images: Add list of Platforms to CheckAuthorization()

stefanberger · lumjjb · commit 6fdd9818a4d8 · 2022-03-21T09:52:07.000-04:00
To be able to properly perform an authorization check on an image we need to know the platform to perform check when in cryptManifestList(). Extend the logic for cryptoOp == cryptoOpUnwrapOnly to skip over manifests that do not correspond to the local platform and return an error if no manifest was found that matches the local platform. The following projects seem NOT to be affect due to the change in the code path of CheckAuthorization() since they are not using it: - cri-o - nerdctl - skopeo - buildah - podman The impact on imgcrypt via ctr-enc is not so clear either since CheckAuthorization() is not called on the server side but by the ctr-enc client, thus can be modified easily. Resolves: #69 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/images/encryption/encryption.go b/images/encryption/encryption.go
@@ -50,6 +50,13 @@ const (
 // LayerFilter allows to select Layers by certain criteria
 type LayerFilter func(desc ocispec.Descriptor) bool
 
+// isLocalPlatform determines whether the given platform matches the local one
+func isLocalPlatform(platform *ocispec.Platform) bool {
+	matcher := platforms.NewMatcher(*platform)
+
+	return matcher.Match(platforms.DefaultSpec())
+}
+
 // IsEncryptedDiff returns true if mediaType is a known encrypted media type.
 func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
 	switch mediaType {
@@ -380,6 +387,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
 	var newManifests []ocispec.Descriptor
 	modified := false
 	for _, manifest := range index.Manifests {
+		if cryptoOp == cryptoOpUnwrapOnly && !isLocalPlatform(manifest.Platform) {
+			continue
+		}
 		newManifest, m, err := cryptChildren(ctx, cs, manifest, cc, lf, cryptoOp, manifest.Platform)
 		if err != nil || cryptoOp == cryptoOpUnwrapOnly {
 			return ocispec.Descriptor{}, false, err
@@ -389,6 +399,9 @@ func cryptManifestList(ctx context.Context, cs content.Store, desc ocispec.Descr
 		}
 		newManifests = append(newManifests, newManifest)
 	}
+	if cryptoOp == cryptoOpUnwrapOnly {
+		return ocispec.Descriptor{}, false, fmt.Errorf("No manifest found for local platform")
+	}
 
 	if modified {
 		// we need to update the index
