当前位置: 首页>>代码示例>>Golang>>正文


Golang Image.IntendedDockerReference方法代码示例

本文整理汇总了Golang中github.com/containers/image/types.Image.IntendedDockerReference方法的典型用法代码示例。如果您正苦于以下问题:Golang Image.IntendedDockerReference方法的具体用法?Golang Image.IntendedDockerReference怎么用?Golang Image.IntendedDockerReference使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在github.com/containers/image/types.Image的用法示例。


在下文中一共展示了Image.IntendedDockerReference方法的4个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。

示例1: IsRunningImageAllowed

// IsRunningImageAllowed returns true iff the policy allows running the image.
// If it returns false, err must be non-nil, and should be an PolicyRequirementError if evaluation
// succeeded but the result was rejection.
// WARNING: This validates signatures and the manifest, but does not download or validate the
// layers. Users must validate that the layers match their expected digests.
func (pc *PolicyContext) IsRunningImageAllowed(image types.Image) (res bool, finalErr error) {
	if err := pc.changeState(pcReady, pcInUse); err != nil {
		return false, err
	}
	defer func() {
		if err := pc.changeState(pcInUse, pcReady); err != nil {
			res = false
			finalErr = err
		}
	}()

	logrus.Debugf("IsRunningImageAllowed for image %s", image.IntendedDockerReference())

	reqs, err := pc.requirementsForImage(image)
	if err != nil {
		return false, err
	}

	if len(reqs) == 0 {
		return false, PolicyRequirementError("List of verification policy requirements must not be empty")
	}

	for reqNumber, req := range reqs {
		// FIXME: supply state
		allowed, err := req.isRunningImageAllowed(image)
		if !allowed {
			logrus.Debugf("Requirement %d: denied, done", reqNumber)
			return false, err
		}
		logrus.Debugf(" Requirement %d: allowed", reqNumber)
	}
	// We have tested that len(reqs) != 0, so at least one req must have explicitly allowed this image.
	logrus.Debugf("Overall: allowed")
	return true, nil
}
开发者ID:Ch3ck,项目名称:image,代码行数:40,代码来源:policy_eval.go

示例2: matchesDockerReference

func (prm *prmMatchRepository) matchesDockerReference(image types.Image, signatureDockerReference string) bool {
	intended, signature, err := parseDockerReferences(image.IntendedDockerReference(), signatureDockerReference)
	if err != nil {
		return false
	}
	return signature.Name() == intended.Name()
}
开发者ID:Ch3ck,项目名称:image,代码行数:7,代码来源:policy_reference_match.go

示例3: requirementsForImage

// requirementsForImage selects the appropriate requirements for image.
func (pc *PolicyContext) requirementsForImage(image types.Image) (PolicyRequirements, error) {
	imageIdentity := image.IntendedDockerReference()
	// We don't technically need to parse it first in order to match the full name:tag,
	// but do so anyway to ensure that the intended identity really does follow that
	// format, or at least that it is not demonstrably wrong.
	ref, err := reference.ParseNamed(imageIdentity)
	if err != nil {
		return nil, err
	}
	ref = reference.WithDefaultTag(ref)

	// Look for a full match.
	fullyExpanded, err := fullyExpandedDockerReference(ref)
	if err != nil { // Coverage: This cannot currently happen.
		return nil, err
	}
	if req, ok := pc.Policy.Specific[fullyExpanded]; ok {
		logrus.Debugf(" Using specific policy section %s", fullyExpanded)
		return req, nil
	}

	// Look for a match of the repository, and then of the possible parent
	// namespaces. Note that this only happens on the expanded host names
	// and repository names, i.e. "busybox" is looked up as "docker.io/library/busybox",
	// then in its parent "docker.io/library"; in none of "busybox",
	// un-namespaced "library" nor in "" implicitly representing "library/".
	//
	// ref.FullName() == ref.Hostname() + "/" + ref.RemoteName(), so the last
	// iteration matches the host name (for any namespace).
	name := ref.FullName()
	for {
		if req, ok := pc.Policy.Specific[name]; ok {
			logrus.Debugf(" Using specific policy section %s", name)
			return req, nil
		}

		lastSlash := strings.LastIndex(name, "/")
		if lastSlash == -1 {
			break
		}
		name = name[:lastSlash]
	}

	logrus.Debugf(" Using default policy section")
	return pc.Policy.Default, nil
}
开发者ID:Ch3ck,项目名称:image,代码行数:47,代码来源:policy_eval.go

示例4: GetSignaturesWithAcceptedAuthor

// GetSignaturesWithAcceptedAuthor returns those signatures from an image
// for which the policy accepts the author (and which have been successfully
// verified).
// NOTE: This may legitimately return an empty list and no error, if the image
// has no signatures or only invalid signatures.
// WARNING: This makes the signature contents acceptable for futher processing,
// but it does not necessarily mean that the contents of the signature are
// consistent with local policy.
// For example:
// - Do not use a an existence of an accepted signature to determine whether to run
//   a container based on this image; use IsRunningImageAllowed instead.
// - Just because a signature is accepted does not automatically mean the contents of the
//   signature are authorized to run code as root, or to affect system or cluster configuration.
func (pc *PolicyContext) GetSignaturesWithAcceptedAuthor(image types.Image) (sigs []*Signature, finalErr error) {
	if err := pc.changeState(pcReady, pcInUse); err != nil {
		return nil, err
	}
	defer func() {
		if err := pc.changeState(pcInUse, pcReady); err != nil {
			sigs = nil
			finalErr = err
		}
	}()

	logrus.Debugf("GetSignaturesWithAcceptedAuthor for image %s", image.IntendedDockerReference())

	reqs, err := pc.requirementsForImage(image)
	if err != nil {
		return nil, err
	}

	// FIXME: rename Signatures to UnverifiedSignatures
	unverifiedSignatures, err := image.Signatures()
	if err != nil {
		return nil, err
	}

	res := make([]*Signature, 0, len(unverifiedSignatures))
	for sigNumber, sig := range unverifiedSignatures {
		var acceptedSig *Signature // non-nil if accepted
		rejected := false
		// FIXME? Say more about the contents of the signature, i.e. parse it even before verification?!
		logrus.Debugf("Evaluating signature %d:", sigNumber)
	interpretingReqs:
		for reqNumber, req := range reqs {
			// FIXME: Log the requirement itself? For now, we use just the number.
			// FIXME: supply state
			switch res, as, err := req.isSignatureAuthorAccepted(image, sig); res {
			case sarAccepted:
				if as == nil { // Coverage: this should never happen
					logrus.Debugf(" Requirement %d: internal inconsistency: sarAccepted but no parsed contents", reqNumber)
					rejected = true
					break interpretingReqs
				}
				logrus.Debugf(" Requirement %d: signature accepted", reqNumber)
				if acceptedSig == nil {
					acceptedSig = as
				} else if *as != *acceptedSig { // Coverage: this should never happen
					// Huh?! Two ways of verifying the same signature blob resulted in two different parses of its already accepted contents?
					logrus.Debugf(" Requirement %d: internal inconsistency: sarAccepted but different parsed contents", reqNumber)
					rejected = true
					acceptedSig = nil
					break interpretingReqs
				}
			case sarRejected:
				logrus.Debugf(" Requirement %d: signature rejected: %s", reqNumber, err.Error())
				rejected = true
				break interpretingReqs
			case sarUnknown:
				if err != nil { // Coverage: this should never happen
					logrus.Debugf(" Requirement %d: internal inconsistency: sarUnknown but an error message %s", reqNumber, err.Error())
					rejected = true
					break interpretingReqs
				}
				logrus.Debugf(" Requirement %d: signature state unknown, continuing", reqNumber)
			default: // Coverage: this should never happen
				logrus.Debugf(" Requirement %d: internal inconsistency: unknown result %#v", reqNumber, string(res))
				rejected = true
				break interpretingReqs
			}
		}
		// This also handles the (invalid) case of empty reqs, by rejecting the signature.
		if acceptedSig != nil && !rejected {
			logrus.Debugf(" Overall: OK, signature accepted")
			res = append(res, acceptedSig)
		} else {
			logrus.Debugf(" Overall: Signature not accepted")
		}
	}
	return res, nil
}
开发者ID:Ch3ck,项目名称:image,代码行数:91,代码来源:policy_eval.go


注:本文中的github.com/containers/image/types.Image.IntendedDockerReference方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。