Merge pull request from GHSA-55r9-5mx9-qq7r

when a client pushes an image zot's inline dedupe
will try to find the blob path corresponding with the blob digest
that it's currently pushed and if it's found in the cache
then zot will make a symbolic link to that cache entry and report
to the client that the blob already exists on the location.

Before this patch authorization was not applied on this process meaning
that a user could copy blobs without having permissions on the source repo.

Added a rule which says that the client should have read permissions on the source repo
before deduping, otherwise just Stat() the blob and return the corresponding status code.

Signed-off-by: Petu Eusebiu <peusebiu@cisco.com>
Co-authored-by: Petu Eusebiu <peusebiu@cisco.com>

pkg/test/mocks/cache_mock.go

@@ -6,6 +6,8 @@ type CacheMock struct {
 	// Returns the human-readable "name" of the driver.
 	NameFn func() string
 
+	GetAllBlobsFn func(digest godigest.Digest) ([]string, error)
+
 	// Retrieves the blob matching provided digest.
 	GetBlobFn func(digest godigest.Digest) (string, error)
 
@@ -68,3 +70,11 @@ func (cacheMock CacheMock) DeleteBlob(digest godigest.Digest, path string) error
 
 	return nil
 }
+
+func (cacheMock CacheMock) GetAllBlobs(digest godigest.Digest) ([]string, error) {
+	if cacheMock.GetAllBlobsFn != nil {
+		return cacheMock.GetAllBlobsFn(digest)
+	}
+
+	return []string{}, nil
+}