forked from aws/amazon-ecs-agent
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ecr.go
82 lines (73 loc) · 2.92 KB
/
ecr.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
// Copyright 2014-2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License"). You may
// not use this file except in compliance with the License. A copy of the
// License is located at
//
// http://aws.amazon.com/apache2.0/
//
// or in the "license" file accompanying this file. This file is distributed
// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
// express or implied. See the License for the specific language governing
// permissions and limitations under the License.
package dockerauth
import (
"encoding/base64"
"fmt"
"strings"
"github.com/aws/amazon-ecs-agent/agent/api"
"github.com/aws/amazon-ecs-agent/agent/ecr"
ecrapi "github.com/aws/amazon-ecs-agent/agent/ecr/model/ecr"
"github.com/aws/aws-sdk-go/aws"
log "github.com/cihub/seelog"
docker "github.com/fsouza/go-dockerclient"
)
type ecrAuthProvider struct {
authData *api.ECRAuthData
client ecr.ECRClient
}
const proxyEndpointScheme = "https://"
// NewECRAuthProvider returns a DockerAuthProvider that can handle retrieve
// credentials for pulling from Amazon EC2 Container Registry
func NewECRAuthProvider(authData *api.ECRAuthData, clientFactory ecr.ECRFactory) DockerAuthProvider {
if authData == nil {
return &ecrAuthProvider{}
}
log.Tracef("Getting client in %s with endpoint %s", authData.Region, authData.EndpointOverride)
return &ecrAuthProvider{
authData: authData,
client: clientFactory.GetClient(authData.Region, authData.EndpointOverride),
}
}
// GetAuthconfig retrieves the correct auth configuration for the given repository
func (authProvider *ecrAuthProvider) GetAuthconfig(image string) (docker.AuthConfiguration, error) {
if authProvider.authData == nil {
return docker.AuthConfiguration{}, fmt.Errorf("ecrAuthProvider cannot be used without AuthData")
}
log.Debugf("Calling ECR.GetAuthorizationToken for %s", image)
authData, err := authProvider.client.GetAuthorizationToken(authProvider.authData.RegistryID)
if err != nil {
return docker.AuthConfiguration{}, err
}
if authData == nil {
return docker.AuthConfiguration{}, fmt.Errorf("Missing AuthorizationData in ECR response for %s", image)
}
if authData.ProxyEndpoint != nil &&
strings.HasPrefix(proxyEndpointScheme+image, aws.StringValue(authData.ProxyEndpoint)) &&
authData.AuthorizationToken != nil {
return extractToken(authData)
}
return docker.AuthConfiguration{}, fmt.Errorf("No AuthorizationToken found for %s", image)
}
func extractToken(authData *ecrapi.AuthorizationData) (docker.AuthConfiguration, error) {
decodedToken, err := base64.StdEncoding.DecodeString(aws.StringValue(authData.AuthorizationToken))
if err != nil {
return docker.AuthConfiguration{}, err
}
parts := strings.SplitN(string(decodedToken), ":", 2)
return docker.AuthConfiguration{
Username: parts[0],
Password: parts[1],
ServerAddress: aws.StringValue(authData.ProxyEndpoint),
}, nil
}