feat(CVP-4333): add more helper functions for FIPS check

This commit adds two functions, first is process_image_digest_mirror_set which takes imageDigestMirrorSet as yaml and returns a map of source and mirrors. The second is replace_image_pullspec which replaces the image registry and repo with that of a mirror. Signed-off-by: Yashvardhan Nanavati <yashn@bu.edu>
konflux-ci · Dec 16, 2024 · 732ee4b · 732ee4b
1 parent 646f4ee
commit 732ee4b
Show file tree

Hide file tree

Showing 2 changed files with 114 additions and 0 deletions.
diff --git a/test/utils.sh b/test/utils.sh
@@ -399,3 +399,60 @@ extract_related_images_from_bundle(){
   echo "${related_images}" | tr ' ' '\n'
 
 }
+
+# This function will be used by tasks in build-definitions
+# It returns a map of {source: [mirror1, mirror2]} for imageDigestMirrorSet yaml
+process_image_digest_mirror_set() {
+  local yaml_input="$1"
+  local pullspec_map="{"
+
+  if ! echo "${yaml_input}" | yq '.' &>/dev/null; then
+    echo "Invalid YAML input" >&2
+    exit 2
+  fi
+
+  for entry in $(yq '.spec.imageDigestMirrors' <<<"${yaml_input}" | jq -c '.[]'); do
+    local source=$(echo "${entry}" | jq -r '.source')
+    local mirrors_list=$(echo "${entry}" | jq -r '.mirrors | map("\"" + . + "\"") | join(",")')
+    pullspec_map+="\""${source}"\":["${mirrors_list}"],"
+  done
+
+  pullspec_map="${pullspec_map%,}}"
+
+  echo "${pullspec_map}"
+
+}
+
+# This function will be used by tasks in build-definitions
+# It replaces the image pullspec with the mirror and returns the modified pullspec
+# The image should be in `<image>:<tag>`, `<image>@<digest>` or `<image>:<tag>@<digest>` format
+replace_image_pullspec() {
+  local image="$1"
+  local mirror="$2"
+
+  if [[ -z "$image" || -z "$mirror" ]]; then
+    echo "Invalid input. Usage: replace_image_pullspec <image> <mirror>" >&2
+    exit 2
+  fi
+
+  local image_regex="^([^:@]+)(:[^@]+)?(@sha256:[a-f0-9]{64})?$"
+  if [[ "$image" =~ $image_regex ]]; then
+    local registry_and_repo=$(echo "$image" | sed -E 's/^([^:@]+).*$/\1/')
+
+    local digest=""
+    if [[ "$image" =~ (@sha256:[a-f0-9]{64}) ]]; then
+      digest=$(echo "$image" | sed -E 's/^.*(@sha256:[a-f0-9]{64})$/\1/')
+      image=$(echo "$image" | sed -e 's/@.*$//')
+    fi
+
+    local tag=""
+    if [[ "$image" =~ (:[^@]+) ]]; then
+      tag=$(echo "$image" | sed -E 's/^.*(:[^@]+).*$/\1/')
+    fi
+
+    echo "${mirror}${tag}${digest}"
+  else
+    echo "Invalid pullspec format: ${image}" >&2
+    exit 2
+  fi
+}
diff --git a/unittests_bash/test_utils.bats b/unittests_bash/test_utils.bats
@@ -252,3 +252,60 @@ setup() {
     EXPECTED_RESPONSE='Failed to render the image'
     [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 1 ]]
 }
+
+@test "Process imageDigestMirrorSet: success" {
+    yaml_input=$(cat <<EOF
+---
+apiVersion: operator.openshift.io/v1alpha1
+kind: ImageDigestMirrorSet
+metadata:
+  name: example-mirror-set
+spec:
+  imageDigestMirrors:
+    - mirrors:
+        - quay.io/mirror-namespace/mirror-repo
+        - other-registry.io/namespace/repo
+      source: quay.io/gatekeeper/gatekeeper
+EOF
+)
+    run process_image_digest_mirror_set "${yaml_input}"
+    EXPECTED_RESPONSE="{\"quay.io/gatekeeper/gatekeeper\":[\"quay.io/mirror-namespace/mirror-repo\",\"other-registry.io/namespace/repo\"]}"
+    echo "${output}"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 0 ]]
+}
+
+@test "Process process_image_digest_mirror_set: invalid input" {
+    run process_image_digest_mirror_set "\"invalid yaml"
+    EXPECTED_RESPONSE="Invalid YAML input"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 2 ]]
+}
+
+@test "Replace image pullspec: invalid input" {
+    run replace_image_pullspec "quay.io/some/image"
+    EXPECTED_RESPONSE="Invalid input. Usage: replace_image_pullspec <image> <mirror>"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 2 ]]
+}
+
+@test "Replace image pullspec: success digest" {
+    run replace_image_pullspec "registry.io/unavailable/pullspec@sha256:7441ff12e3d200521512247e053f5ed1c6157bc5f1cbe818dd3cc46903a1c72f" "quay.io/some/mirror"
+    EXPECTED_RESPONSE="quay.io/some/mirror@sha256:7441ff12e3d200521512247e053f5ed1c6157bc5f1cbe818dd3cc46903a1c72f"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 0 ]]
+}
+
+@test "Replace image pullspec: success tag" {
+    run replace_image_pullspec "registry.io/unavailable/pullspec:latest" "quay.io/some/mirror"
+    EXPECTED_RESPONSE="quay.io/some/mirror:latest"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 0 ]]
+}
+
+@test "Replace image pullspec: success tag@sha256" {
+    run replace_image_pullspec "registry.io/unavailable/pullspec:latest@sha256:7441ff12e3d200521512247e053f5ed1c6157bc5f1cbe818dd3cc46903a1c72f" "quay.io/some/mirror"
+    EXPECTED_RESPONSE="quay.io/some/mirror:latest@sha256:7441ff12e3d200521512247e053f5ed1c6157bc5f1cbe818dd3cc46903a1c72f"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 0 ]]
+}
+
+@test "Replace image pullspec: invalid image format" {
+    run replace_image_pullspec "registry.io/unavailable/pullspec@sha256:short-sha" "quay.io/some/mirror"
+    EXPECTED_RESPONSE="Invalid pullspec format: registry.io/unavailable/pullspec@sha256:short-sha"
+    [[ "${EXPECTED_RESPONSE}" = "${output}" && "$status" -eq 2 ]]
+}