`88`	`88`
`89`	`89`	`client.AddReactor("get", "imagestreams", imagetest.GetFakeImageStreamGetHandler(t, *testImageStream))`
`90`	`90`
`91`		`- blob1Desc, blob1Content, err := registrytest.UploadTestBlob(serverURL, "user/app")`
	`91`	`+ blob1Desc, blob1Content, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")`
`92`	`92`	`if err != nil {`
`93`	`93`	`t.Fatal(err)`
`94`	`94`	`}`
`95`		`- blob2Desc, blob2Content, err := registrytest.UploadTestBlob(serverURL, "user/app")`
	`95`	`+ blob2Desc, blob2Content, err := registrytest.UploadTestBlob(serverURL, nil, "user/app")`
`96`	`96`	`if err != nil {`
`97`	`97`	`t.Fatal(err)`
`98`	`98`	`}`