From 81627a460d496aa612571c253129a63479f2dd0c Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Tue, 31 Aug 2021 22:50:55 -0400
Subject: [PATCH] Move prefix validation to postProcessRegistries
Fixes: https://github.com/containers/image/pull/1191#discussion_r610623829
Signed-off-by: Lokesh Mandvekar
---
 pkg/sysregistriesv2/system_registries_v2.go | 22 +++++++++----------
 .../system_registries_v2_test.go | 19 ++++++++++++++++
 2 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/pkg/sysregistriesv2/system_registries_v2.go b/pkg/sysregistriesv2/system_registries_v2.go
index d0ddbf1914..86e84c0337 100644
--- a/pkg/sysregistriesv2/system_registries_v2.go
+++ b/pkg/sysregistriesv2/system_registries_v2.go
@@ -359,6 +359,10 @@ func (config *V2RegistriesConf) postProcessRegistries() error {
 // Allow config authors to always use Prefix.
 if reg.Prefix != "" {
+ if isWildcardedPrefix(reg.Prefix) && strings.ContainsAny(reg.Prefix, "/@:") {
+ msg := fmt.Sprintf("Wildcarded prefix should be in the format: *.example.com. Current prefix %q is incorrectly formatted", reg.Prefix)
+ return &InvalidRegistries{s: msg}
+ }
 reg.Prefix, err = parseLocation(reg.Prefix)
 if err != nil {
 return err
@@ -773,6 +777,11 @@ func CredentialHelpers(sys *types.SystemContext) ([]string, error) {
 return config.partialV2.CredentialHelpers, nil
 }
+// isWildcardedPrefix only checks if the first two characters match "*.".
+func isWildcardedPrefix(prefix string) bool {
+ return prefix[:2] == "*."
+}
+
 // refMatchingSubdomainPrefix returns the length of ref
 // iff ref, which is a registry, repository namespace, repository or image reference (as formatted by
 // reference.Domain(), reference.Named.Name() or reference.Reference.String()
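Review bot: `isWildcardedPrefix` slices `prefix[:2]` without checking the length, so the new call in postProcessRegistries, guarded only by `reg.Prefix != ""`, panics with a slice-bounds error on a one-character prefix (a constructed example: `prefix = "x"`) instead of returning InvalidRegistries. The helper is also what refMatchingPrefix now calls in the `@@ -809` hunk, so both callers inherit the same unchecked precondition. Writing the body as `return strings.HasPrefix(prefix, "*.")` gives identical results for strings of two or more characters and lets a malformed registries configuration fail with an error rather than crash the process that loads it. The doc comment could then say `// isWildcardedPrefix reports whether prefix starts with "*."; it does not validate the rest of the prefix.` postProcessRegistries begins and ends outside the hunk, so what happens to the error afterwards is not visible here.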
@@ -809,7 +818,7 @@ func refMatchingSubdomainPrefix(ref, prefix string) int {
 // (This is split from the caller primarily to make testing easier.)
 func refMatchingPrefix(ref, prefix string) int {
 switch {
- case prefix[0:2] == "*.":
+ case isWildcardedPrefix(prefix):
 return refMatchingSubdomainPrefix(ref, prefix)
 case len(ref) < len(prefix):
 return -1
@@ -924,17 +933,6 @@ func loadConfigFile(path string, forceV2 bool) (*parsedConfig, error) {
 res.shortNameMode = types.ShortNameModeInvalid
 }
- // Valid wildcarded prefixes must be in the format: *.example.com
- // FIXME: Move to postProcessRegistries
- // https://github.com/containers/image/pull/1191#discussion_r610623829
- for i := range res.partialV2.Registries {
- prefix := res.partialV2.Registries[i].Prefix
- if prefix[:2] == "*." && strings.ContainsAny(prefix, "/@:") {
- msg := fmt.Sprintf("Wildcarded prefix should be in the format: *.example.com. Current prefix %q is incorrectly formatted", prefix)
- return nil, &InvalidRegistries{s: msg}
- }
- }
-
 // Parse and validate short-name aliases.
 cache, err := newShortNameAliasCache(path, &res.partialV2.shortNameAliasConf)
 if err != nil {
diff --git a/pkg/sysregistriesv2/system_registries_v2_test.go b/pkg/sysregistriesv2/system_registries_v2_test.go
index 9092ddba63..237d1f125f 100644
--- a/pkg/sysregistriesv2/system_registries_v2_test.go
+++ b/pkg/sysregistriesv2/system_registries_v2_test.go
@@ -134,6 +134,25 @@ func TestMirrors(t *testing.T) {
 assert.True(t, reg.Mirrors[1].Insecure)
 }
+func TestWildcardedPrefix(t *testing.T) {
+ for _, c := range []struct {
+ prefix string
+ expected bool
+ }{
+ // Only check if the first two characters are "*."
+ {"*.io", true},
+ {"*.com/foo@bar", true},
+ {"foo.com/bar", false},
+ {"*foo.com/bar", false},
+ {"foo*.com/bar", false},
+ {".foo*.com/bar", false},
+ {"*.foo*.com/bar", true},
+ } {
+ isValid := isWildcardedPrefix(c.prefix)
+ assert.Equal(t, c.expected, isValid)
+ }
+}
+
 func TestRefMatchingSubdomainPrefix(t *testing.T) {
 for _, c := range []struct {
 ref, prefix string
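Review bot: The table in TestWildcardedPrefix has no input shorter than two characters, so the `prefix[:2]` slice in isWildcardedPrefix is never exercised at its boundary. Adding `{"", false}` and `{"*", false}` would pin that behaviour, and with the helper as written in this patch those rows would panic rather than return false. The local name `isValid` is misleading, because `"*.com/foo@bar"` is expected to be `true` here although it is exactly the form postProcessRegistries now rejects; `isWildcarded` describes what is measured. Nothing in this hunk checks the relocated validation itself, i.e. that such a prefix still produces InvalidRegistries after the move, though a test for that may exist elsewhere in the file.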