libartifact: strong type where possible

common/go.mod

@@ -45,6 +45,7 @@ require (
 	go.etcd.io/bbolt v1.4.3
 	go.podman.io/image/v5 v5.38.0
 	go.podman.io/storage v1.61.0
+	go.step.sm/crypto v0.57.0
 	golang.org/x/crypto v0.44.0
 	golang.org/x/sync v0.18.0
 	golang.org/x/sys v0.38.0

common/go.sum

@@ -254,6 +254,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
 github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU=
 github.com/smallstep/pkcs7 v0.1.1/go.mod h1:dL6j5AIz9GHjVEBTXtW+QliALcgM19RtXaTeyxI+AfA=
 github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
@@ -325,6 +327,8 @@ go.podman.io/image/v5 v5.38.0 h1:aUKrCANkPvze1bnhLJsaubcfz0d9v/bSDLnwsXJm6G4=
 go.podman.io/image/v5 v5.38.0/go.mod h1:hSIoIUzgBnmc4DjoIdzk63aloqVbD7QXDMkSE/cvG90=
 go.podman.io/storage v1.61.0 h1:5hD/oyRYt1f1gxgvect+8syZBQhGhV28dCw2+CZpx0Q=
 go.podman.io/storage v1.61.0/go.mod h1:A3UBK0XypjNZ6pghRhuxg62+2NIm5lcUGv/7XyMhMUI=
+go.step.sm/crypto v0.57.0 h1:YjoRQDaJYAxHLVwjst0Bl0xcnoKzVwuHCJtEo2VSHYU=
+go.step.sm/crypto v0.57.0/go.mod h1:+Lwp5gOVPaTa3H/Ul/TzGbxQPXZZcKIUGMS0lG6n9Go=
 go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
 go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=

common/pkg/libartifact/artifact.go → common/pkg/libartifact/store/artifact.go

@@ -1,4 +1,4 @@
-package libartifact
+package store
 
 import (
 	"encoding/json"
@@ -7,6 +7,7 @@ import (
 
 	"github.com/opencontainers/go-digest"
 	"go.podman.io/common/pkg/libartifact/types"
+	"go.podman.io/image/v5/docker/reference"
 	"go.podman.io/image/v5/manifest"
 )
 
@@ -36,7 +37,7 @@ func (a *Artifact) GetName() (string, error) {
 	return "", types.ErrArtifactUnamed
 }
 
-// SetName is a accessor for setting the artifact name
+// SetName is an accessor for setting the artifact name
 // Note: long term this may not be needed, and we would
 // be comfortable with simply using the exported field
 // called Name.
@@ -55,16 +56,16 @@ func (a *Artifact) GetDigest() (*digest.Digest, error) {
 
 type ArtifactList []*Artifact
 
-// GetByNameOrDigest returns an artifact, if present, by a given name
+// getByNameOrDigest returns an artifact, if present, by a given name
 // Returns an error if not found.
-func (al ArtifactList) GetByNameOrDigest(nameOrDigest string) (*Artifact, bool, error) {
+func (al ArtifactList) getByNameOrDigest(nameOrDigest string) (*Artifact, bool, error) {
 	// This is the hot route through
 	for _, artifact := range al {
 		if artifact.Name == nameOrDigest {
 			return artifact, false, nil
 		}
 	}
-	// Before giving up, check by digest
+	// Before giving up, check by full or partial ID
 	for _, artifact := range al {
 		artifactDigest, err := artifact.GetDigest()
 		if err != nil {
@@ -75,5 +76,30 @@ func (al ArtifactList) GetByNameOrDigest(nameOrDigest string) (*Artifact, bool,
 			return artifact, true, nil
 		}
 	}
+	named, err := reference.ParseNamed(nameOrDigest)
+	if err != nil {
+		return nil, false, fmt.Errorf("invalid artifact: %q", nameOrDigest)
+	}
+
+	// And finally, check for things with a name and digest
+	// i.e. quay.io/podman/machine-os:sha256:7e952f1deece2717022d7cc066dd21d1468236560d23a79c80448d49b2048e99
+	if d, isDigested := named.(reference.Digested); isDigested {
+		for _, a := range al {
+			storedArtifactNamed, err := reference.ParseNamed(a.Name)
+			if err != nil {
+				return nil, false, err
+			}
+			if storedArtifactNamed.Name() == named.Name() {
+				artifactDigest, err := a.GetDigest()
+				if err != nil {
+					return nil, false, err
+				}
+				if d.Digest() == *artifactDigest {
+					return a, true, nil
+				}
+			}
+		}
+	}
+	// Nothing was found in the store that matches
 	return nil, false, fmt.Errorf("%s: %w", nameOrDigest, types.ErrArtifactNotExist)
 }

common/pkg/libartifact/store/reference.go

@@ -0,0 +1,100 @@
+//go:build !remote
+
+package store
+
+import (
+	"context"
+
+	"go.podman.io/image/v5/docker/reference"
+)
+
+type ArtifactReference struct {
+	reference.Named
+}
+
+// NewArtifactReference is a theoretical reference to an artifact.  It needs to be
+// a fully qualified oci reference except for tag, where we add
+// "latest" as the tag if tag is empty.  Valid references:
+//
+// quay.io/podman/machine-os:latest
+// quay.io/podman/machine-os
+// quay.io/podman/machine-os@sha256:916ede4b2b9012f91f63100f8ba82d07ed81bf8a55d23c1503285a22a9759a1e
+//
+// Note: Partial sha references and digests (IDs) are not allowed.
+func NewArtifactReference(input string) (ArtifactReference, error) {
+	ar := ArtifactReference{}
+	named, err := stringToNamed(input)
+	if err != nil {
+		return ArtifactReference{}, err
+	}
+	ar.Named = named
+	return ar, nil
+}
+
+func (ar ArtifactReference) IsDigested() bool {
+	_, isDigested := ar.Named.(reference.Digested)
+	return isDigested
+}
+
+type ArtifactStoreReference struct {
+	ArtifactFromStore *Artifact
+	IsDigested        bool
+	Ref               reference.Named
+}
+
+// NewArtifactStorageReference refers to an object already in the artifact store.  It
+// can be a name or a full or partial digest.  Conveniently, it also embeds the artifact
+// as part of its return.
+func NewArtifactStorageReference(nameOrDigest string, as *ArtifactStore) (ArtifactStoreReference, error) {
+	lookupInput := nameOrDigest
+	asf := ArtifactStoreReference{}
+	al, err := as.getArtifacts(context.Background(), nil)
+	if err != nil {
+		return ArtifactStoreReference{}, err
+	}
+
+	// Try to parse as a valid OCI reference
+	named, parseErr := stringToNamed(nameOrDigest)
+	if parseErr == nil {
+		lookupInput = named.String()
+	}
+
+	// Lookup in the store
+	a, isDigest, err := al.getByNameOrDigest(lookupInput)
+	if err != nil {
+		return ArtifactStoreReference{}, err
+	}
+
+	// If parsing failed, parse the artifact's name instead
+	if parseErr != nil {
+		fqName, err := a.GetName()
+		if err != nil {
+			return ArtifactStoreReference{}, err
+		}
+		named, err = stringToNamed(fqName)
+		if err != nil {
+			return ArtifactStoreReference{}, err
+		}
+	}
+
+	asf.Ref = named
+	asf.IsDigested = isDigest
+	asf.ArtifactFromStore = a
+	return asf, nil
+}
+
+// stringToNamed converts a string to a reference.Named.
+func stringToNamed(s string) (reference.Named, error) {
+	named, err := reference.ParseNamed(s)
+	if err != nil {
+		return ArtifactReference{}, err
+	}
+	// If the supplied input is neither tagged nor has
+	// a digest, then add "latest"
+	_, isTagged := named.(reference.Tagged)
+	_, isDigested := named.(reference.Digested)
+	if !isTagged && !isDigested {
+		named = reference.TagNameOnly(named)
+	}
+	return named, nil
+}

common/pkg/libartifact/store/reference_test.go

@@ -0,0 +1,186 @@
+package store
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.podman.io/image/v5/types"
+)
+
+func TestNewArtifactReference(t *testing.T) {
+	// Test valid reference
+	ar, err := NewArtifactReference("quay.io/podman/machine-os:5.1")
+	assert.NoError(t, err)
+	assert.NotNil(t, ar.Named)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", ar.Named.String())
+
+	// Test another valid reference
+	ar, err = NewArtifactReference("docker.io/library/nginx:latest")
+	assert.NoError(t, err)
+	assert.NotNil(t, ar.Named)
+
+	// Test invalid reference - empty string
+	_, err = NewArtifactReference("")
+	assert.Error(t, err)
+
+	// Test invalid reference - malformed
+	_, err = NewArtifactReference("invalid::reference")
+	assert.Error(t, err)
+
+	// Test latest is added when no tag is provided
+	ar, err = NewArtifactReference("quay.io/machine-os/podman")
+	assert.NoError(t, err)
+	assert.Equal(t, "quay.io/machine-os/podman:latest", ar.Named.String())
+
+	// Input with a digest is good
+	ar, err = NewArtifactReference("quay.io/machine-os/podman@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	assert.NoError(t, err)
+	assert.True(t, ar.IsDigested())
+
+	// Partial digests are a no-go
+	_, err = NewArtifactReference("quay.io/machine-os/podman@sha256:8b96f36deaf1d2")
+	assert.Error(t, err)
+
+	// "IDs" are also a no-go
+	_, err = NewArtifactReference("84ddb405470e733d0202d6946e48fc75a7ee231337bdeb31a8579407a7052d9e")
+	assert.Error(t, err)
+}
+
+func TestArtifactReference_IsDigested(t *testing.T) {
+	// Test reference with tag (not digested)
+	ar, err := NewArtifactReference("quay.io/podman/machine-os:5.1")
+	require.NoError(t, err)
+	assert.False(t, ar.IsDigested())
+
+	// Test reference with digest (digested)
+	ar, err = NewArtifactReference("quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	require.NoError(t, err)
+	assert.True(t, ar.IsDigested())
+
+	// Test reference with latest tag (not digested)
+	ar, err = NewArtifactReference("quay.io/podman/machine-os:latest")
+	require.NoError(t, err)
+	assert.False(t, ar.IsDigested())
+}
+
+func TestNewArtifactStorageReference_ValidReference(t *testing.T) {
+	repo := "quay.io/podman/machine-os"
+	tag := "5.1"
+	ref := fmt.Sprintf("%s:%s", repo, tag)
+	as, artifactDigest := setupNewStore(t, ref, nil, nil)
+
+	// Test with a valid named reference - should find the artifact in the store
+	asr, err := NewArtifactStorageReference(ref, as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.Ref)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", asr.Ref.String())
+	assert.False(t, asr.IsDigested)
+	assert.NotNil(t, asr.ArtifactFromStore)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", asr.ArtifactFromStore.Name)
+
+	// Lookup by Digest
+	asr, err = NewArtifactStorageReference(fmt.Sprintf("%s@%s", repo, artifactDigest.String()), as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.ArtifactFromStore)
+	assert.True(t, asr.IsDigested)
+	assert.NotNil(t, asr.ArtifactFromStore)
+}
+
+func TestNewArtifactStorageReference_AutoTagLatest(t *testing.T) {
+	repoNameOnly := "quay.io/podman/machine-os"
+	as, _ := setupNewStore(t, repoNameOnly, nil, nil)
+
+	// Test with a reference without a tag (should auto-add :latest)
+	asr, err := NewArtifactStorageReference(repoNameOnly, as)
+	assert.NoError(t, err)
+	assert.NotNil(t, asr.Ref)
+	assert.Equal(t, fmt.Sprintf("%s:latest", repoNameOnly), asr.Ref.String())
+	assert.False(t, asr.IsDigested)
+}
+
+func TestNewArtifactStorageReference_InvalidReference(t *testing.T) {
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	// Create an artifact store
+	as, err := NewArtifactStore(storePath, sc)
+	require.NoError(t, err)
+	require.NotNil(t, as)
+
+	// Test with an invalid reference that also doesn't exist in the store
+	// This should fail both as a reference parse and as a store lookup
+	_, err = NewArtifactStorageReference("nonexistent-digest-12345", as)
+	assert.Error(t, err)
+}
+
+func TestNewArtifactStorageReference_EmptyString(t *testing.T) {
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	// Create an artifact store
+	as, err := NewArtifactStore(storePath, sc)
+	require.NoError(t, err)
+	require.NotNil(t, as)
+
+	// Test with empty string
+	_, err = NewArtifactStorageReference("", as)
+	assert.Error(t, err)
+}
+
+func TestStringToNamed(t *testing.T) {
+	// Test valid named reference
+	named, err := stringToNamed("quay.io/podman/machine-os:5.1")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os:5.1", named.String())
+
+	// Test reference without tag (should add :latest)
+	named, err = stringToNamed("quay.io/podman/machine-os")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os:latest", named.String())
+
+	// Test reference with digest
+	named, err = stringToNamed("quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b")
+	assert.NoError(t, err)
+	assert.NotNil(t, named)
+	assert.Equal(t, "quay.io/podman/machine-os@sha256:8b96f36deaf1d2713858eebd9ef2fee9610df8452fbd083bbfa7dca66d6fcd0b", named.String())
+
+	// Test invalid reference
+	_, err = stringToNamed("invalid::reference")
+	assert.Error(t, err)
+
+	// Test empty string
+	_, err = stringToNamed("")
+	assert.Error(t, err)
+}
+
+func TestNewArtifactStore(t *testing.T) {
+	// Test with valid absolute path
+	storePath := filepath.Join(t.TempDir(), "store")
+	sc := &types.SystemContext{}
+
+	as, err := NewArtifactStore(storePath, sc)
+	assert.NoError(t, err)
+	assert.NotNil(t, as)
+	assert.Equal(t, storePath, as.storePath)
+
+	// Verify the index file was created
+	indexPath := filepath.Join(storePath, "index.json")
+	_, err = os.Stat(indexPath)
+	assert.NoError(t, err)
+
+	// Test with empty path
+	_, err = NewArtifactStore("", sc)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "store path cannot be empty")
+
+	// Test with relative path
+	_, err = NewArtifactStore("relative/path", sc)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "must be absolute")
+}