Skip to content

Commit

Permalink
detect registries with referrers API support (#1183)
Browse files Browse the repository at this point in the history
Signed-off-by: Brian DeHamer <[email protected]>
  • Loading branch information
bdehamer authored Jun 11, 2024
1 parent 7296bf4 commit 2f409eb
Show file tree
Hide file tree
Showing 5 changed files with 38 additions and 4 deletions.
5 changes: 5 additions & 0 deletions .changeset/chilled-frogs-sort.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@sigstore/oci': patch
---

Fix bug when detecting support for the referrers API
9 changes: 8 additions & 1 deletion packages/oci/src/__tests__/image.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import {
import { Credentials } from '../credentials';
import { OCIImage } from '../image';
import { ImageName } from '../name';
import { ZERO_DIGEST } from '../registry';
import { ImageIndex } from '../types';

describe('OCIImage', () => {
Expand Down Expand Up @@ -93,6 +94,10 @@ describe('OCIImage', () => {
.reply(201, undefined, {
[HEADER_OCI_SUBJECT]: artifactManifestDigest,
});

nock(`https://${registry}`)
.get(`/v2/${repo}/referrers/${ZERO_DIGEST}`)
.reply(200);
});

it('adds an artifact', async () => {
Expand Down Expand Up @@ -126,7 +131,9 @@ describe('OCIImage', () => {
})
.put(`/v2/${repo}/blobs/uploads/123?digest=${artifactDigest}`)
.matchHeader(HEADER_CONTENT_TYPE, CONTENT_TYPE_OCTET_STREAM)
.reply(201);
.reply(201)
.get(`/v2/${repo}/referrers/${ZERO_DIGEST}`)
.reply(404);

nock(`https://${registry}`)
.filteringPath(/sha256:[0-9a-f]{64}/, artifactManifestDigest)
Expand Down
5 changes: 5 additions & 0 deletions packages/oci/src/__tests__/index.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import {
HEADER_DIGEST,
HEADER_OCI_SUBJECT,
} from '../constants';
import { ZERO_DIGEST } from '../registry';

describe('attachArtifactToImage', () => {
const registry = 'my-registry';
Expand Down Expand Up @@ -77,6 +78,10 @@ describe('attachArtifactToImage', () => {
.reply(201, undefined, {
[HEADER_OCI_SUBJECT]: artifactManifestDigest,
});

nock(`https://${registry}`)
.get(`/v2/${repo}/referrers/${ZERO_DIGEST}`)
.reply(200, {});
});

it('should return the artifact digest', async () => {
Expand Down
11 changes: 8 additions & 3 deletions packages/oci/src/image.ts
Original file line number Diff line number Diff line change
Expand Up @@ -93,10 +93,15 @@ export class OCIImage {
JSON.stringify(manifest)
);

// Check to see if registry supports the referrers API. For most
// registries the presence of a subjectDigest response header when
// uploading the artifact manifest indicates that the referrers API IS
// supported -- however, this is not a guarantee (AWS ECR does NOT support
// the referrers API but still reports a subjectDigest).
const referrersSupported = await this.#client.pingReferrers();

// Manually update the referrers list if the referrers API is not supported.
// The lack of a subjectDigest indicates that the referrers API is not
// supported.
if (artifactDescriptor.subjectDigest === undefined) {
if (!referrersSupported) {
await this.#createReferrersIndexByTag({
artifact: {
...artifactDescriptor,
Expand Down
12 changes: 12 additions & 0 deletions packages/oci/src/registry.ts
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,9 @@ const ALL_MANIFEST_MEDIA_TYPES = [
CONTENT_TYPE_DOCKER_MANIFEST_LIST,
].join(',');

export const ZERO_DIGEST =
'sha256:0000000000000000000000000000000000000000000000000000000000000000';

export type UploadBlobResponse = Descriptor;

export type UploadManifestOptions = {
Expand Down Expand Up @@ -271,6 +274,15 @@ export class RegistryClient {
};
}

// Returns true if the registry supports the referrers API
async pingReferrers(): Promise<boolean> {
const response = await this.#fetch(
`${this.#baseURL}/v2/${this.#repository}/referrers/${ZERO_DIGEST}`
);

return response.status === 200;
}

async #fetchDistributionToken(
creds: Credentials,
challenge: AuthChallenge
Expand Down

0 comments on commit 2f409eb

Please sign in to comment.