Improve error message when converting an encrypted image to schema[12]
... and add tests.

Signed-off-by: Miloslav Trmač <[email protected]>
mtrmac committed Sep 7, 2023
1 parent 0227805 commit 3743a56
Showing 3 changed files with 65 additions and 0 deletions.
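--- a/internal/image/fixtures/oci1.encrypted.json
+++ b/internal/image/fixtures/oci1.encrypted.json
@@ -0,0 +1,43 @@
+{
+"schemaVersion": 2,
+"mediaType": "application/vnd.oci.image.manifest.v1+json",
+"config": {
+"mediaType": "application/vnd.oci.image.config.v1+json",
+"size": 5940,
+"digest": "sha256:9ca4bda0a6b3727a6ffcc43e981cad0f24e2ec79d338f6ba325b4dfd0756fb8f",
+"annotations": {
+"test-annotation-1": "one"
+}
+},
+"layers": [
+{
+"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+"size": 51354364,
+"digest": "sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+},
+{
+"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+"size": 150,
+"digest": "sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
+},
+{
+"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+"size": 11739507,
+"digest": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
+"urls": ["https://layer.url"]
+},
+{
+"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+"size": 8841833,
+"digest": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
+"annotations": {
+"test-annotation-2": "two"
+}
+},
+{
+"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+"size": 291,
+"digest": "sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
+}
+]
+}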
5 changes: 5 additions & 0 deletions internal/image/oci.go
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/containers/image/v5/manifest"
"github.com/containers/image/v5/pkg/blobinfocache/none"
"github.com/containers/image/v5/types"
ociencspec "github.com/containers/ocicrypt/spec"
"github.com/opencontainers/go-digest"
imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
)
Expand Down Expand Up @@ -227,6 +228,10 @@ func (m *manifestOCI1) convertToManifestSchema2(_ context.Context, _ *types.Mani
layers[idx].MediaType = manifest.DockerV2Schema2LayerMediaType
case imgspecv1.MediaTypeImageLayerZstd:
return nil, fmt.Errorf("Error during manifest conversion: %q: zstd compression is not supported for docker images", layers[idx].MediaType)
// FIXME: s/Zsdt/Zstd/ after ocicrypt with https://github.com/containers/ocicrypt/pull/91 is released
case ociencspec.MediaTypeLayerEnc, ociencspec.MediaTypeLayerGzipEnc, ociencspec.MediaTypeLayerZstdEnc,
ociencspec.MediaTypeLayerNonDistributableEnc, ociencspec.MediaTypeLayerNonDistributableGzipEnc, ociencspec.MediaTypeLayerNonDistributableZsdtEnc:
return nil, fmt.Errorf("during manifest conversion: encrypted layers (%q) are not supported in docker images", layers[idx].MediaType)
default:
return nil, fmt.Errorf("Unknown media type during manifest conversion: %q", layers[idx].MediaType)
}
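Review bot: The `case` arm listing the `ociencspec.MediaTypeLayer…Enc` types has no comment saying that the refusal is deliberate; the only comment above it is the FIXME about the `Zsdt` spelling, which reads as if it belonged to the zstd arm before it. I would add `// Encrypted layers are not supported in docker images; refuse the conversion explicitly instead of reporting an unknown media type.` directly above the arm and keep the FIXME on the line with the misspelled identifier. The message also opens with lowercase `during manifest conversion:` while the zstd arm next to it opens with `Error during manifest conversion:`, so a log search on the older prefix will miss this case; one form should be used for both. An encrypted media type that is missing from this list still ends in the `default` error, so the switch stays fail-closed. convertToManifestSchema2 begins and ends outside the hunk.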
17 changes: 17 additions & 0 deletions internal/image/oci_test.go
Expand Up @@ -538,6 +538,16 @@ func TestManifestOCI1ConvertToManifestSchema1(t *testing.T) {
var expected manifest.NonImageArtifactError
assert.ErrorAs(t, err, &expected)

// Conversion of an encrypted image fails
encrypted := manifestOCI1FromFixture(t, originalSrc, "oci1.encrypted.json")
_, err = encrypted.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
ManifestMIMEType: manifest.DockerV2Schema1SignedMediaType,
InformationOnly: types.ManifestUpdateInformation{
Destination: memoryDest,
},
})
assert.Error(t, err)

// Conversion to schema1 with encryption fails
_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
LayerInfos: layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
Expand Down Expand Up @@ -576,6 +586,13 @@ func TestConvertToManifestSchema2(t *testing.T) {
var expected manifest.NonImageArtifactError
assert.ErrorAs(t, err, &expected)

// Conversion of an encrypted image fails
encrypted := manifestOCI1FromFixture(t, originalSrc, "oci1.encrypted.json")
_, err = encrypted.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
ManifestMIMEType: manifest.DockerV2Schema2MediaType,
})
assert.Error(t, err)

// Conversion to schema2 with encryption fails
_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
LayerInfos: layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
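Review bot: Both new "Conversion of an encrypted image fails" checks end in `assert.Error(t, err)`, which passes for any failure, including the generic `Unknown media type during manifest conversion` error that the `default` arm in oci.go returns. The tests therefore do not pin the improved message this commit is about, and would keep passing if the new `case` arm were removed. In TestConvertToManifestSchema2 I would tighten the check to `assert.ErrorContains(t, err, "encrypted layers")`. The same assertion should fit the schema1 test, provided that path surfaces the schema2 conversion error text, which is not visible here. Both test functions continue outside the hunks shown.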
