From 0be6a4066e0a94b5ab6ee523823bd1248f38167d Mon Sep 17 00:00:00 2001 From: Sam Alba Date: Wed, 15 Dec 2021 19:57:00 -0800 Subject: [PATCH 1/4] plan: added auth support to engine.#Pull Signed-off-by: Sam Alba --- plan/task/pull.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/plan/task/pull.go b/plan/task/pull.go index 20d48e9b..46ecc9f2 100644 --- a/plan/task/pull.go +++ b/plan/task/pull.go @@ -19,6 +19,13 @@ func init() { type pullTask struct { } +type authValue struct { + Target string + Username string + // FIXME: handle secrets + Secret string +} + func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.Solver, v *compiler.Value) (*compiler.Value, error) { // FIXME: handle auth rawRef, err := v.Lookup("source").String() @@ -57,6 +64,17 @@ func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver. return nil, err } + auth := []authValue{} + + // Read auth data + if err := v.Lookup("auth").Decode(&auth); err != nil { + return nil, err + } + + for _, a := range auth { + s.AddCredentials(a.Target, a.Username, a.Secret) + } + result, err := s.Solve(ctx, st, pctx.Platform.Get()) if err != nil { return nil, err From d668dd6dd22cf78e329f161eac30bafc21b42881 Mon Sep 17 00:00:00 2001 From: Sam Alba Date: Wed, 15 Dec 2021 19:57:44 -0800 Subject: [PATCH 2/4] tests: added test for Pull with registry auth Signed-off-by: Sam Alba --- tests/tasks.bats | 9 +++++++-- tests/tasks/pull/pull_auth.cue | 18 ++++++++++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) create mode 100644 tests/tasks/pull/pull_auth.cue diff --git a/tests/tasks.bats b/tests/tasks.bats index a563d1cb..ac1c182d 100644 --- a/tests/tasks.bats +++ b/tests/tasks.bats @@ -6,7 +6,12 @@ setup() { @test "task: #Pull" { cd "$TESTDIR"/tasks/pull - "$DAGGER" --europa up + "$DAGGER" --europa up ./pull.cue +} + +@test "task: #Pull with auth" { + cd "$TESTDIR"/tasks/pull + "$DAGGER" --europa up ./pull_auth.cue } @test "task: #ReadFile" { 
@@ -39,4 +44,4 @@ setup() { "$DAGGER" --europa up ./user.cue "$DAGGER" --europa up ./workdir.cue -} \ No newline at end of file +} diff --git a/tests/tasks/pull/pull_auth.cue b/tests/tasks/pull/pull_auth.cue new file mode 100644 index 00000000..67ab1aab --- /dev/null +++ b/tests/tasks/pull/pull_auth.cue @@ -0,0 +1,18 @@ +package main + +import ( + "alpha.dagger.io/europa/dagger/engine" +) + +engine.#Plan & { + actions: pull: engine.#Pull & { + source: "alpine:3.15.0@sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3" + } & { + // assert result + digest: "sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3" + config: { + Env: ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"] + Cmd: ["/bin/sh"] + } + } +} From b082b1e5bc5070100e0e706c7118c4695200892e Mon Sep 17 00:00:00 2001 From: Sam Alba Date: Thu, 16 Dec 2021 16:20:00 -0800 Subject: [PATCH 3/4] implemented integration tests for engine.#Pull + moved auth code separately for sharing code with other tasks later Signed-off-by: Sam Alba --- .github/workflows/ci.yml | 3 +- plan/task/auth.go | 54 ++++++++++++++++++++++++++++++++++ plan/task/pull.go | 33 +++++++++------------ tests/tasks/pull/pull_auth.cue | 12 ++++++-- 4 files changed, 80 insertions(+), 22 deletions(-) create mode 100644 plan/task/auth.go diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48b16184..8bcd4219 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,8 @@ jobs: uses: crazy-max/ghaction-github-runtime@v1 - name: Integration test - # env: + env: + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} # DAGGER_CACHE_TO: "type=gha,mode=max,scope=test-integration" # DAGGER_CACHE_FROM: "type=gha,mode=max,scope=test-integration" run: | diff --git a/plan/task/auth.go b/plan/task/auth.go new file mode 100644 index 00000000..8fc7e44c --- /dev/null +++ b/plan/task/auth.go 
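Review bot: In the `.github/workflows/ci.yml` hunk of [PATCH 3/4], `DOCKERHUB_TOKEN` is exported to the whole `Integration test` step, so every test that step runs can read the registry token, not only the `#Pull with auth` case. GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so on those runs the variable would be empty and the auth test would presumably fail rather than skip; the workflow trigger is not visible in this hunk, so please confirm which events apply. A guard at the top of the bats test, `[ -n "$DOCKERHUB_TOKEN" ] || skip "DOCKERHUB_TOKEN not set"`, would keep fork and local runs green. A comment above `env:` such as `# read-only Docker Hub token, used only by the "#Pull with auth" test` would document the intended scope of the credential.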
@@ -0,0 +1,54 @@ +package task + +import ( + "go.dagger.io/dagger/compiler" + "go.dagger.io/dagger/plancontext" +) + +type authValue struct { + Target string + Username string + Secret *plancontext.Secret +} + +// Decodes an auth field value +// +// Cue format: +// auth: [...{ +// target: string +// username: string +// secret: string | #Secret +// }] +func decodeAuthValue(pctx *plancontext.Context, v *compiler.Value) ([]*authValue, error) { + vals, err := v.List() + if err != nil { + return nil, err + } + + authVals := []*authValue{} + for _, val := range vals { + authVal := authValue{} + + target, err := val.Lookup("target").String() + if err != nil { + return nil, err + } + authVal.Target = target + + username, err := val.Lookup("username").String() + if err != nil { + return nil, err + } + authVal.Username = username + + secret, err := pctx.Secrets.FromValue(val.Lookup("secret")) + if err != nil { + return nil, err + } + authVal.Secret = secret + + authVals = append(authVals, &authVal) + } + + return authVals, nil +} diff --git a/plan/task/pull.go b/plan/task/pull.go index 46ecc9f2..bfa775f3 100644 --- a/plan/task/pull.go +++ b/plan/task/pull.go @@ -7,6 +7,7 @@ import ( "github.com/docker/distribution/reference" "github.com/moby/buildkit/client/llb" + "github.com/rs/zerolog/log" "go.dagger.io/dagger/compiler" "go.dagger.io/dagger/plancontext" "go.dagger.io/dagger/solver" 
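Review bot: The doc comment on `decodeAuthValue` in the new `plan/task/auth.go` advertises `secret: string | #Secret`, but the body always resolves the field through `pctx.Secrets.FromValue`, so this hunk does not show whether a literal string password is accepted at all. If it is, the comment invites plaintext registry passwords in plan files; if it is not, the comment is wrong. Once the contract is confirmed I would state it explicitly and start the comment with the function name, e.g. `// decodeAuthValue decodes the auth list; secret must reference a plan secret, not a literal password`. The bare `return nil, err` paths also lose which list entry and field failed; wrapping them with the index and field name (never the value) would make a misconfigured `auth` block diagnosable.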
@@ -19,20 +20,24 @@ func init() { type pullTask struct { } -type authValue struct { - Target string - Username string - // FIXME: handle secrets - Secret string -} - func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver.Solver, v *compiler.Value) (*compiler.Value, error) { - // FIXME: handle auth + lg := log.Ctx(ctx) + rawRef, err := v.Lookup("source").String() if err != nil { return nil, err } + // Read auth info + auth, err := decodeAuthValue(pctx, v.Lookup("auth")) + if err != nil { + return nil, err + } + for _, a := range auth { + s.AddCredentials(a.Target, a.Username, a.Secret.PlainText()) + lg.Debug().Str("target", a.Target).Msg("add target credentials") + } + ref, err := reference.ParseNormalizedNamed(rawRef) if err != nil { return nil, fmt.Errorf("failed to parse ref %s: %w", rawRef, err) @@ -54,6 +59,7 @@ func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver. if err != nil { return nil, err } + imageJSON, err := json.Marshal(image) if err != nil { return nil, err @@ -64,17 +70,6 @@ func (c *pullTask) Run(ctx context.Context, pctx *plancontext.Context, s solver. return nil, err } - auth := []authValue{} - - // Read auth data - if err := v.Lookup("auth").Decode(&auth); err != nil { - return nil, err - } - - for _, a := range auth { - s.AddCredentials(a.Target, a.Username, a.Secret) - } - result, err := s.Solve(ctx, st, pctx.Platform.Get()) if err != nil { return nil, err diff --git a/tests/tasks/pull/pull_auth.cue b/tests/tasks/pull/pull_auth.cue index 67ab1aab..5e5d22bf 100644 --- a/tests/tasks/pull/pull_auth.cue +++ b/tests/tasks/pull/pull_auth.cue 
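Review bot: In the `@@ -19,20 +20,24 @@` hunk of `plan/task/pull.go`, `s.AddCredentials(a.Target, a.Username, a.Secret.PlainText())` hands the decoded password to the solver and nothing in the hunk removes it again, so the credential lives as long as the solver does. If the solver is shared by other tasks in the plan (not visible here), a later pull from the same target would reuse it without declaring `auth` itself; that deserves either scoping or at least a comment such as `// credentials stay registered on the solver for the rest of the run, keyed by target`. `decodeAuthValue` is also called unconditionally, so a `#Pull` that omits `auth` now depends on `v.Lookup("auth")` still yielding a list; please confirm the plain `pull.cue` case keeps passing. The debug line logs only the target, which is the right choice, and username and secret should stay out of it. Run's body continues outside the hunk.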
@@ -5,11 +5,19 @@ import ( ) engine.#Plan & { + context: secrets: { + dockerHubToken: envvar: "DOCKERHUB_TOKEN" + } actions: pull: engine.#Pull & { - source: "alpine:3.15.0@sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3" + source: "blocklayer/alpine-private:3.15.0@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060" + auth: [{ + target: "docker.io/blocklayer/alpine-private:3.15.0" + username: "daggertest" + secret: context.secrets.dockerHubToken.contents + }] } & { // assert result - digest: "sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3" + digest: "sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060" config: { Env: ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"] Cmd: ["/bin/sh"] From 96e9c0408a482afec6a18f5f376eaa46cca7b75b Mon Sep 17 00:00:00 2001 From: Sam Alba Date: Thu, 16 Dec 2021 16:23:00 -0800 Subject: [PATCH 4/4] fixed test files linting issues Signed-off-by: Sam Alba --- tests/tasks/pull/pull_auth.cue | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/tasks/pull/pull_auth.cue b/tests/tasks/pull/pull_auth.cue index 5e5d22bf..f821f74d 100644 --- a/tests/tasks/pull/pull_auth.cue +++ b/tests/tasks/pull/pull_auth.cue @@ -5,15 +5,13 @@ import ( ) engine.#Plan & { - context: secrets: { - dockerHubToken: envvar: "DOCKERHUB_TOKEN" - } + context: secrets: dockerHubToken: envvar: "DOCKERHUB_TOKEN" actions: pull: engine.#Pull & { - source: "blocklayer/alpine-private:3.15.0@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060" + source: "daggerio/ci-test:private-pull@sha256:c74f1b1166784193ea6c8f9440263b9be6cae07dfe35e32a5df7a31358ac2060" auth: [{ - target: "docker.io/blocklayer/alpine-private:3.15.0" + target: "daggerio/ci-test:private-pull" username: "daggertest" - secret: context.secrets.dockerHubToken.contents + secret: context.secrets.dockerHubToken.contents }] } & { // assert result
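Review bot: The [PATCH 4/4] hunk of `tests/tasks/pull/pull_auth.cue` is described as a lint fix but also changes what the test exercises: the image moves to `daggerio/ci-test:private-pull` and `target` loses its `docker.io/` prefix. Whether the solver matches credentials on the bare `daggerio/ci-test:private-pull` form the same way as on the fully qualified one is not visible in this patch, so the commit message should mention the change. As written the test only proves that the pull succeeds; it would pass just as well if the repository became public or the credentials were ignored. A companion case that pulls the same digest without `auth` and expects a failure would pin that the credentials are actually used.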