Merge pull request #233 from depot/fix/ecr-push

fix(push): use basic auth when specified by realm
depot · Dec 12, 2023 · cd87be6 · cd87be6
2 parents 971eeaf + b0eb0e3
commit cd87be6
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/pkg/cmd/push/manifests.go b/pkg/cmd/push/manifests.go
@@ -24,7 +24,7 @@ import (
 )
 
 // PushManifest pushes a manifest to a registry.
-func PushManifest(ctx context.Context, registryToken string, refspec reference.Spec, tag string, manifest ocispecs.Descriptor, manifestBytes []byte) error {
+func PushManifest(ctx context.Context, registryToken *Token, refspec reference.Spec, tag string, manifest ocispecs.Descriptor, manifestBytes []byte) error {
 	// Reversing the refspec's path.Join behavior.
 	i := strings.Index(refspec.Locator, "/")
 	host, repository := refspec.Locator[:i], refspec.Locator[i+1:]
@@ -40,8 +40,7 @@ func PushManifest(ctx context.Context, registryToken string, refspec reference.S
 	}
 	req.Header.Set("User-Agent", depotapi.Agent())
 	req.Header.Set("Content-Type", manifest.MediaType)
-	// TODO:
-	req.Header.Set("Authorization", "Bearer "+registryToken)
+	req.Header.Set("Authorization", fmt.Sprintf("%s %s", registryToken.Scheme, registryToken.Token))
 
 	res, err := http.DefaultClient.Do(req)
 	if err != nil {

diff --git a/pkg/cmd/push/push.go b/pkg/cmd/push/push.go
@@ -176,7 +176,7 @@ func Push(ctx context.Context, progressFmt, buildID, tag, token string, dockerCl
 			tag = manifest.Digest.String()
 		}
 
-		err := PushManifest(ctx, registryToken.Token, parsedTag.Refspec, tag, manifest, buf)
+		err := PushManifest(ctx, registryToken, parsedTag.Refspec, tag, manifest, buf)
 		fin()
 		if err != nil {
 			finishReporting(err)
@@ -188,7 +188,7 @@ func Push(ctx context.Context, progressFmt, buildID, tag, token string, dockerCl
 		fin = logger(fmt.Sprintf("Pushing index %s", index.Digest.String()))
 
 		buf := buildDescriptors.IndexBytes[index.Digest]
-		err := PushManifest(ctx, registryToken.Token, parsedTag.Refspec, parsedTag.Tag, index, buf)
+		err := PushManifest(ctx, registryToken, parsedTag.Refspec, parsedTag.Tag, index, buf)
 		fin()
 		if err != nil {
 			finishReporting(err)

diff --git a/pkg/cmd/push/token.go b/pkg/cmd/push/token.go
@@ -2,6 +2,7 @@ package push
 
 import (
 	"context"
+	"encoding/base64"
 	"net/http"
 
 	"github.com/containerd/containerd/remotes/docker/auth"
@@ -33,6 +34,21 @@ func FetchToken(ctx context.Context, config *configtypes.AuthConfig, challenge *
 	} else {
 		username = config.Username
 		secret = config.Password
+		if challenge.Scheme == auth.BasicAuth {
+			if username != "" && secret != "" {
+				return &Token{
+					Token:  base64.StdEncoding.EncodeToString([]byte(username + ":" + secret)),
+					Scheme: "Basic",
+				}, nil
+			}
+
+			if config.Auth != "" {
+				return &Token{
+					Token:  config.Auth,
+					Scheme: "Basic",
+				}, nil
+			}
+		}
 	}
 
 	if secret == "" {
@@ -69,7 +85,6 @@ func GetAnonymousToken(ctx context.Context, username string, challenge *auth.Cha
 	}
 	client := http.DefaultClient
 	var headers http.Header
-	// TODO: handle nil fetchtoken
 	res, err := auth.FetchToken(ctx, client, headers, tokenOptions)
 	if err != nil {
 		return nil, err
@@ -96,7 +111,6 @@ func GetOAuthToken(ctx context.Context, username, secret string, challenge *auth
 
 	client := http.DefaultClient
 	var headers http.Header
-	// TODO: handle nil fetchtoken
 	res, err := auth.FetchTokenWithOAuth(ctx, client, headers, "depot-client", tokenOptions)
 	if err == nil {
 		return &Token{