proxy: Move policycontext into global state

I am not aware of a reason not to just cache this for the life of the proxy, like we do other global state. Prep for further changes. Signed-off-by: Colin Walters <walters@verbum.org>
containers · Aug 15, 2024 · 5e88bb0 · 5e88bb0
1 parent bbaa4b9
commit 5e88bb0
Showing 1 changed file with 16 additions and 14 deletions.
diff --git a/cmd/skopeo/proxy.go b/cmd/skopeo/proxy.go
@@ -74,6 +74,7 @@ import (
 	"github.com/containers/image/v5/image"
 	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/pkg/blobinfocache"
+	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/transports"
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
@@ -162,9 +163,10 @@ type proxyHandler struct {
 	// lock protects everything else in this structure.
 	lock sync.Mutex
 	// opts is CLI options
-	opts   *proxyOptions
-	sysctx *types.SystemContext
-	cache  types.BlobInfoCache
+	opts      *proxyOptions
+	sysctx    *types.SystemContext
+	policyctx *signature.PolicyContext
+	cache     types.BlobInfoCache
 
 	// imageSerial is a counter for open images
 	imageSerial uint64
@@ -204,6 +206,12 @@ func (h *proxyHandler) Initialize(args []any) (replyBuf, error) {
 	h.sysctx = sysctx
 	h.cache = blobinfocache.DefaultCache(sysctx)
 
+	policyContext, err := h.opts.global.getPolicyContext()
+	if err != nil {
+		return ret, err
+	}
+	h.policyctx = policyContext
+
 	r := replyBuf{
 		value: protocolVersion,
 	}
@@ -245,18 +253,8 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (retReplyBu
 		return ret, err
 	}
 
-	policyContext, err := h.opts.global.getPolicyContext()
-	if err != nil {
-		return ret, err
-	}
-	defer func() {
-		if err := policyContext.Destroy(); err != nil {
-			retErr = noteCloseFailure(retErr, "tearing down policy context", err)
-		}
-	}()
-
 	unparsedTopLevel := image.UnparsedInstance(imgsrc, nil)
-	allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
+	allowed, err := h.policyctx.IsRunningImageAllowed(context.Background(), unparsedTopLevel)
 	if err != nil {
 		return ret, err
 	}
@@ -704,6 +702,10 @@ func (h *proxyHandler) close() {
 			logrus.Warnf("Failed to close image %s: %v", transports.ImageName(image.cachedimg.Reference()), err)
 		}
 	}
+
+	if err := h.policyctx.Destroy(); err != nil {
+		logrus.Warnf("tearing down policy context: %v", err)
+	}
 }
 
 // send writes a reply buffer to the socket