Skip to content

Commit

Permalink
errors: add error for wild card scope validation
Browse files Browse the repository at this point in the history
Signed-off-by: Sajay Antony <[email protected]>
  • Loading branch information
sajayantony committed Jul 18, 2023
1 parent 3981f69 commit ae9ac7b
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 3 deletions.
10 changes: 9 additions & 1 deletion verifier/trustpolicy/trustpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -550,7 +550,15 @@ func validateRegistryScopeFormat(scope string) error {
// https://github.com/distribution/distribution/blob/main/reference/regexp.go#L31
domainRegexp := regexp.MustCompile(`^(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?$`)
repositoryRegexp := regexp.MustCompile(`^[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$`)
errorMessage := "registry scope %q is not valid, make sure it is a fully qualified registry URL without the scheme/protocol, e.g domain.com/my/repository OR a local trust policy scope, e.g local/myOCILayout"
ensureMessage := "make sure it is a fully qualified repository without the scheme, protocol or tag. For example domain.com/my/repository or a local scope like local/myOCILayout"
errorMessage := "registry scope %q is not valid, " + ensureMessage
errorWildCardMessage := "registry scope %q with wild card(s) is not valid, " + ensureMessage

// Check for presence of * in scope
if len(scope) > 1 && strings.Contains(scope, "*") {
return fmt.Errorf(errorWildCardMessage, scope)
}

domain, repository, found := strings.Cut(scope, "/")
if !found {
return fmt.Errorf(errorMessage, scope)
Expand Down
18 changes: 16 additions & 2 deletions verifier/trustpolicy/trustpolicy_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,21 @@ func TestInvalidRegistryScopes(t *testing.T) {
policyStatement.RegistryScopes = []string{scope}
policyDoc.TrustPolicies = []TrustPolicy{policyStatement}
err := policyDoc.Validate()
if err == nil || err.Error() != "registry scope \""+scope+"\" is not valid, make sure it is a fully qualified registry URL without the scheme/protocol, e.g domain.com/my/repository OR a local trust policy scope, e.g local/myOCILayout" {
if err == nil || err.Error() != "registry scope \""+scope+"\" is not valid, make sure it is a fully qualified repository without the scheme, protocol or tag. For example domain.com/my/repository or a local scope like local/myOCILayout" {
t.Fatalf("invalid registry scope should return error. Error : %q", err)
}
}

// Test invalid scope with wild card suffix

invalidWildCardScopes := []string{"example.com/*", "*/", "example*/", "ex*test"}
for _, scope := range invalidWildCardScopes {
policyDoc := dummyPolicyDocument()
policyStatement := dummyPolicyStatement()
policyStatement.RegistryScopes = []string{scope}
policyDoc.TrustPolicies = []TrustPolicy{policyStatement}
err := policyDoc.Validate()
if err == nil || err.Error() != "registry scope \""+scope+"\" with wild card(s) is not valid, make sure it is a fully qualified repository without the scheme, protocol or tag. For example domain.com/my/repository or a local scope like local/myOCILayout" {
t.Fatalf("invalid registry scope should return error. Error : %q", err)
}
}
Expand All @@ -215,7 +229,7 @@ func TestInvalidRegistryScopes(t *testing.T) {
// TestValidRegistryScopes tests valid scopes are accepted
func TestValidRegistryScopes(t *testing.T) {
validScopes := []string{
"example.com/rep", "example.com:8080/rep/rep2", "example.com/rep/subrep/subsub",
"*", "example.com/rep", "example.com:8080/rep/rep2", "example.com/rep/subrep/subsub",
"10.10.10.10:8080/rep/rep2", "domain/rep", "domain:1234/rep",
}

Expand Down

0 comments on commit ae9ac7b

Please sign in to comment.