fix: oauth authorization support for azurecr (#451)

* fix: oauth authorization support for azurecr

* fix: oauth when destroying images

* refactor: run make fmt

internal/provider/authentication_helpers.go

@@ -50,6 +50,12 @@ func isECRRepositoryURL(url string) bool {
 	return ecrRexp.MatchString(url)
 }
 
+func isAzureCRRepositoryURL(url string) bool {
+	// Regexp is based on the azurecr urls shown https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal?tabs=azure-cli#push-image-to-registry
+	var azurecrRexp = regexp.MustCompile(`^.*\.azurecr\.io$`)
+	return azurecrRexp.MatchString(url)
+}
+
 func setupHTTPHeadersForRegistryRequests(req *http.Request, fallback bool) {
 	// We accept schema v2 manifests and manifest lists, and also OCI types
 	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json")

internal/provider/data_source_docker_registry_image.go

@@ -81,7 +81,7 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 	}
 
 	if username != "" {
-		if registry != "ghcr.io" && !isECRRepositoryURL(registry) && registry != "gcr.io" {
+		if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
 			req.SetBasicAuth(username, password)
 		} else {
 			if isECRRepositoryURL(registry) {
@@ -147,6 +147,7 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 
 type TokenResponse struct {
 	Token       string
+	AccessToken string `json:"access_token"`
 }
 
 // Parses key/value pairs from a WWW-Authenticate header
@@ -214,9 +215,17 @@ func getAuthToken(authHeader string, username string, password string, client *h
 		return "", fmt.Errorf("Error parsing OAuth token response: %s", err)
 	}
 
+	if token.Token != "" {
 		return token.Token, nil
 	}
 
+	if token.AccessToken != "" {
+		return token.AccessToken, nil
+	}
+
+	return "", fmt.Errorf("Error unsupported OAuth response")
+}
+
 func doDigestRequest(req *http.Request, client *http.Client) (*http.Response, error) {
 	digestResponse, err := client.Do(req)
 	if err != nil {

internal/provider/resource_docker_container_test.go

@@ -818,7 +818,6 @@ func TestAccDockerContainer_uploadSource(t *testing.T) {
 	})
 }
 
-//
 func TestAccDockerContainer_uploadSourceHash(t *testing.T) {
 	var c types.ContainerJSON
 	var firstRunId string

internal/provider/resource_docker_registry_image_funcs.go

@@ -14,7 +14,6 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
-	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -483,7 +482,16 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 	}
 
 	if username != "" {
+		if pushOpts.Registry != "ghcr.io" && !isECRRepositoryURL(pushOpts.Registry) && !isAzureCRRepositoryURL(pushOpts.Registry) && pushOpts.Registry != "gcr.io" {
 			req.SetBasicAuth(username, password)
+		} else {
+			if isECRRepositoryURL(pushOpts.Registry) {
+				password = normalizeECRPasswordForHTTPUsage(password)
+				req.Header.Add("Authorization", "Basic "+password)
+			} else {
+				req.Header.Add("Authorization", "Bearer "+base64.StdEncoding.EncodeToString([]byte(password)))
+			}
+		}
 	}
 
 	setupHTTPHeadersForRegistryRequests(req, fallback)
@@ -500,41 +508,16 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 
 	// Either OAuth is required or the basic auth creds were invalid
 	case http.StatusUnauthorized:
-		if strings.HasPrefix(resp.Header.Get("www-authenticate"), "Bearer") {
+		if !strings.HasPrefix(resp.Header.Get("www-authenticate"), "Bearer") {
-			auth := parseAuthHeader(resp.Header.Get("www-authenticate"))
+			return fmt.Errorf("Bad credentials: " + resp.Status)
-			params := url.Values{}
+		}
-			params.Set("service", auth["service"])
+
-			params.Set("scope", auth["scope"])
+		token, err := getAuthToken(resp.Header.Get("www-authenticate"), username, password, client)
-			tokenRequest, err := http.NewRequest("GET", auth["realm"]+"?"+params.Encode(), nil)
 		if err != nil {
-				return fmt.Errorf("Error creating registry request: %s", err)
+			return err
 		}
 
-			if username != "" {
+		req.Header.Set("Authorization", "Bearer "+token)
-				tokenRequest.SetBasicAuth(username, password)
-			}
-
-			tokenResponse, err := client.Do(tokenRequest)
-			if err != nil {
-				return fmt.Errorf("Error during registry request: %s", err)
-			}
-
-			if tokenResponse.StatusCode != http.StatusOK {
-				return fmt.Errorf("Got bad response from registry: " + tokenResponse.Status)
-			}
-
-			body, err := ioutil.ReadAll(tokenResponse.Body)
-			if err != nil {
-				return fmt.Errorf("Error reading response body: %s", err)
-			}
-
-			token := &TokenResponse{}
-			err = json.Unmarshal(body, token)
-			if err != nil {
-				return fmt.Errorf("Error parsing OAuth token response: %s", err)
-			}
-
-			req.Header.Set("Authorization", "Bearer "+token.Token)
 		oauthResp, err := client.Do(req)
 		if err != nil {
 			return err
@@ -545,11 +528,6 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 		default:
 			return fmt.Errorf("Got bad response from registry: " + resp.Status)
 		}
-
-		}
-
-		return fmt.Errorf("Bad credentials: " + resp.Status)
-
 		// Some unexpected status was given, return an error
 	default:
 		return fmt.Errorf("Got bad response from registry: " + resp.Status)

internal/provider/test_helpers.go

@@ -38,7 +38,6 @@ const (
 // As a convention the test configurations are in
 // 'testdata/<resourceType>/<resourceName>/<testName>.tf', e.g.
 // 'testdata/resources/docker_container/testAccDockerContainerPrivateImage.tf'
-//
 func loadTestConfiguration(t *testing.T, resourceType resourceType, resourceName, testName string) string {
 	wd, err := os.Getwd()
 	if err != nil {