Check cagent annotation

Signed-off-by: David Gageot <david.gageot@docker.com>

Author: dgageot

cmd/root/push.go

@@ -27,6 +27,7 @@ func newPushCmd() *cobra.Command {
 func runPushCommand(cmd *cobra.Command, args []string) error {
 	telemetry.TrackCommand("push", args)
 
+	ctx := cmd.Context()
 	filePath := args[0]
 	tag := args[1]
 	out := cli.NewPrinter(cmd.OutOrStdout())
@@ -36,7 +37,7 @@ func runPushCommand(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	_, err = oci.PackageFileAsOCIToStore(filePath, tag, store)
+	_, err = oci.PackageFileAsOCIToStore(ctx, filePath, tag, store)
 	if err != nil {
 		return fmt.Errorf("failed to build artifact: %w", err)
 	}

pkg/agentfile/resolver_test.go

@@ -112,7 +112,7 @@ agents:
 
 	// Package as OCI artifact
 	ociRef := "test.registry.io/myorg/testagent:v1"
-	_, err = oci.PackageFileAsOCIToStore(agentFile, ociRef, store)
+	_, err = oci.PackageFileAsOCIToStore(t.Context(), agentFile, ociRef, store)
 	require.NoError(t, err)
 
 	ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
@@ -156,7 +156,7 @@ agents:
 `
 	updatedFile := filepath.Join(t.TempDir(), "updated-agent.yaml")
 	require.NoError(t, os.WriteFile(updatedFile, []byte(updatedContent), 0o644))
-	_, err = oci.PackageFileAsOCIToStore(updatedFile, ociRef, store)
+	_, err = oci.PackageFileAsOCIToStore(t.Context(), updatedFile, ociRef, store)
 	require.NoError(t, err)
 
 	// Third resolution (simulating reload after update)
@@ -202,9 +202,9 @@ agents:
 	// Package as different OCI artifacts
 	ociRef1 := "test.io/org/agent1:v1"
 	ociRef2 := "test.io/org/agent2:v1"
-	_, err = oci.PackageFileAsOCIToStore(agent1File, ociRef1, store)
+	_, err = oci.PackageFileAsOCIToStore(t.Context(), agent1File, ociRef1, store)
 	require.NoError(t, err)
-	_, err = oci.PackageFileAsOCIToStore(agent2File, ociRef2, store)
+	_, err = oci.PackageFileAsOCIToStore(t.Context(), agent2File, ociRef2, store)
 	require.NoError(t, err)
 
 	ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
@@ -252,7 +252,7 @@ agents:
 
 	// Package as OCI artifact
 	ociRef := "test.io/cleanup/agent:v1"
-	_, err = oci.PackageFileAsOCIToStore(agentFile, ociRef, store)
+	_, err = oci.PackageFileAsOCIToStore(t.Context(), agentFile, ociRef, store)
 	require.NoError(t, err)
 
 	ctx, cancel := context.WithCancel(t.Context())

pkg/oci/package_test.go

@@ -22,7 +22,7 @@ description: "Test application"
 	require.NoError(t, err)
 
 	tag := "test-app:v1.0.0"
-	digest, err := PackageFileAsOCIToStore(testFile, tag, store)
+	digest, err := PackageFileAsOCIToStore(t.Context(), testFile, tag, store)
 	require.NoError(t, err)
 
 	assert.NotEmpty(t, digest)
@@ -54,7 +54,7 @@ description: "Test application"
 func TestPackageFileAsOCIToStoreMissingFile(t *testing.T) {
 	store, err := content.NewStore(content.WithBaseDir(t.TempDir()))
 	require.NoError(t, err)
-	_, err = PackageFileAsOCIToStore("/non/existent/file.txt", "test:latest", store)
+	_, err = PackageFileAsOCIToStore(t.Context(), "/non/existent/file.txt", "test:latest", store)
 	require.Error(t, err)
 }
 
@@ -64,7 +64,7 @@ func TestPackageFileAsOCIToStoreInvalidTag(t *testing.T) {
 
 	store, err := content.NewStore(content.WithBaseDir(t.TempDir()))
 	require.NoError(t, err)
-	_, err = PackageFileAsOCIToStore(testFile, "", store)
+	_, err = PackageFileAsOCIToStore(t.Context(), testFile, "", store)
 	require.Error(t, err)
 }
 
@@ -106,7 +106,7 @@ func TestPackageFileAsOCIToStoreDifferentFileTypes(t *testing.T) {
 			require.NoError(t, os.WriteFile(testFile, []byte(tc.content), 0o644))
 
 			// Package the file as OCI artifact
-			digest, err := PackageFileAsOCIToStore(testFile, tc.tag, store)
+			digest, err := PackageFileAsOCIToStore(t.Context(), testFile, tc.tag, store)
 			require.NoError(t, err)
 
 			digests = append(digests, digest)

pkg/remote/pull.go

@@ -32,6 +32,9 @@ func Pull(ctx context.Context, registryRef string, opts ...crane.Option) (string
 	localRef := ref.Context().RepositoryStr() + ":" + ref.Identifier()
 	if meta, metaErr := store.GetArtifactMetadata(localRef); metaErr == nil {
 		if meta.Digest == remoteDigest {
+			if !hasCagentAnnotation(meta.Annotations) {
+				return "", fmt.Errorf("artifact %s found in store wasn't created by cagent", localRef)
+			}
 			return meta.Digest, nil
 		}
 	}
@@ -41,10 +44,23 @@ func Pull(ctx context.Context, registryRef string, opts ...crane.Option) (string
 		return "", fmt.Errorf("pulling image from registry %s: %w", registryRef, err)
 	}
 
+	manifest, err := img.Manifest()
+	if err != nil {
+		return "", fmt.Errorf("getting manifest from pulled image: %w", err)
+	}
+	if !hasCagentAnnotation(manifest.Annotations) {
+		return "", fmt.Errorf("artifact %s found in store wasn't created by cagent", localRef)
+	}
+
 	digest, err := store.StoreArtifact(img, localRef)
 	if err != nil {
 		return "", fmt.Errorf("storing artifact in content store: %w", err)
 	}
 
 	return digest, nil
 }
+
+func hasCagentAnnotation(annotations map[string]string) bool {
+	_, exists := annotations["io.docker.cagent.version"]
+	return exists
+}

pkg/server/server.go

@@ -769,7 +769,7 @@ func (s *Server) pushAgent(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusInternalServerError, "failed to create content store")
 	}
 
-	digest, err := oci.PackageFileAsOCIToStore(validatedFilepath, req.Tag, store)
+	digest, err := oci.PackageFileAsOCIToStore(c.Request().Context(), validatedFilepath, req.Tag, store)
 	if err != nil {
 		slog.Error("Failed to build artifact", "filepath", validatedFilepath, "tag", req.Tag, "error", err)
 		return echo.NewHTTPError(http.StatusInternalServerError, "failed to build artifact")