Ensure read access to the run image selected by extensions (#1364)

* Ensure read access to the run image selected by extensions Co-authored-by: Nicolas Bender <nicolas.bender@sap.com> Signed-off-by: Pavel Busko <pavel.busko@sap.com> Co-authored-by: Pavel Busko <pavel.busko@sap.com> * move read access check to the restorer cmd Signed-off-by: Pavel Busko <pavel.busko@sap.com> * guard behind platform version check Signed-off-by: Pavel Busko <pavel.busko@sap.com> --------- Signed-off-by: Pavel Busko <pavel.busko@sap.com> Co-authored-by: Nicolas Bender <nicolas.bender@sap.com>
buildpacks · Jul 3, 2024 · a02be03 · a02be03
1 parent 7b5a8ec
commit a02be03
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/cmd/lifecycle/restorer.go b/cmd/lifecycle/restorer.go
@@ -50,6 +50,9 @@ func (r *restoreCmd) DefineFlags() {
 		cli.FlagBuildImage(&r.BuildImageRef)
 	}
 	cli.FlagAnalyzedPath(&r.AnalyzedPath)
+	if r.PlatformAPI.AtLeast("0.14") {
+		cli.FlagRunPath(&r.RunPath)
+	}
 	cli.FlagCacheDir(&r.CacheDir)
 	cli.FlagCacheImage(&r.CacheImageRef)
 	cli.FlagGID(&r.GID)
@@ -123,6 +126,15 @@ func (r *restoreCmd) Exec() error {
 			runImage imgutil.Image
 		)
 		runImageName := analyzedMD.RunImageImage() // FIXME: if we have a digest reference available in `Reference` (e.g., in the non-daemon case) we should use it
+		accessibleRunImage, err := r.runImageAccessCheck(runImageName)
+		if err != nil {
+			return err
+		}
+		if runImageName != accessibleRunImage {
+			analyzedMD.RunImage.Image = accessibleRunImage
+			analyzedMD.RunImage.Reference = accessibleRunImage
+		}
+
 		if r.supportsRunImageExtension() && needsPulling(analyzedMD.RunImage) {
 			cmd.DefaultLogger.Debugf("Pulling run image metadata for %s...", runImageName)
 			runImage, err = r.pullSparse(runImageName)
@@ -192,6 +204,23 @@ func needsPulling(runImage *files.RunImage) bool {
 	return runImage.Extend
 }
 
+func (r *restoreCmd) runImageAccessCheck(runImageName string) (string, error) {
+	if r.PlatformAPI.LessThan("0.14") {
+		return runImageName, nil
+	}
+
+	runToml, err := files.Handler.ReadRun(r.RunPath, cmd.DefaultLogger)
+	if err != nil {
+		return "", err
+	}
+
+	if !runToml.Contains(runImageName) {
+		return runImageName, nil
+	}
+
+	return platform.BestRunImageMirrorFor("", runToml.FindByRef(runImageName), r.AccessChecker())
+}
+
 func (r *restoreCmd) needsUpdating(runImage *files.RunImage, group buildpack.Group) bool {
 	if r.PlatformAPI.LessThan("0.10") {
 		return false

diff --git a/platform/files/run.go b/platform/files/run.go
@@ -19,3 +19,14 @@ func (r *Run) Contains(providedImage string) bool {
 	}
 	return false
 }
+
+// FindByRef return the RunImageForExport struct which contains the imageRef.
+func (r *Run) FindByRef(imageRef string) RunImageForExport {
+	for _, i := range r.Images {
+		if i.Contains(imageRef) {
+			return i
+		}
+	}
+
+	return RunImageForExport{}
+}