Glob against official dockerhub images

Signed-off-by: Denny Hoang <dhoang@vmware.com>
sigstore · May 4, 2022 · 4d49cfa · 4d49cfa
1 parent 2150887
commit 4d49cfa
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/pkg/apis/config/glob.go b/pkg/apis/config/glob.go
@@ -18,16 +18,22 @@ package config
 import (
 	"net/url"
 	"path/filepath"
+	"strings"
 )
 
 const (
 	ResolvedDockerhubHost = "index.docker.io/"
+	// Images such as "busybox" reside in the dockerhub "library" repository
+	// The full resolved image reference would be index.docker.io/library/busybox
+	DockerhubPublicRepository = "library/"
 )
 
-// GlobMatch will attempt to match the glob first
-// When it is not matched, it will check if it needs to glob against index.docker.io
-// When the pattern is <repository>/*, it should match for the resolved image digest
-// in the form of index.docker.io/<repository>/*
+// GlobMatch will attempt to:
+// 1. match the glob first
+// 2. When the pattern is <repository>/*, therefore missing a host,
+//    it should match for the resolved image digest in the form of index.docker.io/<repository>/*
+// 3. When the pattern is <image>, it should match for the resolved image digest
+//    against the official Dockerhub repository in the form of index.docker.io/library/*
 func GlobMatch(glob, image string) (bool, error) {
 	matched, err := filepath.Match(glob, image)
 	if err != nil {
@@ -46,7 +52,14 @@ func GlobMatch(glob, image string) (bool, error) {
 	}
 
 	if u.Host == "" {
-		dockerhubGlobPattern := ResolvedDockerhubHost + glob
+		dockerhubGlobPattern := ResolvedDockerhubHost
+
+		// If the image is expected to be part of the Dockerhub official "library" repository
+		if len(strings.Split(u.Path, "/")) < 2 {
+			dockerhubGlobPattern += DockerhubPublicRepository
+		}
+
+		dockerhubGlobPattern += glob
 		return filepath.Match(dockerhubGlobPattern, image)
 	}
 

diff --git a/pkg/apis/config/glob_test.go b/pkg/apis/config/glob_test.go
@@ -36,8 +36,9 @@ func TestGlobMatch(t *testing.T) {
 		{glob: "*.repository/*", input: "other.repository/image", match: true},
 		{glob: "repository/*", input: "repository/image", match: true},
 		{glob: "repository/*", input: "other.repository/image", match: false},
-		{glob: "repository/*", input: "index.docker.io/repository/image", match: true},
-		{glob: "[", input: "[", match: false, errString: "syntax error in pattern"}, // Invalid glob pattern
+		{glob: "repository/*", input: "index.docker.io/repository/image", match: true}, // Testing resolved digest
+		{glob: "image", input: "index.docker.io/library/image", match: true},           // Testing resolved digest and official dockerhub public repository
+		{glob: "[", input: "[", match: false, errString: "syntax error in pattern"},    // Invalid glob pattern
 	}
 	for _, tc := range tests {
 		got, err := GlobMatch(tc.glob, tc.input)