buildah/internal/source/pull.go

package source

import (
	"context"
	"os"

	"github.com/containers/buildah/pkg/parse"
	"github.com/containers/image/v5/copy"
	"github.com/containers/image/v5/pkg/shortnames"
	"github.com/containers/image/v5/signature"
	"github.com/containers/image/v5/transports/alltransports"
	"github.com/containers/image/v5/types"
	"github.com/pkg/errors"
)

// PullOptions includes data to alter certain knobs when pulling a source
// image.
type PullOptions struct {
	// Require HTTPS and verify certificates when accessing the registry.
	TLSVerify bool
	// [username[:password] to use when connecting to the registry.
	Credentials string
}

// Pull `imageInput` from a container registry to `sourcePath`.
func Pull(ctx context.Context, imageInput string, sourcePath string, options PullOptions) error {
	if _, err := os.Stat(sourcePath); err == nil {
		return errors.Errorf("%q already exists", sourcePath)
	}

	srcRef, err := stringToImageReference(imageInput)
	if err != nil {
		return err
	}

	sysCtx := &types.SystemContext{
		DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),
	}
	if options.Credentials != "" {
		authConf, err := parse.AuthConfig(options.Credentials)
		if err != nil {
			return err
		}
		sysCtx.DockerAuthConfig = authConf
	}

	if err := validateSourceImageReference(ctx, srcRef, sysCtx); err != nil {
		return err
	}

	ociDest, err := openOrCreateSourceImage(ctx, sourcePath)
	if err != nil {
		return err
	}

	policy, err := signature.DefaultPolicy(sysCtx)
	if err != nil {
		return errors.Wrapf(err, "error obtaining default signature policy")
	}
	policyContext, err := signature.NewPolicyContext(policy)
	if err != nil {
		return errors.Wrapf(err, "error creating new signature policy context")
	}

	copyOpts := copy.Options{
		SourceCtx: sysCtx,
	}
	if _, err := copy.Image(ctx, policyContext, ociDest.Reference(), srcRef, &copyOpts); err != nil {
		return errors.Wrap(err, "error pulling source image")
	}

	return nil
}

func stringToImageReference(imageInput string) (types.ImageReference, error) {
	if shortnames.IsShortName(imageInput) {
		return nil, errors.Errorf("pulling source images by short name (%q) is not supported, please use a fully-qualified name", imageInput)
	}

	ref, err := alltransports.ParseImageName("docker://" + imageInput)
	if err != nil {
		return nil, errors.Wrap(err, "error parsing image name")
	}

	return ref, nil
}

func validateSourceImageReference(ctx context.Context, ref types.ImageReference, sysCtx *types.SystemContext) error {
	src, err := ref.NewImageSource(ctx, sysCtx)
	if err != nil {
		return errors.Wrap(err, "error creating image source from reference")
	}
	defer src.Close()

	ociManifest, _, _, err := readManifestFromImageSource(ctx, src)
	if err != nil {
		return err
	}

	if ociManifest.Config.MediaType != MediaTypeSourceImageConfig {
		return errors.Errorf("invalid media type of image config %q (expected: %q)", ociManifest.Config.MediaType, MediaTypeSourceImageConfig)
	}

	return nil
}
buildah source - create and manage source images Add new `buildah source {create,add,push,pull}` commands. All commands are marked as experimental. None of it is meant to be officially supported at the time of writing. All code resides in `internal/source` and is hence not visible to external consumers of Buildah; just to be on the safe side. A source container or source image is an OCI artifact, that is an OCI image with custom config (media type). There is a longer history behind source images which are intended to ship the source artifacts of an ordinary "executable" container image. Until now, source images at Red Hat are built with github.com/containers/BuildSourceImage. We had a growing desire (and always the long-term plan) to eventually replace BuildSurceImage with something else, in this case Buildah. This commit adds the initial base functionality along with tests to make sure we're not regressing. The new commands do the following: * `create` - creates an empty and initialized source image * `add` - tar up a local path and add it as a layer to the souce image * `push/pull` - intentionally separate commands from `buildah push/pull` to allow for an easier usage and prevent the implementations from undesired (future) interference Further note: also vendor in c/image@master which ships a required fix. Signed-off-by: Valentin Rothberg <rothberg@redhat.com> 2021-03-22 20:02:39 +08:00			`package source`

			`import (`
			`"context"`
			`"os"`

			`"github.com/containers/buildah/pkg/parse"`
			`"github.com/containers/image/v5/copy"`
			`"github.com/containers/image/v5/pkg/shortnames"`
			`"github.com/containers/image/v5/signature"`
			`"github.com/containers/image/v5/transports/alltransports"`
			`"github.com/containers/image/v5/types"`
			`"github.com/pkg/errors"`
			`)`

			`// PullOptions includes data to alter certain knobs when pulling a source`
			`// image.`
			`type PullOptions struct {`
			`// Require HTTPS and verify certificates when accessing the registry.`
			`TLSVerify bool`
			`// [username[:password] to use when connecting to the registry.`
			`Credentials string`
			`}`

			// Pull `imageInput` from a container registry to `sourcePath`.
			`func Pull(ctx context.Context, imageInput string, sourcePath string, options PullOptions) error {`
			`if _, err := os.Stat(sourcePath); err == nil {`
			`return errors.Errorf("%q already exists", sourcePath)`
			`}`

			`srcRef, err := stringToImageReference(imageInput)`
			`if err != nil {`
			`return err`
			`}`

			`sysCtx := &types.SystemContext{`
			`DockerInsecureSkipTLSVerify: types.NewOptionalBool(!options.TLSVerify),`
			`}`
			`if options.Credentials != "" {`
			`authConf, err := parse.AuthConfig(options.Credentials)`
			`if err != nil {`
			`return err`
			`}`
			`sysCtx.DockerAuthConfig = authConf`
			`}`

			`if err := validateSourceImageReference(ctx, srcRef, sysCtx); err != nil {`
			`return err`
			`}`

			`ociDest, err := openOrCreateSourceImage(ctx, sourcePath)`
			`if err != nil {`
			`return err`
			`}`

			`policy, err := signature.DefaultPolicy(sysCtx)`
			`if err != nil {`
			`return errors.Wrapf(err, "error obtaining default signature policy")`
			`}`
			`policyContext, err := signature.NewPolicyContext(policy)`
			`if err != nil {`
			`return errors.Wrapf(err, "error creating new signature policy context")`
			`}`

			`copyOpts := copy.Options{`
			`SourceCtx: sysCtx,`
			`}`
			`if _, err := copy.Image(ctx, policyContext, ociDest.Reference(), srcRef, &copyOpts); err != nil {`
			`return errors.Wrap(err, "error pulling source image")`
			`}`

			`return nil`
			`}`

			`func stringToImageReference(imageInput string) (types.ImageReference, error) {`
			`if shortnames.IsShortName(imageInput) {`
			`return nil, errors.Errorf("pulling source images by short name (%q) is not supported, please use a fully-qualified name", imageInput)`
			`}`

			`ref, err := alltransports.ParseImageName("docker://" + imageInput)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "error parsing image name")`
			`}`

			`return ref, nil`
			`}`

			`func validateSourceImageReference(ctx context.Context, ref types.ImageReference, sysCtx *types.SystemContext) error {`
			`src, err := ref.NewImageSource(ctx, sysCtx)`
			`if err != nil {`
			`return errors.Wrap(err, "error creating image source from reference")`
			`}`
			`defer src.Close()`

			`ociManifest, _, _, err := readManifestFromImageSource(ctx, src)`
			`if err != nil {`
			`return err`
			`}`

			`if ociManifest.Config.MediaType != MediaTypeSourceImageConfig {`
			`return errors.Errorf("invalid media type of image config %q (expected: %q)", ociManifest.Config.MediaType, MediaTypeSourceImageConfig)`
			`}`

			`return nil`
			`}`