upstream/terraform-provider-docker
1
0
Fork 0
mirror of https://github.com/kreuzwerker/terraform-provider-docker.git synced 2025-12-20 22:59:42 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: oauth authorization support for azurecr (#451)

Browse source 
* fix: oauth authorization support for azurecr

* fix: oauth when destroying images

* refactor: run make fmt
This commit is contained in:
William Sedlacek 2022-09-09 04:59:18 -07:00 committed by GitHub
parent 0d82189137
commit d0eae33123
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 62 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
internal/provider/authentication_helpers.go
View file

@ -50,6 +50,12 @@ func isECRRepositoryURL(url string) bool {
return ecrRexp.MatchString(url)
}
func isAzureCRRepositoryURL(url string) bool {
// Regexp is based on the azurecr urls shown https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli#push-image-to-registry
var azurecrRexp = regexp.MustCompile(`^.*\.azurecr\.io$`)
return azurecrRexp.MatchString(url)
}
func setupHTTPHeadersForRegistryRequests(req *http.Request, fallback bool) {
// We accept schema v2 manifests and manifest lists, and also OCI types
req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")

15
internal/provider/data_source_docker_registry_image.go
View file

@ -81,7 +81,7 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
}
if username != "" {
if registry != "ghcr.io" && !isECRRepositoryURL(registry) && registry != "gcr.io" {
if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
req.SetBasicAuth(username, password)
} else {
if isECRRepositoryURL(registry) {
@ -146,7 +146,8 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
}
type TokenResponse struct {
Token string
Token string
AccessToken string `json:"access_token"`
}
// Parses key/value pairs from a WWW-Authenticate header
@ -214,7 +215,15 @@ func getAuthToken(authHeader string, username string, password string, client *h
return "", fmt.Errorf("Error parsing OAuth token response: %s", err)
}
return token.Token, nil
if token.Token != "" {
return token.Token, nil
}
if token.AccessToken != "" {
return token.AccessToken, nil
}
return "", fmt.Errorf("Error unsupported OAuth response")
}
func doDigestRequest(req *http.Request, client *http.Client) (*http.Response, error) {

4
internal/provider/resource_docker_config_test.go
View file

@ -111,9 +111,9 @@ func TestAccDockerConfig_basicUpdatable(t *testing.T) {
})
}
/////////////
// ///////////
// Helpers
/////////////
// ///////////
func testCheckDockerConfigDestroy(ctx context.Context, s *terraform.State) error {
client := testAccProvider.Meta().(*ProviderConfig).DockerClient
for _, rs := range s.RootModule().Resources {

5
internal/provider/resource_docker_container_test.go
View file

@ -818,7 +818,6 @@ func TestAccDockerContainer_uploadSource(t *testing.T) {
})
}
//
func TestAccDockerContainer_uploadSourceHash(t *testing.T) {
var c types.ContainerJSON
var firstRunId string
@ -1606,9 +1605,9 @@ func TestAccDockerContainer_dualstackaddress(t *testing.T) {
})
}
///////////
// /////////
// HELPERS
///////////
// /////////
func testAccContainerRunning(resourceName string, container *types.ContainerJSON) resource.TestCheckFunc {
return func(s *terraform.State) error {
ctx := context.Background()

76
internal/provider/resource_docker_registry_image_funcs.go
View file

@ -14,7 +14,6 @@ import (
"io/ioutil"
"log"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
@ -483,7 +482,16 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
}
if username != "" {
req.SetBasicAuth(username, password)
if pushOpts.Registry != "ghcr.io" && !isECRRepositoryURL(pushOpts.Registry) && !isAzureCRRepositoryURL(pushOpts.Registry) && pushOpts.Registry != "gcr.io" {
req.SetBasicAuth(username, password)
} else {
if isECRRepositoryURL(pushOpts.Registry) {
password = normalizeECRPasswordForHTTPUsage(password)
req.Header.Add("Authorization", "Basic "+password)
} else {
req.Header.Add("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(password)))
}
}
}
setupHTTPHeadersForRegistryRequests(req, fallback)
@ -500,56 +508,26 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
// Either OAuth is required or the basic auth creds were invalid
case http.StatusUnauthorized:
if strings.HasPrefix(resp.Header.Get("www-authenticate"), "Bearer") {
auth := parseAuthHeader(resp.Header.Get("www-authenticate"))
params := url.Values{}
params.Set("service", auth["service"])
params.Set("scope", auth["scope"])
tokenRequest, err := http.NewRequest("GET", auth["realm"]+"?"+params.Encode(), nil)
if err != nil {
return fmt.Errorf("Error creating registry request: %s", err)
}
if username != "" {
tokenRequest.SetBasicAuth(username, password)
}
tokenResponse, err := client.Do(tokenRequest)
if err != nil {
return fmt.Errorf("Error during registry request: %s", err)
}
if tokenResponse.StatusCode != http.StatusOK {
return fmt.Errorf("Got bad response from registry: " + tokenResponse.Status)
}
body, err := ioutil.ReadAll(tokenResponse.Body)
if err != nil {
return fmt.Errorf("Error reading response body: %s", err)
}
token := &TokenResponse{}
err = json.Unmarshal(body, token)
if err != nil {
return fmt.Errorf("Error parsing OAuth token response: %s", err)
}
req.Header.Set("Authorization", "Bearer "+token.Token)
oauthResp, err := client.Do(req)
if err != nil {
return err
}
switch oauthResp.StatusCode {
case http.StatusOK, http.StatusAccepted, http.StatusNotFound:
return nil
default:
return fmt.Errorf("Got bad response from registry: " + resp.Status)
}
if !strings.HasPrefix(resp.Header.Get("www-authenticate"), "Bearer") {
return fmt.Errorf("Bad credentials: " + resp.Status)
}
return fmt.Errorf("Bad credentials: " + resp.Status)
token, err := getAuthToken(resp.Header.Get("www-authenticate"), username, password, client)
if err != nil {
return err
}
req.Header.Set("Authorization", "Bearer "+token)
oauthResp, err := client.Do(req)
if err != nil {
return err
}
switch oauthResp.StatusCode {
case http.StatusOK, http.StatusAccepted, http.StatusNotFound:
return nil
default:
return fmt.Errorf("Got bad response from registry: " + resp.Status)
}
// Some unexpected status was given, return an error
default:
return fmt.Errorf("Got bad response from registry: " + resp.Status)

4
internal/provider/resource_docker_secret_test.go
View file

@ -136,9 +136,9 @@ func TestAccDockerSecret_labels(t *testing.T) {
})
}
/////////////
// ///////////
// Helpers
/////////////
// ///////////
func testCheckDockerSecretDestroy(ctx context.Context, s *terraform.State) error {
client := testAccProvider.Meta().(*ProviderConfig).DockerClient
for _, rs := range s.RootModule().Resources {

8
internal/provider/resource_docker_service_funcs.go
View file

@ -25,9 +25,9 @@ type convergeConfig struct {
delay time.Duration
}
/////////////////
// ///////////////
// TF CRUD funcs
/////////////////
// ///////////////
func resourceDockerServiceCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
var err error
client := meta.(*ProviderConfig).DockerClient
@ -226,9 +226,9 @@ func resourceDockerServiceDelete(ctx context.Context, d *schema.ResourceData, me
return nil
}
/////////////////
// ///////////////
// Helpers
/////////////////
// ///////////////
// fetchDockerService fetches a service by its name or id
func fetchDockerService(ctx context.Context, ID string, name string, client *client.Client) (*swarm.Service, error) {
apiServices, err := client.ServiceList(ctx, types.ServiceListOptions{})

14
internal/provider/resource_docker_service_structures.go
View file

@ -13,10 +13,10 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)
//////////////
// ////////////
// flatteners
// flatten API objects to the terraform schema
//////////////
// ////////////
// see https://learn.hashicorp.com/tutorials/terraform/provider-create?in=terraform/providers#add-flattening-functions
func flattenTaskSpec(in swarm.TaskSpec) []interface{} {
m := make(map[string]interface{})
@ -110,7 +110,7 @@ func flattenServiceEndpointSpec(in *swarm.EndpointSpec) []interface{} {
return out
}
///// start TaskSpec
// /// start TaskSpec
func flattenContainerSpec(in *swarm.ContainerSpec) []interface{} {
out := make([]interface{}, 0)
m := make(map[string]interface{})
@ -525,8 +525,8 @@ func flattenTaskLogDriver(in *swarm.Driver) []interface{} {
return out
}
///// end TaskSpec
///// start EndpointSpec
// /// end TaskSpec
// /// start EndpointSpec
func flattenServicePorts(in []swarm.PortConfig) []interface{} {
out := make([]interface{}, len(in))
for i, v := range in {
@ -543,10 +543,10 @@ func flattenServicePorts(in []swarm.PortConfig) []interface{} {
///// end EndpointSpec
//////////////
// ////////////
// Mappers
// create API object from the terraform resource schema
//////////////
// ////////////
// createServiceSpec creates the service spec: https://docs.docker.com/engine/api/v1.32/#operation/ServiceCreate
func createServiceSpec(d *schema.ResourceData) (swarm.ServiceSpec, error) {
serviceSpec := swarm.ServiceSpec{

1
internal/provider/test_helpers.go
View file

@ -38,7 +38,6 @@ const (
// As a convention the test configurations are in
// 'testdata/<resourceType>/<resourceName>/<testName>.tf', e.g.
// 'testdata/resources/docker_container/testAccDockerContainerPrivateImage.tf'
//
func loadTestConfiguration(t *testing.T, resourceType resourceType, resourceName, testName string) string {
wd, err := os.Getwd()
if err != nil {