simplify validation

internal/validate/image.go

@@ -66,21 +66,12 @@ func (s *notaryService) Validate(ctx context.Context, image string, imagePullCre
 		return nil
 	}
 
-	if len(image) == 0 {
-		return pkg.NewValidationFailedErr(errors.New("empty image provided"))
-	}
-
-	ref, err := name.ParseReference(image)
+	// strict validation requires image name to contain domain and a tag, and/or sha256
+	ref, err := name.ParseReference(image, name.StrictValidation)
 	if err != nil {
 		return pkg.NewValidationFailedErr(errors.Wrap(err, "image name could not be parsed"))
 	}
 
-	// name.ParseReference() uses default `latest` tag when no tag/digest was provided
-	// we want to block all images with no explicit tag/digest provided
-	if !imageContainsTag(image, ref) {
-		return pkg.NewValidationFailedErr(errors.New("image is missing tag or hash"))
-	}
-
 	expectedShaBytes, err := s.loggedGetNotaryImageDigestHash(ctx, ref)
 	if err != nil {
 		return err
@@ -103,10 +94,6 @@ func (s *notaryService) Validate(ctx context.Context, image string, imagePullCre
 	return pkg.NewValidationFailedErr(errors.New("unexpected image hash value"))
 }
 
-func imageContainsTag(image string, ref name.Reference) bool {
-	return strings.Contains(image, ref.Identifier())
-}
-
 func (s *notaryService) isImageAllowed(imgRepo string) bool {
 	for _, allowed := range s.AllowedRegistries {
 		// repository is in allowed list

internal/validate/image_internal_test.go

@@ -6,8 +6,6 @@ import (
 
 	cliType "github.com/docker/cli/cli/config/types"
 	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/stretchr/testify/assert"
 )
 
 func Test_parseCredentials(t *testing.T) {
@@ -72,40 +70,3 @@ func Test_parseCredentials(t *testing.T) {
 		})
 	}
 }
-
-func Test_ImageContainsTag(t *testing.T) {
-	tests := []struct {
-		name  string
-		image string
-		want  bool
-	}{
-		{
-			name:  "image with no tag",
-			image: "image",
-			want:  false,
-		},
-		{
-			name:  "image with tag",
-			image: "image:tag",
-			want:  true,
-		},
-		{
-			name:  "image with digest",
-			image: "image@sha256:fdd33d7bf8cc80f223e30b4aa6c2ad705ffc7cf1a77697f37ed7232bc74484b0",
-			want:  true,
-		},
-		{
-			name:  "image with tag and digest",
-			image: "image:tag@sha256:fdd33d7bf8cc80f223e30b4aa6c2ad705ffc7cf1a77697f37ed7232bc74484b0",
-			want:  true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ref, err := name.ParseReference(tt.image)
-			assert.NoError(t, err)
-			containsTag := imageContainsTag(tt.image, ref)
-			assert.Equal(t, tt.want, containsTag)
-		})
-	}
-}

internal/validate/image_test.go

@@ -107,7 +107,7 @@ func Test_Validate_InvalidImageName_ShouldReturnError(t *testing.T) {
 		{
 			name:           "image name without semicolon",
 			imageName:      "makapaka",
-			expectedErrMsg: "image is missing tag or hash",
+			expectedErrMsg: "image name could not be parsed",
 		},
 		{
 			name:           "",
@@ -116,7 +116,7 @@ func Test_Validate_InvalidImageName_ShouldReturnError(t *testing.T) {
 		},
 		{
 			name:           "image name with more than two semicolon", //TODO: IMO it's proper image name, but now is not allowed
-			imageName:      "repo:port/image-name:tag:hash",
+			imageName:      "repo.com:123/image-name:tag:hash",
 			expectedErrMsg: "image name could not be parsed",
 		},
 	}