fix: check content-type when using referrers API (#635)

When accessing the referrer's API, this adds a check to make sure the content-type is an OCI index. Also fixes the tests to properly set the content-type header in the response. Closes #633 Signed-off-by: Kyle M. Tarplee <[email protected]>
oras-project · Nov 21, 2023 · 79a08b4 · 79a08b4
1 parent 3776676
commit 79a08b4
Show file tree

Hide file tree

Showing 5 changed files with 270 additions and 130 deletions.
diff --git a/example_copy_test.go b/example_copy_test.go
@@ -144,6 +144,7 @@ func TestMain(m *testing.M) {
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: referrers,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				panic(err)
 			}

diff --git a/extendedcopy_test.go b/extendedcopy_test.go
@@ -1031,15 +1031,20 @@ func TestExtendedCopyGraph_FilterAnnotationWithMultipleRegex_Referrers(t *testin
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -1076,7 +1081,6 @@ func TestExtendedCopyGraph_FilterAnnotationWithMultipleRegex_Referrers(t *testin
 		default:
 			t.Errorf("unexpected access: %s %s", r.Method, r.URL)
 			w.WriteHeader(http.StatusNotFound)
-			return
 		}
 	}))
 	defer ts.Close()
@@ -1454,15 +1458,20 @@ func TestExtendedCopyGraph_FilterArtifactTypeWithMultipleRegex_Referrers(t *test
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -1695,15 +1704,20 @@ func TestExtendedCopyGraph_FilterArtifactTypeAndAnnotationWithMultipleRegex_Refe
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}

diff --git a/registry/remote/example_test.go b/registry/remote/example_test.go
@@ -174,6 +174,17 @@ func TestMain(m *testing.M) {
 			w.Header().Set("Content-Digest", string(blobDescriptor.Digest))
 			w.Header().Set("Content-Length", strconv.Itoa(len(blobContent)))
 			w.Write([]byte(blobContent))
+		case p == fmt.Sprintf("/v2/%s/referrers/%s", exampleRepositoryName, "sha256:0000000000000000000000000000000000000000000000000000000000000000"):
+			result := ocispec.Index{
+				Versioned: specs.Versioned{
+					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+				},
+				MediaType: ocispec.MediaTypeImageIndex,
+			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
+			if err := json.NewEncoder(w).Encode(result); err != nil {
+				panic(err)
+			}
 		case p == fmt.Sprintf("/v2/%s/referrers/%s", exampleRepositoryName, exampleManifestDescriptor.Digest.String()):
 			q := r.URL.Query()
 			var referrers []ocispec.Descriptor
@@ -191,6 +202,7 @@ func TestMain(m *testing.M) {
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: referrers,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				panic(err)
 			}

diff --git a/registry/remote/repository.go b/registry/remote/repository.go
@@ -483,18 +483,12 @@ func (r *Repository) Referrers(ctx context.Context, desc ocispec.Descriptor, art
 
 	// The referrers state is unknown.
 	if err != nil {
-		var errResp *errcode.ErrorResponse
-		if !errors.As(err, &errResp) || errResp.StatusCode != http.StatusNotFound {
-			return err
-		}
-		if errutil.IsErrorCode(errResp, errcode.ErrorCodeNameUnknown) {
-			// The repository is not found, no fallback.
-			return err
+		if errors.Is(err, errdef.ErrUnsupported) {
+			// Referrers API is not supported, fallback to referrers tag schema.
+			r.SetReferrersCapability(false)
+			return r.referrersByTagSchema(ctx, desc, artifactType, fn)
 		}
-		// A 404 returned by Referrers API indicates that Referrers API is
-		// not supported. Fallback to referrers tag schema.
-		r.SetReferrersCapability(false)
-		return r.referrersByTagSchema(ctx, desc, artifactType, fn)
+		return err
 	}
 
 	r.SetReferrersCapability(true)
@@ -544,10 +538,24 @@ func (r *Repository) referrersPageByAPI(ctx context.Context, artifactType string
 	}
 	defer resp.Body.Close()
 
-	if resp.StatusCode != http.StatusOK {
+	switch resp.StatusCode {
+	case http.StatusOK:
+	case http.StatusNotFound:
+		if errResp := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(errResp, errcode.ErrorCodeNameUnknown) {
+			// The repository is not found, Referrers API status is unknown
+			return "", errResp
+		}
+		// Referrers API is not supported.
+		return "", fmt.Errorf("failed to query referrers API: %w", errdef.ErrUnsupported)
+	default:
 		return "", errutil.ParseErrorResponse(resp)
 	}
 
+	// also check the content type
+	if ct := resp.Header.Get("Content-Type"); ct != ocispec.MediaTypeImageIndex {
+		return "", fmt.Errorf("unknown content returned (%s), expecting image index: %w", ct, errdef.ErrUnsupported)
+	}
+
 	var index ocispec.Index
 	lr := limitReader(resp.Body, r.MaxMetadataBytes)
 	if err := json.NewDecoder(lr).Decode(&index); err != nil {
@@ -657,8 +665,9 @@ func (r *Repository) pingReferrers(ctx context.Context) (bool, error) {
 
 	switch resp.StatusCode {
 	case http.StatusOK:
-		r.SetReferrersCapability(true)
-		return true, nil
+		supported := resp.Header.Get("Content-Type") == ocispec.MediaTypeImageIndex
+		r.SetReferrersCapability(supported)
+		return supported, nil
 	case http.StatusNotFound:
 		if err := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(err, errcode.ErrorCodeNameUnknown) {
 			// repository not found