Handle failed DNS case for Go 1.20+

Go 1.20 introduced DNS/CNAME handling changes. This can cause an
IP address written in hex, octal, etc. to be looked up as a DNS name
and fail. This change introduces a mock DNS resolver.

Note, with the mock resolver, we don't need to use 0x7f000001 any
longer. Keeping because it was already there.

Signed-off-by: Matt Farina <matt.farina@suse.com>
pull/11896/head
Matt Farina 2 years ago
parent 4e7e939f19
commit 046646c944
No known key found for this signature in database
GPG Key ID: 92C44A3D421FF7F9

@ -14,6 +14,7 @@ require (
github.com/cyphar/filepath-securejoin v0.2.3 github.com/cyphar/filepath-securejoin v0.2.3
github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2
github.com/evanphx/json-patch v5.6.0+incompatible github.com/evanphx/json-patch v5.6.0+incompatible
github.com/foxcpp/go-mockdns v1.0.0
github.com/gobwas/glob v0.2.3 github.com/gobwas/glob v0.2.3
github.com/gofrs/flock v0.8.1 github.com/gofrs/flock v0.8.1
github.com/gosuri/uitable v0.0.4 github.com/gosuri/uitable v0.0.4
@ -107,6 +108,7 @@ require (
github.com/mattn/go-isatty v0.0.17 // indirect github.com/mattn/go-isatty v0.0.17 // indirect
github.com/mattn/go-runewidth v0.0.9 // indirect github.com/mattn/go-runewidth v0.0.9 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/miekg/dns v1.1.25 // indirect
github.com/mitchellh/go-wordwrap v1.0.0 // indirect github.com/mitchellh/go-wordwrap v1.0.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect github.com/moby/locker v1.0.1 // indirect
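Review bot: The new direct requirement `github.com/foxcpp/go-mockdns v1.0.0` in the first hunk, and the `github.com/miekg/dns v1.1.25` it brings in as indirect in the second, should get a dependency check before merge. Both appear to be needed only by the registry test setup, yet they become part of the module graph that downstream scanners and SBOMs report. Running `govulncheck ./...` (or the project's usual scanner) against the selected miekg/dns release, and raising the version if it is flagged, would cover this. The go.sum section is suppressed on this page and shows 833 changes, so it is worth confirming locally with `go mod tidy` and `go mod verify` that those changes are exactly what this one addition produces.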

833
go.sum

File diff suppressed because it is too large Load Diff

@ -36,6 +36,7 @@ func (suite *TLSRegistryClientTestSuite) SetupSuite() {
} }
func (suite *TLSRegistryClientTestSuite) TearDownSuite() { func (suite *TLSRegistryClientTestSuite) TearDownSuite() {
teardown(&suite.TestSuite)
os.RemoveAll(suite.WorkspaceDir) os.RemoveAll(suite.WorkspaceDir)
} }

@ -22,6 +22,7 @@ import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"io" "io"
"net"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
@ -34,6 +35,7 @@ import (
"github.com/distribution/distribution/v3/registry" "github.com/distribution/distribution/v3/registry"
_ "github.com/distribution/distribution/v3/registry/auth/htpasswd" _ "github.com/distribution/distribution/v3/registry/auth/htpasswd"
_ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory" _ "github.com/distribution/distribution/v3/registry/storage/driver/inmemory"
"github.com/foxcpp/go-mockdns"
"github.com/phayes/freeport" "github.com/phayes/freeport"
"github.com/stretchr/testify/suite" "github.com/stretchr/testify/suite"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
@ -63,6 +65,9 @@ type TestSuite struct {
CompromisedRegistryHost string CompromisedRegistryHost string
WorkspaceDir string WorkspaceDir string
RegistryClient *Client RegistryClient *Client
// A mock DNS server needed for TLS connection testing.
srv *mockdns.Server
} }
func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry { func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry {
@ -122,6 +127,15 @@ func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry
// That function does not handle matching of ip addresses in octal, // That function does not handle matching of ip addresses in octal,
// decimal or hex form. // decimal or hex form.
suite.DockerRegistryHost = fmt.Sprintf("0x7f000001:%d", port) suite.DockerRegistryHost = fmt.Sprintf("0x7f000001:%d", port)
// As of Go 1.20, Go may lookup "0x7f000001" as a DNS entry and fail.
// Using a mock DNS server to handle the address.
suite.srv, _ = mockdns.NewServer(map[string]mockdns.Zone{
"0x7f000001.": {
A: []string{"127.0.0.1"},
},
}, false)
suite.srv.PatchNet(net.DefaultResolver)
} else { } else {
suite.DockerRegistryHost = fmt.Sprintf("localhost:%d", port) suite.DockerRegistryHost = fmt.Sprintf("localhost:%d", port)
} }
@ -152,6 +166,13 @@ func setup(suite *TestSuite, tlsEnabled bool, insecure bool) *registry.Registry
return dockerRegistry return dockerRegistry
} }
func teardown(suite *TestSuite) {
if suite.srv != nil {
mockdns.UnpatchNet(net.DefaultResolver)
suite.srv.Close()
}
}
func initCompromisedRegistryTestServer() string { func initCompromisedRegistryTestServer() string {
s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if strings.Contains(r.URL.Path, "manifests") { if strings.Contains(r.URL.Path, "manifests") {
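Review bot: The error returned by `mockdns.NewServer` is discarded in the block added to `setup`, so if the mock server cannot start, `suite.srv` is nil and the next line, `suite.srv.PatchNet(net.DefaultResolver)`, will most likely panic rather than fail the suite with a readable message. Capture it with `srv, err := mockdns.NewServer(zones, false)`, fail setup on a non-nil error, and only then assign `suite.srv = srv` and patch. `PatchNet(net.DefaultResolver)` also changes process-wide state: every lookup in the test binary goes to the mock until `teardown` runs, and the only visible caller of `teardown` is the TLS suite's `TearDownSuite`. A doc comment on `teardown` such as `// teardown restores net.DefaultResolver and stops the mock DNS server; call it from every suite whose setup may have patched the resolver.` would make that pairing explicit. `setup` starts and continues outside these hunks, so the condition guarding this branch is not visible here.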
