Add index.json validation

[zhouhao3]

if the ManifestList exists, it needs to be validated
Signed-off-by: zhouhao [email protected]

[vbatts]

LGTM
for a first pass

[wking]

The validation approach here is strange. Instead of:

1. Walk from the initial descriptor to a manifest, validating the manifest if you find one.
2. Walk from the initial descriptor to a manifest list, validating the manifest list if you find one.
3. Walk from the initial descriptor to …

I'd rather land opencontainers/image-spec#403 and use:

1. Get an initial descriptor.
2. Fetch the object referenced by the descriptor.
3. Run the appropriate intra-blob validation on it (opencontainers/image-spec#403).
4. For any children referenced from the blob, recurse to (2).

[wking]

The consensus seems to be that this sort of intra-JSON-blob validation should live in image-spec.

[wking]

Mixing camelCase and underscores is strange. This should probably be findManifestList, although now that we have #29's (r *tarReader) Get and will hopefully soon have #5's CAS engine, I don't see much point to the find* functions.

[wking]

This is currently raising:

d.Descriptor.validate undefined (type "github.com/opencontainers/image-tools/vendor/github.com/opencontainers/image-spec/specs-go".Descriptor has no field or method validate)

That's because this repo currently defines it's own descriptor type which has a validate method, but you're using the spec's Descriptor which does not have that method. Validating descriptors will become easier with opencontainers/image-spec#403, but until then you'll want to convert your image-spec Descriptor to an image-tools descriptor before calling the local validate method.

[zhouhao3]

But the manifest also have spec's Descriptor, it can use validate ,I think as long as the manifest file to the Descriptor as specific, you can call.

[wking]

The Manifests → ManifestDescriptor change has hidden my earlier comment, but I think it's important enough to re-post with more visibility:

The consensus seems to be that this sort of intra-JSON-blob validation should live in image-spec. So I think checkPlatform belongs in image-spec, and not here.

[coolljt0725]

@q384566678 build failed

image/image.go:98: cannot use err (type error) as type string in argument to strings.Contains
image/manifest_list.go:37: undefined: io in io.Reader
image/manifest_list.go:42: undefined: ioutil in ioutil.ReadAll
image/manifest_list.go:47: undefined: bytes in bytes.NewReader
image/manifest_list.go:72: d.Descriptor.validate undefined (type "github.com/opencontainers/image-tools/vendor/github.com/opencontainers/image-spec/specs-go".Descriptor has no field or method validate)

[zhouhao3]

I know,I'm trying to fix that @coolljt0725

[wking]

On Mon, Oct 31, 2016 at 01:54:49AM -0700, Zhou Hao wrote:

• if err := d.Descriptor.validate(w, []string{v1.MediaTypeImageConfig}); err != nil {
  

But the manifest also have spec's
Descriptor,
it can use
validate
,I think as long as the manifest file to the Descriptor as specific,
you can call.

That validate call is using the image-tools-specific manifest 1,
which uses the image-tools-specific descriptor 2. I don't think
image-tools-specific types are a good pattern to follow, but you'll
need to convert v1.Descriptors to image-tools-specific descriptors
before you can call the image-tools-specific-descriptor's Validate
3. Ideally these would all be functions that took the image-spec
types.

[coolljt0725]

At the moment, the manifest list is OPTIONAL(https://github.com/opencontainers/image-spec/blob/master/manifest-list.md#oci-image-manifest-list-specification) , so we should not error out if there is no manifest list

[zhouhao3]

Yes, I was in accordance with the idea to write, I first made a judgment on the error message, if it is because there is no manifest list and return, not error out.（There is one“!” symbol follows the if）

[coolljt0725]

Should we findManifestList first and if manifest_list exists, then extract the manifest from the manifest_list and then validate the manifest?

I +1 with @wking 's proposal

I'd rather land opencontainers/image-spec#403 and use:

Get an initial descriptor.
Fetch the object referenced by the descriptor.
Run the appropriate intra-blob validation on it (opencontainers/image-spec#403).
For any children referenced from the blob, recurse to (2).

[coolljt0725]

You need to fix the exist test:

1. createRefFile needs to point to the manifest list
2. add a createManifestlistFile to add a manifest list blob which contains the manifest.

[coolljt0725]

This seems not correct, findManifestList(w, d) here just assume the d is a manifest list, but actually, d could be manifest or manifest list. This is why the test failed.

--- FAIL: TestValidateLayout (0.03s)
    image_test.go:175: blobs/sha256/3b6be0edf862ac9e6e790fb010cf26770d9ab266f3ff81b5b82f0cf8d6f7d1a6: manifestlist validation failed: [manifests: manifests is required]

I think we should check the d after d.validate(w, validRefMediaTypes), if it is a manifest, then go to findManifest, if it is a manifest list, then go to findManifestList

[zhouhao3]

Nice,I will do that.Thank you for your suggestion.

[coolljt0725]

test failed

go test -race -cover github.com/opencontainers/image-tools/cmd/oci-create-runtime-bundle github.com/opencontainers/image-tools/cmd/oci-image-validate github.com/opencontainers/image-tools/cmd/oci-unpack github.com/opencontainers/image-tools/image
?       github.com/opencontainers/image-tools/cmd/oci-create-runtime-bundle [no test files]
?       github.com/opencontainers/image-tools/cmd/oci-image-validate    [no test files]
?       github.com/opencontainers/image-tools/cmd/oci-unpack    [no test files]
--- FAIL: TestValidateLayout (0.03s)
    image_test.go:175: blobs/sha256/f175ad817b1c75958e74e224f57b17d3a3e746bc434737b1bde837dbe7d33409: manifest validation failed: [config: config is required layers: layers is required]
FAIL
coverage: 29.3% of statements
FAIL    github.com/opencontainers/image-tools/image 0.096s
make: *** [test] Error 1

[zhouhao3]

@vbatts @coolljt0725 @cyphar @xiekeyang @stevvooe @jonboulle I updated test file, PTAL.

[stevvooe]

I still don't know how to use this from this description. Is there an example?

[zhouhao3]

@stevvooe I have modified the introduction of information and added examples. PTAL

[zhouhao3]

reping @opencontainers/image-tools-maintainers

[cyphar]

Just to make sure, if I want to validate an entire image with ./oci-image-tool validate --type imageLayout it will still work? In other words, is the --platform filter the same as the --ref filter in that they don't filter anything if you don't specify them?

[cyphar]

Either this should be checked far earlier (when you do the splitting) or you should only split it here. I would prefer if you just passed the string down to filterManifest and then you verify the arguments here.

[zhouhao3]

updated.Thanks for your advice.

[zhouhao3]

Just to make sure, if I want to validate an entire image with ./oci-image-tool validate --type imageLayout it will still work?

Yes.

In other words, is the --platform filter the same as the --ref filter in that they don't filter anything if you don't specify them?

Yes, just to filter the manifest in certain circumstances.

[cyphar]

LGTM, thanks.

[zhouhao3]

ping @coolljt0725 @xiekeyang @stevvooe

[xiekeyang]

LGTM

It is OK from my side, PTAL from others.

[zhouhao3]

If someone else has no objection, I will merge it tomorrow.

[zhouhao3]

@cyphar @xiekeyang @coolljt0725 rebased, PTAL, thanks

[zhouhao3]

reping @vbatts @coolljt0725 @xiekeyang @cyphar @stevvooe PTAL

[xiekeyang]

LGTM

[cyphar]

LGTM.