images: Add list of Platforms to CheckAuthorization()
Browse files Browse the repository at this point in the history
To be able to properly perform an authorization check on an image we need
to know the platform to perform the check on when in cryptManifestList(). Extend
the logic for cryptoOp == cryptoOpUnwrapOnly to skip over manifests that
do not correspond to the local platform and return an error if no manifest
was found that matches the local platform.

The following projects seem NOT to be affected by the change in the code
path of CheckAuthorization() since they are not using it:

- cri-o
- nerdctl
- skopeo
- buildah
- podman

The impact on imgcrypt via ctr-enc is not so clear either since
CheckAuthorization() is not called on the server side but by the ctr-enc
client, thus can be modified easily.

Resolves: #69
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger authored and lumjjb committed Mar 21, 2022
1 parent f440058 commit 6fdd981
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions images/encryption/encryption.go
Expand Up @@ -50,6 +50,13 @@ const (
// LayerFilter allows to select Layers by certain criteria
type LayerFilter func(desc ocispec.Descriptor) bool

// isLocalPlatform determines whether the given platform matches the local one
func isLocalPlatform(platform *ocispec.Platform) bool {
matcher := platforms.NewMatcher(*platform)

return matcher.Match(platforms.DefaultSpec())
}

// IsEncryptedDiff returns true if mediaType is a known encrypted media type.
func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
switch mediaType {
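Review bot: isLocalPlatform dereferences `*platform` unconditionally, but the `platform` field of an OCI index manifest entry is optional, so an index entry without a platform would make `platforms.NewMatcher(*platform)` panic with a nil pointer dereference on attacker-supplied input. Add an explicit nil guard before the dereference, e.g. `if platform == nil { return false }`, and document in the comment whether a missing platform is treated as "not local" (the safe default for an authorization check) or as a wildcard.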
Expand Down Expand Up @@ -380,6 +387,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
var newManifests []ocispec.Descriptor
modified := false
for _, manifest := range index.Manifests {
if cryptoOp == cryptoOpUnwrapOnly && !isLocalPlatform(manifest.Platform) {
continue
}
newManifest, m, err := cryptChildren(ctx, cs, manifest, cc, lf, cryptoOp, manifest.Platform)
if err != nil || cryptoOp == cryptoOpUnwrapOnly {
return ocispec.Descriptor{}, false, err
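Review bot: the new `continue` at the top of the loop deserves a short comment explaining the intent, since the reason is only in the commit message: in unwrap-only mode (the CheckAuthorization() path) only the manifest for the local platform is relevant, and the existing `return` a few lines below means the first matching entry ends the check. Something like `// authorization check: only the local platform's manifest matters` would make it clear to a later reader that skipping other platforms here is deliberate and not a gap in the check.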
Expand All @@ -389,6 +399,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
}
newManifests = append(newManifests, newManifest)
}
if cryptoOp == cryptoOpUnwrapOnly {
return ocispec.Descriptor{}, false, fmt.Errorf("No manifest found for local platform")
}

if modified {
// we need to update the index
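Review bot: the error string `"No manifest found for local platform"` should start with a lowercase letter per Go convention (error strings are usually wrapped, so the capital reads oddly mid-sentence), and it would be more useful to name the platform that was looked for, e.g. `fmt.Errorf("no manifest found for local platform %s", platforms.DefaultString())`. A one-line comment above the `if` would also help, since the condition is only reachable in unwrap-only mode when no entry matched the local platform (the match case returns from inside the loop), which is not obvious from the condition alone.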