Allow insecure localhost connections

Before this change, the `docker.MatchLocalhost` function was applied to hosts retrieved from labels on snapshots, but not in the artifact fetcher. This meant that data could be lazily loaded from an insecure localhost, but we couldn't fetch the SOCI index/ztocs from an insecure localhost. This change adds the matcher to the artifact fetcher so that images can be lazily loaded from an insecure localhost. Signed-off-by: Kern Walster <[email protected]>
awslabs · Jun 25, 2024 · 075affe · 075affe
1 parent a857d2b
commit 075affe
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/fs/artifact_fetcher.go b/fs/artifact_fetcher.go
@@ -29,6 +29,7 @@ import (
 	"github.com/awslabs/soci-snapshotter/soci/store"
 	"github.com/awslabs/soci-snapshotter/util/ioutils"
 	"github.com/containerd/containerd/reference"
+	"github.com/containerd/containerd/remotes/docker"
 	"github.com/containerd/log"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"golang.org/x/sync/errgroup"
@@ -73,6 +74,11 @@ func newRemoteStore(refspec reference.Spec, client *http.Client) (*remote.Reposi
 		return nil, fmt.Errorf("cannot create repository %s: %w", refspec.Locator, err)
 	}
 	repo.Client = client
+	repo.PlainHTTP, err = docker.MatchLocalhost(refspec.Hostname())
+	if err != nil {
+		return nil, fmt.Errorf("cannot create repository %s: %w", refspec.Locator, err)
+	}
+
 	return repo, nil
 }
 

diff --git a/fs/artifact_fetcher_test.go b/fs/artifact_fetcher_test.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/http"
 	"testing"
 
 	"github.com/containerd/containerd/reference"
@@ -213,6 +214,47 @@ func TestArtifactFetcherFetchOnlyOnce(t *testing.T) {
 	}
 }
 
+func TestNewRemoteStore(t *testing.T) {
+	client := http.Client{}
+	testCases := []struct {
+		name              string
+		ref               string
+		shouldBePlainHTTP bool
+		expectedError     error
+	}{
+		{
+			name:              "ECR public is not plain http",
+			ref:               "public.ecr.aws/ref:tag",
+			shouldBePlainHTTP: false,
+		},
+		{
+			name:              "localhost is plain http",
+			ref:               "localhost:5000/ref:tag",
+			shouldBePlainHTTP: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			refspec, err := reference.Parse(tc.ref)
+			if err != nil {
+				t.Fatalf("unexpected failure parsing reference: %v", err)
+			}
+			r, err := newRemoteStore(refspec, &client)
+			if err != nil {
+				t.Fatalf("unexpected error, got %v", err)
+			}
+			if r.Client != &client {
+				t.Fatalf("unexpected http client, expected %v, got %v", &client, r.Client)
+			}
+			if r.PlainHTTP != tc.shouldBePlainHTTP {
+				t.Fatalf("unepected plain http, expected: %v, got %v", tc.shouldBePlainHTTP, r.PlainHTTP)
+			}
+		})
+	}
+}
+
 func newFakeArtifactFetcher(ref string, contents []byte) (*artifactFetcher, error) {
 	refspec, err := reference.Parse(ref)
 	if err != nil {