From a1dc432d69bfbaf80c420443799e8d2e35e73c5d Mon Sep 17 00:00:00 2001
From: Pavel Busko
Date: Mon, 17 Jun 2024 10:52:25 +0200
Subject: [PATCH] Ensure read access to the run image selected by extensions

Co-authored-by: Nicolas Bender
Signed-off-by: Pavel Busko
---
 phase/generator.go | 7 +++++++
 phase/generator_test.go | 34 ++++++++++++++++++++++++++++++++++
 platform/files/run.go | 10 ++++++++++
 3 files changed, 51 insertions(+)

diff --git a/phase/generator.go b/phase/generator.go
index 8a2106e82..1aa65b5ae 100644
--- a/phase/generator.go
+++ b/phase/generator.go
@@ -27,6 +27,7 @@ type Generator struct {
 DirStore DirStore
 Executor buildpack.GenerateExecutor
 Extensions []buildpack.GroupElement
+ AccessChecker platform.CheckReadAccess
 Logger log.Logger
 Out, Err io.Writer
 Plan files.Plan
@@ -43,6 +44,7 @@ func (f *HermeticFactory) NewGenerator(inputs platform.LifecycleInputs, stdout,
 PlatformDir: inputs.PlatformDir,
 DirStore: f.dirStore,
 Executor: &buildpack.DefaultGenerateExecutor{},
+ AccessChecker: inputs.AccessChecker(),
 Logger: logger,
 Out: stdout,
 Err: stderr,
@@ -119,6 +121,11 @@ func (g *Generator) Generate() (GenerateResult, error) {
 if generatedRunImageRef != "" && g.isNew(generatedRunImageRef) {
 if !g.RunMetadata.Contains(generatedRunImageRef) {
 g.Logger.Warnf("new runtime base image '%s' not found in run metadata", generatedRunImageRef)
+ } else {
+ generatedRunImageRef, err = platform.BestRunImageMirrorFor("", g.RunMetadata.FindByRef(generatedRunImageRef), g.AccessChecker)
+ if err != nil {
+ return GenerateResult{}, err
+ }
 }
 g.Logger.Debugf("Updating analyzed metadata with new run image '%s'", generatedRunImageRef)
 finalAnalyzedMD.RunImage = &files.RunImage{ // target data is cleared
diff --git a/phase/generator_test.go b/phase/generator_test.go
index aefc13e1f..518e03462 100644
--- a/phase/generator_test.go
+++ b/phase/generator_test.go
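Review bot: The error from `BestRunImageMirrorFor` in the new `else` branch is returned bare, so the caller gets no indication that the failure came from probing read access to the extension-selected run image and its mirrors; wrap it with context, e.g. `return GenerateResult{}, fmt.Errorf("checking read access to run image %q: %w", generatedRunImageRef, err)` (or whatever wrapping helper generator.go already uses, since its imports are outside the hunk). The access check also only runs for references present in run metadata: a reference that is not listed still takes the `Warnf` branch and is used unchecked, which is narrower than "ensure read access" suggests and deserves a comment on that line saying it is deliberate. `g.AccessChecker` is a plain func field, so a `Generator` built without going through `NewGenerator` would presumably hand a nil checker to `BestRunImageMirrorFor`; either document the field as required or guard the branch with `g.AccessChecker != nil`. The body of `Generate` continues outside the hunk.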
@@ -13,6 +13,7 @@ import (
 "github.com/apex/log/handlers/discard"
 "github.com/apex/log/handlers/memory"
 "github.com/golang/mock/gomock"
+ "github.com/google/go-containerregistry/pkg/authn"
 "github.com/pkg/errors"
 "github.com/sclevine/spec"
 "github.com/sclevine/spec/report"
@@ -587,6 +588,39 @@ func testGenerator(t *testing.T, when spec.G, it spec.S) {
 h.AssertLogEntry(t, logHandler, "new runtime base image 'some-other-run-image' not found in run metadata")
 },
 },
+ {
+ before: func() {
+ generator.RunMetadata = files.Run{
+ Images: []files.RunImageForExport{
+ {Image: "some-run-image"},
+ {Image: "some-second-run-image", Mirrors: []string{"some-second-run-image-mirror"}},
+ },
+ }
+
+ generator.AccessChecker = func(repo string, keychain authn.Keychain) (bool, error) {
+ switch repo {
+ case "some-second-run-image-mirror":
+ return true, nil
+ default:
+ return false, nil
+ }
+ }
+ },
+ descCondition: "run metadata is provided but the image is not accessible",
+ descResult: "selects the run image mirror",
+ aDockerfiles: []buildpack.DockerfileInfo{
+ {
+ ExtensionID: "A",
+ Kind: "run",
+ Path: runDockerfilePathA,
+ WithBase: "some-second-run-image",
+ Extend: false,
+ },
+ },
+ bDockerfiles: []buildpack.DockerfileInfo{},
+ expectedRunImageImage: "some-second-run-image-mirror",
+ expectedRunImageReference: "some-second-run-image-mirror",
+ },
 } {
 tc := tc
 when := when
diff --git a/platform/files/run.go b/platform/files/run.go
index 00fbe038a..8da123f06 100644
--- a/platform/files/run.go
+++ b/platform/files/run.go
@@ -19,3 +19,13 @@ func (r *Run) Contains(providedImage string) bool {
 }
 return false
 }
+
+func (r *Run) FindByRef(imageRef string) RunImageForExport {
+ for _, i := range r.Images {
+ if i.Contains(imageRef) {
+ return i
+ }
+ }
+
+ return RunImageForExport{}
+}
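Review bot: The new table entry covers only the happy path of the mirror fallback; the error return that `Generate` now has when no listed image or mirror is readable (as far as this diff shows, `BestRunImageMirrorFor` returning an error) gets no coverage here. A second entry with the same `RunMetadata` and an `AccessChecker` that returns `false, nil` for every repo, plus one that returns an error, would pin that path by asserting the error from `generator.Generate()` instead of an `expectedRunImageImage`. The stub also never uses `keychain`; writing the parameter as `_ authn.Keychain` makes that intent explicit and keeps linters quiet. The enclosing table and `testGenerator` extend beyond the hunk.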
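Review bot: `FindByRef` returns the zero `RunImageForExport{}` when nothing matches, which a caller cannot tell apart from a listed entry with an empty `Image`, so correctness silently depends on calling `Contains` first (as `Generate` does). Either return `(RunImageForExport, bool)` or state the contract on the exported method: `// FindByRef returns the first run image whose Contains check matches imageRef, or the zero value if none does; callers should check Contains first.` Naming the loop variable `img` rather than `i` also avoids reading it as an index. Whether `RunImageForExport.Contains` matches mirrors as well as the primary image is outside this hunk, so the comment wording should follow that method.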