Implement more TODOs in oci-validate code

tianon · tianon · commit 1d193405d52b · 2025-04-30T16:43:37.000-07:00
I'm much happier with this interface now -- it can properly handle an image with attestations now, for example.
diff --git a/helpers/oci-validate.sh b/helpers/oci-validate.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail
 
-# given an OCI image layout (https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md), verifies all descriptors as much as possible (digest matches content, size, some media types, layer diff_ids, etc)
+# given an OCI image layout (https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md), verifies all descriptors as much as possible (digest matches content, size, media types, layer diff_ids, etc)
 
 layout="$1"; shift
 
@@ -23,85 +23,131 @@ jq -L"$BASHBREW_META_SCRIPTS" --slurp '
 	| empty
 ' oci-layout
 
-# TODO this is all rubbish; it needs more thought (the jq functions it invokes are pretty solid now though)
+# TODO (recursively?) validate subject descriptors in here somewhere 🤔
 
 descriptor() {
 	local file="$1"; shift # "blobs/sha256/xxx"
-	echo "blob: $file"
-	local digest="$1"; shift # "sha256:xxx"
-	local size="$1"; shift # "123"
-	local algo="${digest%%:*}" # sha256
-	local hash="${digest#$algo:}" # xxx
-	local diskSize
-	[ "$algo" = 'sha256' ] # TODO error message
-	diskSize="$(stat --dereference --format '%s' "$file")"
-	[ "$size" = "$diskSize" ] # TODO error message
-	"${algo}sum" <<<"$hash *$file" --check --quiet --strict -
+	local desc; desc="$(cat)"
+	local shell
+	shell="$(jq <<<"$desc" -L"$BASHBREW_META_SCRIPTS" --slurp --raw-output '
+		include "validate";
+		include "oci";
+		validate_one
+		| validate_oci_descriptor
+		| (
+			@sh "local algo=\(
+				.digest
+				| split(":")[0]
+				| validate_IN(.; "sha256", "sha512") # TODO more algorithms? need more tools on the host
+			)",
+
+			@sh "local data=\(
+				if has("data") then
+					.data
+				else " " end # empty string is valid base64 (which we should validate), but spaces are not, so we can use a single space to detect "data not set"
+			)",
+
+			empty
+		)
+	')"
+	eval "$shell"
+	local digest size dataDigest= dataSize=
+	digest="$("${algo}sum" "$file" | cut -d' ' -f1)"
+	digest="$algo:$digest"
+	size="$(stat --dereference --format '%s' "$file")"
+	if [ "$data" != ' ' ]; then
+		dataDigest="$(base64 <<<"$data" -d | "${algo}sum" | cut -d' ' -f1)"
+		dataDigest="$algo:$dataDigest"
+		dataSize="$(base64 <<<"$data" -d | wc --bytes)"
+		# TODO *technically* we could get clever here and pass `base64 -d` to something like `tee >(wc --bytes) >(dig="$(sha256sum | cut -d' ' -f1)" && echo "sha256:$dig" && false) > /dev/null` to avoid parsing the base64 twice, but then failure cases are less likely to be caught, so it's safer to simply redecode (and we can't decode into a variable because this might be binary data *and* bash will do newline munging in both directions)
+	fi
+	jq <<<"$desc" -L"$BASHBREW_META_SCRIPTS" --slurp --arg digest "$digest" --arg size "$size" --arg dataDigest "$dataDigest" --arg dataSize "$dataSize" '
+		include "validate";
+		validate_one
+		| validate_IN(.digest; $digest)
+		| validate_IN(.size; $size | tonumber)
+		| if has("data") then
+			validate(.data;
+				$digest == $dataDigest
+				and $size == $dataSize
+			; "(decoded) data has size \($dataSize) and digest \($dataDigest) (expected \($size) and \($digest))")
+		else . end
+		| empty
+	'
 }
 
-images() {
-	echo "image: $*"
+# TODO validate config (diff_ids, history, platform - gotta carry *two* levels of descriptors for that, and decompress all the layers 🙊)
+# TODO validate provenance/SBOM layer contents?
+
+image() {
+	local file="$1"; shift
+	echo "image: $file"
+	local desc; desc="$(cat)"
+	descriptor <<<"$desc" "$file"
 	local shell
 	shell="$(
-		jq -L"$BASHBREW_META_SCRIPTS" --arg expected "$#" --slurp --raw-output '
+		jq <<<"$desc" -L"$BASHBREW_META_SCRIPTS" --slurp --raw-output '
 			include "validate";
 			include "oci";
-			# TODO technically, this would pass if one file is empty and another file has two documents in it (since it is counting the total), so that is not great, but probably is not a real problem
-			validate_length(.; $expected | tonumber)
-			| map(validate_oci_image)
+			validate_length(.; 2)
+			| .[0] as $desc
+			| .[1]
+			| validate_oci_image({
+				imageAttestation: IN($desc.annotations["vnd.docker.reference.type"]; "attestation-manifest"),
+			})
+			| if $desc then
+				validate_IN(.mediaType; $desc.mediaType)
+				| validate_IN(.artifactType; $desc.artifactType)
+			else . end
 			| (
 				(
-					.[].config, .[].layers[]
-					| @sh "descriptor \("blobs/\(.digest | sub(":"; "/"))") \(.digest) \(.size)"
-					# TODO data?
+					.config, .layers[]
+					| @sh "descriptor <<<\(tojson) \(.digest | "blobs/\(sub(":"; "/"))")"
 				),
 
 				empty # trailing comma
 			)
-		' "$@"
+		' /dev/stdin "$file"
 	)"
 	eval "$shell"
 }
 
-# TODO pass descriptor values down so we can validate that they match (.mediaType, .artifactType, .platform across *two* levels index->manifest->config), similar to .data
-# TODO disallow urls completely?
-
-indexes() {
-	echo "index: $*"
+index() {
+	local file="$1"; shift
+	echo "index: $file"
+	local desc; desc="$(cat)"
+	if [ "$desc" != 'null' ]; then
+		descriptor <<<"$desc" "$file"
+	fi
 	local shell
 	shell="$(
-		jq -L"$BASHBREW_META_SCRIPTS" --arg expected "$#" --slurp --raw-output '
+		jq <<<"$desc" -L"$BASHBREW_META_SCRIPTS" --slurp --raw-output '
 			include "validate";
 			include "oci";
-			# TODO technically, this would pass if one file is empty and another file has two documents in it (since it is counting the total), so that is not great, but probably is not a real problem
-			validate_length(.; $expected | tonumber)
-			| map(validate_oci_index)
+			validate_length(.; 2)
+			| .[0] as $desc
+			| .[1]
+			| validate_oci_index({
+				indexPlatformsOptional: (input_filename == "index.json"),
+			})
+			| if $desc then
+				validate_IN(.mediaType; $desc.mediaType)
+				| validate_IN(.artifactType; $desc.artifactType)
+			else . end
+			| .manifests[]
 			| (
-				(
-					.[].manifests[]
-					| @sh "descriptor \("blobs/\(.digest | sub(":"; "/"))") \(.digest) \(.size)"
-					# TODO data?
-				),
-
-				(
-					[ .[].manifests[] | select(IN(.mediaType; media_types_image)) | .digest ]
-					| if length > 0 then
-						"images \(map("blobs/\(sub(":"; "/"))" | @sh) | join(" "))"
-					else empty end
-				),
-
-				(
-					[ .[].manifests[] | select(IN(.mediaType; media_types_index)) | .digest ]
-					| if length > 0 then
-						"indexes \(map("blobs/\(sub(":"; "/"))" | @sh) | join(" "))"
-					else empty end
-				),
-
-				empty # trailing comma
-			)
-		' "$@"
+				.mediaType
+				| if IN(media_types_index) then
+					"index"
+				elif IN(media_types_image) then
+					"image"
+				else
+					error("UNSUPPORTED MEDIA TYPE: \(.)")
+				end
+			) + @sh " <<<\(tojson) \(.digest | "blobs/\(sub(":"; "/"))")"
+		' /dev/stdin "$file"
 	)"
 	eval "$shell"
 }
 
-indexes index.json
+index <<<'null' index.json
diff --git a/oci.jq b/oci.jq
@@ -165,6 +165,7 @@ def validate_oci_digest:
 	| {
 		"sha256": [ 64 ],
 		"sha512": [ 128 ],
+		# TODO "blake3": [ 64 ], # https://github.com/opencontainers/image-spec/pull/1240
 	} as $lengths
 	| validate_IN($dig.algorithm; $lengths | keys[])
 	| validate_length($dig.encoded; $lengths[$dig.algorithm][])
@@ -191,7 +192,11 @@ def validate_oci_descriptor:
 	| validate(.size; . == floor; "size must be whole")
 	| validate(.size; . == ceil; "size must be whole")
 
-	# TODO urls?
+	| if has("urls") then
+		validate(.urls; type == "array")
+		| validate(.urls[]; type == "string")
+		| validate_length(.urls; 0) # TODO this intentionally contradicts the above lines -- are there cases where we should allow urls?
+	else . end
 
 	| validate_oci_annotations_haver
 
@@ -205,7 +210,9 @@ def validate_oci_descriptor:
 		# someday, maybe we can validate that .data matches .digest here (needs more jq functionality, including and especially the ability to deal with non-UTF8 binary data from base64 and perform sha256 over it)
 	else . end
 
-	# TODO artifactType?
+	| if has("artifactType") then
+		validate(.artifactType; type == "string")
+	else . end
 
 	# https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md#image-index-property-descriptions
 	| if has("platform") then
@@ -240,47 +247,87 @@ def validate_oci_subject_haver:
 ;
 
 # https://github.com/opencontainers/image-spec/blob/v1.1.1/image-index.md
-def validate_oci_index:
+def validate_oci_index($opt):
 	validate_IN(type; "object")
 	| validate_IN(.schemaVersion; 2)
-	| validate_IN(.mediaType; media_types_index) # TODO allow "null" here too? (https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh)
-	# TODO artifactType?
+	| validate_IN(.mediaType; media_types_index)
+	| if has("artifactType") then
+		validate(.artifactType; type == "string")
+		| validate_IN(.artifactType; null) # TODO acceptable values? (this check intentionally contradicts the one above so artifactType generates an error)
+	else . end
 	| validate(.manifests[];
 		validate_oci_descriptor
 		| validate_IN(.mediaType; media_types_index, media_types_image)
 		| validate(.size; . > 2; "manifest size must be at *least* big enough for {} plus *some* content")
 		# https://github.com/opencontainers/distribution-spec/pull/293#issuecomment-1452780554
 		| validate(.size; . <= 4 * 1024 * 1024; "manifest size must be 4MiB (\(4 * 1024 * 1024)) or less")
+
+		# slightly stricter enforcement than "validate_oci_descriptor" by default
+		| if $opt.indexPlatformsOptional then . else
+			validate(.platform; type == "object")
+		end
+
+		# https://github.com/moby/buildkit/blob/c6145c2423de48f891862ac02f9b2653864d3c9e/docs/attestations/attestation-storage.md
+		| if .annotations | has("vnd.docker.reference.type") or has("vnd.docker.reference.digest") then
+			validate_IN(.mediaType; media_type_oci_image)
+			| validate_IN(.artifactType; null, "application/vnd.docker.attestation.manifest.v1+json") # https://github.com/moby/buildkit/pull/5573/files#r2069525281
+			| validate_IN(.annotations["vnd.docker.reference.type"]; "attestation-manifest")
+			| validate(.annotations["vnd.docker.reference.digest"]; validate_oci_digest)
+			| validate_IN(.platform.os; "unknown")
+			| validate_IN(.platform.architecture; "unknown")
+		else
+			validate_IN(.artifactType; null)
+		end
 	)
-	# TODO if any manifest has "vnd.docker.reference.digest", validate the subject exists in the list
+	| if any(.manifests[].annotations; has("vnd.docker.reference.digest")) then
+		[ .manifests[].digest ] as $digests
+		| validate_IN(.manifests[].annotations["vnd.docker.reference.digest"]; null, $digests[])
+	else . end
 	| validate_oci_subject_haver
 	| validate_oci_annotations_haver
 ;
+def validate_oci_index: validate_oci_index({});
 
 # https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md
-def validate_oci_image:
+def validate_oci_image($opt):
 	validate_IN(type; "object")
 	| validate_IN(.schemaVersion; 2)
-	| validate_IN(.mediaType; media_types_image) # TODO allow "null" here too? (https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh)
-	# TODO artifactType (but only selectively / certain values)
+	| validate_IN(.mediaType; media_types_image)
+	| if has("artifactType") then
+		validate(.artifactType; type == "string")
+		| validate_IN(.artifactType;
+			if $opt.imageAttestation then
+				"application/vnd.docker.attestation.manifest.v1+json" # https://github.com/moby/buildkit/pull/5573/files#r2069525281
+			else null end # (this check intentionally contradicts the one above so artifactType normally generates an error)
+		)
+	else . end
 	| validate(.config;
 		validate_oci_descriptor
 		| validate(.size; . >= 2; "config must be at *least* big enough for {}")
 		| validate_IN(.mediaType; media_types_config)
+		| validate_IN(.artifactType; null)
 	)
 	| validate(.layers[];
 		validate_oci_descriptor
-		| validate_IN(.mediaType; media_types_layer) # TODO allow "application/vnd.in-toto+json" and friends, but selectively 🤔
+		| if $opt.imageAttestation then
+			# https://github.com/moby/buildkit/blob/c6145c2423de48f891862ac02f9b2653864d3c9e/docs/attestations/attestation-storage.md
+			validate_IN(.mediaType; "application/vnd.in-toto+json")
+			| validate_IN(.annotations["in-toto.io/predicate-type"];
+				"https://slsa.dev/provenance/v0.2",
+				"https://spdx.dev/Document",
+				empty # trailing comma
+			)
+		else
+			validate_IN(.mediaType; media_types_layer)
+		end
+		| validate_IN(.artifactType; null)
 	)
 	| validate_oci_subject_haver
 	| validate_oci_annotations_haver
 ;
+def validate_oci_image: validate_oci_image({});
 
 # https://github.com/opencontainers/image-spec/blob/v1.1.1/image-layout.md#oci-layout-file
 def validate_oci_layout_file:
 	validate_IN(.imageLayoutVersion; "1.0.0")
 ;
-
-# TODO validate digest, size of blobs (*somewhere*, probably not here - this is all "cheap" validations / version+ordering+format assumption validations)
-# TODO if .data, validate that somehow too (size, digest); https://github.com/jqlang/jq/issues/1116#issuecomment-2515814615
-# TODO also we should validate that the length of every/any manifest is <= 4MiB (https://github.com/opencontainers/distribution-spec/pull/293#issuecomment-1452780554)
