Avoid parsing URL in verification logic

errordeveloper · errordeveloper · commit 24d864b46ee7 · 2023-09-27T14:53:07.000+01:00
Signed-off-by: Ilya Dmitrichenko &lt;errordeveloper@gmail.com&gt;
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -611,7 +611,7 @@ func (r *OCIRepositoryReconciler) digestFromRevision(revision string) string {
 // verifySignature verifies the authenticity of the given image reference URL.
 // First, it tries to use a key if a Secret with a valid public key is provided.
 // If not, it falls back to a keyless approach for verification.
-func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv1.OCIRepository, url string, opt ...remote.Option) error {
+func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv1.OCIRepository, ref name.Reference, opt ...remote.Option) error {
 	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
 	defer cancel()
 
@@ -622,15 +622,6 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			soci.WithRemoteOptions(opt...),
 		}
 
-		var nameOpts []name.Option
-		if obj.Spec.Insecure {
-			nameOpts = append(nameOpts, name.Insecure)
-		}
-		ref, err := name.ParseReference(url, nameOpts...)
-		if err != nil {
-			return err
-		}
-
 		// get the public keys from the given secret
 		if secretRef := obj.Spec.Verify.SecretRef; secretRef != nil {
 			certSecretName := types.NamespacedName{
@@ -665,7 +656,7 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			}
 
 			if !signatureVerified {
-				return fmt.Errorf("no matching signatures were found for '%s'", url)
+				return fmt.Errorf("no matching signatures were found for '%s'", ref)
 			}
 
 			return nil
@@ -687,20 +678,25 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *ociv
 			return nil
 		}
 
-		return fmt.Errorf("no matching signatures were found for '%s'", url)
+		return fmt.Errorf("no matching signatures were found for '%s'", ref)
 	}
 
 	return nil
 }
 
 // parseRepository validates and extracts the repository URL.
-func (r *OCIRepositoryReconciler) parseRepository(url string) (name.Repository, error) {
-	if !strings.HasPrefix(url, ociv1.OCIRepositoryPrefix) {
+func (r *OCIRepositoryReconciler) parseRepository(obj *ociv1.OCIRepository) (name.Repository, error) {
+	if !strings.HasPrefix(obj.Spec.URL, ociv1.OCIRepositoryPrefix) {
 		return name.Repository{}, fmt.Errorf("URL must be in format 'oci://<domain>/<org>/<repo>'")
 	}
 
-	url = strings.TrimPrefix(url, ociv1.OCIRepositoryPrefix)
-	repo, err := name.NewRepository(url)
+	url := strings.TrimPrefix(obj.Spec.URL, ociv1.OCIRepositoryPrefix)
+
+	options := []name.Option{}
+	if obj.Spec.Insecure {
+		options = append(options, name.Insecure)
+	}
+	repo, err := name.NewRepository(url, options...)
 	if err != nil {
 		return name.Repository{}, err
 	}
@@ -715,7 +711,7 @@ func (r *OCIRepositoryReconciler) parseRepository(url string) (name.Repository,
 
 // getArtifactRef determines which tag or revision should be used and returns the OCI artifact FQN.
 func (r *OCIRepositoryReconciler) getArtifactRef(obj *ociv1.OCIRepository, options []remote.Option) (name.Reference, error) {
-	repo, err := r.parseRepository(obj.Spec.URL)
+	repo, err := r.parseRepository(obj)
 	if err != nil {
 		return nil, invalidOCIURLError{err}
 	}
