Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop image signature annotations #19037

Merged
merged 3 commits into from
Mar 22, 2018
Merged

Drop image signature annotations #19037

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8a653a5
signature-controller: stop adding managed annotation
Mar 20, 2018
9742ee0
image-strategy: unset image signature annotations
Mar 20, 2018
6feafaf
switch reversed old/new objects to validation
deads2k Mar 20, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions pkg/image/controller/signature/container_image_downloader.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,9 +62,6 @@ func (s *containerImageSignatureDownloader) DownloadImageSignatures(image *image
// signature.
sig.Name = imageapi.JoinImageStreamImage(image.Name, fmt.Sprintf("%x", sha256.Sum256(blob)))
sig.Content = blob
sig.Annotations = map[string]string{
SignatureManagedAnnotation: "true",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mfojtik does the controller do something with this annotation later?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, there's no other reference to the annotation apart those referenced here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no and I don't remember adding this

}
sig.CreationTimestamp = metav1.Now()
ret = append(ret, sig)
}
Expand Down
6 changes: 0 additions & 6 deletions pkg/image/controller/signature/signature_import_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,6 @@ import (
imagelister "github.com/openshift/origin/pkg/image/generated/listers/image/internalversion"
)

const (
// SignatureManagedAnnotation marks signatures that were imported by this
// controller.
SignatureManagedAnnotation = "image.openshift.io/managed-signature"
)

type SignatureDownloader interface {
DownloadImageSignatures(*imageapi.Image) ([]imageapi.ImageSignature, error)
}
Expand Down
18 changes: 17 additions & 1 deletion pkg/image/registry/image/strategy.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,9 @@ import (
"github.com/openshift/origin/pkg/image/util"
)

// managedSignatureAnnotation used to be set by image signature import controller as a signature annotation.
const managedSignatureAnnotation = "image.openshift.io/managed-signature"

// imageStrategy implements behavior for Images.
type imageStrategy struct {
runtime.ObjectTyper
Expand Down Expand Up @@ -49,6 +52,8 @@ func (s imageStrategy) PrepareForCreate(ctx apirequest.Context, obj runtime.Obje
newImage.DockerImageManifest = ""
newImage.DockerImageConfig = ""
}

removeManagedSignatureAnnotation(newImage)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since it's now only going to drop the one annotation, i think i'm ok w/ doing this on create, for the (unlikely) backup/restore use case. @deads2k ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since it's now only going to drop the one annotation, i think i'm ok w/ doing this on create, for the (unlikely) backup/restore use case. @deads2k ?

Ok.

}

// Validate validates a new image.
Expand Down Expand Up @@ -127,9 +132,20 @@ func (s imageStrategy) PrepareForUpdate(ctx apirequest.Context, obj, old runtime
newImage.DockerImageManifest = ""
newImage.DockerImageConfig = ""
}

removeManagedSignatureAnnotation(newImage)
}

// ValidateUpdate is the default update validation for an end user.
func (imageStrategy) ValidateUpdate(ctx apirequest.Context, obj, old runtime.Object) field.ErrorList {
return validation.ValidateImageUpdate(old.(*imageapi.Image), obj.(*imageapi.Image))
return validation.ValidateImageUpdate(obj.(*imageapi.Image), old.(*imageapi.Image))
}

// removeManagedSignatureAnnotation removes deprecated annotation from image signatures. A bug in image update
// logic allowed to set arbitrary annotations that would otherwise be rejected by validation.
// Resolves rhbz#1557607
func removeManagedSignatureAnnotation(img *imageapi.Image) {
for i := range img.Signatures {
delete(img.Signatures[i].Annotations, managedSignatureAnnotation)
}
}
77 changes: 73 additions & 4 deletions pkg/image/registry/image/strategy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,13 +76,20 @@ func TestStrategyPrepareForCreate(t *testing.T) {

Strategy.PrepareForCreate(ctx, image)

if len(image.Signatures) != len(fuzzed.Signatures) {
t.Errorf("unexpected number of signatures: %d != %d", len(image.Signatures), len(fuzzed.Signatures))
testVerifySignatures(t, fuzzed, image)
}

func testVerifySignatures(t *testing.T, orig, new *imageapi.Image) {
if len(new.Signatures) != len(orig.Signatures) {
t.Errorf("unexpected number of signatures: %d != %d", len(new.Signatures), len(orig.Signatures))
}

for i, sig := range image.Signatures {
for i, sig := range new.Signatures {
// expect annotations to be cleared
delete(orig.Signatures[i].Annotations, managedSignatureAnnotation)

vi := reflect.ValueOf(&sig).Elem()
vf := reflect.ValueOf(&fuzzed.Signatures[i]).Elem()
vf := reflect.ValueOf(&orig.Signatures[i]).Elem()
typeOfT := vf.Type()

for j := 0; j < vf.NumField(); j++ {
Expand All @@ -98,3 +105,65 @@ func TestStrategyPrepareForCreate(t *testing.T) {
}
}
}

func TestStrategyPrepareForCreateSignature(t *testing.T) {
ctx := apirequest.NewDefaultContext()

original := imageapi.Image{
ObjectMeta: metav1.ObjectMeta{
Name: "image",
},
}

seed := int64(2703387474910584091) //rand.Int63()
fuzzed := fuzzImage(t, &original, seed)

if len(fuzzed.Signatures) == 0 {
t.Fatalf("fuzzifier failed to generate signatures")
}

for _, tc := range []struct {
name string
annotations map[string]string
expected map[string]string
}{
{
name: "unset annotations",
annotations: nil,
expected: nil,
},
{
name: "empty annotations",
annotations: map[string]string{},
expected: map[string]string{},
},
{
name: "managed annotation shall be removed",
annotations: map[string]string{managedSignatureAnnotation: "value"},
expected: map[string]string{},
},
{
name: "other annotations shall stay",
annotations: map[string]string{"key": "value"},
expected: map[string]string{"key": "value"},
},
{
name: "remove and keep",
annotations: map[string]string{"key": "value", managedSignatureAnnotation: "true"},
expected: map[string]string{"key": "value"},
},
} {
t.Run(tc.name, func(t *testing.T) {
fuzzed.Signatures[0].Annotations = tc.annotations
image := fuzzed.DeepCopy()

Strategy.PrepareForCreate(ctx, image)

testVerifySignatures(t, fuzzed, image)

if !reflect.DeepEqual(image.Signatures[0].Annotations, tc.expected) {
t.Errorf("unexpected signature annotations: %s", diff.ObjectGoPrintDiff(image.Annotations, tc.expected))
}
})
}
}