From bf7372d690c9d2ce09e2215e730ff46b92d7c091 Mon Sep 17 00:00:00 2001
From: Achille Roussel
Date: Fri, 3 Jan 2025 16:53:02 -0800
Subject: [PATCH] fix authentication to ECR public

Signed-off-by: Achille Roussel
---
 internal/provider/authentication_helpers.go | 6 +++++-
 internal/provider/authentication_helpers_test.go | 10 +++++++++-
 internal/provider/data_source_docker_registry_image.go | 5 ++++-
 .../provider/resource_docker_registry_image_funcs.go | 5 ++++-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/internal/provider/authentication_helpers.go b/internal/provider/authentication_helpers.go
index 50662020a..01cbc49c5 100644
--- a/internal/provider/authentication_helpers.go
+++ b/internal/provider/authentication_helpers.go
@@ -41,8 +41,12 @@ func normalizeECRPasswordForDockerCLIUsage(password string) string {
 return password[4:]
 }
 
+func isECRPublicRepositoryURL(url string) bool {
+ return url == "public.ecr.aws"
+}
+
 func isECRRepositoryURL(url string) bool {
- if url == "public.ecr.aws" {
+ if isECRPublicRepositoryURL(url) {
 return true
 }
 // Regexp is based on the ecr urls shown in https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
diff --git a/internal/provider/authentication_helpers_test.go b/internal/provider/authentication_helpers_test.go
index fef82429a..627e36d8a 100644
--- a/internal/provider/authentication_helpers_test.go
+++ b/internal/provider/authentication_helpers_test.go
@@ -4,8 +4,16 @@ import (
 "testing"
 )
 
-func TestIsECRRepositoryURL(t *testing.T) {
+func TestIsECRPublicRepositoryURL(t *testing.T) {
+ if !isECRPublicRepositoryURL("public.ecr.aws") {
+ t.Fatalf("Expected true")
+ }
+ if isECRPublicRepositoryURL("public.ecr.aws.com") {
+ t.Fatalf("Expected false")
+ }
+}
 
+func TestIsECRRepositoryURL(t *testing.T) {
 if !isECRRepositoryURL("2385929435838.dkr.ecr.eu-central-1.amazonaws.com") {
 t.Fatalf("Expected true")
 }
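Review bot: `isECRPublicRepositoryURL` is added without a doc comment even though its exact string comparison now decides which Authorization scheme the two callers in this commit send. I would add `// isECRPublicRepositoryURL reports whether url is exactly the ECR Public registry host "public.ecr.aws"; a scheme, port, path or different letter case does not match.` above it. A value that misses the comparison is handled as a non-public registry by those callers, so it is worth confirming (the call sites' inputs are built outside this hunk) that they always pass a bare lower-case host. `isECRRepositoryURL` continues past the end of the hunk.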
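Review bot: The only negative case in `TestIsECRPublicRepositoryURL` is a host with an extra suffix, so the exact-match contract is pinned from one side only. Since the result selects the credential scheme, I would add the other near-misses, for example `if isECRPublicRepositoryURL("https://public.ecr.aws") { t.Fatalf("scheme-prefixed value must not match") }`, and the same for a port-suffixed and an upper-case value (sample inputs constructed for the test). The messages `Expected true` / `Expected false` also do not say which input failed; printing the input with `%q` would make a failure readable.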
diff --git a/internal/provider/data_source_docker_registry_image.go b/internal/provider/data_source_docker_registry_image.go
index 49e0c7aec..eff13a957 100644
--- a/internal/provider/data_source_docker_registry_image.go
+++ b/internal/provider/data_source_docker_registry_image.go
@@ -85,7 +85,10 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
 req.SetBasicAuth(username, password)
 } else {
- if isECRRepositoryURL(registry) {
+ if isECRPublicRepositoryURL(registry) {
+ password = normalizeECRPasswordForHTTPUsage(password)
+ req.Header.Add("Authorization", "Bearer "+password)
+ } else if isECRRepositoryURL(registry) {
 password = normalizeECRPasswordForHTTPUsage(password)
 req.Header.Add("Authorization", "Basic "+password)
 } else {
diff --git a/internal/provider/resource_docker_registry_image_funcs.go b/internal/provider/resource_docker_registry_image_funcs.go
index 33ba4740e..36685c588 100644
--- a/internal/provider/resource_docker_registry_image_funcs.go
+++ b/internal/provider/resource_docker_registry_image_funcs.go
@@ -270,7 +270,10 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 if pushOpts.Registry != "ghcr.io" && !isECRRepositoryURL(pushOpts.Registry) && !isAzureCRRepositoryURL(pushOpts.Registry) && pushOpts.Registry != "gcr.io" {
 req.SetBasicAuth(username, password)
 } else {
- if isECRRepositoryURL(pushOpts.Registry) {
+ if isECRPublicRepositoryURL(pushOpts.Registry) {
+ password = normalizeECRPasswordForHTTPUsage(password)
+ req.Header.Add("Authorization", "Bearer "+password)
+ } else if isECRRepositoryURL(pushOpts.Registry) {
 password = normalizeECRPasswordForHTTPUsage(password)
 req.Header.Add("Authorization", "Basic "+password)
 } else {
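Review bot: The new `isECRPublicRepositoryURL(registry)` branch in `getImageDigest` is only reached correctly because it is tested before `isECRRepositoryURL(registry)`, which per the helper change in this commit also returns true for `public.ecr.aws`; nothing in the code records that ordering dependency. A comment above the branch such as `// Must precede the isECRRepositoryURL check, which also matches public.ecr.aws: ECR Public is sent a Bearer token, private ECR a Basic one.` would keep a later reorder from silently switching the scheme back. I would also write `req.Header.Set("Authorization", "Bearer "+password)` instead of `Add`, so the request cannot carry two Authorization values if one was set earlier; `req` is built outside the hunk, so that is a precaution rather than an observed bug. Both remarks apply unchanged to the hunk in `deleteDockerRegistryImage`, and `getImageDigest` starts and ends outside this hunk.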
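Review bot: The branch added to `deleteDockerRegistryImage` is a line-for-line copy of the one added to `getImageDigest`, so the choice between `Bearer` and `Basic` for ECR now lives in two functions and can drift apart. The two ECR arms differ only in the scheme word; I would move that choice into one helper next to `isECRPublicRepositoryURL` in `authentication_helpers.go` and call it from both sites, as sketched below. The sketch keeps the reassignment of `password`, because the rest of `deleteDockerRegistryImage` lies outside the hunk and may read it later.

```go
// authentication_helpers.go
// ecrAuthorization normalizes an ECR password for HTTP use and returns it
// together with the Authorization header value for registry.
func ecrAuthorization(registry, password string) (normalized, header string) {
	normalized = normalizeECRPasswordForHTTPUsage(password)
	if isECRPublicRepositoryURL(registry) {
		return normalized, "Bearer " + normalized
	}
	return normalized, "Basic " + normalized
}

// deleteDockerRegistryImage (same shape in getImageDigest)
	if isECRRepositoryURL(pushOpts.Registry) {
		var header string
		password, header = ecrAuthorization(pushOpts.Registry, password)
		req.Header.Add("Authorization", header)
	} else {
		// … unchanged: remaining registries …
```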