add support for registry authentication

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
kubescape · Mar 22, 2023 · 1f29cee · 1f29cee
1 parent 488194e
commit 1f29cee
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/core/services/scan.go b/core/services/scan.go
@@ -64,7 +64,7 @@ func (s *ScanService) GenerateSBOM(ctx context.Context) error {
 	// if SBOM is not available, create it
 	if sbom.Content == nil {
 		// create SBOM
-		sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, domain.RegistryOptions{})
+		sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, optionsFromWorkload(workload))
 		if err != nil {
 			return err
 		}
@@ -128,7 +128,7 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 		// if SBOM is not available, create it
 		if sbom.Content == nil {
 			// create SBOM
-			sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, domain.RegistryOptions{}) // FIXME: add registry options
+			sbom, err = s.sbomCreator.CreateSBOM(ctx, workload.ImageHash, optionsFromWorkload(workload))
 			if err != nil {
 				return err
 			}
@@ -214,6 +214,22 @@ func enrichContext(ctx context.Context, workload domain.ScanCommand) context.Con
 	return ctx
 }
 
+func optionsFromWorkload(workload domain.ScanCommand) domain.RegistryOptions {
+	options := domain.RegistryOptions{}
+	for _, cred := range workload.Credentialslist {
+		if cred.Auth != "" {
+			options.Credentials = append(options.Credentials, domain.RegistryCredentials{Authority: cred.Auth})
+		}
+		if cred.RegistryToken != "" {
+			options.Credentials = append(options.Credentials, domain.RegistryCredentials{Token: cred.RegistryToken})
+		}
+		if cred.Username != "" && cred.Password != "" {
+			options.Credentials = append(options.Credentials, domain.RegistryCredentials{Username: cred.Username, Password: cred.Password})
+		}
+	}
+	return options
+}
+
 func (s *ScanService) ValidateGenerateSBOM(ctx context.Context, workload domain.ScanCommand) (context.Context, error) {
 	_, span := otel.Tracer("").Start(ctx, "ScanService.ValidateGenerateSBOM")
 	defer span.End()

diff --git a/core/services/scan_test.go b/core/services/scan_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/docker/docker/api/types"
 	"github.com/kubescape/kubevuln/adapters"
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/internal/tools"
@@ -80,6 +81,18 @@ func TestScanService_GenerateSBOM(t *testing.T) {
 				workload := domain.ScanCommand{
 					ImageHash: "k8s.gcr.io/kube-proxy@sha256:c1b135231b5b1a6799346cd701da4b59e5b7ef8e694ec7b04fb23b8dbe144137",
 				}
+				workload.Credentialslist = []types.AuthConfig{
+					{
+						Username: "test",
+						Password: "test",
+					},
+					{
+						RegistryToken: "test",
+					},
+					{
+						Auth: "test",
+					},
+				}
 				var err error
 				ctx, _ = s.ValidateGenerateSBOM(ctx, workload)
 				tools.EnsureSetup(t, err == nil)