Merge pull request containers#202 from cgwalters/add-digest-type

Add Digest and SHA256Digest
cgwalters · Aug 30, 2024 · d3ddc0b · d3ddc0b
2 parents 57570dd + 5601907
commit d3ddc0b
Show file tree

Hide file tree

Showing 7 changed files with 334 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -37,42 +37,44 @@ assert_eq!(image_manifest.layers().len(), 5);
 
 - Create new image manifest using builder
 ```rust no_run
+use std::str::FromStr;
 use oci_spec::image::{
     Descriptor, 
     DescriptorBuilder, 
     ImageManifest, 
     ImageManifestBuilder, 
     MediaType, 
+    Sha256Digest,
     SCHEMA_VERSION
 };
 
 let config = DescriptorBuilder::default()
             .media_type(MediaType::ImageConfig)
             .size(7023u64)
-            .digest("sha256:b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7")
+            .digest(Sha256Digest::from_str("b5b2b2c507a0944348e0303114d8d93aaaa081732b86451d9bce1f432a537bc7").unwrap())
             .build()
             .expect("build config descriptor");
 
 let layers: Vec<Descriptor> = [
     (
         32654u64,
-        "sha256:9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0",
+        "9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0",
     ),
     (
         16724,
-        "sha256:3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b",
+        "3c3a4604a545cdc127456d94e421cd355bca5b528f4a9c1905b15da2eb4a4c6b",
     ),
     (
         73109,
-        "sha256:ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
+        "ec4b8955958665577945c89419d1af06b5f7636b4ac3da7f12184802ad867736",
     ),
 ]
     .iter()
     .map(|l| {
     DescriptorBuilder::default()
         .media_type(MediaType::ImageLayerGzip)
         .size(l.0)
-        .digest(l.1.to_owned())
+        .digest(Sha256Digest::from_str(l.1).unwrap())
         .build()
         .expect("build layer")
     })

diff --git a/src/image/artifact.rs b/src/image/artifact.rs
@@ -216,8 +216,8 @@ impl ArtifactManifest {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::image::DescriptorBuilder;
-    use std::path::PathBuf;
+    use crate::image::{DescriptorBuilder, Sha256Digest};
+    use std::{path::PathBuf, str::FromStr};
 
     fn get_manifest_path() -> PathBuf {
         PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("test/data/artifact_manifest.json")
@@ -228,17 +228,21 @@ mod tests {
             .media_type(MediaType::Other("application/gzip".to_string()))
             .size(123u64)
             .digest(
-                "sha256:87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630"
-                    .to_string(),
+                Sha256Digest::from_str(
+                    "87923725d74f4bfb94c9e86d64170f7521aad8221a5de834851470ca142da630",
+                )
+                .unwrap(),
             )
             .build()
             .unwrap();
         let subject = DescriptorBuilder::default()
             .media_type(MediaType::ImageManifest)
             .size(1234u64)
             .digest(
-                "sha256:cc06a2839488b8bd2a2b99dcdc03d5cfd818eed72ad08ef3cc197aac64c0d0a0"
-                    .to_string(),
+                Sha256Digest::from_str(
+                    "cc06a2839488b8bd2a2b99dcdc03d5cfd818eed72ad08ef3cc197aac64c0d0a0",
+                )
+                .unwrap(),
             )
             .build()
             .unwrap();

diff --git a/src/image/descriptor.rs b/src/image/descriptor.rs
@@ -1,4 +1,4 @@
-use super::{Arch, MediaType, Os};
+use super::{Arch, Digest, MediaType, Os};
 use crate::error::OciSpecError;
 use derive_builder::Builder;
 use getset::{CopyGetters, Getters, Setters};
@@ -30,7 +30,7 @@ pub struct Descriptor {
     /// content SHOULD be verified against this digest when consumed via
     /// untrusted sources.
     #[getset(get = "pub", set = "pub")]
-    digest: String,
+    digest: Digest,
     /// This REQUIRED property specifies the size, in bytes, of the raw
     /// content. This property exists so that a client will have an
     /// expected size for the content before processing. If the
@@ -133,7 +133,7 @@ pub struct Platform {
 
 impl Descriptor {
     /// Construct a new descriptor with the required fields.
-    pub fn new(media_type: MediaType, size: u64, digest: impl Into<String>) -> Self {
+    pub fn new(media_type: MediaType, size: u64, digest: impl Into<Digest>) -> Self {
         Self {
             media_type,
             size,
@@ -145,10 +145,17 @@ impl Descriptor {
             data: Default::default(),
         }
     }
+
+    /// Return a view of [`Self::digest()`] that has been parsed as a valid SHA-256 digest.
+    pub fn digest_sha256(&self) -> crate::Result<super::Sha256Digest> {
+        super::Sha256Digest::try_from(self.digest().clone())
+    }
 }
 
 #[cfg(test)]
 mod tests {
+    use std::str::FromStr;
+
     use super::*;
 
     #[test]
@@ -163,7 +170,10 @@ mod tests {
         assert_eq!(descriptor.media_type, MediaType::ImageManifest);
         assert_eq!(
             descriptor.digest,
-            "sha256:c2b8beca588702777e5f35dafdbeae9ec16c2bab802331f81cacd2a92f1d5356"
+            Digest::from_str(
+                "sha256:c2b8beca588702777e5f35dafdbeae9ec16c2bab802331f81cacd2a92f1d5356"
+            )
+            .unwrap()
         );
         assert_eq!(descriptor.size, 769);
         assert_eq!(
@@ -178,4 +188,15 @@ mod tests {
             MediaType::Other("application/spdx+json".to_string())
         );
     }
+
+    #[test]
+    fn test_malformed_digest() {
+        let descriptor_str = r#"{
+            "mediaType": "application/vnd.oci.image.manifest.v1+json",
+            "digest":"../blah:this-is-an-attack",
+            "size":769,
+            "annotations":{"org.opencontainers.image.created": "2023-10-11T22:37:26Z"},
+            "artifactType":"application/spdx+json"}"#;
+        assert!(serde_json::from_str::<Descriptor>(descriptor_str).is_err());
+    }
 }