Add check for required referrers API response Content-Type header #173

Closed
wants to merge 2 commits into from
Closed
30 changes: 20 additions & 10 deletions pkg/webhook/bundle.go
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/google/go-containerregistry/pkg/name"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/google/go-containerregistry/pkg/v1/types"

"github.com/sigstore/sigstore-go/pkg/bundle"
"github.com/sigstore/sigstore-go/pkg/root"
Expand All @@ -21,18 +22,27 @@ import (

type noncompliantRegistryTransport struct{}

// RoundTrip will check if a request and associated response fulfill the following:
// 1. The response returns a 406 status code
// 2. The request path contains /referrers/
// If both conditions are met, the response's status code will be overwritten to 404
// This is a temporary solution to handle non compliant registries that return
// an unexpected status code 406 when the go-containerregistry library used
// by this code attempts to make a request to the referrers API.
// The go-containerregistry library can handle 404 response but not a 406 response.
// See the related go-containerregistry issue: https://github.com/google/go-containerregistry/issues/1962
/*
RoundTrip will check if a request and associated response fulfill the following:
1. The response returns a 406 status code and the request path contains /referrers/
2. The response content type is not application/vnd.oci.image.index.v1+json

If either condition is met, the response's status code will be overwritten to 404.

This is a temporary solution to handle non compliant registries that either:
1. return an unexpected status code 406 when the go-containerregistry library used
by this code attempts to make a request to the referrers API.
The go-containerregistry library can handle 404 response but not a 406 response.
See the related go-containerregistry issue: https://github.com/google/go-containerregistry/issues/1962
2. Do not return a response with the required application/vnd.oci.image.index.v1+json Content-Type header.
If https://github.com/google/go-containerregistry/pull/1968 is merged,
we can remove the Content-Type check.
*/
func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
resp, err := http.DefaultTransport.RoundTrip(req)
if resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/") {
respContentType := resp.Header.Get("Content-Type")

if (resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/")) || respContentType != string(types.OCIImageIndex) {
resp.StatusCode = http.StatusNotFound
}

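Review bot: the added Content-Type condition in RoundTrip is not scoped to referrers requests. As written, `|| respContentType != string(types.OCIImageIndex)` on its own rewrites every response whose Content-Type is not the OCI image index to 404, including manifest, blob and token-endpoint responses, while the doc comment above says the check exists for the referrers API. Suggest grouping the path check around both conditions, e.g. `if strings.Contains(req.URL.Path, "/referrers/") && (resp.StatusCode == http.StatusNotAcceptable || respContentType != string(types.OCIImageIndex)) {`. Two smaller points in the same hunk: `err` from `http.DefaultTransport.RoundTrip(req)` is still unchecked before `resp.Header.Get("Content-Type")`, so a transport error (nil `resp`) now panics one line earlier than before; add `if err != nil { return resp, err }` right after the call. And an exact string comparison misses media-type parameters such as `application/vnd.oci.image.index.v1+json; charset=utf-8`, which a compliant registry may legitimately send; parsing the header with `mime.ParseMediaType` and comparing the media type would avoid turning those into spurious 404s.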