Feature/docker validate sha (#1386)

* Add --validate-sha flag for Docker push command

Author: agrasth

artifactory/utils/container/buildinfo.go

@@ -2,11 +2,12 @@ package container
 
 import (
 	"encoding/json"
-	ioutils "github.com/jfrog/gofrog/io"
 	"os"
 	"path"
 	"strings"
 
+	ioutils "github.com/jfrog/gofrog/io"
+
 	buildinfo "github.com/jfrog/build-info-go/entities"
 
 	artutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
@@ -91,10 +92,23 @@ func (builder *buildInfoBuilder) getSearchableRepo() string {
 
 // Set build properties on image layers in Artifactory.
 func setBuildProperties(buildName, buildNumber, project string, imageLayers []utils.ResultItem, serviceManager artifactory.ArtifactoryServicesManager) (err error) {
+	// Skip if no build info is provided
+	if buildName == "" || buildNumber == "" {
+		log.Debug("Skipping setting properties - build name and build number are required")
+		return nil
+	}
+
 	props, err := build.CreateBuildProperties(buildName, buildNumber, project)
 	if err != nil {
 		return
 	}
+
+	// Skip if no properties were created
+	if len(props) == 0 {
+		log.Debug("Skipping setting properties - no properties created")
+		return nil
+	}
+
 	pathToFile, err := writeLayersToFile(imageLayers)
 	if err != nil {
 		return

artifactory/utils/container/remoteagent.go

@@ -53,16 +53,14 @@ func (rabib *RemoteAgentBuildInfoBuilder) Build(module string) (*buildinfo.Build
 // Search for image manifest and layers in Artifactory.
 func (rabib *RemoteAgentBuildInfoBuilder) handleManifest(resultMap map[string]*utils.ResultItem) (map[string]*utils.ResultItem, *manifest, error) {
 	if manifest, ok := resultMap["manifest.json"]; ok {
-		err := rabib.isVerifiedManifest(manifest)
-		if err != nil {
-			return nil, nil, err
-
+		if !rabib.isVerifiedManifest(manifest) {
+			log.Debug("Manifest verification failed, continuing with SHA-based validation...")
 		}
 		manifest, err := getManifest(resultMap, rabib.buildInfoBuilder.serviceManager, rabib.buildInfoBuilder.repositoryDetails.key)
 		if err != nil {
 			return nil, nil, err
 		}
-		// // Manifest may hold 'empty layers'. As a result, promotion will fail to promote the same layer more than once.
+		// Manifest may hold 'empty layers'. As a result, promotion will fail to promote the same layer more than once.
 		rabib.buildInfoBuilder.imageSha2 = manifest.Config.Digest
 		log.Debug("Found manifest.json. Proceeding to create build-info.")
 		return resultMap, manifest, nil
@@ -95,6 +93,8 @@ func (rabib *RemoteAgentBuildInfoBuilder) searchImage() (resultMap map[string]*u
 	// Search image's manifest.
 	manifestPathsCandidates := getManifestPaths(imagePath, rabib.buildInfoBuilder.getSearchableRepo(), Push)
 	log.Debug("Start searching for image manifest.json")
+
+	// First try standard tag-based search
 	for _, path := range manifestPathsCandidates {
 		log.Debug(`Searching in:"` + path + `"`)
 		resultMap, err = performSearch(path, rabib.buildInfoBuilder.serviceManager)
@@ -108,15 +108,39 @@ func (rabib *RemoteAgentBuildInfoBuilder) searchImage() (resultMap map[string]*u
 			return resultMap, nil
 		}
 	}
+
+	// If tag-based search failed and we have a SHA, try SHA-based search
+	if rabib.manifestSha2 != "" {
+		log.Debug("Tag-based search failed. Trying SHA-based search with: " + rabib.manifestSha2)
+		// Extract repository path without tag
+		repoPath := imagePath[:strings.LastIndex(imagePath, "/")]
+		// Convert SHA format from sha256:xxx to sha256__xxx for Artifactory path format
+		shaPath := strings.Replace(rabib.manifestSha2, ":", "__", 1)
+		// Search for the image using SHA path
+		shaSearchPath := repoPath + "/" + shaPath + "/*"
+		log.Debug(`Searching by SHA in:"` + shaSearchPath + `"`)
+		resultMap, err = performSearch(shaSearchPath, rabib.buildInfoBuilder.serviceManager)
+		if err != nil {
+			return nil, err
+		}
+		if resultMap != nil && (resultMap["list.manifest.json"] != nil || resultMap["manifest.json"] != nil) {
+			log.Info("Found image by SHA digest in repository")
+			return resultMap, nil
+		}
+	}
+
 	return nil, errorutils.CheckErrorf(imageNotFoundErrorMessage, rabib.buildInfoBuilder.image.name)
 }
 
-// Verify manifest's sha256. If there is no match, return nil.
-func (rabib *RemoteAgentBuildInfoBuilder) isVerifiedManifest(imageManifest *utils.ResultItem) error {
+// Verify manifest's sha256. Returns true if manifest is verified, false otherwise.
+func (rabib *RemoteAgentBuildInfoBuilder) isVerifiedManifest(imageManifest *utils.ResultItem) bool {
 	if imageManifest.GetProperty("docker.manifest.digest") != rabib.manifestSha2 {
-		return errorutils.CheckErrorf(`Found incorrect manifest.json file. Expects digest "` + rabib.manifestSha2 + `" found "` + imageManifest.GetProperty("docker.manifest.digest"))
+		manifestDigest := imageManifest.GetProperty("docker.manifest.digest")
+		log.Warn("Manifest digest mismatch detected. Local image digest: " + rabib.manifestSha2 + ", Repository digest: " + manifestDigest)
+		log.Info("Proceeding with SHA-based validation to ensure correct image identification...")
+		return false
 	}
-	return nil
+	return true
 }
 
 func getFatManifestRoot(fatManifestPath string) string {

utils/coreutils/cmdutils.go

@@ -1,11 +1,12 @@
 package coreutils
 
 import (
-	"github.com/forPelevin/gomoji"
-	"github.com/jfrog/jfrog-client-go/utils/log"
 	"strconv"
 	"strings"
 
+	"github.com/forPelevin/gomoji"
+	"github.com/jfrog/jfrog-client-go/utils/log"
+
 	"github.com/gookit/color"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 )
@@ -169,6 +170,11 @@ func ExtractSkipLoginFromArgs(args []string) (cleanArgs []string, skipLogin bool
 	return extractBoolOptionFromArgs(args, "skip-login")
 }
 
+// Used by docker
+func ExtractBoolFlagFromArgs(args []string, flagName string) (cleanArgs []string, flagValue bool, err error) {
+	return extractBoolOptionFromArgs(args, flagName)
+}
+
 // Used by docker
 func ExtractFailFromArgs(args []string) (cleanArgs []string, fail bool, err error) {
 	return extractBoolOptionFromArgs(args, "fail")