diff --git a/app/puller_app.rs b/app/puller_app.rs
index 8b1d076..489bb2a 100644
--- a/app/puller_app.rs
+++ b/app/puller_app.rs
@@ -5,7 +5,7 @@ use clap::Parser;
 use rules_minidock_tools::container_specs::{ConfigDelta, Manifest};
-// cargo run --bin puller-app -- --registry l.gcr.io --repository google/bazel --digest sha256:08434856d8196632b936dd082b8e03bae0b41346299aedf60a0d481ab427a69f
+// cargo run --bin puller-app -- --registry l.gcr.io --repository google/bazel --digest sha256:08434856d8196632b936dd082b8e03bae0b41346299aedf60a0d481ab427a69f --architecture=x86_64
 #[derive(Parser, Debug)]
 #[clap(name = "puller app")]
@@ -23,8 +23,12 @@ struct Opt {
 architecture: String,
 #[clap(long)]
- // List of comma separated helpers. with the registry:helper_path
- //e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+ // List of comma separated helpers in registry:helper_path format;
+ // requests will attempt to match a helper first based on the "service"
+ // field in the authentication challenge, and then based on the registry
+ // param passed to this tool.
+ // e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+ //
 docker_authorization_helpers: Option,
 }
diff --git a/app/pusher_app.rs b/app/pusher_app.rs
index 862b145..8a059d0 100644
--- a/app/pusher_app.rs
+++ b/app/pusher_app.rs
@@ -38,8 +38,12 @@ struct Opt {
 skip_manifest_upload: bool,
 #[clap(long)]
- // List of comma separated helpers. with the registry:helper_path
- //e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+ // List of comma separated helpers in registry:helper_path format;
+ // requests will attempt to match a helper first based on the "service"
+ // field in the authentication challenge, and then based on the registry
+ // param passed to this tool.
+ // e.g. foo.gcr.io:/path/to/helper,bar.gcr.io:/path/to/helper2
+ //
 docker_authorization_helpers: Option,
 }
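Review bot: The rewritten field comment in the second puller_app.rs hunk ends with a bare `+    //` line directly above `docker_authorization_helpers`, which carries nothing and should be dropped; the pusher_app.rs hunk repeats the same stray line. Because both `Opt` structs derive `clap::Parser`, writing this text as `///` doc comment lines instead of `//` would also make it the `--help` text for the flag, which is where a user deciding on the registry:helper_path format actually looks. It would be worth stating there that each helper path is run as a subprocess by the authentication flow (the `Command::new(&matching_helper.helper_path)` line elsewhere in this diff), so the flag should only name helpers the operator trusts.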
diff --git a/src/registry/http/http_cli/authentication_flow.rs b/src/registry/http/http_cli/authentication_flow.rs
index 1d9ec05..e9905ef 100644
--- a/src/registry/http/http_cli/authentication_flow.rs
+++ b/src/registry/http/http_cli/authentication_flow.rs
@@ -37,6 +37,7 @@ pub async fn authenticate_request(
 auth_fail: &BearerConfig,
 inner_client: &Client>,
 docker_authorization_helpers: Arc>,
+ registry: String,
 ) -> Result {
 let mut parts = auth_fail.realm.clone().into_parts();
 let new_query_items = if let Some(scope) = &auth_fail.scope {
@@ -69,7 +70,12 @@ pub async fn authenticate_request(
 let matching_helper_opt: Option<&DockerAuthenticationHelper> =
 docker_authorization_helpers
 .iter()
- .find(|e| e.registry == auth_fail.service);
+ .find(|e| e.registry == auth_fail.service)
+ // There's no guarantee that the "service" returned in the authentication challenge is
+ // an actual registry name, so if no match is found based on the Bearer "service" then
+ // we'll try to match based on the registry name.
+ // See https://distribution.github.io/distribution/spec/auth/token/
+ .or_else(|| docker_authorization_helpers.iter().find(|e| e.registry == registry));
 let basic_auth_info = if let Some(matching_helper) = matching_helper_opt {
 let mut child = Command::new(&matching_helper.helper_path)
diff --git a/src/registry/http/http_cli/mod.rs b/src/registry/http/http_cli/mod.rs
index 4c97708..14eb3ed 100644
--- a/src/registry/http/http_cli/mod.rs
+++ b/src/registry/http/http_cli/mod.rs
@@ -22,6 +22,7 @@ pub struct HttpCli {
 pub inner_client: Client>,
 pub auth_info: Arc>>,
 pub docker_authorization_helpers: Arc>,
+ pub registry: String,
 }
 impl HttpCli {
@@ -101,6 +102,7 @@ impl HttpCli {
 &auth_fail,
 &self.inner_client,
 self.docker_authorization_helpers.clone(),
+ self.registry.clone(),
 )
 .await?;
 let mut ai = self.auth_info.lock().await;
diff --git a/src/registry/http/mod.rs b/src/registry/http/mod.rs
index 411ac7e..d2d5f3b 100644
--- a/src/registry/http/mod.rs
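Review bot: The new `registry: String` parameter in the first authentication_flow.rs hunk is taken by value, which is why the http_cli/mod.rs call site has to add `self.registry.clone()` on every authentication round; the value is only compared against `e.registry` in the second hunk, so `registry: &str` with `&self.registry` at the call site would do the same work without the copy (`String == &str` compares directly). The `authenticate_request` signature starts before this hunk and its body continues after it.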
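Review bot: In the second authentication_flow.rs hunk the new `.find(...).or_else(...)` chain still lets the server's challenge choose which helper is executed, since `auth_fail.service` is taken from that challenge and the credentials the helper produces appear to be sent to the URL built from `auth_fail.realm` in the first hunk, which comes from the same challenge. A registry, or anything answering in its place, that names a different configured registry in `service` would therefore be handed that registry's credentials, and the added fallback does not change this because the `service` match is tried first. Reversing the order, `.find(|e| e.registry == registry).or_else(|| docker_authorization_helpers.iter().find(|e| e.registry == auth_fail.service))`, keeps helper selection tied to the registry this client was built for, with the challenge value only as a fallback; the new comment block should then say so. The body of `authenticate_request` continues outside the hunk, so where `basic_auth_info` is ultimately sent should be confirmed there.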
+++ b/src/registry/http/mod.rs
@@ -128,6 +128,7 @@ impl HttpRegistry {
 inner_client: http_client,
 docker_authorization_helpers,
 auth_info: Default::default(),
+ registry: registry_base.as_ref().to_string(),
 },
 };