-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix subdomain matching FIXMEs in commit 373440662 #1366
Conversation
d66525d
to
b5b7ba0
Compare
ready for review (afaict) |
FIXMEs addressed: 1. containers#1191 (comment) 2. containers#1191 (comment) 3. containers#1191 (comment) 4. containers#1191 (comment) 5. containers#1191 (comment) Signed-off-by: Lokesh Mandvekar <[email protected]>
b5b7ba0
to
207f85d
Compare
Before I start looking at the changes: the commit message isn't really helpful since it merely points to 5 comments "somewhere". The reader has to put the puzzle pieces together of what the changes are intended to do but I really want the author to explain the changes in detail. Since there are 5 different comments, it may be worth splitting them into 5 different commits. |
@@ -343,6 +343,21 @@ func (config *V1RegistriesConf) ConvertToV2() (*V2RegistriesConf, error) { | |||
// anchoredDomainRegexp is an internal implementation detail of postProcess, defining the valid values of elements of UnqualifiedSearchRegistries. | |||
var anchoredDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$") | |||
|
|||
// WildcardedPrefixCheck is the only place to check if a prefix contains "*." | |||
func WildcardedPrefixCheck(prefix string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make this private. We try to keep new public APIs at the bare minimum to prevent bumping the major version.
return prefix[:2] == "*." | ||
} | ||
|
||
func EmptyLocationWildcardedPrefixCheck(location string, prefix string) int { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here. Please add a comment on the return value.
// https://github.com/containers/image/pull/1191#discussion_r610622495 | ||
if reg.Prefix[:2] != "*." && reg.Location == "" { | ||
return &InvalidRegistries{s: "invalid condition: location is unset and prefix is not in the format: *.example.com"} | ||
if reg.Location != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks suspicious. Why are we allowing a config with an empty location?
If that's desired, we need tests for that case and probably some sanity checks and some massaging of the docs. For instance, unless it's blocked, it would require at least one mirror to make sense which in turn would bring up the question: why lift the requirement to specify a location,
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See all the “prefix is a wildcard” and “prefix is empty” conditions in https://github.com/openshift/runtime-utils/pull/11/files EditRegistriesConfig
.
Right now, if the user wants to set properties (insecure/blocked/mirrors) on a registry without redirecting it, there are two different syntaxes: (prefix=*.domain, location="") or (prefix="", location="non-wildcard.domain/…"), with little reason to for the two to differ. It would conceptually be much simpler if we always required prefix
to exist as a lookup key, and made location
entirely optional for redirection only; we can’t do that any more due to compatibility, but at least allowing software that writes entries from scratch to always use prefix
could simplify it.
sgtm, will do. |
@@ -343,6 +343,21 @@ func (config *V1RegistriesConf) ConvertToV2() (*V2RegistriesConf, error) { | |||
// anchoredDomainRegexp is an internal implementation detail of postProcess, defining the valid values of elements of UnqualifiedSearchRegistries. | |||
var anchoredDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$") | |||
|
|||
// WildcardedPrefixCheck is the only place to check if a prefix contains "*." | |||
func WildcardedPrefixCheck(prefix string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typically (not quite always), it’s more readable if function names are either commands (saveFile
) or predicates (isPrime
).
return prefix[:2] == "*." | ||
} | ||
|
||
func EmptyLocationWildcardedPrefixCheck(location string, prefix string) int { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don’t think a comment is enough — it should either be structured in some completely different way, or use an enum, not hard-coded 0/1/-1.
if prefix[:2] != "*." { | ||
return nil, fmt.Errorf("invalid prefix '%v' for empty location, should be in the format: *.example.com", prefix) | ||
} | ||
locationPrefixCheck := EmptyLocationWildcardedPrefixCheck(e.Location, prefix) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The FIXME was to drop the check for prefix
starting with "*."
in this location, (after ensuring postProcessRegistries
enforces that constraint), not to keep exactly the same check and move it into a single-use function. That move, along with the undocumented 0/1/-1 values, just makes this harder to read with AFAICS no change to behavior.
// and does not prevent correct operation. | ||
// https://github.com/containers/image/pull/1191#discussion_r610122617 | ||
// | ||
// if trimmed == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The request around #1191 (comment) was to reintroduce this check, and handle the cases that do allow ""
into the callers . See more in there.
// parsePrefix parses the input string, performs some sanity checks and returns | ||
// the sanitized input string. An error is returned if the input string is | ||
// empty or if contains an "http{s,}://" prefix. | ||
func parsePrefix(input string) (string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does this differ from parseLocation
now? Only in the error message? IIRC location
was supposed to reject wildcards, and the like…
} | ||
|
||
// make sure mirrors are valid | ||
for _, mir := range reg.Mirrors { | ||
if mir.Location == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I don’t see that the caller of
parseLocation
should need to specifically reject""
- Moving the check for
""
beforeparseLocation
changes semantics;"/"
was previously rejected, now it is allowed.
mir.Location, err = parseLocation(mir.Location) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
//FIXME: unqualifiedSearchRegistries now also accepts empty values |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Has anything been done to fix that?
// https://github.com/containers/image/pull/1191#discussion_r610623829 | ||
for i := range res.partialV2.Registries { | ||
prefix := res.partialV2.Registries[i].Prefix | ||
if prefix[:2] == "*." && strings.ContainsAny(prefix, "/@:") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What replaces the validation?
Thanks for all the comments @mtrmac @vrothberg . Closing this. I'll open a separate PR for each FIXME. Starting with: #1368 |
FIXMEs addressed:
Enable subdomain matching in registries.conf #1191 (comment)
Enable subdomain matching in registries.conf #1191 (comment)
Enable subdomain matching in registries.conf #1191 (comment)
Enable subdomain matching in registries.conf #1191 (comment)
Enable subdomain matching in registries.conf #1191 (comment)
Signed-off-by: Lokesh Mandvekar [email protected]
@vrothberg @mtrmac @ashcrow PTAL