fix: duplicates entries for cosign signatures in metadb

Signed-off-by: Andreea-Lupu <[email protected]>
project-zot · Oct 26, 2023 · 1e1f4f5 · 1e1f4f5
1 parent a3d85b4
commit 1e1f4f5
Show file tree

Hide file tree

Showing 9 changed files with 90 additions and 15 deletions.
diff --git a/pkg/extensions/sync/references/references.go b/pkg/extensions/sync/references/references.go
@@ -244,6 +244,7 @@ func addSigToMeta(
 	return metaDB.AddManifestSignature(repo, signedManifestDig, mTypes.SignatureMetadata{
 		SignatureType:   sigType,
 		SignatureDigest: referenceDigest.String(),
+		SignatureTag:    tag,
 		LayersInfo:      layersInfo,
 	})
 }
diff --git a/pkg/meta/boltdb/boltdb.go b/pkg/meta/boltdb/boltdb.go
@@ -952,10 +952,37 @@ func (bdw *BoltDB) AddManifestSignature(repo string, signedManifestDigest godige
 
 		signatureSlice := manifestSignatures[sygMeta.SignatureType]
 		if !common.SignatureAlreadyExists(signatureSlice, sygMeta) {
-			signatureSlice = append(signatureSlice, mTypes.SignatureInfo{
-				SignatureManifestDigest: sygMeta.SignatureDigest,
-				LayersInfo:              sygMeta.LayersInfo,
-			})
+			if sygMeta.SignatureType == zcommon.NotationSignature {
+				signatureSlice = append(signatureSlice, mTypes.SignatureInfo{
+					SignatureManifestDigest: sygMeta.SignatureDigest,
+					LayersInfo:              sygMeta.LayersInfo,
+				})
+			} else if sygMeta.SignatureType == zcommon.CosignSignature {
+				newCosignSig := mTypes.SignatureInfo{
+					SignatureManifestDigest: sygMeta.SignatureDigest,
+					LayersInfo:              sygMeta.LayersInfo,
+				}
+
+				if common.IsCosignTag(sygMeta.SignatureTag) {
+					// the entry for "sha256-{digest}.sig" signatures should be overwritten if
+					// it exists or added on the first position if it doesn't exists
+					if len(signatureSlice) == 0 {
+						signatureSlice = []mTypes.SignatureInfo{newCosignSig}
+					} else {
+						signatureSlice[0] = newCosignSig
+					}
+				} else {
+					// the first position should be reserved for "sha256-{digest}.sig" signatures
+					if len(signatureSlice) == 0 {
+						signatureSlice = []mTypes.SignatureInfo{{
+							SignatureManifestDigest: "undefined",
+							LayersInfo:              []mTypes.LayerInfo{},
+						}}
+					}
+
+					signatureSlice = append(signatureSlice, newCosignSig)
+				}
+			}
 		}
 
 		manifestSignatures[sygMeta.SignatureType] = signatureSlice

diff --git a/pkg/meta/boltdb/boltdb_test.go b/pkg/meta/boltdb/boltdb_test.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"math"
 	"testing"
 	"time"
@@ -506,28 +507,33 @@ func TestWrapperErrors(t *testing.T) {
 			})
 			So(err, ShouldBeNil)
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			signedManifestDigest := digest.FromString("dig")
+			signatureTag := fmt.Sprintf("sha256-%s.sig", signedManifestDigest.Encoded())
+
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "cosign",
+					SignatureTag:    signatureTag,
 					SignatureDigest: "digest1",
 				})
 			So(err, ShouldBeNil)
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "cosign",
+					SignatureTag:    signatureTag,
 					SignatureDigest: "digest2",
 				})
 			So(err, ShouldBeNil)
 
 			repoData, err := boltdbWrapper.GetRepoMeta("repo1")
 			So(err, ShouldBeNil)
-			So(len(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature]),
-				ShouldEqual, 2)
-			So(repoData.Signatures[string(digest.FromString("dig"))][zcommon.CosignSignature][0].SignatureManifestDigest,
-				ShouldEqual, "digest1")
+			So(len(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature]),
+				ShouldEqual, 1)
+			So(repoData.Signatures[string(signedManifestDigest)][zcommon.CosignSignature][0].SignatureManifestDigest,
+				ShouldEqual, "digest2")
 
-			err = boltdbWrapper.AddManifestSignature("repo1", digest.FromString("dig"),
+			err = boltdbWrapper.AddManifestSignature("repo1", signedManifestDigest,
 				mTypes.SignatureMetadata{
 					SignatureType:   "notation",
 					SignatureDigest: "digest2",

diff --git a/pkg/meta/common/common.go b/pkg/meta/common/common.go
@@ -3,6 +3,7 @@ package common
 import (
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -344,3 +345,9 @@ func InitializeImageConfig(blob []byte) ispec.Image {
 
 	return configContent
 }
+
+func IsCosignTag(tag string) bool {
+	cosignTagRule := regexp.MustCompile(`sha256\-.+\.sig`)
+
+	return cosignTagRule.MatchString(tag)
+}
diff --git a/pkg/meta/dynamodb/dynamodb.go b/pkg/meta/dynamodb/dynamodb.go
@@ -818,10 +818,37 @@ func (dwr *DynamoDB) AddManifestSignature(repo string, signedManifestDigest godi
 
 	signatureSlice := manifestSignatures[sygMeta.SignatureType]
 	if !common.SignatureAlreadyExists(signatureSlice, sygMeta) {
-		signatureSlice = append(signatureSlice, mTypes.SignatureInfo{
-			SignatureManifestDigest: sygMeta.SignatureDigest,
-			LayersInfo:              sygMeta.LayersInfo,
-		})
+		if sygMeta.SignatureType == zcommon.NotationSignature {
+			signatureSlice = append(signatureSlice, mTypes.SignatureInfo{
+				SignatureManifestDigest: sygMeta.SignatureDigest,
+				LayersInfo:              sygMeta.LayersInfo,
+			})
+		} else if sygMeta.SignatureType == zcommon.CosignSignature {
+			newCosignSig := mTypes.SignatureInfo{
+				SignatureManifestDigest: sygMeta.SignatureDigest,
+				LayersInfo:              sygMeta.LayersInfo,
+			}
+
+			if common.IsCosignTag(sygMeta.SignatureTag) {
+				// the entry for "sha256-{digest}.sig" signatures should be overwritten if
+				// it exists or added on the first position if it doesn't exists
+				if len(signatureSlice) == 0 {
+					signatureSlice = []mTypes.SignatureInfo{newCosignSig}
+				} else {
+					signatureSlice[0] = newCosignSig
+				}
+			} else {
+				// the first position should be reserved for "sha256-{digest}.sig" signatures
+				if len(signatureSlice) == 0 {
+					signatureSlice = []mTypes.SignatureInfo{{
+						SignatureManifestDigest: "undefined",
+						LayersInfo:              []mTypes.LayerInfo{},
+					}}
+				}
+
+				signatureSlice = append(signatureSlice, newCosignSig)
+			}
+		}
 	}
 
 	manifestSignatures[sygMeta.SignatureType] = signatureSlice

diff --git a/pkg/meta/hooks.go b/pkg/meta/hooks.go
@@ -48,6 +48,7 @@ func OnUpdateManifest(repo, reference, mediaType string, digest godigest.Digest,
 			err = metaDB.AddManifestSignature(repo, signedManifestDigest, mTypes.SignatureMetadata{
 				SignatureType:   signatureType,
 				SignatureDigest: digest.String(),
+				SignatureTag:    reference,
 				LayersInfo:      layersInfo,
 			})
 			if err != nil {

diff --git a/pkg/meta/meta_test.go b/pkg/meta/meta_test.go
@@ -1330,6 +1330,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func
 
 			err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{
 				SignatureType:   "cosign",
+				SignatureTag:    fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()),
 				SignatureDigest: "digest",
 			})
 			So(err, ShouldBeNil)
@@ -1365,6 +1366,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func
 				err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{
 					SignatureType:   "cosign",
 					SignatureDigest: string(manifestDigest1),
+					SignatureTag:    fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()),
 					LayersInfo:      []mTypes.LayerInfo{layerInfo},
 				})
 				So(err, ShouldBeNil)
@@ -1493,6 +1495,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func
 
 			err := metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{
 				SignatureType:   "cosign",
+				SignatureTag:    fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()),
 				SignatureDigest: "digest",
 			})
 			So(err, ShouldBeNil)
@@ -1527,6 +1530,7 @@ func RunMetaDBTests(t *testing.T, metaDB mTypes.MetaDB, preparationFuncs ...func
 
 			err = metaDB.AddManifestSignature(repo1, manifestDigest1, mTypes.SignatureMetadata{
 				SignatureType:   "cosign",
+				SignatureTag:    fmt.Sprintf("sha256-%s.sig", manifestDigest1.Encoded()),
 				SignatureDigest: "digest",
 			})
 			So(err, ShouldBeNil)

diff --git a/pkg/meta/parse.go b/pkg/meta/parse.go
@@ -111,6 +111,7 @@ func ParseRepo(repo string, metaDB mTypes.MetaDB, storeController storage.StoreC
 				mTypes.SignatureMetadata{
 					SignatureType:   signatureType,
 					SignatureDigest: descriptor.Digest.String(),
+					SignatureTag:    tag,
 					LayersInfo:      layers,
 				})
 			if err != nil {

diff --git a/pkg/meta/types/types.go b/pkg/meta/types/types.go
@@ -248,6 +248,7 @@ type SignatureInfo struct {
 type SignatureMetadata struct {
 	SignatureType   string
 	SignatureDigest string
+	SignatureTag    string
 	LayersInfo      []LayerInfo
 }