package imagetools import ( "bytes" "context" "encoding/base64" "encoding/json" "io" "net/http" "github.com/containerd/containerd/log" "github.com/containerd/containerd/remotes" "github.com/containerd/containerd/remotes/docker" "github.com/docker/buildx/util/resolver" clitypes "github.com/docker/cli/cli/config/types" "github.com/docker/distribution/reference" "github.com/moby/buildkit/util/tracing" ocispec "github.com/opencontainers/image-spec/specs-go/v1" "github.com/sirupsen/logrus" ) type Auth interface { GetAuthConfig(registryHostname string) (clitypes.AuthConfig, error) } type Opt struct { Auth Auth RegistryConfig map[string]resolver.RegistryConfig } type Resolver struct { auth docker.Authorizer hosts docker.RegistryHosts } func New(opt Opt) *Resolver { return &Resolver{ auth: docker.NewDockerAuthorizer(docker.WithAuthCreds(toCredentialsFunc(opt.Auth)), docker.WithAuthClient(http.DefaultClient)), hosts: resolver.NewRegistryConfig(opt.RegistryConfig), } } func (r *Resolver) resolver() remotes.Resolver { return docker.NewResolver(docker.ResolverOptions{ Hosts: func(domain string) ([]docker.RegistryHost, error) { res, err := r.hosts(domain) if err != nil { return nil, err } for i := range res { res[i].Authorizer = r.auth res[i].Client = tracing.DefaultClient } return res, nil }, }) } func (r *Resolver) Resolve(ctx context.Context, in string) (string, ocispec.Descriptor, error) { // discard containerd logger to avoid printing unnecessary info during image reference resolution. // https://github.com/containerd/containerd/blob/1a88cf5242445657258e0c744def5017d7cfb492/remotes/docker/resolver.go#L288 logger := logrus.New() logger.Out = io.Discard ctx = log.WithLogger(ctx, logrus.NewEntry(logger)) ref, err := parseRef(in) if err != nil { return "", ocispec.Descriptor{}, err } in, desc, err := r.resolver().Resolve(ctx, ref.String()) if err != nil { return "", ocispec.Descriptor{}, err } return in, desc, nil } func (r *Resolver) Get(ctx context.Context, in string) ([]byte, ocispec.Descriptor, error) { in, desc, err := r.Resolve(ctx, in) if err != nil { return nil, ocispec.Descriptor{}, err } dt, err := r.GetDescriptor(ctx, in, desc) if err != nil { return nil, ocispec.Descriptor{}, err } return dt, desc, nil } func (r *Resolver) GetDescriptor(ctx context.Context, in string, desc ocispec.Descriptor) ([]byte, error) { fetcher, err := r.resolver().Fetcher(ctx, in) if err != nil { return nil, err } rc, err := fetcher.Fetch(ctx, desc) if err != nil { return nil, err } buf := &bytes.Buffer{} _, err = io.Copy(buf, rc) rc.Close() if err != nil { return nil, err } return buf.Bytes(), nil } func parseRef(s string) (reference.Named, error) { ref, err := reference.ParseNormalizedNamed(s) if err != nil { return nil, err } ref = reference.TagNameOnly(ref) return ref, nil } func toCredentialsFunc(a Auth) func(string) (string, string, error) { return func(host string) (string, string, error) { if host == "registry-1.docker.io" { host = "https://index.docker.io/v1/" } ac, err := a.GetAuthConfig(host) if err != nil { return "", "", err } if ac.IdentityToken != "" { return "", ac.IdentityToken, nil } return ac.Username, ac.Password, nil } } func RegistryAuthForRef(ref string, a Auth) (string, error) { if a == nil { return "", nil } r, err := parseRef(ref) if err != nil { return "", err } host := reference.Domain(r) if host == "docker.io" { host = "https://index.docker.io/v1/" } ac, err := a.GetAuthConfig(host) if err != nil { return "", err } buf, err := json.Marshal(ac) if err != nil { return "", err } return base64.URLEncoding.EncodeToString(buf), nil }