oci_append: produce valid layer and validate (#120)

imjasonh · web-flow · commit dd1a90058dd9 · 2024-04-16T08:39:28.000-04:00
Signed-off-by: Jason Hall &lt;jason@chainguard.dev&gt;
diff --git a/internal/provider/append_resource.go b/internal/provider/append_resource.go
@@ -3,14 +3,15 @@ package provider
 import (
 	"archive/tar"
 	"bytes"
+	"compress/gzip"
 	"context"
 	"fmt"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/google/go-containerregistry/pkg/v1/static"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -214,11 +215,13 @@ func (r *AppendResource) doAppend(ctx context.Context, data *AppendResourceModel
 	adds := []mutate.Addendum{}
 	for _, l := range ls {
 		var b bytes.Buffer
-		tw := tar.NewWriter(&b)
+		zw := gzip.NewWriter(&b)
+		tw := tar.NewWriter(zw)
 		for name, f := range l.Files {
 			if err := tw.WriteHeader(&tar.Header{
 				Name: name,
 				Size: int64(len(f.Contents.ValueString())),
+				Mode: 0644,
 			}); err != nil {
 				return nil, []diag.Diagnostic{diag.NewErrorDiagnostic("Unable to write tar header", fmt.Sprintf("Unable to write tar header for %q, got error: %s", name, err))}
 			}
@@ -229,9 +232,17 @@ func (r *AppendResource) doAppend(ctx context.Context, data *AppendResourceModel
 		if err := tw.Close(); err != nil {
 			return nil, []diag.Diagnostic{diag.NewErrorDiagnostic("Unable to close tar writer", fmt.Sprintf("Unable to close tar writer, got error: %s", err))}
 		}
+		if err := zw.Close(); err != nil {
+			return nil, []diag.Diagnostic{diag.NewErrorDiagnostic("Unable to close gzip writer", fmt.Sprintf("Unable to close gzip writer, got error: %s", err))}
+		}
+
+		l, err := tarball.LayerFromReader(&b)
+		if err != nil {
+			return nil, []diag.Diagnostic{diag.NewErrorDiagnostic("Unable to create layer", fmt.Sprintf("Unable to create layer, got error: %s", err))}
+		}
 
 		adds = append(adds, mutate.Addendum{
-			Layer:     static.NewLayer(b.Bytes(), ggcrtypes.OCILayer),
+			Layer:     l,
 			History:   v1.History{CreatedBy: "terraform-provider-oci: oci_append"},
 			MediaType: ggcrtypes.OCILayer,
 		})
diff --git a/internal/provider/append_resource_test.go b/internal/provider/append_resource_test.go
@@ -6,9 +6,12 @@ import (
 	"testing"
 
 	ocitesting "github.com/chainguard-dev/terraform-provider-oci/testing"
+	"github.com/google/go-containerregistry/pkg/crane"
 	"github.com/google/go-containerregistry/pkg/v1/random"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/validate"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
 )
 
 func TestAccAppendResource(t *testing.T) {
@@ -55,6 +58,17 @@ func TestAccAppendResource(t *testing.T) {
 					resource.TestCheckResourceAttr("oci_append.test", "base_image", ref1.String()),
 					resource.TestMatchResourceAttr("oci_append.test", "image_ref", regexp.MustCompile(`/test@sha256:[0-9a-f]{64}$`)),
 					resource.TestMatchResourceAttr("oci_append.test", "id", regexp.MustCompile(`/test@sha256:[0-9a-f]{64}$`)),
+					resource.TestCheckFunc(func(s *terraform.State) error {
+						rs := s.RootModule().Resources["oci_append.test"]
+						img, err := crane.Pull(rs.Primary.Attributes["image_ref"])
+						if err != nil {
+							return fmt.Errorf("failed to pull image: %v", err)
+						}
+						if err := validate.Image(img); err != nil {
+							return fmt.Errorf("failed to validate image: %v", err)
+						}
+						return nil
+					}),
 				),
 			},
 			// Update and Read testing
