Ensure read access to the run image selected by extensions
Co-authored-by: Nicolas Bender <nicolas.bender@sap.com>
Signed-off-by: Pavel Busko <pavel.busko@sap.com>
pbusko and nicolasbender committed Jun 17, 2024
1 parent 7b5a8ec commit a1dc432
Showing 3 changed files with 51 additions and 0 deletions.
7 changes: 7 additions & 0 deletions phase/generator.go
@@ -27,6 +27,7 @@ type Generator struct {
DirStore DirStore
Executor buildpack.GenerateExecutor
Extensions []buildpack.GroupElement
AccessChecker platform.CheckReadAccess
Logger log.Logger
Out, Err io.Writer
Plan files.Plan
@@ -43,6 +44,7 @@ func (f *HermeticFactory) NewGenerator(inputs platform.LifecycleInputs, stdout,
PlatformDir: inputs.PlatformDir,
DirStore: f.dirStore,
Executor: &buildpack.DefaultGenerateExecutor{},
AccessChecker: inputs.AccessChecker(),
Logger: logger,
Out: stdout,
Err: stderr,
@@ -119,6 +121,11 @@ func (g *Generator) Generate() (GenerateResult, error) {
if generatedRunImageRef != "" && g.isNew(generatedRunImageRef) {
if !g.RunMetadata.Contains(generatedRunImageRef) {
g.Logger.Warnf("new runtime base image '%s' not found in run metadata", generatedRunImageRef)
} else {
generatedRunImageRef, err = platform.BestRunImageMirrorFor("", g.RunMetadata.FindByRef(generatedRunImageRef), g.AccessChecker)
if err != nil {
return GenerateResult{}, err
}
}
g.Logger.Debugf("Updating analyzed metadata with new run image '%s'", generatedRunImageRef)
finalAnalyzedMD.RunImage = &files.RunImage{ // target data is cleared
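Review bot: The read-access check added in `Generate` runs only in the new `else` branch, so a run image that an extension selects but that is absent from run metadata is still accepted after the `Warnf` with no access check at all. If the intent is that every extension-selected run image is verified as readable, the warning branch could apply the same check to the bare reference, for example `_, err = platform.BestRunImageMirrorFor("", files.RunImageForExport{Image: generatedRunImageRef}, g.AccessChecker)`, and return the error the same way. In the `else` branch `generatedRunImageRef` is overwritten by the call before `err` is inspected and the error is returned unwrapped, so the reference the extension asked for may not appear in the failure; keeping it in a local and wrapping the error with it would make a denied image traceable. A `Generator` built without `NewGenerator` has a nil `AccessChecker`, and whether `BestRunImageMirrorFor` tolerates that is not visible here. The body of `Generate` continues outside the hunk.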
34 changes: 34 additions & 0 deletions phase/generator_test.go
@@ -13,6 +13,7 @@ import (
"github.com/apex/log/handlers/discard"
"github.com/apex/log/handlers/memory"
"github.com/golang/mock/gomock"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/pkg/errors"
"github.com/sclevine/spec"
"github.com/sclevine/spec/report"
@@ -587,6 +588,39 @@ func testGenerator(t *testing.T, when spec.G, it spec.S) {
h.AssertLogEntry(t, logHandler, "new runtime base image 'some-other-run-image' not found in run metadata")
},
},
{
before: func() {
generator.RunMetadata = files.Run{
Images: []files.RunImageForExport{
{Image: "some-run-image"},
{Image: "some-second-run-image", Mirrors: []string{"some-second-run-image-mirror"}},
},
}

generator.AccessChecker = func(repo string, keychain authn.Keychain) (bool, error) {

Check failure on line 600 in phase/generator_test.go


GitHub Actions / test-linux-amd64

unused-parameter: parameter 'keychain' seems to be unused, consider removing or renaming it as _ (revive)

Check failure on line 600 in phase/generator_test.go


GitHub Actions / test-linux-arm64

unused-parameter: parameter 'keychain' seems to be unused, consider removing or renaming it as _ (revive)

Check failure on line 600 in phase/generator_test.go


GitHub Actions / test-windows

unused-parameter: parameter 'keychain' seems to be unused, consider removing or renaming it as _ (revive)
switch repo {
case "some-second-run-image-mirror":
return true, nil
default:
return false, nil
}
}
},
descCondition: "run metadata is provided but the image is not accessible",
descResult: "selects the run image mirror",
aDockerfiles: []buildpack.DockerfileInfo{
{
ExtensionID: "A",
Kind: "run",
Path: runDockerfilePathA,
WithBase: "some-second-run-image",
Extend: false,
},
},
bDockerfiles: []buildpack.DockerfileInfo{},
expectedRunImageImage: "some-second-run-image-mirror",
expectedRunImageReference: "some-second-run-image-mirror",
},
} {
tc := tc
when := when
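Review bot: The new table entry covers only the case where a mirror is readable, so the `return GenerateResult{}, err` branch this commit adds to `Generate` is never exercised. An entry whose `AccessChecker` returns `false, nil` for every repo, and one that returns a non-nil error, would pin down what happens when neither `some-second-run-image` nor `some-second-run-image-mirror` can be read. Whether the table already has a field for an expected error is not visible in this hunk; the table and `testGenerator` continue outside it.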
10 changes: 10 additions & 0 deletions platform/files/run.go
@@ -19,3 +19,13 @@ func (r *Run) Contains(providedImage string) bool {
}
return false
}

func (r *Run) FindByRef(imageRef string) RunImageForExport {

Check failure on line 23 in platform/files/run.go


GitHub Actions / test-linux-amd64

exported: exported method Run.FindByRef should have comment or be unexported (revive)

Check failure on line 23 in platform/files/run.go


GitHub Actions / test-linux-arm64

exported: exported method Run.FindByRef should have comment or be unexported (revive)

Check failure on line 23 in platform/files/run.go


GitHub Actions / test-windows

exported: exported method Run.FindByRef should have comment or be unexported (revive)
for _, i := range r.Images {
if i.Contains(imageRef) {
return i
}
}

return RunImageForExport{}
}
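Review bot: `FindByRef` returns a zero-value `RunImageForExport{}` when no entry matches, which a caller cannot distinguish from a real entry without a second lookup. The call site in phase/generator.go depends on a preceding `Contains` call for that guarantee, which couples the two methods and presumably walks the image list twice. Returning the match together with a flag, `func (r *Run) FindByRef(imageRef string) (RunImageForExport, bool)`, would let the caller drop the `Contains` call and rule out handing an empty entry to mirror selection by accident.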
