Implemented image encryption

Signed-off-by: Brandon Lum <[email protected]>

copy/copy_test.go

@@ -25,7 +25,7 @@ func TestNewDigestingReader(t *testing.T) {
 		"sha256:0",        // Invalid hex value
 		"sha256:01",       // Invalid length of hex value
 	} {
-		_, err := newDigestingReader(source, input)
+		_, err := newDigestingReader(source, input, true)
 		assert.Error(t, err, input.String())
 	}
 }
@@ -42,7 +42,7 @@ func TestDigestingReaderRead(t *testing.T) {
 	// Valid input
 	for _, c := range cases {
 		source := bytes.NewReader(c.input)
-		reader, err := newDigestingReader(source, c.digest)
+		reader, err := newDigestingReader(source, c.digest, true)
 		require.NoError(t, err, c.digest.String())
 		dest := bytes.Buffer{}
 		n, err := io.Copy(&dest, reader)
@@ -55,7 +55,7 @@ func TestDigestingReaderRead(t *testing.T) {
 	// Modified input
 	for _, c := range cases {
 		source := bytes.NewReader(bytes.Join([][]byte{c.input, []byte("x")}, nil))
-		reader, err := newDigestingReader(source, c.digest)
+		reader, err := newDigestingReader(source, c.digest, true)
 		require.NoError(t, err, c.digest.String())
 		dest := bytes.Buffer{}
 		_, err = io.Copy(&dest, reader)
@@ -66,7 +66,7 @@ func TestDigestingReaderRead(t *testing.T) {
 	// Truncated input
 	for _, c := range cases {
 		source := bytes.NewReader(c.input)
-		reader, err := newDigestingReader(source, c.digest)
+		reader, err := newDigestingReader(source, c.digest, true)
 		require.NoError(t, err, c.digest.String())
 		if len(c.input) != 0 {
 			dest := bytes.Buffer{}

copy/manifest.go

@@ -42,7 +42,7 @@ func (os *orderedSet) append(s string) {
 // Note that the conversion will only happen later, through ic.src.UpdatedImage
 // Returns the preferred manifest MIME type (whether we are converting to it or using it unmodified),
 // and a list of other possible alternatives, in order.
-func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupportedManifestMIMETypes []string, forceManifestMIMEType string) (string, []string, error) {
+func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupportedManifestMIMETypes []string, forceManifestMIMEType string, requiresOciEncryption bool) (string, []string, error) {
 	_, srcType, err := ic.src.Manifest(ctx)
 	if err != nil { // This should have been cached?!
 		return "", nil, errors.Wrap(err, "Error reading manifest")
@@ -57,7 +57,7 @@ func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupp
 		destSupportedManifestMIMETypes = []string{forceManifestMIMEType}
 	}
 
-	if len(destSupportedManifestMIMETypes) == 0 {
+	if len(destSupportedManifestMIMETypes) == 0 && (!requiresOciEncryption || manifestSupportsEncryption(srcType)) {
 		return srcType, []string{}, nil // Anything goes; just use the original as is, do not try any conversions.
 	}
 	supportedByDest := map[string]struct{}{}
@@ -75,7 +75,9 @@ func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupp
 
 	// First of all, prefer to keep the original manifest unmodified.
 	if _, ok := supportedByDest[srcType]; ok {
-		prioritizedTypes.append(srcType)
+		if !requiresOciEncryption || manifestSupportsEncryption(srcType) {
+			prioritizedTypes.append(srcType)
+		}
 	}
 	if !ic.canModifyManifest {
 		// We could also drop the !ic.canModifyManifest check and have the caller
@@ -89,13 +91,17 @@ func (ic *imageCopier) determineManifestConversion(ctx context.Context, destSupp
 	// Then use our list of preferred types.
 	for _, t := range preferredManifestMIMETypes {
 		if _, ok := supportedByDest[t]; ok {
-			prioritizedTypes.append(t)
+			if !requiresOciEncryption || manifestSupportsEncryption(t) {
+				prioritizedTypes.append(t)
+			}
 		}
 	}
 
 	// Finally, try anything else the destination supports.
 	for _, t := range destSupportedManifestMIMETypes {
-		prioritizedTypes.append(t)
+		if !requiresOciEncryption || manifestSupportsEncryption(t) {
+			prioritizedTypes.append(t)
+		}
 	}
 
 	logrus.Debugf("Manifest has MIME type %s, ordered candidate list [%s]", srcType, strings.Join(prioritizedTypes.list, ", "))

copy/manifest_test.go

@@ -71,6 +71,9 @@ func (f fakeImageSource) UpdatedImageNeedsLayerDiffIDs(options types.ManifestUpd
 func (f fakeImageSource) UpdatedImage(ctx context.Context, options types.ManifestUpdateOptions) (types.Image, error) {
 	panic("Unexpected call to a mock function")
 }
+func (f fakeImageSource) SupportsEncryption(ctx context.Context) bool {
+	panic("Unexpected call to a mock function")
+}
 func (f fakeImageSource) Size() (int64, error) {
 	panic("Unexpected call to a mock function")
 }
@@ -144,7 +147,7 @@ func TestDetermineManifestConversion(t *testing.T) {
 			src:               src,
 			canModifyManifest: true,
 		}
-		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, "")
+		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, "", false)
 		require.NoError(t, err, c.description)
 		assert.Equal(t, c.expectedUpdate, ic.manifestUpdates.ManifestMIMEType, c.description)
 		if c.expectedUpdate == "" {
@@ -163,7 +166,7 @@ func TestDetermineManifestConversion(t *testing.T) {
 			src:               src,
 			canModifyManifest: false,
 		}
-		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, "")
+		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, "", false)
 		require.NoError(t, err, c.description)
 		assert.Equal(t, "", ic.manifestUpdates.ManifestMIMEType, c.description)
 		assert.Equal(t, manifest.NormalizedMIMEType(c.sourceType), preferredMIMEType, c.description)
@@ -178,7 +181,7 @@ func TestDetermineManifestConversion(t *testing.T) {
 			src:               src,
 			canModifyManifest: true,
 		}
-		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, v1.MediaTypeImageManifest)
+		preferredMIMEType, otherCandidates, err := ic.determineManifestConversion(context.Background(), c.destTypes, v1.MediaTypeImageManifest, false)
 		require.NoError(t, err, c.description)
 		assert.Equal(t, v1.MediaTypeImageManifest, ic.manifestUpdates.ManifestMIMEType, c.description)
 		assert.Equal(t, v1.MediaTypeImageManifest, preferredMIMEType, c.description)
@@ -191,7 +194,7 @@ func TestDetermineManifestConversion(t *testing.T) {
 		src:               fakeImageSource(""),
 		canModifyManifest: true,
 	}
-	_, _, err := ic.determineManifestConversion(context.Background(), supportS1S2, "")
+	_, _, err := ic.determineManifestConversion(context.Background(), supportS1S2, "", false)
 	assert.Error(t, err)
 }
 

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/VividCortex/ewma v1.1.1 // indirect
 	github.com/containerd/continuity v0.0.0-20180216233310-d8fb8589b0e8 // indirect
 	github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b
+	github.com/containers/ocicrypt v0.0.0-20190930154801-b87a4a69c741
 	github.com/containers/storage v1.13.4
 	github.com/docker/distribution v0.0.0-20170817175659-5f6282db7d65
 	github.com/docker/docker v0.0.0-20180522102801-da99009bbb11
@@ -41,9 +42,9 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b // indirect
 	github.com/xeipuuv/gojsonschema v0.0.0-20190816131739-be0936907f66
 	go.etcd.io/bbolt v1.3.3 // indirect
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
+	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
 	golang.org/x/net v0.0.0-20190628185345-da137c7871d7
-	golang.org/x/sync v0.0.0-20181108010431-42b317875d0f
+	golang.org/x/sync v0.0.0-20190423024810-112230192c58
 	golang.org/x/sys v0.0.0-20190902133755-9109b7679e13
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	k8s.io/client-go v0.0.0-20170217214107-bcde30fb7eae