dagger/solver/registryauth.go

package solver

import (
	"context"
	"fmt"
	"strings"
	"sync"

	bkauth "github.com/moby/buildkit/session/auth"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

const defaultDockerDomain = "docker.io"

// RegistryAuthProvider is a buildkit provider for registry authentication
// Adapted from: https://github.com/moby/buildkit/blob/master/session/auth/authprovider/authprovider.go
type RegistryAuthProvider struct {
	credentials map[string]*bkauth.CredentialsResponse
	m           sync.RWMutex
}

func NewRegistryAuthProvider() *RegistryAuthProvider {
	return &RegistryAuthProvider{
		credentials: map[string]*bkauth.CredentialsResponse{},
	}
}

func (a *RegistryAuthProvider) AddCredentials(target, username, secret string) {
	a.m.Lock()
	defer a.m.Unlock()

	a.credentials[target] = &bkauth.CredentialsResponse{
		Username: username,
		Secret:   secret,
	}
}

func (a *RegistryAuthProvider) Register(server *grpc.Server) {
	bkauth.RegisterAuthServer(server, a)
}

func (a *RegistryAuthProvider) Credentials(ctx context.Context, req *bkauth.CredentialsRequest) (*bkauth.CredentialsResponse, error) {
	host := req.Host
	if host == "registry-1.docker.io" {
		host = defaultDockerDomain
	}

	a.m.RLock()
	defer a.m.RUnlock()

	for authHost, auth := range a.credentials {
		u, err := ParseAuthHost(authHost)
		if err != nil {
			return nil, err
		}
		if u == host {
			return auth, nil
		}
	}

	return &bkauth.CredentialsResponse{}, nil
}

// Parsing function based on splitReposSearchTerm
// "github.com/docker/docker/registry"
func ParseAuthHost(host string) (string, error) {
	host = strings.TrimPrefix(host, "http://")
	host = strings.TrimPrefix(host, "https://")
	host = strings.TrimSuffix(host, "/")

	// Remove everything after @
	nameParts := strings.SplitN(host, "@", 2)
	host = nameParts[0]

	// if ":" > 1, trim after last ":" found
	if strings.Count(host, ":") > 1 {
		host = host[:strings.LastIndex(host, ":")]
	}

	// if ":" > 0, trim after last ":" found if it contains "."
	// ex: samalba/hipache:1.15, registry.com:5000:1.0
	if strings.Count(host, ":") > 0 {
		tmpStr := host[strings.LastIndex(host, ":"):]
		if strings.Count(tmpStr, ".") > 0 {
			host = host[:strings.LastIndex(host, ":")]
		}
	}

	nameParts = strings.SplitN(host, "/", 2)
	var domain string
	switch {
	// Localhost registry parsing
	case strings.Contains(nameParts[0], "localhost"):
		domain = nameParts[0]
	// If the split returned an array of len 1 that doesn't contain any .
	// ex: ubuntu
	case len(nameParts) == 1 && !strings.Contains(nameParts[0], "."):
		domain = defaultDockerDomain
	// if the split does not contain "." nor ":", but contains images
	// ex: samalba/hipache, samalba/hipache:1.15, samalba/hipache@sha:...
	case !strings.Contains(nameParts[0], ".") && !strings.Contains(nameParts[0], ":"):
		domain = defaultDockerDomain
	case nameParts[0] == "registry-1.docker.io":
		domain = defaultDockerDomain
	case nameParts[0] == "index.docker.io":
		domain = defaultDockerDomain
	// Private remaining registry parsing
	case strings.Contains(nameParts[0], "."):
		domain = nameParts[0]
	// Fail by default
	default:
		return "", fmt.Errorf("failed parsing [%s] expected host format: [%s]", nameParts[0], "registrydomain.extension")
	}
	return domain, nil
}

func (a *RegistryAuthProvider) FetchToken(ctx context.Context, req *bkauth.FetchTokenRequest) (rr *bkauth.FetchTokenResponse, err error) {
	return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
}

func (a *RegistryAuthProvider) GetTokenAuthority(ctx context.Context, req *bkauth.GetTokenAuthorityRequest) (*bkauth.GetTokenAuthorityResponse, error) {
	return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
}

func (a *RegistryAuthProvider) VerifyTokenAuthority(ctx context.Context, req *bkauth.VerifyTokenAuthorityRequest) (*bkauth.VerifyTokenAuthorityResponse, error) {
	return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
}
cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`package solver`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00
			`import (`
			`"context"`
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`"fmt"`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`"strings"`
			`"sync"`

			`bkauth "github.com/moby/buildkit/session/auth"`
			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`
			`)`

Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`const defaultDockerDomain = "docker.io"`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`// RegistryAuthProvider is a buildkit provider for registry authentication`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`// Adapted from: https://github.com/moby/buildkit/blob/master/session/auth/authprovider/authprovider.go`
cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`type RegistryAuthProvider struct {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`credentials map[string]*bkauth.CredentialsResponse`
			`m sync.RWMutex`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func NewRegistryAuthProvider() *RegistryAuthProvider {`
			`return &RegistryAuthProvider{`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`credentials: map[string]*bkauth.CredentialsResponse{},`
			`}`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a *RegistryAuthProvider) AddCredentials(target, username, secret string) {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`a.m.Lock()`
			`defer a.m.Unlock()`

			`a.credentials[target] = &bkauth.CredentialsResponse{`
			`Username: username,`
			`Secret: secret,`
			`}`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a RegistryAuthProvider) Register(server grpc.Server) {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`bkauth.RegisterAuthServer(server, a)`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a RegistryAuthProvider) Credentials(ctx context.Context, req bkauth.CredentialsRequest) (*bkauth.CredentialsResponse, error) {`
Fix login miss behavior and update op Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu> 2021-07-01 14:08:49 +02:00			`host := req.Host`
			`if host == "registry-1.docker.io" {`
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`host = defaultDockerDomain`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`}`

			`a.m.RLock()`
			`defer a.m.RUnlock()`

			`for authHost, auth := range a.credentials {`
Make ParseAuthHost public Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-31 16:05:58 +01:00			`u, err := ParseAuthHost(authHost)`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`if err != nil {`
			`return nil, err`
			`}`
Fix login miss behavior and update op Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu> 2021-07-01 14:08:49 +02:00			`if u == host {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`return auth, nil`
			`}`
			`}`

			`return &bkauth.CredentialsResponse{}, nil`
			`}`

Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`// Parsing function based on splitReposSearchTerm`
			`// "github.com/docker/docker/registry"`
Make ParseAuthHost public Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-31 16:05:58 +01:00			`func ParseAuthHost(host string) (string, error) {`
Improve parseAuthHost function to work for all ref Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu> 2021-06-30 18:27:26 +02:00			`host = strings.TrimPrefix(host, "http://")`
			`host = strings.TrimPrefix(host, "https://")`
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`host = strings.TrimSuffix(host, "/")`
Fix docker hub login error when using image ref as target Signed-off-by: Tom Chauveau <tom.chauveau@epitech.eu> 2021-06-18 22:01:16 +02:00
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`// Remove everything after @`
			`nameParts := strings.SplitN(host, "@", 2)`
			`host = nameParts[0]`

			`// if ":" > 1, trim after last ":" found`
			`if strings.Count(host, ":") > 1 {`
			`host = host[:strings.LastIndex(host, ":")]`
			`}`

			`// if ":" > 0, trim after last ":" found if it contains "."`
			`// ex: samalba/hipache:1.15, registry.com:5000:1.0`
			`if strings.Count(host, ":") > 0 {`
			`tmpStr := host[strings.LastIndex(host, ":"):]`
			`if strings.Count(tmpStr, ".") > 0 {`
			`host = host[:strings.LastIndex(host, ":")]`
			`}`
			`}`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`nameParts = strings.SplitN(host, "/", 2)`
			`var domain string`
			`switch {`
			`// Localhost registry parsing`
			`case strings.Contains(nameParts[0], "localhost"):`
			`domain = nameParts[0]`
			`// If the split returned an array of len 1 that doesn't contain any .`
			`// ex: ubuntu`
			`case len(nameParts) == 1 && !strings.Contains(nameParts[0], "."):`
			`domain = defaultDockerDomain`
			`// if the split does not contain "." nor ":", but contains images`
			`// ex: samalba/hipache, samalba/hipache:1.15, samalba/hipache@sha:...`
			`case !strings.Contains(nameParts[0], ".") && !strings.Contains(nameParts[0], ":"):`
			`domain = defaultDockerDomain`
			`case nameParts[0] == "registry-1.docker.io":`
			`domain = defaultDockerDomain`
			`case nameParts[0] == "index.docker.io":`
			`domain = defaultDockerDomain`
			`// Private remaining registry parsing`
			`case strings.Contains(nameParts[0], "."):`
			`domain = nameParts[0]`
			`// Fail by default`
			`default:`
			`return "", fmt.Errorf("failed parsing [%s] expected host format: [%s]", nameParts[0], "registrydomain.extension")`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`}`
Re-implement docker registry parsing Dagger used to rely on registry.ParseNormalize function to extract registry domains from images / registry URLs. However, it contained some flaws for private registries. This PR fixes that by implementing a test suite around it, and tweaks the splitReposSearchTerm function from the docker CLI. The logic of splitReposSearchTerm is kept, and enhanced to fit to all of our use cases. In case of a bad matching, a clear error is returned Signed-off-by: guillaume <guillaume.derouville@gmail.com> 2022-01-19 01:37:45 +01:00			`return domain, nil`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a RegistryAuthProvider) FetchToken(ctx context.Context, req bkauth.FetchTokenRequest) (rr *bkauth.FetchTokenResponse, err error) {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a RegistryAuthProvider) GetTokenAuthority(ctx context.Context, req bkauth.GetTokenAuthorityRequest) (*bkauth.GetTokenAuthorityResponse, error) {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")`
			`}`

cleanup: split dagger into sub-packages Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com> 2021-05-26 01:30:49 +02:00			`func (a RegistryAuthProvider) VerifyTokenAuthority(ctx context.Context, req bkauth.VerifyTokenAuthorityRequest) (*bkauth.VerifyTokenAuthorityResponse, error) {`
implemented docker-login op to add custom registry credentials to the buildkit from a pipeline Signed-off-by: Sam Alba <sam.alba@gmail.com> 2021-04-27 02:39:19 +02:00			`return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")`
			`}`