libartifact: strong type where possible

introduction of ArtifactReference and ArtifactStorageReference types for
libartifact.  ArtifactReference is a theoretical reference to an
artifact like for things like pull.  ArtifactStorageReference is for
looking things up in the existing store for things like rm or inspect.
ArtifactStoreReference allows for things like full or partial "id"
lookups.

the pr also accomdates a user ask for appending "latest" as a tag when
no tag is provided.

and finally, here we introduce a bunch of artifact tests to get the ball
rolling.  it should not be considered fully complete but a good start.

Signed-off-by: Brent Baude <[email protected]>

Author: baude

common/go.mod

@@ -45,6 +45,7 @@ require (
 	go.etcd.io/bbolt v1.4.3
 	go.podman.io/image/v5 v5.38.0
 	go.podman.io/storage v1.61.0
+	go.step.sm/crypto v0.57.0
 	golang.org/x/crypto v0.43.0
 	golang.org/x/sync v0.18.0
 	golang.org/x/sys v0.38.0

common/go.sum

@@ -254,6 +254,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
 github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU=
 github.com/smallstep/pkcs7 v0.1.1/go.mod h1:dL6j5AIz9GHjVEBTXtW+QliALcgM19RtXaTeyxI+AfA=
 github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
@@ -325,6 +327,8 @@ go.podman.io/image/v5 v5.38.0 h1:aUKrCANkPvze1bnhLJsaubcfz0d9v/bSDLnwsXJm6G4=
 go.podman.io/image/v5 v5.38.0/go.mod h1:hSIoIUzgBnmc4DjoIdzk63aloqVbD7QXDMkSE/cvG90=
 go.podman.io/storage v1.61.0 h1:5hD/oyRYt1f1gxgvect+8syZBQhGhV28dCw2+CZpx0Q=
 go.podman.io/storage v1.61.0/go.mod h1:A3UBK0XypjNZ6pghRhuxg62+2NIm5lcUGv/7XyMhMUI=
+go.step.sm/crypto v0.57.0 h1:YjoRQDaJYAxHLVwjst0Bl0xcnoKzVwuHCJtEo2VSHYU=
+go.step.sm/crypto v0.57.0/go.mod h1:+Lwp5gOVPaTa3H/Ul/TzGbxQPXZZcKIUGMS0lG6n9Go=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=

common/pkg/libartifact/artifact.go renamed to common/pkg/libartifact/store/artifact.go

@@ -1,4 +1,4 @@
-package libartifact
+package store
 
 import (
 	"encoding/json"
@@ -7,6 +7,7 @@ import (
 
 	"github.com/opencontainers/go-digest"
 	"go.podman.io/common/pkg/libartifact/types"
+	"go.podman.io/image/v5/docker/reference"
 	"go.podman.io/image/v5/manifest"
 )
 
@@ -36,7 +37,7 @@ func (a *Artifact) GetName() (string, error) {
 	return "", types.ErrArtifactUnamed
 }
 
-// SetName is a accessor for setting the artifact name
+// SetName is an accessor for setting the artifact name
 // Note: long term this may not be needed, and we would
 // be comfortable with simply using the exported field
 // called Name.
@@ -55,16 +56,16 @@ func (a *Artifact) GetDigest() (*digest.Digest, error) {
 
 type ArtifactList []*Artifact
 
-// GetByNameOrDigest returns an artifact, if present, by a given name
+// getByNameOrDigest returns an artifact, if present, by a given name
 // Returns an error if not found.
-func (al ArtifactList) GetByNameOrDigest(nameOrDigest string) (*Artifact, bool, error) {
+func (al ArtifactList) getByNameOrDigest(nameOrDigest string) (*Artifact, bool, error) {
 	// This is the hot route through
 	for _, artifact := range al {
 		if artifact.Name == nameOrDigest {
 			return artifact, false, nil
 		}
 	}
-	// Before giving up, check by digest
+	// Before giving up, check by full or partial ID
 	for _, artifact := range al {
 		artifactDigest, err := artifact.GetDigest()
 		if err != nil {
@@ -75,5 +76,30 @@ func (al ArtifactList) GetByNameOrDigest(nameOrDigest string) (*Artifact, bool,
 			return artifact, true, nil
 		}
 	}
+	named, err := reference.ParseNamed(nameOrDigest)
+	if err != nil {
+		return nil, false, fmt.Errorf("invalid artifact: %q", nameOrDigest)
+	}
+
+	// And finally, check for things with a name and digest
+	// i.e. quay.io/podman/machine-os:sha256:7e952f1deece2717022d7cc066dd21d1468236560d23a79c80448d49b2048e99
+	if d, isDigested := named.(reference.Digested); isDigested {
+		for _, a := range al {
+			storedArtifactNamed, err := reference.ParseNamed(a.Name)
+			if err != nil {
+				return nil, false, err
+			}
+			if storedArtifactNamed.Name() == named.Name() {
+				artifactDigest, err := a.GetDigest()
+				if err != nil {
+					return nil, false, err
+				}
+				if d.Digest() == *artifactDigest {
+					return a, true, nil
+				}
+			}
+		}
+	}
+	// Nothing was found in the store that matches
 	return nil, false, fmt.Errorf("%s: %w", nameOrDigest, types.ErrArtifactNotExist)
 }

common/pkg/libartifact/store/reference.go

@@ -0,0 +1,100 @@
+//go:build !remote
+
+package store
+
+import (
+	"context"
+
+	"go.podman.io/image/v5/docker/reference"
+)
+
+type ArtifactReference struct {
+	reference.Named
+}
+
+// NewArtifactReference is a theoretical reference to an artifact.  It needs to be
+// a fully qualified oci reference except for tag, where we add
+// "latest" as the tag if tag is empty.  Valid references:
+//
+// quay.io/podman/machine-os:latest
+// quay.io/podman/machine-os
+// quay.io/podman/machine-os@sha256:916ede4b2b9012f91f63100f8ba82d07ed81bf8a55d23c1503285a22a9759a1e
+//
+// Note: Partial sha references and digests (IDs) are not allowed.
+func NewArtifactReference(input string) (ArtifactReference, error) {
+	ar := ArtifactReference{}
+	named, err := stringToNamed(input)
+	if err != nil {
+		return ArtifactReference{}, err
+	}
+	ar.Named = named
+	return ar, nil
+}
+
+func (ar ArtifactReference) IsDigested() bool {
+	_, isDigested := ar.Named.(reference.Digested)
+	return isDigested
+}
+
+type ArtifactStoreReference struct {
+	ArtifactFromStore *Artifact
+	IsDigested        bool
+	Ref               reference.Named
+}
+
+// NewArtifactStorageReference refers to an object already in the artifact store.  It
+// can be a name or a full or partial digest.  Conveniently, it also embeds the artifact
+// as part of its return.
+func NewArtifactStorageReference(nameOrDigest string, as *ArtifactStore) (ArtifactStoreReference, error) {
+	lookupInput := nameOrDigest
+	asf := ArtifactStoreReference{}
+	al, err := as.getArtifacts(context.Background(), nil)
+	if err != nil {
+		return ArtifactStoreReference{}, err
+	}
+
+	// Try to parse as a valid OCI reference
+	named, parseErr := stringToNamed(nameOrDigest)
+	if parseErr == nil {
+		lookupInput = named.String()
+	}
+
+	// Lookup in the store
+	a, isDigest, err := al.getByNameOrDigest(lookupInput)
+	if err != nil {
+		return ArtifactStoreReference{}, err
+	}
+
+	// If parsing failed, parse the artifact's name instead
+	if parseErr != nil {
+		fqName, err := a.GetName()
+		if err != nil {
+			return ArtifactStoreReference{}, err
+		}
+		named, err = stringToNamed(fqName)
+		if err != nil {
+			return ArtifactStoreReference{}, err
+		}
+	}
+
+	asf.Ref = named
+	asf.IsDigested = isDigest
+	asf.ArtifactFromStore = a
+	return asf, nil
+}
+
+// stringToNamed converts a string to a reference.Named.
+func stringToNamed(s string) (reference.Named, error) {
+	named, err := reference.ParseNamed(s)
+	if err != nil {
+		return ArtifactReference{}, err
+	}
+	// If the supplied input is neither tagged nor has
+	// a digest, then add "latest"
+	_, isTagged := named.(reference.Tagged)
+	_, isDigested := named.(reference.Digested)
+	if !isTagged && !isDigested {
+		named = reference.TagNameOnly(named)
+	}
+	return named, nil
+}

common/pkg/libartifact/store/reference_test.go

@@ -0,0 +1,186 @@
+package store
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.podman.io/image/v5/types"
+)
+
+func TestNewArtifactReference(t *testing.T) {
+	// Test valid reference
+	ar, err := NewArtifactReference("quay.io/podman/machine-os:5.1")
+	assert.NoError(t, err)
+	assert.NotNil(t, ar.Named)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", ar.Named.String())
+
+	// Test another valid reference
+	ar, err = NewArtifactReference("docker.io/library/nginx:latest")
+	assert.NoError(t, err)
+	assert.NotNil(t, ar.Named)
+
+	// Test invalid reference - empty string
+	_, err = NewArtifactReference("")
+	assert.Error(t, err)
+
+	// Test invalid reference - malformed
+	_, err = NewArtifactReference("invalid::reference")
+	assert.Error(t, err)
+
+	// Test latest is added when no tag is provided
+	ar, err = NewArtifactReference("quay.io/machine-os/podman")
+	assert.NoError(t, err)
+	assert.Equal(t, "quay.io/machine-os/podman:latest", ar.Named.String())
+
+	// Input with a digest is good
+	ar, err = NewArtifactReference("quay.io/machine-os/podman@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	assert.NoError(t, err)
+	assert.True(t, ar.IsDigested())
+
+	// Partial digests are a no-go
+	_, err = NewArtifactReference("quay.io/machine-os/podman@sha256:8b96f36deaf1d2")
+	assert.Error(t, err)
+
+	// "IDs" are also a no-go
+	_, err = NewArtifactReference("84ddb405470e733d0202d6946e48fc75a7ee231337bdeb31a8579407a7052d9e")
+	assert.Error(t, err)
+}
+
+func TestArtifactReference_IsDigested(t *testing.T) {
+	// Test reference with tag (not digested)
+	ar, err := NewArtifactReference("quay.io/podman/machine-os:5.1")
+	require.NoError(t, err)
+	assert.False(t, ar.IsDigested())
+
+	// Test reference with digest (digested)
+	ar, err = NewArtifactReference("quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	require.NoError(t, err)
+	assert.True(t, ar.IsDigested())
+
+	// Test reference with latest tag (not digested)
+	ar, err = NewArtifactReference("quay.io/podman/machine-os:latest")
+	require.NoError(t, err)
+	assert.False(t, ar.IsDigested())
+}
+
+func TestNewArtifactStorageReference_ValidReference(t *testing.T) {
+	repo := "quay.io/podman/machine-os"
+	tag := "5.1"
+	ref := fmt.Sprintf("%s:%s", repo, tag)
+	as, artifactDigest := setupNewStore(t, ref, nil, nil)
+
+	// Test with a valid named reference - should find the artifact in the store
+	asr, err := NewArtifactStorageReference(ref, as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.Ref)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", asr.Ref.String())
+	assert.False(t, asr.IsDigested)
+	assert.NotNil(t, asr.ArtifactFromStore)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", asr.ArtifactFromStore.Name)
+
+	// Lookup by Digest
+	asr, err = NewArtifactStorageReference(fmt.Sprintf("%s@%s", repo, artifactDigest.String()), as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.ArtifactFromStore)
+	assert.True(t, asr.IsDigested)
+	assert.NotNil(t, asr.ArtifactFromStore)
+}
+
+func TestNewArtifactStorageReference_AutoTagLatest(t *testing.T) {
+	repoNameOnly := "quay.io/podman/machine-os"
+	as, _ := setupNewStore(t, repoNameOnly, nil, nil)
+
+	// Test with a reference without a tag (should auto-add :latest)
+	asr, err := NewArtifactStorageReference(repoNameOnly, as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.Ref)
+	assert.Equal(t, fmt.Sprintf("%s:latest", repoNameOnly), asr.Ref.String())
+	assert.False(t, asr.IsDigested)
+}
+
+func TestNewArtifactStorageReference_InvalidReference(t *testing.T) {
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	// Create an artifact store
+	as, err := NewArtifactStore(storePath, sc)
+	require.NoError(t, err)
+	require.NotNil(t, as)
+
+	// Test with an invalid reference that also doesn't exist in the store
+	// This should fail both as a reference parse and as a store lookup
+	_, err = NewArtifactStorageReference("nonexistent-digest-12345", as)
+	assert.Error(t, err)
+}
+
+func TestNewArtifactStorageReference_EmptyString(t *testing.T) {
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	// Create an artifact store
+	as, err := NewArtifactStore(storePath, sc)
+	require.NoError(t, err)
+	require.NotNil(t, as)
+
+	// Test with empty string
+	_, err = NewArtifactStorageReference("", as)
+	assert.Error(t, err)
+}
+
+func TestStringToNamed(t *testing.T) {
+	// Test valid named reference
+	named, err := stringToNamed("quay.io/podman/machine-os:5.1")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", named.String())
+
+	// Test reference without tag (should add :latest)
+	named, err = stringToNamed("quay.io/podman/machine-os")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os:latest", named.String())
+
+	// Test reference with digest
+	named, err = stringToNamed("quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b", named.String())
+
+	// Test invalid reference
+	_, err = stringToNamed("invalid::reference")
+	assert.Error(t, err)
+
+	// Test empty string
+	_, err = stringToNamed("")
+	assert.Error(t, err)
+}
+
+func TestNewArtifactStore(t *testing.T) {
+	// Test with valid absolute path
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	as, err := NewArtifactStore(storePath, sc)
+	assert.NoError(t, err)
+	assert.NotNil(t, as)
+	assert.Equal(t, storePath, as.storePath)
+
+	// Verify the index file was created
+	indexPath := filepath.Join(storePath, "index.json")
+	_, err = os.Stat(indexPath)
+	assert.NoError(t, err)
+
+	// Test with empty path
+	_, err = NewArtifactStore("", sc)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "store path cannot be empty")
+
+	// Test with relative path
+	_, err = NewArtifactStore("relative/path", sc)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "must be absolute")
+}