Transport-abstracted signature policy #33
Conversation
See also containers/skopeo#138 for the consumer.
transports.go (outdated):
    docker.Transport,
    oci.Transport,
    openshift.Transport,
} {
This would nicely fit into image, but it needs to be a separate package because these transport-dependent packages depend on image, which would cause a circular dependency.
Adding a containers/image/transports for this small file feels a bit silly, and having the top-level containers/image package point at the contained transports seems to make sense — OTOH using both containers/image and containers/image/image in a single source file then ends up pretty ugly.

Generally, based on comments in the code also, seems like a very welcome improvement and it makes up space for cleaning other interface parts (like So I'm +1 here
367fd7f to 85a62e2
85a62e2 to 522f718
27a97d2 to 8e535e1
Updated:
WIP because I need to re-integrate into mtrmac/image:integrate-all-the-things before being 100% certain, a corresponding skopeo branch is missing, and it seems highly desirable to validate policy scope names when parsing the policy; but it is very unlikely that anything in this PR will change.
8e535e1 to 2903ae4
Rebased and ready for individual review; I will add scope name verification when parsing the policy.
2903ae4 to 0ac31b2
Scope name validation added; works with @runcom PTAL
// This is necessary to prevent directory paths returned by PolicyConfigurationNamespaces
// from being ambiguous with values of PolicyConfigurationIdentity.
if strings.Contains(resolved, ":") {
	return nil, fmt.Errorf("Invalid OCI reference %s:%s: path %s contains a colon", dir, tag, resolved)
I think this is OK now. Eventually this OCI isn't meant for directory-like output like dir: - that means oci_dest.go will work exactly as docker_img_dest.go works (remote services). I have a TODO to create a new OCITar destination, probably, which will adhere to this and not allow a colon in the path.
Does “This is OK now” mean “this naming restriction is acceptable” or “we need to allow such paths”?
Acceptable, I don't see why not. OCI_dest right now is kind of the same as dir: - OCI image transportation and distribution isn't even defined yet, so I treat oci: as dir: and this LGTM.

The rest LGTM - if I understand correctly the last 2 commits leave some todos around also.

This makes the core policy lookup logic Docker-independent, with the underlying Docker-specific implementation moved to docker/policyconfiguration/naming.go. Does not change behavior; only docker: and atomic: transports currently implement the policy configuration naming, in a compatible way, and the policy configuration is still not transport-aware. That happens next. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Instead of specific/$dockerreference, use transports/$transport/$policyconfigurationscope. This will allow transport-specific policies in the future. This changes the data structures and parsing code, but mostly not yet the functionality; everything is looked up through transports/"docker"/..., and Docker-reference-less transports are not yet supported. The only new functionality is that there is a transport-level default scope (transports/docker/""); at the moment it is redundant with the global default, but soon it will not be so. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
0ac31b2 to ff31c8d
Users will be added imminently; this is used to convert an arbitrary path for dir: and oci: image names into a path suitable for policy lookup (absolute, with no symlinks or special components). Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Implement PolicyConfigurationIdentity and PolicyConfigurationNamespaces for all transports, which makes them all possible to use in policy configurations. Then use Transport().Name instead of hard-coded "docker" in policy transport lookup. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This e.g. rejects relative paths for directories. Notably docker: transport is the only one which does not do any real validation; we could copy&paste the character ranges and lengths directly from docker/distribution/reference, which feels fairly ugly. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
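The lookup the commit messages above describe, as an added example written for this page and not code from containers/image or skopeo: a policy keyed transports/$transport/$scope, a lookup that tries the exact identity, then the namespaces from most to least specific, then the transport default scope "", then the global default, and a stand-in dir: reference that normalizes its path (absolute, symlinks resolved, no special components) and rejects a colon for the ambiguity reason given in the review comment. The type and function names (Policy, PolicyRequirement, dirReference, resolveFullyExplicit, NewDirReference, TransportName), the handling of a not-yet-existing final path component, and the exclusion of the filesystem root from the namespaces are this example's assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// PolicyRequirement is a constructed placeholder for the requirements a policy attaches to a scope.
type PolicyRequirement string

// Policy mirrors the layout the commit messages describe: a global default plus
// transports/$transport/$scope entries, where scope "" is the transport default.
type Policy struct {
	Default    PolicyRequirement
	Transports map[string]map[string]PolicyRequirement
}

// ImageReference is the part of the reference interface the lookup needs (method names follow the PR; the interface is assumed).
type ImageReference interface {
	TransportName() string
	PolicyConfigurationIdentity() string
	PolicyConfigurationNamespaces() []string
}

// RequirementsFor tries the exact identity, then each namespace from most to least specific,
// then the transport default (scope ""), then the global default; the matched scope is returned for logging.
func (p *Policy) RequirementsFor(ref ImageReference) (PolicyRequirement, string) {
	if scopes, ok := p.Transports[ref.TransportName()]; ok {
		candidates := append([]string{ref.PolicyConfigurationIdentity()}, ref.PolicyConfigurationNamespaces()...)
		candidates = append(candidates, "") // transport-level default is tried last
		for _, scope := range candidates {
			if req, ok := scopes[scope]; ok {
				return req, scope
			}
		}
	}
	return p.Default, "(global default)"
}

// resolveFullyExplicit produces the path form the commit message asks for: absolute, symlinks resolved,
// no "." or ".." components. A final component that does not exist yet is resolved via its parent (this example's choice).
func resolveFullyExplicit(path string) (string, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(abs)
	if err == nil {
		return resolved, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(abs))
	if err != nil {
		return "", err
	}
	return filepath.Join(parent, filepath.Base(abs)), nil
}

type dirReference struct{ resolvedPath string } // constructed stand-in for the dir: transport

// NewDirReference normalizes the path and rejects a colon, because a "path:tag" identity could otherwise be confused with a namespace.
func NewDirReference(path string) (*dirReference, error) {
	resolved, err := resolveFullyExplicit(path)
	if err != nil {
		return nil, err
	}
	if strings.Contains(resolved, ":") {
		return nil, fmt.Errorf("invalid dir reference: path %q contains a colon", resolved)
	}
	return &dirReference{resolvedPath: resolved}, nil
}

func (r *dirReference) TransportName() string               { return "dir" }
func (r *dirReference) PolicyConfigurationIdentity() string { return r.resolvedPath }

// PolicyConfigurationNamespaces lists every ancestor directory, most specific first, stopping before the root (this example's choice).
func (r *dirReference) PolicyConfigurationNamespaces() []string {
	var namespaces []string
	for p := filepath.Dir(r.resolvedPath); p != filepath.Dir(p); p = filepath.Dir(p) {
		namespaces = append(namespaces, p)
	}
	return namespaces
}

func main() {
	// Constructed sample policy: /srv/images must be signed, any other dir: reference is rejected, other transports use the default.
	policy := &Policy{
		Default:    "insecureAcceptAnything",
		Transports: map[string]map[string]PolicyRequirement{"dir": {"/srv/images": "signedBy", "": "reject"}},
	}
	ref := &dirReference{resolvedPath: "/srv/images/app/v1"}
	req, scope := policy.RequirementsFor(ref)
	fmt.Printf("%s -> %s (matched scope %q)\n", ref.resolvedPath, req, scope)
}
```

Keeping the identity and the namespaces in one string space is what makes the colon check necessary: a directory named `repo:latest` would otherwise be indistinguishable from a `path:tag` identity in the policy file, so the reference constructor refuses it before any lookup happens.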
ff31c8d to 55bcc37
Updated:
OK to commit?
ACK
@runcom PTAL. This is by no means finished, but shows the direction I’m planning to use, early feedback on the API would help me avoid a dead end. Start with types.go
I think, I will comment more on the code.