
Commit 5e88bb0

committed
proxy: Move policycontext into global state
I am not aware of a reason not to just cache this for the life of the proxy, like we do other global state. Prep for further changes. Signed-off-by: Colin Walters <[email protected]>
1 parent bbaa4b9 commit 5e88bb0

1 file changed

+16
-14
lines changed

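--- a/cmd/skopeo/proxy.go
+++ b/cmd/skopeo/proxy.go
@@ -74,6 +74,7 @@ import (
 "github.com/containers/image/v5/image"
 "github.com/containers/image/v5/manifest"
 "github.com/containers/image/v5/pkg/blobinfocache"
+"github.com/containers/image/v5/signature"
 "github.com/containers/image/v5/transports"
 "github.com/containers/image/v5/transports/alltransports"
 "github.com/containers/image/v5/types"
@@ -162,9 +163,10 @@ type proxyHandler struct {
 // lock protects everything else in this structure.
 lock sync.Mutex
 // opts is CLI options
-opts *proxyOptions
-sysctx *types.SystemContext
-cache types.BlobInfoCache
+opts *proxyOptions
+sysctx *types.SystemContext
+policyctx *signature.PolicyContext
+cache types.BlobInfoCache
 
 // imageSerial is a counter for open images
 imageSerial uint64
@@ -204,6 +206,12 @@ func (h *proxyHandler) Initialize(args []any) (replyBuf, error) {
 h.sysctx = sysctx
 h.cache = blobinfocache.DefaultCache(sysctx)
 
+policyContext, err := h.opts.global.getPolicyContext()
+if err != nil {
+return ret, err
+}
+h.policyctx = policyContext
+
 r := replyBuf{
 value: protocolVersion,
 }
@@ -245,18 +253,8 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBu
 return ret, err
 }
 
-policyContext, err := h.opts.global.getPolicyContext()
-if err != nil {
-return ret, err
-}
-defer func() {
-if err := policyContext.Destroy(); err != nil {
-retErr = noteCloseFailure(retErr, "tearing down policy context", err)
-}
-}()
-
 unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
-allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
+allowed, err := h.policyctx.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
 if err != nil {
 return ret, err
 }
@@ -704,6 +702,10 @@ func (h *proxyHandler) close() {
 logrus.Warnf("Failed to close image %s: %v", transports.ImageName(image.cachedimg.Reference()), err)
 }
 }
+
+if err := h.policyctx.Destroy(); err != nil {
+logrus.Warnf("tearing down policy context: %v", err)
+}
 }
 
 // send writes a reply buffer to the socket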
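Review bot: `close()` now calls `h.policyctx.Destroy()` unconditionally, but `h.policyctx` is only assigned at the end of the new block in `Initialize`, so a handler torn down before `Initialize` runs, or after `getPolicyContext()` fails, would invoke a method on a nil `*signature.PolicyContext`; wrapping the call in `if h.policyctx != nil {` avoids that. In `Initialize`, `h.sysctx` and `h.cache` are set before the policy load, so a failure leaves the handler half-initialized; if the initialization guard in `openImageImpl` (outside this hunk) keys on `h.sysctx`, the `h.policyctx.IsRunningImageAllowed` call could hit the same nil pointer, and loading the policy before `h.sysctx = sysctx` would keep the state all-or-nothing. The field also deserves a comment, since the other fields have one and the lifetime change matters for enforcement: `// policyctx is the signature policy context, created once in Initialize and reused for every image; later policy changes are presumably not seen until the proxy restarts.` The bodies of `Initialize`, `openImageImpl` and `close` all extend beyond the lines shown here.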
