Merge branch 'main' into dev-image-index

buildpacks · Jun 30, 2023 · 111bb42 · 111bb42
2 parents 0ca19aa + 726f02e
commit 111bb42
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 29 deletions.
diff --git a/go.mod b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/google/go-containerregistry v0.15.2
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
-	golang.org/x/sync v0.2.0
+	golang.org/x/sync v0.3.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -81,8 +81,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
-golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

diff --git a/remote/remote.go b/remote/remote.go
@@ -528,25 +528,35 @@ func (i *Image) ReuseLayerWithHistory(sha string, history v1.History) error {
 
 // extras
 
-func (i *Image) CheckReadAccess() bool {
-	_, err := i.found()
-	if err != nil {
-		if transportErr, ok := err.(*transport.Error); ok {
-			return transportErr.StatusCode != http.StatusUnauthorized &&
-				transportErr.StatusCode != http.StatusForbidden
+func (i *Image) CheckReadAccess() (bool, error) {
+	var err error
+	if _, err = i.found(); err == nil {
+		return true, nil
+	}
+	var canRead bool
+	if transportErr, ok := err.(*transport.Error); ok {
+		if canRead = transportErr.StatusCode != http.StatusUnauthorized &&
+			transportErr.StatusCode != http.StatusForbidden; canRead {
+			err = nil
 		}
-		return false
 	}
-	return true
+	return canRead, err
 }
 
-func (i *Image) CheckReadWriteAccess() bool {
+func (i *Image) CheckReadWriteAccess() (bool, error) {
+	if canRead, err := i.CheckReadAccess(); !canRead {
+		return false, err
+	}
 	reg := getRegistry(i.repoName, i.registrySettings)
 	ref, _, err := referenceForRepoName(i.keychain, i.repoName, reg.insecure)
 	if err != nil {
-		return false
+		return false, err
+	}
+	err = remote.CheckPushPermission(ref, i.keychain, http.DefaultTransport)
+	if err != nil {
+		return false, err
 	}
-	return i.CheckReadAccess() && remote.CheckPushPermission(ref, i.keychain, http.DefaultTransport) == nil
+	return true, nil
 }
 
 // UnderlyingImage exposes the underlying image for testing

diff --git a/remote/remote_test.go b/remote/remote_test.go
@@ -1927,15 +1927,19 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 			it("returns true", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadAccess(), true)
+				canRead, err := image.CheckReadAccess()
+				h.AssertNil(t, err)
+				h.AssertEq(t, canRead, true)
 			})
 		})
 
 		when("image does not exist in the registry and client has read access", func() {
 			it("returns true", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadAccess(), true)
+				canRead, err := image.CheckReadAccess()
+				h.AssertNil(t, err)
+				h.AssertEq(t, canRead, true)
 			})
 		})
 
@@ -1951,7 +1955,8 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 			it("returns false", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadAccess(), false)
+				canRead, _ := image.CheckReadAccess()
+				h.AssertEq(t, canRead, false)
 			})
 		})
 
@@ -1968,31 +1973,37 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 				it("returns true", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(readWriteImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadAccess(), true)
+					canRead, err := image.CheckReadAccess()
+					h.AssertNil(t, err)
+					h.AssertEq(t, canRead, true)
 				})
 			})
 
 			when("image has read access but no write access", func() {
 				it("returns true", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(readOnlyImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadAccess(), true)
+					canRead, err := image.CheckReadAccess()
+					h.AssertNil(t, err)
+					h.AssertEq(t, canRead, true)
 				})
 			})
 
 			when("image doesn't have read access but has write access", func() {
 				it("returns false", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(writeOnlyImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadAccess(), false)
+					canReadWrite, _ := image.CheckReadAccess()
+					h.AssertEq(t, canReadWrite, false)
 				})
 			})
 
 			when("image doesn't have read nor write access", func() {
 				it("returns false", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(inaccessibleImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadAccess(), false)
+					canReadWrite, _ := image.CheckReadAccess()
+					h.AssertEq(t, canReadWrite, false)
 				})
 			})
 		})
@@ -2009,7 +2020,9 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 			it("returns true", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadWriteAccess(), true)
+				canRead, err := image.CheckReadWriteAccess()
+				h.AssertNil(t, err)
+				h.AssertEq(t, canRead, true)
 			})
 		})
 
@@ -2025,15 +2038,18 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 			it("returns false", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadWriteAccess(), false)
+				canReadWrite, _ := image.CheckReadWriteAccess()
+				h.AssertEq(t, canReadWrite, false)
 			})
 		})
 
 		when("image does not exist in the registry and client has read/write access", func() {
 			it("returns true", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadWriteAccess(), true)
+				canRead, err := image.CheckReadWriteAccess()
+				h.AssertNil(t, err)
+				h.AssertEq(t, canRead, true)
 			})
 		})
 
@@ -2049,7 +2065,8 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 			it("returns false", func() {
 				image, err := remote.NewImage(repoName, authn.DefaultKeychain)
 				h.AssertNil(t, err)
-				h.AssertEq(t, image.CheckReadWriteAccess(), false)
+				canReadWrite, _ := image.CheckReadWriteAccess()
+				h.AssertEq(t, canReadWrite, false)
 			})
 		})
 
@@ -2066,31 +2083,36 @@ func testImage(t *testing.T, when spec.G, it spec.S) {
 				it("returns true", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(readWriteImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadWriteAccess(), true)
+					canRead, err := image.CheckReadWriteAccess()
+					h.AssertNil(t, err)
+					h.AssertEq(t, canRead, true)
 				})
 			})
 
 			when("image has read access but no write access", func() {
 				it("returns false", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(readOnlyImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadWriteAccess(), false)
+					canReadWrite, _ := image.CheckReadWriteAccess()
+					h.AssertEq(t, canReadWrite, false)
 				})
 			})
 
 			when("image doesn't have read access but has write access", func() {
 				it("returns true", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(writeOnlyImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadWriteAccess(), false)
+					canReadWrite, _ := image.CheckReadWriteAccess()
+					h.AssertEq(t, canReadWrite, false)
 				})
 			})
 
 			when("image doesn't have read nor write access", func() {
 				it("returns false", func() {
 					image, err := remote.NewImage(customRegistry.RepoName(inaccessibleImage), authn.DefaultKeychain)
 					h.AssertNil(t, err)
-					h.AssertEq(t, image.CheckReadWriteAccess(), false)
+					canReadWrite, _ := image.CheckReadWriteAccess()
+					h.AssertEq(t, canReadWrite, false)
 				})
 			})
 		})