distribution · brackendawson · Feb 1, 2023 · Feb 2, 2023 · Feb 2, 2023 · Feb 2, 2023
diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/mitchellh/mapstructure v1.1.2
 	github.com/ncw/swift v1.0.47
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.2
+	github.com/opencontainers/image-spec v1.1.0-rc3
 	github.com/prometheus/client_golang v1.12.1 // indirect; updated to latest
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.6.1

diff --git a/go.sum b/go.sum
@@ -227,8 +227,8 @@ github.com/ncw/swift v1.0.47 h1:4DQRPj35Y41WogBxyhOXlrI37nzGlyEcsforeudyYPQ=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
-github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
 github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

diff --git a/manifest/ocischema/manifest.go b/manifest/ocischema/manifest.go
@@ -45,10 +45,17 @@ type Manifest struct {
 	// Config references the image configuration as a blob.
 	Config distribution.Descriptor `json:"config"`
 
+	// ArtifactType is the type of an artifact when the manifest is used for an
+	// artifact.
+	ArtifactType string `json:"artifactType,omitempty"`
+
 	// Layers lists descriptors for the layers referenced by the
 	// configuration.
 	Layers []distribution.Descriptor `json:"layers"`
 
+	// Subject is the descriptor of a manifest referred to by this manifest.
+	Subject *distribution.Descriptor `json:"subject,omitempty"`
+
 	// Annotations contains arbitrary metadata for the image manifest.
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
@@ -103,6 +110,21 @@ func (m *DeserializedManifest) UnmarshalJSON(b []byte) error {
 			v1.MediaTypeImageManifest, mfst.MediaType)
 	}
 
+	if mfst.Config.MediaType == v1.MediaTypeScratch && mfst.ArtifactType == &q
E864
uot;" {
+		return fmt.Errorf("if config.mediaType is '%s' then artifactType must be set", v1.MediaTypeScratch)
+	}
+
+	// The subject if specified must be a manifest. This is validated here
+	// rather than in the storage manifest Put handler because the subject does
+	// not have to exist, so there is nothing to validate in the manifest store.
+	// If a non-compliant client provided the digest of a blob then this
+	// registry would still indicate that the referred manifest does not exist.
+	if mfst.Subject != nil {
+		if !distribution.ManifestMediaTypeSupported(mfst.Subject.MediaType) {
+			return fmt.Errorf("subject.mediaType must be a manifest, not '%s'", mfst.Subject.MediaType)
+		}
+	}
+
 	m.Manifest = mfst
 
 	return nil
@@ -124,6 +146,20 @@ func (m DeserializedManifest) Payload() (string, []byte, error) {
 	return v1.MediaTypeImageManifest, m.canonical, nil
 }
 
+// Subject returns a pointer to the subject of this manifest or nil if there is
+// none
+func (m *DeserializedManifest) Subject() *distribution.Descriptor {
+	return m.Manifest.Subject
+}
+
+// Type returns the artifactType of the manifest
+func (m *DeserializedManifest) Type() string {
+	if m.ArtifactType == "" {
+		return m.Config.MediaType
+	}
+	return m.ArtifactType
+}
+
 // unknownDocument represents a manifest, manifest list, or index that has not
 // yet been validated
 type unknownDocument struct {

diff --git a/manifest/ocischema/manifest_test.go b/manifest/ocischema/manifest_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/distribution/distribution/v3"
 	"github.com/distribution/distribution/v3/manifest"
 	"github.com/distribution/distribution/v3/manifest/manifestlist"
+	"github.com/distribution/distribution/v3/manifest/schema2"
 
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -39,6 +40,14 @@ const expectedManifestSerialization = `{
    }
 }`
 
+var (
+	scratchDescriptor = distribution.Descriptor{
+		MediaType: v1.ScratchDescriptor.MediaType,
+		Size:      v1.ScratchDescriptor.Size,
+		Digest:    v1.ScratchDescriptor.Digest,
+	}
+)
+
 func makeTestManifest(mediaType string) Manifest {
 	return Manifest{
 		Versioned: manifest.Versioned{
@@ -214,3 +223,191 @@ func TestValidateManifest(t *testing.T) {
 		}
 	})
 }
+
+func TestArtifactManifest(t *testing.T) {
+	for name, test := range map[string]struct {
+		manifest             Manifest
+		expectValid          bool
+		expectedArtifactType string
+	}{
+		"not_artifact": {
+			manifest: Manifest{
+    				Versioned: SchemaVersion,
+				Config: distribution.Descriptor{
+					MediaType: v1.MediaTypeImageConfig,
+					Size:      200,
+					Digest:    "sha256:4de6702c739d8c9ed907f4c031fd0abc54ee1bf372603a585e139730772cc0b8",
+				},
+				Layers: []distribution.Descriptor{
+					{
+						MediaType: v1.MediaTypeImageLayerGzip,
+						Size:      23423,
+						Digest:    "sha256:ff1b4a27562d8ffc821b4d7368818ad7c759cfc2068b7adf0d2712315d67359a",
+					},
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: v1.MediaTypeImageConfig,
+		},
+		"typical_artifact": {
+			manifest: Manifest{
+				Versioned: SchemaVersion,
+				Config: distribution.Descriptor{
+					MediaType: "application/vnd.example.thing",
+					Size:      200,
+					Digest:    "sha256:4de6702c739d8c9ed907f4c031fd0abc54ee1bf372603a585e139730772cc0b8",
+				},
+				Layers: []distribution.Descriptor{
+					{
+						MediaType: v1.MediaTypeImageLayerGzip,
+						Size:      23423,
+						Digest:    "sha256:ff1b4a27562d8ffc821b4d7368818ad7c759cfc2068b7adf0d2712315d67359a",
+					},
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.thing",
+		},
+		"also_typical_artifact": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.sbom",
+				Config: distribution.Descriptor{
+					MediaType: v1.MediaTypeImageConfig,
+					Size:      200,
+					Digest:    "sha256:4de6702c739d8c9ed907f4c031fd0abc54ee1bf372603a585e139730772cc0b8",
+				},
+				Layers: []distribution.Descriptor{
+					{
+						MediaType: v1.MediaTypeImageLayerGzip,
+						Size:      23423,
+						Digest:    "sha256:ff1b4a27562d8ffc821b4d7368818ad7c759cfc2068b7adf0d2712315d67359a",
+					},
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.sbom",
+		},
+		"configless_artifact": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.catgif",
+				Config:       scratchDescriptor,
+				Layers: []distribution.Descriptor{
+					{
+						MediaType: "image/gif",
+						Size:      23423,
+						Digest:    "sha256:ff1b4a27562d8ffc821b4d7368818ad7c759cfc2068b7adf0d2712315d67359a",
+					},
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.catgif",
+		},
+		"invalid_artifact": {
+			manifest: Manifest{
+				Versioned: SchemaVersion,
+				Config:    scratchDescriptor, // This MUST have an artifactType
+				Layers: []distribution.Descriptor{
+					{
+						MediaType: "image/gif",
+						Size:      23423,
+						Digest:    "sha256:ff1b4a27562d8ffc821b4d7368818ad7c759cfc2068b7adf0d2712315d67359a",
+					},
+				},
+			},
+			expectValid: false,
+		},
+		"annotation_artifact": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.comment",
+				Config:       scratchDescriptor,
+				Layers: []distribution.Descriptor{
+					scratchDescriptor,
+				},
+				Annotations: map[string]string{
+					"com.example.data": "payload",
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.comment",
+		},
+		"valid_subject": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.comment",
+				Config:       scratchDescriptor,
+				Layers: []distribution.Descriptor{
+					scratchDescriptor,
+				},
+				Subject: &distribution.Descriptor{
+					MediaType: v1.MediaTypeImageManifest,
+					Size:      365,
+					Digest:    "sha256:05b3abf2579a5eb66403cd78be557fd860633a1fe2103c7642030defe32c657f",
+				},
+				Annotations: map[string]string{
+					"com.example.data": "payload",
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.comment",
+		},
+		"invalid_subject": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.comment",
+				Config:       scratchDescriptor,
+				Layers: []distribution.Descriptor{
+					scratchDescriptor,
+				},
+				Subject: &distribution.Descriptor{
+					MediaType: v1.MediaTypeImageLayerGzip, // The subject is a manifest
+					Size:      365,
+					Digest:    "sha256:05b3abf2579a5eb66403cd78be557fd860633a1fe2103c7642030defe32c657f",
+				},
+				Annotations: map[string]string{
+					"com.example.data": "payload",
+				},
+			},
+			expectValid: false,
+		},
+		"docker_manifest_valid_as_subject": {
+			manifest: Manifest{
+				Versioned:    SchemaVersion,
+				ArtifactType: "application/vnd.example.comment",
+				Config:       scratchDescriptor,
+				Layers: []distribution.Descriptor{
+					scratchDescriptor,
+				},
+				Subject: &distribution.Descriptor{
+					MediaType: schema2.MediaTypeManifest,
+					Size:      365,
+					Digest:    "sha256:05b3abf2579a5eb66403cd78be557fd860633a1fe2103c7642030defe32c657f",
+				},
+				Annotations: map[string]string{
+					"com.example.data": "payload",
+				},
+			},
+			expectValid:          true,
+			expectedArtifactType: "application/vnd.example.comment",
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			dm, err := FromStruct(test.manifest)
+			if err != nil {
+				t.Fatalf("Error making DeserializedManifest from struct: %s", err)
+			}
+			m, _, err := distribution.UnmarshalManifest(v1.MediaTypeImageManifest, dm.canonical)
+			if test.expectValid != (nil == err) {
+				t.Fatalf("expectValid=%t but got err=%v", test.expectValid, err)
+			}
+			if err != nil {
+				return
+			}
+			if artifactType := m.(distribution.Referrer).Type(); artifactType != test.expectedArtifactType {
+				t.Errorf("Expected artifactType to be %q but got %q", test.expectedArtifactType, artifactType)
+			}
+		})
+	}
+}
diff --git a/manifests.go b/manifests.go
@@ -26,6 +26,18 @@ type Manifest interface {
 	Payload() (mediaType string, payload []byte, err error)
 }
 
+// Referrer represents a Manifest which can refer to a subject.
+type Referrer interface {
+	// Subject returns a pointer to a Descriptor representing the manifest which
+	// this manifest refers to or nil if this manifest does not refer to a
+	// subject.
+	Subject() *Descriptor
+
+	// Type returns the type of the referrer if there is one, otherwise it
+	// returns empty string
+	Type() string
+}
+
 // ManifestBuilder creates a manifest allowing one to include dependencies.
 // Instances can be obtained from a version-specific manifest package.  Manifest
 // specific data is passed into the function which creates the builder.
@@ -84,6 +96,12 @@ func ManifestMediaTypes() (mediaTypes []string) {
 	return
 }
 
+// ManifestMediaTypeSupported returns true if the given mediaType is supported.
+func ManifestMediaTypeSupported(mediaType string) bool {
+	_, ok := mappings[mediaType]
+	return ok
+}
+
 // UnmarshalFunc implements manifest unmarshalling a given MediaType
 type UnmarshalFunc func([]byte) (Manifest, Descriptor, error)
 

diff --git a/registry/api/v2/errors.go b/registry/api/v2/errors.go
@@ -155,4 +155,14 @@ var (
 		the maximum allowed.`,
 		HTTPStatusCode: http.StatusBadRequest,
 	})
+
+	// ErrorCodeManifestNotAcceptable is returned when the manifest found is not
+	// acceptable according to the client's Accept header
+	ErrorCodeManifestNotAcceptable = errcode.Register(errGroup, errcode.ErrorDescriptor{
+		Value:   "MANIFEST_NOT_ACCEPTABLE",
+		Message: "manifest does not match Accept header",
+		Description: `This is returned if the manifest known to the registry
+		has a different mediaType then the client's Accept header.`,
+		HTTPStatusCode: http.StatusNotAcceptable,
+	})
 )