Merge pull request #6342 from tonistiigi/sourcepolicy-fixes

tonistiigi · web-flow · commit 594543f9e933 · 2025-11-10T20:45:44.000-08:00
sourcepolicy: concurrency and cache fixes
diff --git a/sourcepolicy/engine.go b/sourcepolicy/engine.go
@@ -2,6 +2,7 @@ package sourcepolicy
 
 import (
 	"context"
+	"sync"
 
 	"github.com/moby/buildkit/solver/pb"
 	spb "github.com/moby/buildkit/sourcepolicy/pb"
@@ -25,31 +26,30 @@ var (
 // Rule matching is delegated to the `Matcher` interface.
 // Mutations are delegated to the `Mutater` interface.
 type Engine struct {
-	pol     []*spb.Policy
-	sources map[string]*selectorCache
+	pol       []*spb.Policy
+	sourcesMu sync.Mutex
+	sources   map[string]*selectorCache
 }
 
 // NewEngine creates a new source policy engine.
 func NewEngine(pol []*spb.Policy) *Engine {
 	return &Engine{
-		pol: pol,
+		pol:     pol,
+		sources: make(map[string]*selectorCache),
 	}
 }
 
 // TODO: The key here can't be used to cache attr constraint regexes.
 func (e *Engine) selectorCache(src *spb.Selector) *selectorCache {
-	if e.sources == nil {
-		e.sources = map[string]*selectorCache{}
-	}
-
 	key := src.MatchType.String() + " " + src.Identifier
 
+	e.sourcesMu.Lock()
+	defer e.sourcesMu.Unlock()
 	if s, ok := e.sources[key]; ok {
 		return s
 	}
 
 	s := &selectorCache{Selector: src}
-
 	e.sources[key] = s
 	return s
 }
@@ -130,7 +130,7 @@ func (e *Engine) evaluatePolicy(ctx context.Context, pol *spb.Policy, srcOp *pb.
 	var deny bool
 	for _, rule := range pol.Rules {
 		selector := e.selectorCache(rule.Selector)
-		matched, err := match(selector, ident, srcOp.Attrs)
+		matched, err := match(selector, ident, rule.Selector.Constraints, srcOp.Attrs)
 		if err != nil {
 			return false, errors.Wrap(err, "error matching source policy")
 		}
diff --git a/sourcepolicy/matcher.go b/sourcepolicy/matcher.go
@@ -7,8 +7,8 @@ import (
 	"github.com/pkg/errors"
 )
 
-func match(src *selectorCache, ref string, attrs map[string]string) (bool, error) {
-	for _, c := range src.Constraints {
+func match(src *selectorCache, ref string, constraints []*spb.AttrConstraint, attrs map[string]string) (bool, error) {
+	for _, c := range constraints {
 		if c == nil {
 			return false, errors.Errorf("invalid nil constraint for %v", src)
 		}
diff --git a/sourcepolicy/matcher_test.go b/sourcepolicy/matcher_test.go
@@ -319,7 +319,7 @@ func TestMatch(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			matches, err := match(&selectorCache{Selector: tc.src}, tc.ref, tc.attrs)
+			matches, err := match(&selectorCache{Selector: tc.src}, tc.ref, tc.src.Constraints, tc.attrs)
 			if !tc.xErr {
 				require.NoError(t, err)
 			} else {

Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ import (`
`7`	`7`	`"github.com/pkg/errors"`
`8`	`8`	`)`
`9`	`9`
`10`		`-func match(src *selectorCache, ref string, attrs map[string]string) (bool, error) {`
`11`		`- for _, c := range src.Constraints {`
	`10`	`+func match(src selectorCache, ref string, constraints []spb.AttrConstraint, attrs map[string]string) (bool, error) {`
	`11`	`+ for _, c := range constraints {`
`12`	`12`	`if c == nil {`
`13`	`13`	`return false, errors.Errorf("invalid nil constraint for %v", src)`
`14`	`14`	`}`