Bump github.com/containers/image/v5 from 5.8.1 to 5.9.0

Bumps [github.com/containers/image/v5](https://github.com/containers/image) from 5.8.1 to 5.9.0.
- [Release notes](https://github.com/containers/image/releases)
- [Commits](https://github.com/containers/image/compare/v5.8.1...v5.9.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/containers/buildah v1.18.1-0.20201125084616-dd26b137459c
 	github.com/containers/common v0.31.0
 	github.com/containers/conmon v2.0.20+incompatible
-	github.com/containers/image/v5 v5.8.1
+	github.com/containers/image/v5 v5.9.0
 	github.com/containers/psgo v1.5.1
 	github.com/containers/storage v1.24.1
 	github.com/coreos/go-systemd/v22 v22.1.0

go.sum

@@ -101,6 +101,8 @@ github.com/containers/conmon v2.0.20+incompatible h1:YbCVSFSCqFjjVwHTPINGdMX1F6J
 github.com/containers/conmon v2.0.20+incompatible/go.mod h1:hgwZ2mtuDrppv78a/cOBNiCm6O0UMWGx1mu7P00nu5I=
 github.com/containers/image/v5 v5.8.1 h1:aHW8a/Kd0dTJ7PTL/fc6y12sJqHxWgqilu+XyHfjD8Q=
 github.com/containers/image/v5 v5.8.1/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
+github.com/containers/image/v5 v5.9.0 h1:dRmUtcluQcmasNo3DpnRoZjfU0rOu1qZeL6wlDJr10Q=
+github.com/containers/image/v5 v5.9.0/go.mod h1:blOEFd/iFdeyh891ByhCVUc+xAcaI3gBegXECwz9UbQ=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
 github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.0.3 h1:vYgl+RZ9Q3DPMuTfxmN+qp0X2Bj52uuY2vnt6GzVe1c=

vendor/github.com/containers/image/v5/copy/copy.go

@@ -53,6 +53,14 @@ var (
 // compressionBufferSize is the buffer size used to compress a blob
 var compressionBufferSize = 1048576
 
+// expectedCompressionFormats is used to check if a blob with a specified media type is compressed
+// using the algorithm that the media type says it should be compressed with
+var expectedCompressionFormats = map[string]*compression.Algorithm{
+	imgspecv1.MediaTypeImageLayerGzip:      &compression.Gzip,
+	imgspecv1.MediaTypeImageLayerZstd:      &compression.Zstd,
+	manifest.DockerV2Schema2LayerMediaType: &compression.Gzip,
+}
+
 // newDigestingReader returns an io.Reader implementation with contents of source, which will eventually return a non-EOF error
 // or set validationSucceeded/validationFailed to true if the source stream does/does not match expectedDigest.
 // (neither is set if EOF is never reached).
@@ -1234,6 +1242,10 @@ func (c *copier) copyBlobFromStream(ctx context.Context, srcStream io.Reader, sr
 	isCompressed := decompressor != nil
 	destStream = bar.ProxyReader(destStream)
 
+	if expectedCompressionFormat, known := expectedCompressionFormats[srcInfo.MediaType]; known && isCompressed && compressionFormat.Name() != expectedCompressionFormat.Name() {
+		logrus.Debugf("blob %s with type %s should be compressed with %s, but compressor appears to be %s", srcInfo.Digest.String(), srcInfo.MediaType, expectedCompressionFormat.Name(), compressionFormat.Name())
+	}
+
 	// === Send a copy of the original, uncompressed, stream, to a separate path if necessary.
 	var originalLayerReader io.Reader // DO NOT USE this other than to drain the input if no other consumer in the pipeline has done so.
 	if getOriginalLayerCopyWriter != nil {

vendor/github.com/containers/image/v5/pkg/compression/compression.go

@@ -91,7 +91,8 @@ func CompressStream(dest io.Writer, algo Algorithm, level *int) (io.WriteCloser,
 	return internal.AlgorithmCompressor(algo)(dest, level)
 }
 
-// DetectCompressionFormat returns a DecompressorFunc if the input is recognized as a compressed format, nil otherwise.
+// DetectCompressionFormat returns an Algorithm and DecompressorFunc if the input is recognized as a compressed format, an invalid
+// value and nil otherwise.
 // Because it consumes the start of input, other consumers must use the returned io.Reader instead to also read from the beginning.
 func DetectCompressionFormat(input io.Reader) (Algorithm, DecompressorFunc, io.Reader, error) {
 	buffer := [8]byte{}

vendor/github.com/containers/image/v5/pkg/shortnames/shortnames.go

@@ -225,9 +225,8 @@ func (c *PullCandidate) Record() error {
 // Note that tags and digests are stripped from the specified name before
 // looking up an alias. Stripped off tags and digests are later on appended to
 // all candidates.  If neither tag nor digest is specified, candidates are
-// normalized with the "latest" tag. PullCandidates in the returned value may
+// normalized with the "latest" tag.  An error is returned if there is no
-// be empty if there is no matching alias and no unqualified-search registries
+// matching alias and no unqualified-search registries are configured.
-// are configured.
 //
 // Note that callers *must* call `(PullCandidate).Record` after a returned
 // item has been pulled successfully; this callback will record a new
@@ -312,6 +311,10 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
 	if err != nil {
 		return nil, err
 	}
+	// Error out if there's no matching alias and no search registries.
+	if len(unqualifiedSearchRegistries) == 0 {
+		return nil, errors.Errorf("short-name %q did not resolve to an alias and no unqualified-search registries are defined in %q", name, usrConfig)
+	}
 	resolved.originDescription = usrConfig
 
 	for _, reg := range unqualifiedSearchRegistries {
@@ -331,10 +334,8 @@ func Resolve(ctx *types.SystemContext, name string) (*Resolved, error) {
 		return resolved, nil
 	}
 
-	// If we have only one candidate, there's no ambiguity. In case of an
+	// If we have only one candidate, there's no ambiguity.
-	// empty candidate slices, callers can implement custom logic or raise
+	if len(resolved.PullCandidates) == 1 {
-	// an error.
-	if len(resolved.PullCandidates) <= 1 {
 		return resolved, nil
 	}
 

vendor/github.com/containers/image/v5/signature/policy_config.go

@@ -19,6 +19,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"regexp"
 
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports"
@@ -507,6 +508,8 @@ func newPolicyReferenceMatchFromJSON(data []byte) (PolicyReferenceMatch, error)
 		res = &prmExactReference{}
 	case prmTypeExactRepository:
 		res = &prmExactRepository{}
+	case prmTypeRemapIdentity:
+		res = &prmRemapIdentity{}
 	default:
 		return nil, InvalidPolicyFormatError(fmt.Sprintf("Unknown policy reference match type \"%s\"", typeField.Type))
 	}
@@ -693,3 +696,76 @@ func (prm *prmExactRepository) UnmarshalJSON(data []byte) error {
 	*prm = *res
 	return nil
 }
+
+// Private objects for validateIdentityRemappingPrefix
+var (
+	// remapIdentityDomainRegexp matches exactly a reference domain (name[:port])
+	remapIdentityDomainRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "$")
+	// remapIdentityDomainPrefixRegexp matches a reference that starts with a domain;
+	// we need this because reference.NameRegexp accepts short names with docker.io implied.
+	remapIdentityDomainPrefixRegexp = regexp.MustCompile("^" + reference.DomainRegexp.String() + "/")
+	// remapIdentityNameRegexp matches exactly a reference.Named name (possibly unnormalized)
+	remapIdentityNameRegexp = regexp.MustCompile("^" + reference.NameRegexp.String() + "$")
+)
+
+// validateIdentityRemappingPrefix returns an InvalidPolicyFormatError if s is detected to be invalid
+// for the Prefix or SignedPrefix values of prmRemapIdentity.
+// Note that it may not recognize _all_ invalid values.
+func validateIdentityRemappingPrefix(s string) error {
+	if remapIdentityDomainRegexp.MatchString(s) ||
+		(remapIdentityNameRegexp.MatchString(s) && remapIdentityDomainPrefixRegexp.MatchString(s)) {
+		// FIXME? This does not reject "shortname" nor "ns/shortname", because docker/reference
+		// does not provide an API for the short vs. long name logic.
+		// It will either not match, or fail in the ParseNamed call of
+		// prmRemapIdentity.remapReferencePrefix when trying to use such a prefix.
+		return nil
+	}
+	return InvalidPolicyFormatError(fmt.Sprintf("prefix %q is not valid", s))
+}
+
+// newPRMRemapIdentity is NewPRMRemapIdentity, except it returns the private type.
+func newPRMRemapIdentity(prefix, signedPrefix string) (*prmRemapIdentity, error) {
+	if err := validateIdentityRemappingPrefix(prefix); err != nil {
+		return nil, err
+	}
+	if err := validateIdentityRemappingPrefix(signedPrefix); err != nil {
+		return nil, err
+	}
+	return &prmRemapIdentity{
+		prmCommon:    prmCommon{Type: prmTypeRemapIdentity},
+		Prefix:       prefix,
+		SignedPrefix: signedPrefix,
+	}, nil
+}
+
+// NewPRMRemapIdentity returns a new "remapIdentity" PolicyRepositoryMatch.
+func NewPRMRemapIdentity(prefix, signedPrefix string) (PolicyReferenceMatch, error) {
+	return newPRMRemapIdentity(prefix, signedPrefix)
+}
+
+// Compile-time check that prmRemapIdentity implements json.Unmarshaler.
+var _ json.Unmarshaler = (*prmRemapIdentity)(nil)
+
+// UnmarshalJSON implements the json.Unmarshaler interface.
+func (prm *prmRemapIdentity) UnmarshalJSON(data []byte) error {
+	*prm = prmRemapIdentity{}
+	var tmp prmRemapIdentity
+	if err := paranoidUnmarshalJSONObjectExactFields(data, map[string]interface{}{
+		"type":         &tmp.Type,
+		"prefix":       &tmp.Prefix,
+		"signedPrefix": &tmp.SignedPrefix,
+	}); err != nil {
+		return err
+	}
+
+	if tmp.Type != prmTypeRemapIdentity {
+		return InvalidPolicyFormatError(fmt.Sprintf("Unexpected policy requirement type \"%s\"", tmp.Type))
+	}
+
+	res, err := newPRMRemapIdentity(tmp.Prefix, tmp.SignedPrefix)
+	if err != nil {
+		return err
+	}
+	*prm = *res
+	return nil
+}

vendor/github.com/containers/image/v5/signature/policy_reference_match.go

@@ -4,6 +4,7 @@ package signature
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/containers/image/v5/docker/reference"
 	"github.com/containers/image/v5/transports"
@@ -36,12 +37,9 @@ func (prm *prmMatchExact) matchesDockerReference(image types.UnparsedImage, sign
 	return signature.String() == intended.String()
 }
 
-func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+// matchRepoDigestOrExactReferenceValues implements prmMatchRepoDigestOrExact.matchesDockerReference
-	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+// using reference.Named values.
-	if err != nil {
+func matchRepoDigestOrExactReferenceValues(intended, signature reference.Named) bool {
-		return false
-	}
-
 	// Do not add default tags: image.Reference().DockerReference() should contain it already, and signatureDockerReference should be exact; so, verify that now.
 	if reference.IsNameOnly(signature) {
 		return false
@@ -58,6 +56,13 @@ func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.Unparse
 		return false
 	}
 }
+func (prm *prmMatchRepoDigestOrExact) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+	if err != nil {
+		return false
+	}
+	return matchRepoDigestOrExactReferenceValues(intended, signature)
+}
 
 func (prm *prmMatchRepository) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
 	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
@@ -99,3 +104,51 @@ func (prm *prmExactRepository) matchesDockerReference(image types.UnparsedImage,
 	}
 	return signature.Name() == intended.Name()
 }
+
+// refMatchesPrefix returns true if ref matches prm.Prefix.
+func (prm *prmRemapIdentity) refMatchesPrefix(ref reference.Named) bool {
+	name := ref.Name()
+	switch {
+	case len(name) < len(prm.Prefix):
+		return false
+	case len(name) == len(prm.Prefix):
+		return name == prm.Prefix
+	case len(name) > len(prm.Prefix):
+		// We are matching only ref.Name(), not ref.String(), so the only separator we are
+		// expecting is '/':
+		// - '@' is only valid to separate a digest, i.e. not a part of ref.Name()
+		// - similarly ':' to mark a tag would not be a part of ref.Name(); it can be a part of a
+		//   host:port domain syntax, but we don't treat that specially and require an exact match
+		//   of the domain.
+		return strings.HasPrefix(name, prm.Prefix) && name[len(prm.Prefix)] == '/'
+	default:
+		panic("Internal error: impossible comparison outcome")
+	}
+}
+
+// remapReferencePrefix returns the result of remapping ref, if it matches prm.Prefix
+// or the original ref if it does not.
+func (prm *prmRemapIdentity) remapReferencePrefix(ref reference.Named) (reference.Named, error) {
+	if !prm.refMatchesPrefix(ref) {
+		return ref, nil
+	}
+	refString := ref.String()
+	newNamedRef := strings.Replace(refString, prm.Prefix, prm.SignedPrefix, 1)
+	newParsedRef, err := reference.ParseNamed(newNamedRef)
+	if err != nil {
+		return nil, fmt.Errorf(`error rewriting reference from "%s" to "%s": %v`, refString, newNamedRef, err)
+	}
+	return newParsedRef, nil
+}
+
+func (prm *prmRemapIdentity) matchesDockerReference(image types.UnparsedImage, signatureDockerReference string) bool {
+	intended, signature, err := parseImageAndDockerReference(image, signatureDockerReference)
+	if err != nil {
+		return false
+	}
+	intended, err = prm.remapReferencePrefix(intended)
+	if err != nil {
+		return false
+	}
+	return matchRepoDigestOrExactReferenceValues(intended, signature)
+}

vendor/github.com/containers/image/v5/signature/policy_types.go

@@ -121,6 +121,7 @@ const (
 	prmTypeMatchRepository        prmTypeIdentifier = "matchRepository"
 	prmTypeExactReference         prmTypeIdentifier = "exactReference"
 	prmTypeExactRepository        prmTypeIdentifier = "exactRepository"
+	prmTypeRemapIdentity          prmTypeIdentifier = "remapIdentity"
 )
 
 // prmMatchExact is a PolicyReferenceMatch with type = prmMatchExact: the two references must match exactly.
@@ -150,3 +151,13 @@ type prmExactRepository struct {
 	prmCommon
 	DockerRepository string `json:"dockerRepository"`
 }
+
+// prmRemapIdentity is a PolicyReferenceMatch with type = prmRemapIdentity: like prmMatchRepoDigestOrExact,
+// except that a namespace (at least a host:port, at most a single repository) is substituted before matching the two references.
+type prmRemapIdentity struct {
+	prmCommon
+	Prefix       string `json:"prefix"`
+	SignedPrefix string `json:"signedPrefix"`
+	// Possibly let the users make a choice for tag/digest matching behavior
+	// similar to prmMatchExact/prmMatchRepository?
+}

vendor/github.com/containers/image/v5/version/version.go

@@ -6,9 +6,9 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 5
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 8
+	VersionMinor = 9
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 1
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = ""

vendor/modules.txt

@@ -104,7 +104,7 @@ github.com/containers/common/pkg/umask
 github.com/containers/common/version
 # github.com/containers/conmon v2.0.20+incompatible
 github.com/containers/conmon/runner/config
-# github.com/containers/image/v5 v5.8.1
+# github.com/containers/image/v5 v5.9.0
 github.com/containers/image/v5/copy
 github.com/containers/image/v5/directory
 github.com/containers/image/v5/directory/explicitfilepath