Merge pull request #1534 from grouville/reconcile-auth

Reconcile docker.#Push.auth and engine.#Push.auth
2022-01-31 16:08:53 -08:00 · 2022-01-31 16:08:53 -08:00 · 946629d1fa
commit 946629d1fa
parent 15bb3d9c3b d3dca120f7
12 changed files with 79 additions and 89 deletions
--- a/pkg/dagger.io/dagger/engine/image.cue
+++ b/pkg/dagger.io/dagger/engine/image.cue
@ -14,11 +14,10 @@ package engine
 	config: #ImageConfig

 	// Authentication
-	auth: [...{
-		target:   string
+	auth?: {
 		username: string
-		secret:   string | #Secret
-	}]
+		secret:   #Secret
+	}

 	// Complete ref of the pushed image, including digest
 	result: #Ref
@ -68,11 +67,10 @@ package engine
 	source: #Ref

 	// Authentication
-	auth: [...{
-		target:   string
+	auth?: {
 		username: string
-		secret:   string | #Secret
-	}]
+		secret:   #Secret
+	}

 	// Root filesystem of downloaded image
 	output: #FS
@ -98,11 +96,10 @@ package engine
 	}

 	// Authentication
-	auth: [...{
-		target:   string
+	auth: [registry=string]: {
 		username: string
-		secret:   string | #Secret
-	}]
+		secret:   #Secret
+	}

 	platforms?: [...string]
 	target?: string
--- a/pkg/universe.dagger.io/docker/pull.cue
+++ b/pkg/universe.dagger.io/docker/pull.cue
@ -12,18 +12,16 @@ import (
 	source: #Ref

 	// Registry authentication
-	// Key must be registry address, for example "index.docker.io"
-	auth: [registry=string]: {
+	auth?: {
 		username: string
 		secret:   dagger.#Secret
 	}

 	_op: engine.#Pull & {
 		"source": source
-		"auth": [ for target, creds in auth {
-			"target": target
-			creds
-		}]
+		if auth != _|_ {
+			"auth": auth
+		}
 	}

 	// Downloaded image
--- a/pkg/universe.dagger.io/docker/push.cue
+++ b/pkg/universe.dagger.io/docker/push.cue
@ -14,8 +14,7 @@ import (
 	result: #Ref & _push.result

 	// Registry authentication
-	// Key must be registry address
-	auth: [registry=string]: {
+	auth?: {
 		username: string
 		secret:   dagger.#Secret
 	}
@ -25,10 +24,9 @@ import (

 	_push: engine.#Push & {
 		"dest": dest
-		"auth": [ for target, creds in auth {
-			"target": target
-			creds
-		}]
+		if auth != _|_ {
+			"auth": auth
+		}
 		input:  image.rootfs
 		config: image.config
 	}
--- a/plan/task/auth.go
+++ b/plan/task/auth.go
@ -6,7 +6,6 @@ import (
 )

 type authValue struct {
-	Target   string
 	Username string
 	Secret   *plancontext.Secret
 }
@ -14,41 +13,23 @@ type authValue struct {
 // Decodes an auth field value
 //
 // Cue format:
-//   auth: [...{
-//     target:   string
+//   auth: {
 //     username: string
 //     secret:   string | #Secret
-//   }]
-func decodeAuthValue(pctx *plancontext.Context, v *compiler.Value) ([]*authValue, error) {
-	vals, err := v.List()
+//   }
+func decodeAuthValue(pctx *plancontext.Context, v *compiler.Value) (*authValue, error) {
+	authVal := authValue{}
+	username, err := v.Lookup("username").String()
 	if err != nil {
 		return nil, err
 	}
+	authVal.Username = username

-	authVals := []*authValue{}
-	for _, val := range vals {
-		authVal := authValue{}
-
-		target, err := val.Lookup("target").String()
-		if err != nil {
-			return nil, err
-		}
-		authVal.Target = target
-
-		username, err := val.Lookup("username").String()
-		if err != nil {
-			return nil, err
-		}
-		authVal.Username = username
-
-		secret, err := pctx.Secrets.FromValue(val.Lookup("secret"))
-		if err != nil {
-			return nil, err
-		}
-		authVal.Secret = secret
-
-		authVals = append(authVals, &authVal)
+	secret, err := pctx.Secrets.FromValue(v.Lookup("secret"))
+	if err != nil {
+		return nil, err
 	}
+	authVal.Secret = secret

-	return authVals, nil
+	return &authVal, nil
 }
--- a/plan/task/dockerfile.go
+++ b/plan/task/dockerfile.go
@ -30,15 +30,24 @@ type dockerfileTask struct {

 func (t *dockerfileTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.Solver, v *compiler.Value) (*compiler.Value, error) {
 	lg := log.Ctx(ctx)
-
-	// Read auth info
-	auth, err := decodeAuthValue(pctx, v.Lookup("auth"))
+	auths, err := v.Lookup("auth").Fields()
 	if err != nil {
 		return nil, err
 	}
-	for _, a := range auth {
-		s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())
-		lg.Debug().Str("target", a.Target).Msg("add target credentials")
+
+	for _, auth := range auths {
+		// Read auth info
+		a, err := decodeAuthValue(pctx, auth.Value)
+		if err != nil {
+			return nil, err
+		}
+		// Extract registry target from dest
+		target, err := solver.ParseAuthHost(auth.Label())
+		if err != nil {
+			return nil, err
+		}
+		s.AddCredentials(target, a.Username, a.Secret.PlainText())
+		lg.Debug().Str("target", target).Msg("add target credentials")
 	}

 	source, err := pctx.FS.FromValue(v.Lookup("source"))
--- a/plan/task/pull.go
+++ b/plan/task/pull.go
@ -28,13 +28,18 @@ func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.
 	}

 	// Read auth info
-	auth, err := decodeAuthValue(pctx, v.Lookup("auth"))
-	if err != nil {
-		return nil, err
-	}
-	for _, a := range auth {
-		s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())
-		lg.Debug().Str("target", a.Target).Msg("add target credentials")
+	if auth := v.Lookup("auth"); auth.Exists() {
+		a, err := decodeAuthValue(pctx, auth)
+		if err != nil {
+			return nil, err
+		}
+		// Extract registry target from source
+		target, err := solver.ParseAuthHost(rawRef)
+		if err != nil {
+			return nil, err
+		}
+		s.AddCredentials(target, a.Username, a.Secret.PlainText())
+		lg.Debug().Str("target", target).Msg("add target credentials")
 	}

 	ref, err := reference.ParseNormalizedNamed(rawRef)
--- a/plan/task/push.go
+++ b/plan/task/push.go
@ -36,13 +36,19 @@ func (c *pushTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.
 	dest = reference.TagNameOnly(dest)

 	// Read auth info
-	auth, err := decodeAuthValue(pctx, v.Lookup("auth"))
-	if err != nil {
-		return nil, err
-	}
-	for _, a := range auth {
-		s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())
-		lg.Debug().Str("target", a.Target).Msg("add target credentials")
+	if auth := v.Lookup("auth"); auth.Exists() {
+		// Read auth info
+		a, err := decodeAuthValue(pctx, auth)
+		if err != nil {
+			return nil, err
+		}
+		// Extract registry target from dest
+		target, err := solver.ParseAuthHost(rawDest)
+		if err != nil {
+			return nil, err
+		}
+		s.AddCredentials(target, a.Username, a.Secret.PlainText())
+		lg.Debug().Str("target", target).Msg("add target credentials")
 	}

 	// Get input state
--- a/solver/registryauth.go
+++ b/solver/registryauth.go
@ -51,7 +51,7 @@ func (a *RegistryAuthProvider) Credentials(ctx context.Context, req *bkauth.Cred
 	defer a.m.RUnlock()

 	for authHost, auth := range a.credentials {
-		u, err := parseAuthHost(authHost)
+		u, err := ParseAuthHost(authHost)
 		if err != nil {
 			return nil, err
 		}
@ -65,7 +65,7 @@ func (a *RegistryAuthProvider) Credentials(ctx context.Context, req *bkauth.Cred

 // Parsing function based on splitReposSearchTerm
 // "github.com/docker/docker/registry"
-func parseAuthHost(host string) (string, error) {
+func ParseAuthHost(host string) (string, error) {
 	host = strings.TrimPrefix(host, "http://")
 	host = strings.TrimPrefix(host, "https://")
 	host = strings.TrimSuffix(host, "/")
--- a/solver/registryauth_test.go
+++ b/solver/registryauth_test.go
@ -257,7 +257,7 @@ func TestParseAuthHost(t *testing.T) {

 	successRefs := []output{}
 	for _, scase := range scases {
-		named, err := parseAuthHost(scase.Host)
+		named, err := ParseAuthHost(scase.Host)
 		if err != nil {
 			t.Fatalf("Invalid normalized reference for [%q]. Got %q", scase, err)
 		}
@ -273,7 +273,7 @@ func TestParseAuthHost(t *testing.T) {
 	}

 	for _, fcase := range fcases {
-		named, err := parseAuthHost(fcase.Host)
+		named, err := ParseAuthHost(fcase.Host)
 		if err == nil {
 			t.Fatalf("Invalid normalized reference for [%q]. Expected failure for %q", fcase, named)
 		}
--- a/tests/tasks/dockerfile/build_auth.cue
+++ b/tests/tasks/dockerfile/build_auth.cue
@ -22,12 +22,10 @@ engine.#Plan & {

 		build: engine.#Dockerfile & {
 			source: inputs.directories.testdata.contents
-			auth: [{
-				target:   "daggerio/ci-test:private-pull"
+			auth: "daggerio/ci-test:private-pull": {
 				username: "daggertest"
-
-				secret: sopsSecrets.output.DOCKERHUB_TOKEN.contents
-			}]
+				secret:   sopsSecrets.output.DOCKERHUB_TOKEN.contents
+			}
 			dockerfile: contents: """
 				FROM daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060
 				"""
--- a/tests/tasks/pull/pull_auth.cue
+++ b/tests/tasks/pull/pull_auth.cue
@ -19,11 +19,10 @@ engine.#Plan & {

 		pull: engine.#Pull & {
 			source: "daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060"
-			auth: [{
-				target:   "daggerio/ci-test:private-pull"
+			auth: {
 				username: "daggertest"
 				secret:   sopsSecrets.output.DOCKERHUB_TOKEN.contents
-			}]
+			}
 		} & {
 			// assert result
 			digest: "sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060"
--- a/tests/tasks/push/push.cue
+++ b/tests/tasks/push/push.cue
@ -12,11 +12,10 @@ engine.#Plan & {
 		args: ["-d", "../../secrets_sops.yaml"]
 	}

-	#auth: [{
-		target:   "daggerio/ci-test:private-pull"
+	#auth: {
 		username: "daggertest"
 		secret:   actions.sopsSecrets.output.DOCKERHUB_TOKEN.contents
-	}]
+	}

 	actions: {