Merge pull request #2335 from mtrmac/enforce-digests

Use UnparsedInstance.Manifest instead of ImageSource.GetManifest

common/libimage/image.go

@@ -14,6 +14,7 @@ import (
 	"github.com/containerd/platforms"
 	"github.com/containers/common/libimage/platform"
 	"github.com/containers/image/v5/docker/reference"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	storageTransport "github.com/containers/image/v5/storage"
 	"github.com/containers/image/v5/types"
@@ -1002,7 +1003,7 @@ func (i *Image) Manifest(ctx context.Context) (rawManifest []byte, mimeType stri
 	if err != nil {
 		return nil, "", err
 	}
-	return src.GetManifest(ctx, nil)
+	return image.UnparsedInstance(src, nil).Manifest(ctx)
 }
 
 // getImageID creates an image object and uses the hex value of the config

common/libimage/inspect.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"time"
 
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/types"
 	"github.com/opencontainers/go-digest"
@@ -159,7 +160,7 @@ func (i *Image) Inspect(ctx context.Context, options *InspectOptions) (*ImageDat
 	if err != nil {
 		return nil, err
 	}
-	manifestRaw, manifestType, err := src.GetManifest(ctx, nil)
+	manifestRaw, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 	if err != nil {
 		return nil, err
 	}

common/libimage/manifest_list.go

@@ -18,6 +18,7 @@ import (
 	"github.com/containers/common/pkg/supplemented"
 	imageCopy "github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/docker"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/signature"
@@ -370,11 +371,12 @@ func (i *Image) IsManifestList(ctx context.Context) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	imgRef, err := ref.NewImageSource(ctx, i.runtime.systemContextCopy())
+	imgSrc, err := ref.NewImageSource(ctx, i.runtime.systemContextCopy())
 	if err != nil {
 		return false, err
 	}
-	_, manifestType, err := imgRef.GetManifest(ctx, nil)
+	defer imgSrc.Close()
+	_, manifestType, err := image.UnparsedInstance(imgSrc, nil).Manifest(ctx)
 	if err != nil {
 		return false, err
 	}
@@ -717,7 +719,7 @@ func (m *ManifestList) AnnotateInstance(d digest.Digest, options *ManifestListAn
 			return err
 		}
 		defer src.Close()
-		subjectManifestBytes, subjectManifestType, err := src.GetManifest(ctx, nil)
+		subjectManifestBytes, subjectManifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 		if err != nil {
 			return err
 		}

common/libimage/manifest_list_test.go

@@ -20,6 +20,7 @@ import (
 
 	"github.com/containers/common/pkg/config"
 	cp "github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/transports/alltransports"
@@ -329,7 +330,7 @@ func TestAddArtifacts(t *testing.T) {
 		src, err := ref.NewImageSource(ctx, nil)
 		require.NoError(t, err)
 		defer src.Close()
-		manifestBytes, manifestType, err := src.GetManifest(ctx, nil)
+		manifestBytes, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 		require.NoError(t, err)
 		manifestDigest, err := manifest.Digest(manifestBytes)
 		require.NoError(t, err)
@@ -390,7 +391,7 @@ func TestAddArtifacts(t *testing.T) {
 
 			src, err := ref.NewImageSource(ctx, list.image.runtime.systemContextCopy())
 			require.NoError(t, err)
-			indexManifest, indexType, err := src.GetManifest(ctx, nil)
+			indexManifest, indexType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 			require.NoError(t, err)
 			require.True(t, manifest.MIMETypeIsMultiImage(indexType))
 			var index imgspecv1.Index
@@ -401,7 +402,7 @@ func TestAddArtifacts(t *testing.T) {
 				assert.Equal(t, indexSubjectDescriptor, *index.Subject, "subject in index was not preserved")
 			}
 			for _, descriptor := range index.Manifests {
-				artifactManifest, artifactManifestType, err := src.GetManifest(ctx, &descriptor.Digest)
+				artifactManifest, artifactManifestType, err := image.UnparsedInstance(src, &descriptor.Digest).Manifest(ctx)
 				require.NoError(t, err)
 				require.False(t, manifest.MIMETypeIsMultiImage(artifactManifestType))
 				var artifact imgspecv1.Manifest

common/libimage/manifests/manifests.go

@@ -526,7 +526,7 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 	var instanceInfos []instanceInfo
 	var manifestDigest digest.Digest
 
-	primaryManifestBytes, primaryManifestType, err := src.GetManifest(ctx, nil)
+	primaryManifestBytes, primaryManifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 	if err != nil {
 		return "", fmt.Errorf("reading manifest from %q: %w", transports.ImageName(ref), err)
 	}
@@ -613,7 +613,8 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 
 	knownConfigTypes := []string{manifest.DockerV2Schema2ConfigMediaType, v1.MediaTypeImageConfig}
 	for _, instanceInfo := range instanceInfos {
-		manifestBytes, manifestType, err := src.GetManifest(ctx, instanceInfo.instanceDigest)
+		unparsedInstance := image.UnparsedInstance(src, instanceInfo.instanceDigest)
+		manifestBytes, manifestType, err := unparsedInstance.Manifest(ctx)
 		if err != nil {
 			return "", fmt.Errorf("reading manifest from %q, instance %q: %w", transports.ImageName(ref), instanceInfo.instanceDigest, err)
 		}
@@ -625,7 +626,7 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag
 		hasPlatformConfig := instanceInfo.ArtifactType == "" && slices.Contains(knownConfigTypes, instanceInfo.ConfigInfo.MediaType)
 		needToParsePlatformConfig := (instanceInfo.OS == "" || instanceInfo.Architecture == "")
 		if hasPlatformConfig && needToParsePlatformConfig {
-			img, err := image.FromUnparsedImage(ctx, sys, image.UnparsedInstance(src, instanceInfo.instanceDigest))
+			img, err := image.FromUnparsedImage(ctx, sys, unparsedInstance)
 			if err != nil {
 				return "", fmt.Errorf("reading configuration blob from %q: %w", transports.ImageName(ref), err)
 			}
@@ -712,12 +713,12 @@ func (l *list) AddArtifact(ctx context.Context, sys *types.SystemContext, option
 	// reason.
 	var subject *v1.Descriptor
 	if options.SubjectReference != nil {
-		subjectReference, err := options.SubjectReference.NewImageSource(ctx, sys)
+		subjectSource, err := options.SubjectReference.NewImageSource(ctx, sys)
 		if err != nil {
 			return "", fmt.Errorf("setting up to read manifest and configuration from subject %q: %w", transports.ImageName(options.SubjectReference), err)
 		}
-		defer subjectReference.Close()
-		subjectManifestBytes, subjectManifestType, err := subjectReference.GetManifest(ctx, nil)
+		defer subjectSource.Close()
+		subjectManifestBytes, subjectManifestType, err := image.UnparsedInstance(subjectSource, nil).Manifest(ctx)
 		if err != nil {
 			return "", fmt.Errorf("reading manifest from subject %q: %w", transports.ImageName(options.SubjectReference), err)
 		}

common/libimage/manifests/manifests_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/containers/common/pkg/manifests"
 	cp "github.com/containers/image/v5/copy"
 	"github.com/containers/image/v5/directory"
+	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/compression"
 	"github.com/containers/image/v5/signature"
@@ -120,8 +121,8 @@ func TestAddRemove(t *testing.T) {
 	src, err := ref.NewImageSource(ctx, sys)
 	assert.NoError(t, err, "NewImageSource(%q)", otherListImage)
 	defer assert.NoError(t, src.Close(), "ImageSource.Close()")
-	m, _, err := src.GetManifest(ctx, nil)
-	assert.NoError(t, err, "ImageSource.GetManifest()")
+	m, _, err := image.UnparsedInstance(src, nil).Manifest(ctx)
+	require.NoError(t, err, "UnparsedInstance.Manifest()")
 	assert.NoError(t, src.Close(), "ImageSource.GetManifest()")
 	listDigest, err := manifest.Digest(m)
 	assert.NoError(t, err, "manifest.Digest()")
@@ -271,7 +272,7 @@ func TestAddArtifact(t *testing.T) {
 			src, err := ref.NewImageSource(ctx, &types.SystemContext{})
 			require.NoError(t, err)
 			defer src.Close()
-			manifestBytes, manifestType, err := src.GetManifest(ctx, &instanceDigest)
+			manifestBytes, manifestType, err := image.UnparsedInstance(src, &instanceDigest).Manifest(ctx)
 			require.NoError(t, err)
 			// decode the artifact manifest
 			var m v1.Manifest
@@ -361,7 +362,7 @@ func TestAddArtifact(t *testing.T) {
 				subject, err := subjectReference.NewImageSource(ctx, &types.SystemContext{})
 				require.NoError(t, err)
 				defer subject.Close()
-				subjectManifestBytes, subjectManifestType, err := subject.GetManifest(ctx, nil)
+				subjectManifestBytes, subjectManifestType, err := image.UnparsedInstance(subject, nil).Manifest(ctx)
 				require.NoError(t, err)
 				subjectManifestDigest, err := manifest.Digest(subjectManifestBytes)
 				require.NoError(t, err)

common/pkg/supplemented/supplemented.go

@@ -205,7 +205,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		}
 
 		// Read the default manifest for the image.
-		manifestBytes, manifestType, err := src.GetManifest(ctx, nil)
+		manifestBytes, manifestType, err := image.UnparsedInstance(src, nil).Manifest(ctx)
 		if err != nil {
 			return nil, fmt.Errorf("reading default manifest from image %q: %w", transports.ImageName(ref), err)
 		}
@@ -261,7 +261,7 @@ func (s *supplementedImageReference) NewImageSource(ctx context.Context, sys *ty
 		}
 
 		// Read the instance's manifest.
-		manifestBytes, manifestType, err := manifestToRead.src.GetManifest(ctx, manifestToRead.instance)
+		manifestBytes, manifestType, err := image.UnparsedInstance(manifestToRead.src, manifestToRead.instance).Manifest(ctx)
 		if err != nil {
 			// if errors.Is(err, storage.ErrImageUnknown) || errors.Is(err, os.ErrNotExist) {
 			// Trust that we either don't need it, or that it's in another reference.