support registry auth
HACK: the way buildkit works, we can only supply an Auth Provider for the entirety of the build session (`dagger up`). Therefore, we start by scanning all auth in the entire Cue tree and supply an auth provider for all of them. Drawbacks: - As soon as you add `auth` in a Pipeline for a registry, all other Pipelines have access to the same registry - You can't use different credentials for the same registry Fixes #301 Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This commit is contained in:
Andrea Luzzardi
73
dagger/registryauth.go
Normal file
73
dagger/registryauth.go
Normal file
@@ -0,0 +1,73 @@
|
||||
package dagger
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
bkauth "github.com/moby/buildkit/session/auth"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
// registryAuthProvider is a buildkit provider for registry authentication
|
||||
// Adapted from: https://github.com/moby/buildkit/blob/master/session/auth/authprovider/authprovider.go
|
||||
type registryAuthProvider struct {
|
||||
credentials map[string]*bkauth.CredentialsResponse
|
||||
}
|
||||
|
||||
func newRegistryAuthProvider() *registryAuthProvider {
|
||||
return ®istryAuthProvider{}
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) SetCredentials(credentials map[string]*bkauth.CredentialsResponse) {
|
||||
a.credentials = credentials
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) Register(server *grpc.Server) {
|
||||
bkauth.RegisterAuthServer(server, a)
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) Credentials(ctx context.Context, req *bkauth.CredentialsRequest) (*bkauth.CredentialsResponse, error) {
|
||||
reqURL, err := parseAuthHost(req.Host)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for authHost, auth := range a.credentials {
|
||||
u, err := parseAuthHost(authHost)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if u.Host == reqURL.Host {
|
||||
return auth, nil
|
||||
}
|
||||
}
|
||||
|
||||
return &bkauth.CredentialsResponse{}, nil
|
||||
}
|
||||
|
||||
func parseAuthHost(host string) (*url.URL, error) {
|
||||
if host == "registry-1.docker.io" {
|
||||
host = "https://index.docker.io/v1/"
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(host, "http://") && !strings.HasPrefix(host, "https://") {
|
||||
host = "https://" + host
|
||||
}
|
||||
return url.Parse(host)
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) FetchToken(ctx context.Context, req *bkauth.FetchTokenRequest) (rr *bkauth.FetchTokenResponse, err error) {
|
||||
return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) GetTokenAuthority(ctx context.Context, req *bkauth.GetTokenAuthorityRequest) (*bkauth.GetTokenAuthorityResponse, error) {
|
||||
return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
|
||||
}
|
||||
|
||||
func (a *registryAuthProvider) VerifyTokenAuthority(ctx context.Context, req *bkauth.VerifyTokenAuthorityRequest) (*bkauth.VerifyTokenAuthorityResponse, error) {
|
||||
return nil, status.Errorf(codes.Unavailable, "client side tokens not implemented")
|
||||
}
|
||||
Reference in New Issue
Block a user