feat: follow oci content digest spec

Author: viceice

src/main/java/org/jenkinsci/plugins/docker/commons/credentials/ImageNameValidator.java

@@ -78,21 +78,18 @@ public static boolean skipped() {
             }
             if (digestIdx > 0) {
                 int start = slashIdx > 0 ? slashIdx + 1 : 0;
-                args[1] = userAndRepo.substring(start, digestIdx);
-                tagIdx = args[1].lastIndexOf(':');
-                if (tagIdx > 0 && tagIdx < args[1].length() - 1) {
-                    args[2] = args[1].substring(tagIdx + 1);
-                    args[1] = args[1].substring(0, tagIdx);
-                }
-                if (digestIdx < userAndRepo.length() - 1) {
-                    args[3] = userAndRepo.substring(digestIdx + 1);
+                String name = userAndRepo.substring(start, digestIdx);
+                args[1] = name;
+                tagIdx = name.lastIndexOf(':');
+                if (tagIdx > 0) {
+                    args[1] = name.substring(0, tagIdx);
+                    args[2] = name.substring(tagIdx);
                 }
+                args[3] = userAndRepo.substring(digestIdx);
             } else if (tagIdx > 0) {
                 int start = slashIdx > 0 ? slashIdx + 1 : 0;
                 args[1] = userAndRepo.substring(start, tagIdx);
-                if (tagIdx < userAndRepo.length() - 1) {
-                    args[2] = userAndRepo.substring(tagIdx + 1);
-                }
+                args[2] = userAndRepo.substring(tagIdx);
             }
         }
         return args;
@@ -148,15 +145,28 @@ public static void checkUserAndRepo(@NonNull String userAndRepo) throws FormVali
     }
 
     /**
-     * A digest starts with 'sha256:' and must be valid ASCII and may contain
-     * lowercase and digits.
-     * A digest contains 71 additional characters.
+     * A content digest specified by open container spec.
      *
-     * @see <a href=
-     *      "https://docs.docker.com/engine/reference/commandline/images/#list-the-full-length-image-ids">docker
-     *      digests</a>
+     * @see <a href="https://docs.docker.com/registry/spec/api/#content-digests">Content Digests</a>
+     *      <a href="https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#digests">OCI Digests</a>
      */
-    public static final Pattern VALID_DIGEST = Pattern.compile("^sha256:([a-z0-9]){64}$");
+    public static final Pattern VALID_DIGEST = Pattern.compile("^@[a-z0-9]+([+._-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$");
+
+    /**
+     * A SHA-256 content digest specified by open container spec.
+     *
+     * @see <a href="https://docs.docker.com/registry/spec/api/#content-digests">Content Digests</a>
+     *      <a href="https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#digests">OCI Digests</a>
+     */
+    public static final Pattern VALID_DIGEST_SHA256 = Pattern.compile("^@sha256:[a-z0-9]{64}$");
+
+    /**
+     * A SHA-512 content digest specified by open container spec.
+     *
+     * @see <a href="https://docs.docker.com/registry/spec/api/#content-digests">Content Digests</a>
+     *      <a href="https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#digests">OCI Digests</a>
+     */
+    public static final Pattern VALID_DIGEST_SHA512 = Pattern.compile("^@sha512:[a-z0-9]{128}$");
 
     /**
      * Validates a digest is following the rules.
@@ -174,8 +184,23 @@ public static void checkUserAndRepo(@NonNull String userAndRepo) throws FormVali
         if (StringUtils.isEmpty(digest)) {
             return FormValidation.ok();
         }
-        if (digest.length() != 71) {
-            return FormValidation.error("Digest length != 71");
+        if (digest.startsWith("@sha256")) { 
+            if (digest.length() != 72) {
+                return FormValidation.error("Digest length != 72");
+            }
+            if (!VALID_DIGEST_SHA256.matcher(digest).matches()) {
+                return FormValidation.error("Digest must follow the pattern '%s' for sha-256 algorithm", VALID_DIGEST_SHA256.pattern());
+            }
+            return FormValidation.ok();
+        }
+        if (digest.startsWith("@sha512")) { 
+            if (digest.length() != 136) {
+                return FormValidation.error("Digest length != 136");
+            }
+            if (!VALID_DIGEST_SHA512.matcher(digest).matches()) {
+                return FormValidation.error("Digest must follow the pattern '%s' for sha-512 algorithm", VALID_DIGEST_SHA512.pattern());
+            }
+            return FormValidation.ok();
         }
         if (VALID_DIGEST.matcher(digest).matches()) {
             return FormValidation.ok();
@@ -191,7 +216,7 @@ public static void checkUserAndRepo(@NonNull String userAndRepo) throws FormVali
      *
      * @see <a href="https://docs.docker.com/engine/reference/commandline/tag/">docker tag</a>
      */
-    public static final Pattern VALID_TAG = Pattern.compile("^[a-zA-Z0-9_]([a-zA-Z0-9_.-]){0,127}");
+    public static final Pattern VALID_TAG = Pattern.compile("^:[a-zA-Z0-9_]([a-zA-Z0-9_.-]){0,127}");
 
 
     /**

src/test/java/org/jenkinsci/plugins/docker/commons/credentials/ImageNameValidatorTest.java

@@ -19,20 +19,23 @@ public class ImageNameValidatorTest {
                 {"docker:80/jenkinsci/workflow-demo",                                                                                FormValidation.Kind.OK},
                 {"jenkinsci/workflow-demo:latest",                                                                                   FormValidation.Kind.OK},
                 {"docker:80/jenkinsci/workflow-demo:latest",                                                                         FormValidation.Kind.OK},
+                {"jenkinsci/workflow-demo@",                                                                                         FormValidation.Kind.ERROR},
                 {"workflow-demo:latest",                                                                                             FormValidation.Kind.OK},
                 {"workflow-demo",                                                                                                    FormValidation.Kind.OK},
                 {"workflow-demo:latest@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750",                     FormValidation.Kind.OK},
                 {"workflow-demo:latest@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b",                                         FormValidation.Kind.ERROR},
                 {"workflow-demo@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750",                            FormValidation.Kind.OK},
+                {"workflow-demo@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdB750",                            FormValidation.Kind.ERROR},
+                {"workflow-demo:",                                                                                                   FormValidation.Kind.ERROR},
+                {"workflow-demo:latest@",                                                                                            FormValidation.Kind.ERROR},
+                {"workflow-demo@",                                                                                                   FormValidation.Kind.ERROR},
                 {"jenkinsci/workflow-demo@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750",                  FormValidation.Kind.OK},
                 {"docker:80/jenkinsci/workflow-demo@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750",        FormValidation.Kind.OK},
                 {"docker:80/jenkinsci/workflow-demo:latest@sha256:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750", FormValidation.Kind.OK},
-                {"docker:80/jenkinsci/workflow-demo:latest@sha1:0123456789abcdef", FormValidation.Kind.ERROR},                                //?
-                {"workflow-demo:latest@",                                         FormValidation.Kind.ERROR},
-                {"workflow-demo@",                            FormValidation.Kind.ERROR},
-                {"jenkinsci/workflow-demo@",                  FormValidation.Kind.ERROR},
-                {"docker:80/jenkinsci/workflow-demo@",        FormValidation.Kind.ERROR},
-                {"docker:80/jenkinsci/workflow-demo:latest@", FormValidation.Kind.ERROR},
+                {"docker:80/jenkinsci/workflow-demo:latest@sha1:0123456789abcdef",                                                   FormValidation.Kind.OK},                                
+                {"docker:80/jenkinsci/workflow-demo:latest@sha1:",                                                                   FormValidation.Kind.ERROR}, 
+                {"docker:80/jenkinsci/workflow-demo@",                                                                               FormValidation.Kind.ERROR},
+                {"docker:80/jenkinsci/workflow-demo:latest@",                                                                        FormValidation.Kind.ERROR},
                 {":tag",                                                                                                             FormValidation.Kind.ERROR},
                 {"name:tag",                                                                                                         FormValidation.Kind.OK},
                 {"name:.tag",                                                                                                        FormValidation.Kind.ERROR},
@@ -52,6 +55,10 @@ public class ImageNameValidatorTest {
                 {":",                                                                                                                FormValidation.Kind.ERROR},
                 {"  ",                                                                                                               FormValidation.Kind.ERROR},
 
+                {"a@sha512:56930391cf0e1be83108422bbef43001650cfb75f64b",                                                                                     FormValidation.Kind.ERROR},
+                {"a@sha512:56930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb75056930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750", FormValidation.Kind.OK},
+                {"a@sha512:B6930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb75056930391cf0e1be83108422bbef43001650cfb75f64b3429928f0c5986fdb750", FormValidation.Kind.ERROR}
+
         };
     }
 
@@ -65,6 +72,7 @@ public ImageNameValidatorTest(final String userAndRepo, final FormValidation.Kin
 
     @Test
     public void test() {
-        assertSame(expected, ImageNameValidator.validateUserAndRepo(userAndRepo).kind);
+        FormValidation res = ImageNameValidator.validateUserAndRepo(userAndRepo);
+        assertSame(userAndRepo + " : " + res.getMessage(), expected, res.kind);
     }
 }