fix(sync): fixed way of updating repodb when syncing a signature (#1439)

Signed-off-by: Laurentiu Niculae <niculae.laurentiu1@gmail.com>
2026-06-16 20:38:08 +08:00 · 2023-05-15 12:02:23 +03:00
parent bf4b2b9b45
commit 7bf40e7308
15 changed files with 284 additions and 276 deletions
@@ -180,7 +180,7 @@ func (sig *signaturesCopier) syncCosignSignature(localRepo, remoteRepo, digestSt
 	}

 	// push manifest
-	_, _, err = imageStore.PutImageManifest(localRepo, cosignTag,
+	signatureDigest, _, err := imageStore.PutImageManifest(localRepo, cosignTag,
 		ispec.MediaTypeImageManifest, cosignManifestBuf)
 	if err != nil {
 		sig.log.Error().Str("errorType", common.TypeOf(err)).
@@ -193,9 +193,10 @@ func (sig *signaturesCopier) syncCosignSignature(localRepo, remoteRepo, digestSt
 		sig.log.Debug().Str("repository", localRepo).Str("digest", digestStr).
 			Msg("trying to sync cosign signature for repo digest")

-		err = repodb.SetMetadataFromInput(localRepo, cosignTag, ispec.MediaTypeImageManifest,
-			godigest.FromBytes(cosignManifestBuf), cosignManifestBuf, sig.storeController.GetImageStore(localRepo),
-			sig.repoDB, sig.log)
+		err := sig.repoDB.AddManifestSignature(localRepo, godigest.Digest(digestStr), repodb.SignatureMetadata{
+			SignatureType:   repodb.CosignType,
+			SignatureDigest: signatureDigest.String(),
+		})
 		if err != nil {
 			return fmt.Errorf("failed to set metadata for cosign signature '%s@%s': %w", localRepo, digestStr, err)
 		}
@@ -258,7 +259,7 @@ func (sig *signaturesCopier) syncORASRefs(localRepo, remoteRepo, digestStr strin
 			}
 		}

-		_, _, err = imageStore.PutImageManifest(localRepo, ref.Digest.String(),
+		signatureDigest, _, err := imageStore.PutImageManifest(localRepo, ref.Digest.String(),
 			oras.MediaTypeArtifactManifest, body)
 		if err != nil {
 			sig.log.Error().Str("errorType", common.TypeOf(err)).
@@ -272,8 +273,10 @@ func (sig *signaturesCopier) syncORASRefs(localRepo, remoteRepo, digestStr strin
 			sig.log.Debug().Str("repository", localRepo).Str("digest", digestStr).
 				Msg("trying to sync oras artifact for digest")

-			err = repodb.SetMetadataFromInput(localRepo, ref.Digest.String(), ref.MediaType,
-				ref.Digest, body, sig.storeController.GetImageStore(localRepo), sig.repoDB, sig.log)
+			err := sig.repoDB.AddManifestSignature(localRepo, godigest.Digest(digestStr), repodb.SignatureMetadata{
+				SignatureType:   repodb.NotationType,
+				SignatureDigest: signatureDigest.String(),
+			})
 			if err != nil {
 				return fmt.Errorf("failed to set metadata for oras artifact '%s@%s': %w", localRepo, digestStr, err)
 			}
@@ -371,9 +374,22 @@ func (sig *signaturesCopier) syncOCIRefs(localRepo, remoteRepo, digestStr string
 		if sig.repoDB != nil {
 			sig.log.Debug().Str("repository", localRepo).Str("digest", digestStr).Msg("trying to add OCI refs for repo digest")

-			err = repodb.SetMetadataFromInput(localRepo, digestStr, ref.MediaType,
-				digest, OCIRefBody, sig.storeController.GetImageStore(localRepo),
-				sig.repoDB, sig.log)
+			isSig, _, signedManifestDig, err := storage.CheckIsImageSignature(localRepo, OCIRefBody, ref.Digest.String())
+			if err != nil {
+				return fmt.Errorf("failed to set metadata for OCI ref in '%s@%s': %w", localRepo, digestStr, err)
+			}
+
+			if isSig {
+				err = sig.repoDB.AddManifestSignature(localRepo, signedManifestDig, repodb.SignatureMetadata{
+					SignatureType:   repodb.NotationType,
+					SignatureDigest: digestStr,
+				})
+			} else {
+				err = repodb.SetImageMetaFromInput(localRepo, digestStr, ref.MediaType,
+					digest, OCIRefBody, sig.storeController.GetImageStore(localRepo),
+					sig.repoDB, sig.log)
+			}
+
 			if err != nil {
 				return fmt.Errorf("failed to set metadata for OCI ref in '%s@%s': %w", localRepo, digestStr, err)
 			}
@@ -41,6 +41,7 @@ import (
 	syncconf "zotregistry.io/zot/pkg/extensions/config/sync"
 	"zotregistry.io/zot/pkg/extensions/sync"
 	logger "zotregistry.io/zot/pkg/log"
+	"zotregistry.io/zot/pkg/meta/repodb"
 	"zotregistry.io/zot/pkg/storage"
 	"zotregistry.io/zot/pkg/storage/local"
 	"zotregistry.io/zot/pkg/test"
@@ -3637,6 +3638,97 @@ func TestSignatures(t *testing.T) {
 	})
 }

+func getPortFromBaseURL(baseURL string) string {
+	slice := strings.Split(baseURL, ":")
+
+	return slice[len(slice)-1]
+}
+
+func TestSyncedSignaturesRepoDB(t *testing.T) {
+	Convey("Verify that repodb update correctly when syncing a signature", t, func() {
+		repoName := "signed-repo"
+		tag := "random-signed-image"
+		updateDuration := 30 * time.Minute
+
+		// Create source registry
+
+		sctlr, srcBaseURL, srcDir, _, _ := makeUpstreamServer(t, false, false)
+		t.Log(srcDir)
+		srcPort := getPortFromBaseURL(srcBaseURL)
+
+		scm := test.NewControllerManager(sctlr)
+		scm.StartAndWait(sctlr.Config.HTTP.Port)
+		defer scm.StopServer()
+
+		// Push an image
+		destImage, err := test.GetRandomImage(tag)
+		So(err, ShouldBeNil)
+
+		signedImageDigest, err := destImage.Digest()
+		So(err, ShouldBeNil)
+
+		err = test.UploadImage(destImage, srcBaseURL, repoName)
+		So(err, ShouldBeNil)
+
+		err = test.SignImageUsingNotary(repoName+":"+tag, srcPort)
+		So(err, ShouldBeNil)
+
+		err = test.SignImageUsingCosign(repoName+":"+tag, srcPort)
+		So(err, ShouldBeNil)
+
+		// Create destination registry
+		var (
+			regex      = ".*"
+			semver     = false
+			tlsVerify  = false
+			defaultVal = true
+		)
+
+		syncConfig := &syncconf.Config{
+			Enable: &defaultVal,
+			Registries: []syncconf.RegistryConfig{
+				{
+					Content: []syncconf.Content{
+						{
+							Prefix: repoName,
+							Tags:   &syncconf.Tags{Regex: &regex, Semver: &semver},
+						},
+					},
+					URLs:         []string{srcBaseURL},
+					PollInterval: updateDuration,
+					TLSVerify:    &tlsVerify,
+					CertDir:      "",
+					OnDemand:     true,
+				},
+			},
+		}
+
+		dctlr, destBaseURL, dstDir, _ := makeDownstreamServer(t, false, syncConfig)
+		t.Log(dstDir)
+
+		dcm := test.NewControllerManager(dctlr)
+		dcm.StartAndWait(dctlr.Config.HTTP.Port)
+		defer dcm.StopServer()
+
+		// Trigger SyncOnDemand
+		resp, err := resty.R().Get(destBaseURL + "/v2/" + repoName + "/manifests/" + tag)
+		So(err, ShouldBeNil)
+		So(resp.StatusCode(), ShouldEqual, http.StatusOK)
+
+		repoMeta, err := dctlr.RepoDB.GetRepoMeta(repoName)
+		So(err, ShouldBeNil)
+		So(repoMeta.Tags, ShouldContainKey, tag)
+		So(len(repoMeta.Tags), ShouldEqual, 1)
+		So(repoMeta.Signatures, ShouldContainKey, signedImageDigest.String())
+
+		imageSignatures := repoMeta.Signatures[signedImageDigest.String()]
+		So(imageSignatures, ShouldContainKey, repodb.CosignType)
+		So(len(imageSignatures[repodb.CosignType]), ShouldEqual, 1)
+		So(imageSignatures, ShouldContainKey, repodb.NotationType)
+		So(len(imageSignatures[repodb.NotationType]), ShouldEqual, 1)
+	})
+}
+
 func TestOnDemandRetryGoroutine(t *testing.T) {
 	Convey("Verify ondemand sync retries in background on error", t, func() {
 		srcPort := test.GetFreePort()
@@ -346,7 +346,7 @@ func pushSyncedLocalImage(localRepo, reference, localCachePath string,
 		}

 		if repoDB != nil {
-			err = repodb.SetMetadataFromInput(localRepo, reference, mediaType,
+			err = repodb.SetImageMetaFromInput(localRepo, reference, mediaType,
 				manifestDigest, manifestBlob, imageStore, repoDB, log)
 			if err != nil {
 				return fmt.Errorf("failed to set metadata for image '%s %s': %w", localRepo, reference, err)
@@ -403,7 +403,7 @@ func copyManifest(localRepo string, manifestContent []byte, reference string, re
 	}

 	if repoDB != nil {
-		err = repodb.SetMetadataFromInput(localRepo, reference, ispec.MediaTypeImageManifest,
+		err = repodb.SetImageMetaFromInput(localRepo, reference, ispec.MediaTypeImageManifest,
 			digest, manifestContent, imageStore, repoDB, log)
 		if err != nil {
 			log.Error().Str("errorType", common.TypeOf(err)).