From 79629ba8e9a15229f6c404644ce37ddce30414a7 Mon Sep 17 00:00:00 2001
From: Benjamin Einaudi <antechrestos@users.noreply.github.com>
Date: Fri, 8 Nov 2019 18:23:33 +0100
Subject: [PATCH] Prevent asking pull scope for cross-repo mounting (#604)

Fixes #600
---
 pkg/v1/remote/write.go      |  7 ++++---
 pkg/v1/remote/write_test.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/pkg/v1/remote/write.go b/pkg/v1/remote/write.go
index 6f84e54d0..382d5ee3a 100644
--- a/pkg/v1/remote/write.go
+++ b/pkg/v1/remote/write.go
@@ -412,9 +412,10 @@ func scopesForUploadingImage(ref name.Reference, layers []v1.Layer) []string {
 
 	for _, l := range layers {
 		if ml, ok := l.(*MountableLayer); ok {
-			// we add push scope for ref.Context() after the loop
-			if ml.Reference.Context() != ref.Context() {
-				scopeSet[ml.Reference.Context().Scope(transport.PullScope)] = struct{}{}
+			// we will add push scope for ref.Context() after the loop.
+			// for now we ask pull scope for references of the same registry
+			if ml.Reference.Context() != ref.Context() && ml.Reference.Context().Registry == ref.Context().Registry {
+				scopeSet[ml.Reference.Scope(transport.PullScope)] = struct{}{}
 			}
 		}
 	}
diff --git a/pkg/v1/remote/write_test.go b/pkg/v1/remote/write_test.go
index 09b82300b..8ca72a373 100644
--- a/pkg/v1/remote/write_test.go
+++ b/pkg/v1/remote/write_test.go
@@ -907,6 +907,11 @@ func TestScopesForUploadingImage(t *testing.T) {
 		t.Fatalf("name.NewTag() = %v", err)
 	}
 
+	sameReference, err := name.NewTag("example.com/sample/sample:previous", name.WeakValidation)
+	if err != nil {
+		t.Fatalf("name.NewTag() = %v", err)
+	}
+
 	anotherRepo1, err := name.NewTag("example.com/sample/another_repo1:latest", name.WeakValidation)
 	if err != nil {
 		t.Fatalf("name.NewTag() = %v", err)
@@ -917,6 +922,11 @@ func TestScopesForUploadingImage(t *testing.T) {
 		t.Fatalf("name.NewTag() = %v", err)
 	}
 
+	repoOnOtherRegistry, err := name.NewTag("other-domain.com/sample/any_repo:latest", name.WeakValidation)
+	if err != nil {
+		t.Fatalf("name.NewTag() = %v", err)
+	}
+
 	img := setupImage(t)
 	layers, err := img.Layers()
 	if err != nil {
@@ -938,6 +948,19 @@ func TestScopesForUploadingImage(t *testing.T) {
 				referenceToUpload.Scope(transport.PushScope),
 			},
 		},
+		{
+			name:      "mountable layers with same reference",
+			reference: referenceToUpload,
+			layers:    []v1.Layer{
+				&MountableLayer{
+					Layer:     dummyLayer,
+					Reference: sameReference,
+				},
+			},
+			expected: []string{
+				referenceToUpload.Scope(transport.PushScope),
+			},
+		},
 		{
 			name:      "mountable layers with single reference with no-duplicate",
 			reference: referenceToUpload,
@@ -1016,6 +1039,19 @@ func TestScopesForUploadingImage(t *testing.T) {
 				anotherRepo2.Scope(transport.PullScope),
 			},
 		},
+		{
+			name:      "cross repository mountable layer",
+			reference: referenceToUpload,
+			layers: []v1.Layer{
+				&MountableLayer{
+					Layer:     dummyLayer,
+					Reference: repoOnOtherRegistry,
+				},
+			},
+			expected: []string{
+				referenceToUpload.Scope(transport.PushScope),
+			},
+		},
 	}
 
 	for _, tc := range testCases {