Our requirements for discovering credentials for OCI registries include automatic discovery or manual specification of Docker CLI-style auth configuration files, which is a nontrivial amount of logic in itself, along with an OpenTofu-specific version of that configuration model embedded in the CLI configuration. To avoid incorporating all of this extra scope into package cliconfig, this new package ociauthconfig helps with modeling the overall OCI registry authentication policy and with the Docker-CLI-style auth config format. In a future commit, package cliconfig will drive this package's behavior based on the operator's CLI configuration settings, eventually returning an ociauthconfig.CredentialsConfigs representing the configured auth policy, which package main can then deliver to other components as part of an OCI client. This ultimately yields the ORAS Go library's credentials type, since that module has a relatively narrow indirect dependency surface area and will avoid us needlessly implementing and maintaining our own OCI registry client implementations. Signed-off-by: Martin Atkins <mart@degeneration.co.uk>
// Copyright (c) The OpenTofu Authors
// SPDX-License-Identifier: MPL-2.0
// Copyright (c) 2023 HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package ociauthconfig
import (
"context"
"fmt"
)
// CredentialsSource is one candidate provider of credentials for an OCI
// registry. Consumers call Credentials to obtain the actual username/password
// pair; the lookup may be deferred to call time (see the Docker credential
// helper implementation below) or fixed at construction (the static one).
//
// Implementations are deliberately restricted to this package via the
// unexported credentialsSourceImpl marker method, so every path by which a
// registry secret enters the process is visible in one place for review.
type CredentialsSource interface {
	// CredentialsSpecificity reports the specificity value this source was
	// constructed with.
	// NOTE(review): the meaning of CredentialsSpecificity is defined elsewhere
	// in this package; presumably callers use it to prefer the most specific
	// matching source when several apply to one registry — confirm there.
	CredentialsSpecificity() CredentialsSpecificity
	// Credentials resolves the credentials, consulting env for anything that
	// must be looked up when called (e.g. a Docker credential helper).
	// ctx bounds that lookup; a non-nil error means no credentials were
	// obtained and the returned Credentials must not be used.
	Credentials(ctx context.Context, env CredentialsLookupEnvironment) (Credentials, error)
	credentialsSourceImpl() // prevents implementations outside this package
}
// NewStaticCredentialsSource returns a CredentialsSource that always yields
// creds, ignoring the context and lookup environment it is later given, and
// that reports spec as its specificity. It is intended for credentials that
// are already known when the configuration is loaded.
//
// creds is held in memory for the lifetime of the returned source; callers
// should avoid logging or otherwise surfacing the source beyond what the
// registry client needs.
func NewStaticCredentialsSource(creds Credentials, spec CredentialsSpecificity) CredentialsSource {
	var src CredentialsSource = &staticCredentialsSource{
		creds: creds,
		spec:  spec,
	}
	return src
}
// NewDockerCredentialHelperCredentialsSource returns a CredentialsSource that
// asks the Docker credential helper named helperName for the credentials it
// holds for serverURL, each time Credentials is called. spec is reported
// unchanged as the source's specificity.
//
// Nothing is resolved, executed or validated here: the helper is only
// consulted through CredentialsLookupEnvironment.QueryDockerCredentialHelper
// at call time.
// NOTE(review): Docker credential helpers are conventionally separate
// executables selected by name, so helperName (and serverURL, which is
// passed to the helper) should be validated by whatever implements
// QueryDockerCredentialHelper or by the configuration layer — that code is
// outside this file; confirm it rejects path separators and similar.
func NewDockerCredentialHelperCredentialsSource(helperName string, serverURL string, spec CredentialsSpecificity) CredentialsSource {
	src := dockerCredentialHelperCredentialSource{
		helperName: helperName,
		serverURL:  serverURL,
		spec:       spec,
	}
	return &src
}
// staticCredentialsSource is the CredentialsSource built by
// NewStaticCredentialsSource: it carries a fixed Credentials value and a
// fixed specificity and performs no lookup.
type staticCredentialsSource struct {
	// creds is returned verbatim from every Credentials call.
	creds Credentials
	// spec is returned verbatim from CredentialsSpecificity.
	spec CredentialsSpecificity
}
// Compile-time check that *staticCredentialsSource satisfies CredentialsSource.
var _ CredentialsSource = (*staticCredentialsSource)(nil)
// CredentialsSpecificity returns the specificity fixed at construction time.
func (s *staticCredentialsSource) CredentialsSpecificity() CredentialsSpecificity {
	return s.spec
}
// Credentials returns the fixed credentials supplied at construction.
// ctx and env are ignored: there is nothing to look up, so this never
// blocks and never fails.
func (s *staticCredentialsSource) Credentials(_ context.Context, _ CredentialsLookupEnvironment) (Credentials, error) {
	return s.creds, nil
}
// credentialsSourceImpl is the unexported marker that keeps CredentialsSource
// closed to implementations outside this package; it has no behavior.
func (s *staticCredentialsSource) credentialsSourceImpl() {}
// dockerCredentialHelperCredentialSource is the CredentialsSource built by
// NewDockerCredentialHelperCredentialsSource. It stores no secret itself;
// the secret is fetched from the named helper on every Credentials call.
type dockerCredentialHelperCredentialSource struct {
	// helperName identifies the Docker credential helper to query. It is
	// passed through to CredentialsLookupEnvironment.QueryDockerCredentialHelper
	// unmodified, so any validation of it happens there or upstream.
	helperName string
	// serverURL is the registry key handed to the helper when querying.
	serverURL string
	// spec is returned verbatim from CredentialsSpecificity.
	spec CredentialsSpecificity
}
// Compile-time check that *dockerCredentialHelperCredentialSource satisfies CredentialsSource.
var _ CredentialsSource = (*dockerCredentialHelperCredentialSource)(nil)
// CredentialsSpecificity returns the specificity fixed at construction time.
func (s *dockerCredentialHelperCredentialSource) CredentialsSpecificity() CredentialsSpecificity {
	return s.spec
}
// Credentials queries the configured Docker credential helper for serverURL
// through env and converts the helper's username/secret pair into a
// Credentials value.
//
// ctx is handed to the lookup so a cancelled or expiring context can abort
// the helper query. On failure the error is wrapped with the helper name
// (quoted, so an odd or empty name is visible) and an empty Credentials is
// returned; callers must not use that zero value.
//
// Only username and password are populated: the Docker helper protocol yields
// a single (Username, Secret) pair and has no way to express OAuth-style
// credentials, so those fields are left at their zero values.
// NOTE(review): by Docker CLI convention a helper reports an identity/refresh
// token by returning the literal username "<token>" with the token as the
// secret. That case lands here as an ordinary password — confirm the OCI
// client built from these Credentials does the right thing with it.
func (s *dockerCredentialHelperCredentialSource) Credentials(ctx context.Context, env CredentialsLookupEnvironment) (Credentials, error) {
	helperResult, queryErr := env.QueryDockerCredentialHelper(ctx, s.helperName, s.serverURL)
	if queryErr != nil {
		return Credentials{}, fmt.Errorf("from %q credential helper: %w", s.helperName, queryErr)
	}
	creds := Credentials{
		username: helperResult.Username,
		password: helperResult.Secret,
	}
	return creds, nil
}
// credentialsSourceImpl is the unexported marker that keeps CredentialsSource
// closed to implementations outside this package; it has no behavior.
func (s *dockerCredentialHelperCredentialSource) credentialsSourceImpl() {}