Match authorization helpers based on registry (#479)

app/puller_app.rs

@@ -5,7 +5,7 @@ use clap::Parser;
 
 use rules_minidock_tools::container_specs::{ConfigDelta, Manifest};
 
-// cargo run --bin puller-app -- --registry l.gcr.io --repository google/bazel --digest sha256:08434856d8196632b936dd082b8e03bae0b41346299aedf60a0d481ab427a69f
+// cargo run --bin puller-app -- --registry l.gcr.io --repository google/bazel --digest sha256:08434856d8196632b936dd082b8e03bae0b41346299aedf60a0d481ab427a69f --architecture=x86_64
 
 #[derive(Parser, Debug)]
 #[clap(name = "puller app")]
@@ -23,8 +23,12 @@ struct Opt {
     architecture: String,
 
     #[clap(long)]
-    // List of comma separated helpers. with the registry:helper_path
-    //e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+    // List of comma separated helpers in registry:helper_path format;
+    // requests will attempt to match a helper first based on the "service"
+    // field in the authentication challenge, and then based on the registry
+    // param passed to this tool.
+    // e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+    // 
     docker_authorization_helpers: Option<String>,
 }
 

app/pusher_app.rs

@@ -38,8 +38,12 @@ struct Opt {
     skip_manifest_upload: bool,
 
     #[clap(long)]
-    // List of comma separated helpers. with the registry:helper_path
-    //e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+    // List of comma separated helpers in registry:helper_path format;
+    // requests will attempt to match a helper first based on the "service"
+    // field in the authentication challenge, and then based on the registry
+    // param passed to this tool.
+    // e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+    // 
     docker_authorization_helpers: Option<String>,
 }
 

src/registry/http/http_cli/authentication_flow.rs

@@ -37,6 +37,7 @@ pub async fn authenticate_request(
     auth_fail: &BearerConfig,
     inner_client: &Client<hyper_rustls::HttpsConnector<hyper::client::HttpConnector>>,
     docker_authorization_helpers: Arc<Vec<DockerAuthenticationHelper>>,
+    registry: String,
 ) -> Result<AuthResponse, RequestFailType> {
     let mut parts = auth_fail.realm.clone().into_parts();
     let new_query_items = if let Some(scope) = &auth_fail.scope {
@@ -69,7 +70,12 @@ pub async fn authenticate_request(
 
     let matching_helper_opt: Option<&DockerAuthenticationHelper> = docker_authorization_helpers
         .iter()
-        .find(|e| e.registry == auth_fail.service);
+        .find(|e| e.registry == auth_fail.service)
+        // There's no guarantee that the "service" returned in the authentication challenge is
+        // an actual registry name, so if no match is found based on the Bearer "service" then
+        // we'll try to match based on the registry name.
+        // See https://distribution.github.io/distribution/spec/auth/token/
+        .or_else(|| docker_authorization_helpers.iter().find(|e| e.registry == registry));
 
     let basic_auth_info = if let Some(matching_helper) = matching_helper_opt {
         let mut child = Command::new(&matching_helper.helper_path)

src/registry/http/http_cli/mod.rs

@@ -22,6 +22,7 @@ pub struct HttpCli {
     pub inner_client: Client<hyper_rustls::HttpsConnector<hyper::client::HttpConnector>>,
     pub auth_info: Arc<Mutex<Option<AuthResponse>>>,
     pub docker_authorization_helpers: Arc<Vec<DockerAuthenticationHelper>>,
+    pub registry: String,
 }
 
 impl HttpCli {
@@ -101,6 +102,7 @@ impl HttpCli {
                                 &auth_fail,
                                 &self.inner_client,
                                 self.docker_authorization_helpers.clone(),
+                                self.registry.clone(),
                             )
                             .await?;
                             let mut ai = self.auth_info.lock().await;

src/registry/http/mod.rs

@@ -128,6 +128,7 @@ impl HttpRegistry {
                 inner_client: http_client,
                 docker_authorization_helpers,
                 auth_info: Default::default(),
+                registry: registry_base.as_ref().to_string(),
             },
         };