Allow insecure localhost connections

Before this change, the `docker.MatchLocalhost` function was applied to
hosts retrieved from labels on snapshots, but not in the artifact
fetcher. This meant that data could be lazily loaded from an insecure
localhost, but we couldn't fetch the SOCI index/ztocs from an insecure
localhost. This change adds the matcher to the artifact fetcher so that
images can be lazily loaded from an insecure localhost.

Signed-off-by: Kern Walster <[email protected]>

Author: Kern--

fs/artifact_fetcher.go

@@ -29,6 +29,7 @@ import (
 	"github.com/awslabs/soci-snapshotter/soci/store"
 	"github.com/awslabs/soci-snapshotter/util/ioutils"
 	"github.com/containerd/containerd/reference"
+	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/log"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"golang.org/x/sync/errgroup"
@@ -73,6 +74,11 @@ func newRemoteStore(refspec reference.Spec, client *http.Client) (*remote.Reposi
 		return nil, fmt.Errorf("cannot create repository %s: %w", refspec.Locator, err)
 	}
 	repo.Client = client
+	repo.PlainHTTP, err = docker.MatchLocalhost(refspec.Hostname())
+	if err != nil {
+		return nil, fmt.Errorf("cannot create repository %s: %w", refspec.Locator, err)
+	}
+
 	return repo, nil
 }
 

fs/artifact_fetcher_test.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/http"
 	"testing"
 
 	"github.com/containerd/containerd/reference"
@@ -213,6 +214,47 @@ func TestArtifactFetcherFetchOnlyOnce(t *testing.T) {
 	}
 }
 
+func TestNewRemoteStore(t *testing.T) {
+	client := http.Client{}
+	testCases := []struct {
+		name              string
+		ref               string
+		shouldBePlainHTTP bool
+		expectedError     error
+	}{
+		{
+			name:              "ECR public is not plain http",
+			ref:               "public.ecr.aws/ref:tag",
+			shouldBePlainHTTP: false,
+		},
+		{
+			name:              "localhost is plain http",
+			ref:               "localhost:5000/ref:tag",
+			shouldBePlainHTTP: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			refspec, err := reference.Parse(tc.ref)
+			if err != nil {
+				t.Fatalf("unexpected failure parsing reference: %v", err)
+			}
+			r, err := newRemoteStore(refspec, &client)
+			if err != nil {
+				t.Fatalf("unexpected error, got %v", err)
+			}
+			if r.Client != &client {
+				t.Fatalf("unexpected http client, expected %v, got %v", &client, r.Client)
+			}
+			if r.PlainHTTP != tc.shouldBePlainHTTP {
+				t.Fatalf("unepected plain http, expected: %v, got %v", tc.shouldBePlainHTTP, r.PlainHTTP)
+			}
+		})
+	}
+}
+
 func newFakeArtifactFetcher(ref string, contents []byte) (*artifactFetcher, error) {
 	refspec, err := reference.Parse(ref)
 	if err != nil {