libimage: {un}tag: reject digests

Make sure that tag and untag reject digested input. Also add unit tests for both to make sure we're not regressing in the future. Fixes: containers/common#710 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
2021-08-05 11:15:20 +02:00 · 2021-08-05 11:15:20 +02:00 · 2a36074db6
parent 64369e9623
commit 2a36074db6
2 changed files with 120 additions and 1 deletions
--- a/common/libimage/image.go
+++ b/common/libimage/image.go
@ -448,14 +448,24 @@ func (i *Image) removeRecursive(ctx context.Context, rmMap map[string]*RemoveIma
 	return parent.removeRecursive(ctx, rmMap, processedIDs, "", options)
 }

+var errTagDigest = errors.New("tag by digest not supported")
+
 // Tag the image with the specified name and store it in the local containers
 // storage.  The name is normalized according to the rules of NormalizeName.
 func (i *Image) Tag(name string) error {
+	if strings.HasPrefix(name, "sha256:") { // ambiguous input
+		return errors.Wrap(errTagDigest, name)
+	}
+
 	ref, err := NormalizeName(name)
 	if err != nil {
 		return errors.Wrapf(err, "error normalizing name %q", name)
 	}

+	if _, isDigested := ref.(reference.Digested); isDigested {
+		return errors.Wrap(errTagDigest, name)
+	}
+
 	logrus.Debugf("Tagging image %s with %q", i.ID(), ref.String())
 	if i.runtime.eventChannel != nil {
 		defer i.runtime.writeEvent(&Event{ID: i.ID(), Name: name, Time: time.Now(), Type: EventTypeImageTag})
@ -480,7 +490,7 @@ var errUntagDigest = errors.New("untag by digest not supported")
 // the local containers storage.  The name is normalized according to the rules
 // of NormalizeName.
 func (i *Image) Untag(name string) error {
-	if strings.HasPrefix(name, "sha256:") {
+	if strings.HasPrefix(name, "sha256:") { // ambiguous input
 		return errors.Wrap(errUntagDigest, name)
 	}

@ -488,6 +498,11 @@ func (i *Image) Untag(name string) error {
 	if err != nil {
 		return errors.Wrapf(err, "error normalizing name %q", name)
 	}
+
+	if _, isDigested := ref.(reference.Digested); isDigested {
+		return errors.Wrap(errUntagDigest, name)
+	}
+
 	name = ref.String()

 	logrus.Debugf("Untagging %q from image %s", ref.String(), i.ID())
--- a/common/libimage/image_test.go
+++ b/common/libimage/image_test.go
@ -164,3 +164,107 @@ func TestImageFunctions(t *testing.T) {
 	require.Equal(t, labels, imageData.Labels, "inspect data should match")
 	require.Equal(t, image.NamesHistory(), imageData.NamesHistory, "inspect data should match")
 }
+
+func TestTag(t *testing.T) {
+	// Note: this will resolve pull from the GCR registry (see
+	// testdata/registries.conf).
+	busyboxLatest := "docker.io/library/busybox:latest"
+
+	runtime, cleanup := testNewRuntime(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	pullOptions := &PullOptions{}
+	pullOptions.Writer = os.Stdout
+	pulledImages, err := runtime.Pull(ctx, busyboxLatest, config.PullPolicyMissing, pullOptions)
+	require.NoError(t, err)
+	require.Len(t, pulledImages, 1)
+
+	image := pulledImages[0]
+
+	digest := "sha256:adab3844f497ab9171f070d4cae4114b5aec565ac772e2f2579405b78be67c96"
+
+	// Tag
+	for _, test := range []struct {
+		tag         string
+		resolvesTo  string
+		expectError bool
+	}{
+		{"foo", "localhost/foo:latest", false},
+		{"docker.io/foo", "docker.io/library/foo:latest", false},
+		{"quay.io/bar/foo:tag", "quay.io/bar/foo:tag", false},
+		{"registry.com/$invalid", "", true},
+		{digest, "", true},
+		{"foo@" + digest, "", true},
+		{"quay.io/foo@" + digest, "", true},
+		{"", "", true},
+	} {
+		err := image.Tag(test.tag)
+		if test.expectError {
+			require.Error(t, err, "tag should have failed: %v", test)
+			continue
+		}
+		require.NoError(t, err, "tag should have succeeded: %v", test)
+
+		_, resolvedName, err := runtime.LookupImage(test.tag, nil)
+		require.NoError(t, err, "image should have resolved locally: %v", test)
+		require.Equal(t, test.resolvesTo, resolvedName, "image should have resolved correctly: %v", test)
+	}
+
+	// Check for specific error.
+	err = image.Tag("foo@" + digest)
+	require.True(t, errors.Cause(err) == errTagDigest, "check for specific digest error")
+}
+
+func TestUntag(t *testing.T) {
+	// Note: this will resolve pull from the GCR registry (see
+	// testdata/registries.conf).
+	busyboxLatest := "docker.io/library/busybox:latest"
+
+	runtime, cleanup := testNewRuntime(t)
+	defer cleanup()
+	ctx := context.Background()
+
+	pullOptions := &PullOptions{}
+	pullOptions.Writer = os.Stdout
+	pulledImages, err := runtime.Pull(ctx, busyboxLatest, config.PullPolicyMissing, pullOptions)
+	require.NoError(t, err)
+	require.Len(t, pulledImages, 1)
+
+	image := pulledImages[0]
+
+	digest := "sha256:adab3844f497ab9171f070d4cae4114b5aec565ac772e2f2579405b78be67c96"
+
+	// Untag
+	for _, test := range []struct {
+		tag         string
+		untag       string
+		expectError bool
+	}{
+		{"foo", "foo", false},
+		{"foo", "foo:latest", false},
+		{"foo", "localhost/foo", false},
+		{"foo", "localhost/foo:latest", false},
+		{"quay.io/image/foo", "quay.io/image/foo", false},
+		{"foo", "doNotExist", true},
+		{"foo", digest, true},
+		{"foo", "foo@" + digest, true},
+		{"foo", "localhost/foo@" + digest, true},
+	} {
+		err := image.Tag(test.tag)
+		require.NoError(t, err, "tag should have succeeded: %v", test)
+
+		err = image.Untag(test.untag)
+		if test.expectError {
+			require.Error(t, err, "untag should have failed: %v", test)
+			continue
+		}
+		require.NoError(t, err, "untag should have succeedded: %v", test)
+		_, resolvedName, err := runtime.LookupImage(test.tag, nil)
+		require.Error(t, err, "image should not resolve after untag anymore (%s): %v", resolvedName, test)
+	}
+
+	// Check for specific error.
+	err = image.Untag("foo@" + digest)
+	require.True(t, errors.Cause(err) == errUntagDigest, "check for specific digest error")
+}