From f991fd1f9d7d4ee51f42d18807bec9373d5c3722 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 18 Jun 2024 13:43:55 -0600
Subject: [PATCH 1/5] handle non compliant response with transport

Signed-off-by: Meredith Lancaster
---
 pkg/webhook/bundle.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go
index 3d2dbf1b..b67c52aa 100644
--- a/pkg/webhook/bundle.go
+++ b/pkg/webhook/bundle.go
@@ -7,6 +7,7 @@ import (
 "errors"
 "fmt"
 "io"
+ "net/http"
 "strings"
 
 "github.com/google/go-containerregistry/pkg/name"
@@ -18,6 +19,17 @@ import (
 "github.com/sigstore/sigstore-go/pkg/verify"
 )
 
+type noncompliantRegistryTransport struct{}
+
+func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+ resp, err := http.DefaultTransport.RoundTrip(req)
+ if resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/") {
+ resp.StatusCode = http.StatusNotFound
+ }
+
+ return resp, err
+}
+
 type VerifiedBundle struct {
 SGBundle *bundle.ProtobufBundle
 Result *verify.VerificationResult
@@ -93,7 +105,9 @@ func getBundles(ref name.Reference, remoteOpts []remote.Option) ([]*bundle.Proto
 
 digest := ref.Context().Digest(desc.Digest.String())
 
- referrers, err := remote.Referrers(digest, remoteOpts...)
+ transportOpts := []remote.Option{remote.WithTransport(&noncompliantRegistryTransport{})}
+ transportOpts = append(transportOpts, remoteOpts...)
+ referrers, err := remote.Referrers(digest, transportOpts...)
 if err != nil {
 return nil, nil, fmt.Errorf("error getting referrers: %w", err)
 }

From 02944507c1fa599e042af16c09e7718f7217069b Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 18 Jun 2024 13:53:13 -0600
Subject: [PATCH 2/5] add comment

Signed-off-by: Meredith Lancaster
---
 pkg/webhook/bundle.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go
index b67c52aa..e87feac9 100644
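Review bot: In the new `RoundTrip`, `resp.StatusCode` is read before `err` is checked, so a transport failure (timeout, DNS error, refused connection) that makes `http.DefaultTransport.RoundTrip` return a nil response will panic with a nil-pointer dereference instead of surfacing the error. Return early right after the call: `if err != nil { return nil, err }`. Patches 2/5 to 5/5 of this series only edit the comment above the function and leave this line unchanged. The `strings.Contains(req.URL.Path, "/referrers/")` test is also a plain substring match, so a repository whose name contains a `referrers` path component would have 406 responses on its other endpoints rewritten too; that deserves a tighter match or at least a comment.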
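Review bot: Because `remoteOpts...` is appended after `remote.WithTransport(&noncompliantRegistryTransport{})`, a caller that supplies its own `remote.WithTransport` will most likely replace the wrapper (options appear to be applied in order, last one wins), and the 406 handling then silently disappears for exactly those callers. The wrapper itself hard-codes `http.DefaultTransport`, so it cannot carry a caller's TLS or proxy configuration either. At minimum document the ordering next to the append, for example `// remoteOpts is applied last: a caller-supplied transport overrides the 406 workaround`; a sturdier design would give the type an inner `http.RoundTripper` field and wrap whichever transport is in effect. getBundles starts and ends outside this hunk.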
--- a/pkg/webhook/bundle.go
+++ b/pkg/webhook/bundle.go
@@ -21,6 +21,10 @@ import (
 
 type noncompliantRegistryTransport struct{}
 
+// noncompliantRegistryTransport#RoundTrip will check if the response from a referrers
+// endpoint returns a 406 status code, which is unexpected and not handled by default.
+// If a 406 status code is found, it will be updated to a 404, which is handled by
+// the underlying go-containerregistry library used
 func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 resp, err := http.DefaultTransport.RoundTrip(req)
 if resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/") {

From 8a1f805398306b70c5d8391db8a66171fbc88536 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 18 Jun 2024 14:09:10 -0600
Subject: [PATCH 3/5] update comment

Signed-off-by: Meredith Lancaster
---
 pkg/webhook/bundle.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go
index e87feac9..86691056 100644
--- a/pkg/webhook/bundle.go
+++ b/pkg/webhook/bundle.go
@@ -21,10 +21,14 @@ import (
 
 type noncompliantRegistryTransport struct{}
 
-// noncompliantRegistryTransport#RoundTrip will check if the response from a referrers
-// endpoint returns a 406 status code, which is unexpected and not handled by default.
-// If a 406 status code is found, it will be updated to a 404, which is handled by
-// the underlying go-containerregistry library used
+// RoundTrip will check if a request and associated response fulfill the following:
+// 1. The response returns a 406 status code
+// 2. The request path contains /referrers/
+// If both conditions are met, the response's status code will be overwritten to 404
+// This is a temporary solution to handle non compliant registries that return
+// an unexpected status code 406 when the go-containerregistry library used
+// by this code attempts to make a request to the referrers API.
+// The go-contqainerregistry library can handle 404 response but not a 406 response.
 func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 resp, err := http.DefaultTransport.RoundTrip(req)
 if resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/") {

From 030b3df348c9d2622267be78f2fbc9ada9aaf73a Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Tue, 18 Jun 2024 16:38:30 -0600
Subject: [PATCH 4/5] add link to issue

Signed-off-by: Meredith Lancaster
---
 pkg/webhook/bundle.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go
index 86691056..4a9813d5 100644
--- a/pkg/webhook/bundle.go
+++ b/pkg/webhook/bundle.go
@@ -29,6 +29,7 @@ type noncompliantRegistryTransport struct{}
 // an unexpected status code 406 when the go-containerregistry library used
 // by this code attempts to make a request to the referrers API.
 // The go-contqainerregistry library can handle 404 response but not a 406 response.
+// See the related go-containerregistry issue: https://github.com/google/go-containerregistry/issues/1962
 func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 resp, err := http.DefaultTransport.RoundTrip(req)
 if resp.StatusCode == http.StatusNotAcceptable && strings.Contains(req.URL.Path, "/referrers/") {

From 2f571a7646612d4e43016b94ccaaa65b7d4cb20b Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Tue, 18 Jun 2024 19:34:10 -0400
Subject: [PATCH 5/5] Update pkg/webhook/bundle.go

---
 pkg/webhook/bundle.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/webhook/bundle.go b/pkg/webhook/bundle.go
index 4a9813d5..35c75007 100644
--- a/pkg/webhook/bundle.go
+++ b/pkg/webhook/bundle.go
@@ -28,7 +28,7 @@ type noncompliantRegistryTransport struct{}
 // This is a temporary solution to handle non compliant registries that return
 // an unexpected status code 406 when the go-containerregistry library used
 // by this code attempts to make a request to the referrers API.
-// The go-contqainerregistry library can handle 404 response but not a 406 response.
+// The go-containerregistry library can handle 404 response but not a 406 response.
 // See the related go-containerregistry issue: https://github.com/google/go-containerregistry/issues/1962
 func (a *noncompliantRegistryTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 resp, err := http.DefaultTransport.RoundTrip(req)