Add tests for format conversion combined with encryption

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
containers · Aug 4, 2023 · 3c759f9 · 3c759f9
1 parent 91f9fc6
commit 3c759f9
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 0 deletions.
diff --git a/internal/image/docker_schema1_test.go b/internal/image/docker_schema1_test.go
@@ -507,6 +507,18 @@ func TestManifestSchema1ConvertToSchema2(t *testing.T) {
 		},
 	}, s2Manifest.LayerInfos())
 
+	// Conversion to schema2 with encryption fails
+	encryptedLayers := layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt)
+	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       encryptedLayers,
+		ManifestMIMEType: manifest.DockerV2Schema2MediaType,
+		InformationOnly: types.ManifestUpdateInformation{
+			LayerInfos:   updatedLayers,
+			LayerDiffIDs: schema1WithThrowawaysFixtureLayerDiffIDs,
+		},
+	})
+	assert.Error(t, err)
+
 	// FIXME? Test also the various failure cases, if only to see that we don't crash?
 }
 
@@ -582,6 +594,51 @@ func TestManifestSchema1ConvertToManifestOCI1(t *testing.T) {
 		},
 	}, ociManifest.LayerInfos())
 
+	// Conversion to OCI with encryption is possible.
+	encryptedLayers := layerInfosWithCryptoOperation(schema1WithThrowawaysFixtureLayerInfos, types.Encrypt)
+	res, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       encryptedLayers,
+		ManifestMIMEType: imgspecv1.MediaTypeImageManifest,
+		InformationOnly: types.ManifestUpdateInformation{
+			LayerInfos:   encryptedLayers,
+			LayerDiffIDs: schema1WithThrowawaysFixtureLayerDiffIDs,
+		},
+	})
+	require.NoError(t, err)
+	convertedJSON, mt, err = res.Manifest(context.Background())
+	require.NoError(t, err)
+	assert.Equal(t, imgspecv1.MediaTypeImageManifest, mt)
+	// Layers have been updated as expected
+	ociManifest, err = manifestOCI1FromManifest(originalSrc, convertedJSON)
+	require.NoError(t, err)
+	assert.Equal(t, []types.BlobInfo{
+		{
+			Digest:    "sha256:6a5a5368e0c2d3e5909184fa28ddfd56072e7ff3ee9a945876f7eee5896ef5bb",
+			Size:      51354364,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:1bbf5d58d24c47512e234a5623474acf65ae00d4d1414272a893204f44cc680c",
+			Size:      150,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:8f5dc8a4b12c307ac84de90cdd9a7f3915d1be04c9388868ca118831099c67a9",
+			Size:      11739507,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:bbd6b22eb11afce63cc76f6bc41042d99f10d6024c96b655dafba930b8d25909",
+			Size:      8841833,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:960e52ecf8200cbd84e70eb2ad8678f4367e50d14357021872c10fa3fc5935fa",
+			Size:      291,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+	}, ociManifest.LayerInfos())
+
 	// FIXME? Test also the various failure cases, if only to see that we don't crash?
 }
 

diff --git a/internal/image/docker_schema2_test.go b/internal/image/docker_schema2_test.go
@@ -436,6 +436,15 @@ func modifiedLayerInfos(t *testing.T, input []types.BlobInfo) ([]types.BlobInfo,
 	return modified, copy
 }
 
+// layerInfosWithCryptoOperation returns a copy of input where CryptoOperation is set to op
+func layerInfosWithCryptoOperation(input []types.BlobInfo, op types.LayerCrypto) []types.BlobInfo {
+	res := slices.Clone(input)
+	for i := range res {
+		res[i].CryptoOperation = op
+	}
+	return res
+}
+
 func TestManifestSchema2UpdatedImage(t *testing.T) {
 	originalSrc := newSchema2ImageSource(t, "httpd:latest")
 	original := manifestSchema2FromFixture(t, originalSrc, "schema2.json", false)
@@ -514,6 +523,46 @@ func TestConvertToManifestOCI(t *testing.T) {
 	convertedConfig, err := res.ConfigBlob(context.Background())
 	require.NoError(t, err)
 	assertJSONEqualsFixture(t, convertedConfig, "schema2-to-oci1-config.json")
+
+	// Conversion to OCI with encryption is possible.
+	res, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
+		ManifestMIMEType: imgspecv1.MediaTypeImageManifest,
+	})
+	require.NoError(t, err)
+	convertedJSON, mt, err = res.Manifest(context.Background())
+	require.NoError(t, err)
+	assert.Equal(t, imgspecv1.MediaTypeImageManifest, mt)
+	// Layers have been updated as expected
+	ociManifest, err := manifestOCI1FromManifest(originalSrc, convertedJSON)
+	require.NoError(t, err)
+	assert.Equal(t, []types.BlobInfo{
+		{
+			Digest:    "sha256:6a5a5368e0c2d3e5909184fa28ddfd56072e7ff3ee9a945876f7eee5896ef5bb",
+			Size:      51354364,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:1bbf5d58d24c47512e234a5623474acf65ae00d4d1414272a893204f44cc680c",
+			Size:      150,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:8f5dc8a4b12c307ac84de90cdd9a7f3915d1be04c9388868ca118831099c67a9",
+			Size:      11739507,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:bbd6b22eb11afce63cc76f6bc41042d99f10d6024c96b655dafba930b8d25909",
+			Size:      8841833,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+		{
+			Digest:    "sha256:960e52ecf8200cbd84e70eb2ad8678f4367e50d14357021872c10fa3fc5935fa",
+			Size:      291,
+			MediaType: "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
+		},
+	}, ociManifest.LayerInfos())
 }
 
 func TestConvertToManifestOCIAllMediaTypes(t *testing.T) {
@@ -597,6 +646,16 @@ func TestConvertToManifestSchema1(t *testing.T) {
 		{Digest: GzippedEmptyLayerDigest, Size: -1},
 	}, s1Manifest.LayerInfos())
 
+	// Conversion to schema1 with encryption fails
+	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
+		ManifestMIMEType: manifest.DockerV2Schema1SignedMediaType,
+		InformationOnly: types.ManifestUpdateInformation{
+			Destination: memoryDest,
+		},
+	})
+	assert.Error(t, err)
+
 	// FIXME? Test also the various failure cases, if only to see that we don't crash?
 }
 

diff --git a/internal/image/oci_test.go b/internal/image/oci_test.go
@@ -497,6 +497,16 @@ func TestManifestOCI1ConvertToManifestSchema1(t *testing.T) {
 	var expected manifest.NonImageArtifactError
 	assert.ErrorAs(t, err, &expected)
 
+	// Conversion to schema1 with encryption fails
+	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
+		ManifestMIMEType: manifest.DockerV2Schema1SignedMediaType,
+		InformationOnly: types.ManifestUpdateInformation{
+			Destination: memoryDest,
+		},
+	})
+	assert.Error(t, err)
+
 	// FIXME? Test also the other failure cases, if only to see that we don't crash?
 }
 
@@ -525,6 +535,13 @@ func TestConvertToManifestSchema2(t *testing.T) {
 	var expected manifest.NonImageArtifactError
 	assert.ErrorAs(t, err, &expected)
 
+	// Conversion to schema2 with encryption fails
+	_, err = original.UpdatedImage(context.Background(), types.ManifestUpdateOptions{
+		LayerInfos:       layerInfosWithCryptoOperation(original.LayerInfos(), types.Encrypt),
+		ManifestMIMEType: manifest.DockerV2Schema2MediaType,
+	})
+	assert.Error(t, err)
+
 	// FIXME? Test also the other failure cases, if only to see that we don't crash?
 }