fix: check content-type when using referrers API

Signed-off-by: Kyle M. Tarplee <[email protected]>

example_copy_test.go

@@ -144,6 +144,7 @@ func TestMain(m *testing.M) {
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: referrers,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				panic(err)
 			}

extendedcopy_test.go

@@ -1031,15 +1031,20 @@ func TestExtendedCopyGraph_FilterAnnotationWithMultipleRegex_Referrers(t *testin
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -1076,7 +1081,6 @@ func TestExtendedCopyGraph_FilterAnnotationWithMultipleRegex_Referrers(t *testin
 		default:
 			t.Errorf("unexpected access: %s %s", r.Method, r.URL)
 			w.WriteHeader(http.StatusNotFound)
-			return
 		}
 	}))
 	defer ts.Close()
@@ -1454,15 +1458,20 @@ func TestExtendedCopyGraph_FilterArtifactTypeWithMultipleRegex_Referrers(t *test
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -1695,15 +1704,20 @@ func TestExtendedCopyGraph_FilterArtifactTypeAndAnnotationWithMultipleRegex_Refe
 	// set up test server
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		p := r.URL.Path
+		var manifests []ocispec.Descriptor
 		switch {
 		case p == "/v2/test/referrers/"+descs[0].Digest.String():
+			manifests = descs[1:]
+			fallthrough
+		case strings.HasPrefix(p, "/v2/test/referrers/"):
 			result := ocispec.Index{
 				Versioned: specs.Versioned{
 					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
 				},
 				MediaType: ocispec.MediaTypeImageIndex,
-				Manifests: descs[1:],
+				Manifests: manifests,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}

registry/remote/example_test.go

@@ -174,6 +174,17 @@ func TestMain(m *testing.M) {
 			w.Header().Set("Content-Digest", string(blobDescriptor.Digest))
 			w.Header().Set("Content-Length", strconv.Itoa(len(blobContent)))
 			w.Write([]byte(blobContent))
+		case p == fmt.Sprintf("/v2/%s/referrers/%s", exampleRepositoryName, "sha256:0000000000000000000000000000000000000000000000000000000000000000"):
+			result := ocispec.Index{
+				Versioned: specs.Versioned{
+					SchemaVersion: 2, // historical value. does not pertain to OCI or docker version
+				},
+				MediaType: ocispec.MediaTypeImageIndex,
+			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
+			if err := json.NewEncoder(w).Encode(result); err != nil {
+				panic(err)
+			}
 		case p == fmt.Sprintf("/v2/%s/referrers/%s", exampleRepositoryName, exampleManifestDescriptor.Digest.String()):
 			q := r.URL.Query()
 			var referrers []ocispec.Descriptor
@@ -191,6 +202,7 @@ func TestMain(m *testing.M) {
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: referrers,
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				panic(err)
 			}

registry/remote/repository.go

@@ -548,6 +548,11 @@ func (r *Repository) referrersPageByAPI(ctx context.Context, artifactType string
 		return "", errutil.ParseErrorResponse(resp)
 	}
 
+	if resp.Header.Get("Content-Type") != ocispec.MediaTypeImageIndex {
+		resp.StatusCode = http.StatusNotFound
+		return "", errutil.ParseErrorResponse(resp)
+	}
+
 	var index ocispec.Index
 	lr := limitReader(resp.Body, r.MaxMetadataBytes)
 	if err := json.NewDecoder(lr).Decode(&index); err != nil {
@@ -657,8 +662,9 @@ func (r *Repository) pingReferrers(ctx context.Context) (bool, error) {
 
 	switch resp.StatusCode {
 	case http.StatusOK:
-		r.SetReferrersCapability(true)
-		return true, nil
+		supported := resp.Header.Get("Content-Type") == ocispec.MediaTypeImageIndex
+		r.SetReferrersCapability(supported)
+		return supported, nil
 	case http.StatusNotFound:
 		if err := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(err, errcode.ErrorCodeNameUnknown) {
 			// repository not found

registry/remote/repository_test.go

@@ -1272,6 +1272,7 @@ func TestRepository_Predecessors(t *testing.T) {
 			MediaType: ocispec.MediaTypeImageIndex,
 			Manifests: referrers,
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		if err := json.NewEncoder(w).Encode(result); err != nil {
 			t.Errorf("failed to write response: %v", err)
 		}
@@ -1384,6 +1385,7 @@ func TestRepository_Referrers(t *testing.T) {
 			MediaType: ocispec.MediaTypeImageIndex,
 			Manifests: referrers,
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		if err := json.NewEncoder(w).Encode(result); err != nil {
 			t.Errorf("failed to write response: %v", err)
 		}
@@ -1944,6 +1946,7 @@ func TestRepository_Referrers_ServerFiltering(t *testing.T) {
 				spec.AnnotationReferrersFiltersApplied: "artifactType",
 			},
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		if err := json.NewEncoder(w).Encode(result); err != nil {
 			t.Errorf("failed to write response: %v", err)
 		}
@@ -2019,6 +2022,7 @@ func TestRepository_Referrers_ServerFiltering(t *testing.T) {
 			MediaType: ocispec.MediaTypeImageIndex,
 			Manifests: referrers,
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		// set filter header
 		w.Header().Set("OCI-Filters-Applied", "artifactType")
 		if err := json.NewEncoder(w).Encode(result); err != nil {
@@ -2100,6 +2104,7 @@ func TestRepository_Referrers_ServerFiltering(t *testing.T) {
 				spec.AnnotationReferrersFiltersApplied: "artifactType",
 			},
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		// set filter header
 		w.Header().Set("OCI-Filters-Applied", "artifactType")
 		if err := json.NewEncoder(w).Encode(result); err != nil {
@@ -2241,6 +2246,7 @@ func TestRepository_Referrers_ClientFiltering(t *testing.T) {
 			MediaType: ocispec.MediaTypeImageIndex,
 			Manifests: referrers,
 		}
+		w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 		if err := json.NewEncoder(w).Encode(result); err != nil {
 			t.Errorf("failed to write response: %v", err)
 		}
@@ -3502,6 +3508,7 @@ func Test_ManifestStore_Push_ReferrersAPIAvailable_NoSubjectHeader(t *testing.T)
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: []ocispec.Descriptor{},
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -4503,6 +4510,7 @@ func Test_ManifestStore_Delete_ReferrersAPIAvailable(t *testing.T) {
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: []ocispec.Descriptor{},
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -5887,6 +5895,7 @@ func Test_ManifestStore_PushReference_ReferrersAPIAvailable_NoSubjectHeader(t *t
 				MediaType: ocispec.MediaTypeImageIndex,
 				Manifests: []ocispec.Descriptor{},
 			}
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			if err := json.NewEncoder(w).Encode(result); err != nil {
 				t.Errorf("failed to write response: %v", err)
 			}
@@ -7082,6 +7091,7 @@ func TestRepository_pingReferrers(t *testing.T) {
 		switch {
 		case r.Method == http.MethodGet && r.URL.Path == "/v2/test/referrers/"+zeroDigest:
 			count++
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			w.WriteHeader(http.StatusOK)
 		default:
 			t.Errorf("unexpected access: %s %s", r.Method, r.URL)
@@ -7284,6 +7294,7 @@ func TestRepository_pingReferrers_Concurrent(t *testing.T) {
 		switch {
 		case r.Method == http.MethodGet && r.URL.Path == "/v2/test/referrers/"+zeroDigest:
 			atomic.AddInt32(&count, 1)
+			w.Header().Set("Content-Type", ocispec.MediaTypeImageIndex)
 			w.WriteHeader(http.StatusOK)
 		default:
 			t.Errorf("unexpected access: %s %s", r.Method, r.URL)